
#1 2019-12-07 15:13:36

teckk
Member
Registered: 2013-02-21
Posts: 343

Hijacking VPN-tunneled TCP connections

Interesting, has this been talked about already? Someone posted about it on LQ.
https://seclists.org/oss-sec/2019/q4/122


#2 2019-12-07 22:39:03

xerxes_
Member
Registered: 2018-04-29
Posts: 153

Re: Hijacking VPN-tunneled TCP connections

It looks like Arch Linux is also vulnerable to this attack, so if someone is using a VPN and cares about this, they can override the settings in the file /usr/lib/sysctl.d/50-default.conf with a file created at /etc/sysctl.d/90-override.conf with, for example, these settings:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp10s.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.other_network_interface.rp_filter = 1

and restart the service/reboot the machine.
Test with:

sysctl -a 2>/dev/null | grep "\.rp_filter"

See https://access.redhat.com/solutions/53031


#3 2019-12-08 08:03:03

nl6720
Wiki Admin
Registered: 2016-07-02
Posts: 181

Re: Hijacking VPN-tunneled TCP connections

xerxes_ wrote:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp10s.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.other_network_interface.rp_filter = 1

If you want the value to be 1 for all interfaces, then just set net.ipv4.conf.all.rp_filter. Or alternatively net.ipv4.conf.default.rp_filter and reboot. The biggest value between net.ipv4.conf.interface and net.ipv4.conf.all wins, read https://www.kernel.org/doc/Documentatio … sysctl.txt . I wanted to write "strongest value" not "biggest value", but rereading the docs, it says "max value", so I'm not that certain anymore.

xerxes_ wrote:
sysctl -a 2>/dev/null | grep "\.rp_filter"

sysctl(8) supports regex pattern matching:

sysctl -ar '\.rp_filter'

If I understand correctly, net.ipv4.conf.*.rp_filter only affects IPv4, for IPv6 you need firewall rules.
It looks like the nft(8) man page has examples for rpfilter and the strong host model. Though I'm not sure what their exact placement should be. And they're also bound to break something.

Last edited by nl6720 (2019-12-08 08:14:33)


#4 2019-12-09 22:00:50

loqs
Member
Registered: 2014-03-06
Posts: 9,601

Re: Hijacking VPN-tunneled TCP connections

@nl6720 I read

The max value from conf/{all,interface}/rp_filter is used
	when doing source validation on the {interface}.

To mean the max of net.ipv4.conf.all.rp_filter and net.ipv4.conf.interface.rp_filter will be used.
So loose overrides strict overrides none.
However if

net.ipv4.conf.all.rp_filter = 1

is set before any interfaces are created then that value will also be used as the per interface value,
which is why /usr/lib/sysctl.d/50-default.conf only needs to set one value.
Edit:
Wireguard discussion referencing the same nft FIB filtering https://lore.kernel.org/wireguard/860fe … gmail.com/

Last edited by loqs (2019-12-09 22:17:45)

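As an added example (not code from any poster in this thread), a small Python script that applies the "max value from conf/{all,interface}" rule loqs quotes to sysctl(8)-style output, reports the effective rp_filter mode per interface, and lists interfaces left with no source validation. The sample output and the interface names in it are constructed for the example.

```python
"""Effective rp_filter per interface, following the kernel doc rule quoted in
the thread: the max of net.ipv4.conf.all.rp_filter and the per-interface
value is what source validation actually uses.  Note that "max" is numeric,
so loose (2) on an interface wins over strict (1) on "all"."""
import re

# Constructed sample of `sysctl -ar '\.rp_filter'` output; enp10s0 and wg0
# are made-up interface names for this example.
SAMPLE = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp10s0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wg0.rp_filter = 2
"""

LINE_RE = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.rp_filter\s*=\s*([012])$")
MODES = {0: "none", 1: "strict", 2: "loose"}


def parse_rp_filter(text):
    """Return {name: value} for every net.ipv4.conf.<name>.rp_filter line."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def effective_rp_filter(values):
    """Per real interface: max(all, interface).  'all' and 'default' are not
    interfaces; 'default' only seeds interfaces created later."""
    all_value = values.get("all", 0)
    return {name: max(all_value, v) for name, v in values.items()
            if name not in ("all", "default")}


def unprotected(values):
    """Interfaces whose effective value is 0, i.e. no source validation."""
    return sorted(n for n, v in effective_rp_filter(values).items() if v == 0)


if __name__ == "__main__":
    vals = parse_rp_filter(SAMPLE)
    for name, v in sorted(effective_rp_filter(vals).items()):
        print(f"{name}: rp_filter={v} ({MODES[v]})")
    print("no source validation:", unprotected(vals))
```

Piping real output into it (`sysctl -ar '\.rp_filter' | python3 script.py` after replacing SAMPLE with sys.stdin.read()) shows which interfaces the override file from post #2 has actually covered.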
