Ripple20 and Dropping UDP packets with the frag bit set in its header


Wallace_n_Gromit

Regular Contributor
After listening to a podcast about the Ripple20 Vulnerability:


Discussion of the Ripple20 Vulnerability (re: embedded Treck TCP/IP stack in multi-millions of IoT devices) begins at 1:44:05 and the proposed mitigation for most of the issues begins at 2:02:47.

The host referred to "UDP fragmentation attacks" as a way that several of the vulnerabilities would be exploited. He suggested that a method of mitigation would be for a router to have a specific-purpose filter to "...drop any UDP packet with the frag bit set in its header". Is this something that an Asuswrt-Merlin firmware/script can currently do? And if so, how would it be enabled?

Wallace_n_Gromit

Regular Contributor
You could do it with an iptables rule.
After doing some preliminary searches about iptables I found:

https://www.tecmint.com/linux-iptables-firewall-rules-examples-commands/

I used the command [iptables -L -n -v] on the command line of my RT-AC68U. Interesting and loooong output.

I guess what this tells me is that I can input iptables command lines directly into the router from an SSH session.

The command would look something like this:

iptables -A INPUT -p udp -i eth0 -j DROP

I can't seem to find a command line item to specify [drop any UDP packet with the frag bit set in its header].

ADD: I did find another site https://ciphers.pw/threads/iptables-ddos-protection.5454/ that seems to give examples of various iptables command lines that block some DDoS and offers various udp command variations.

Nothing that mentions blocking all udp INPUT with frag bit set.

2nd Edit: I found another site https://github.com/iotaledger/iri/issues/276 that seems to offer a method to see if udp-fragmentation-offload is off/on. I'm supposing/deducing that udp-fragmentation-offload = off is the equivalent of having the udp frag bit set off, dropping fragmented udp packets?

At the command prompt I typed [opkg install ethtool], then typed [ethtool -k eth0 | grep udp-fragmentation-offload] and got the result:
udp-fragmentation-offload: off

So perhaps the Merlin firmware, by default, already drops udp packets that have the frag bit set?

ColinTaylor

Part of the Furniture
I think you need to understand how the vulnerability actually works before trying to create a fix for it. The video doesn't explain any of the technical details. Incoming fragmented packets are reassembled by the router's network stack before being processed so normally you would never get to see an incoming fragmented packet.

Vexira

Part of the Furniture
After doing some preliminary searches about iptables I found:

https://www.tecmint.com/linux-iptables-firewall-rules-examples-commands/

I used the command [iptables -L -n -v] on the command line of my RT-AC68U. Interesting and loooong output.

I guess what this tells me is that I can input iptables command lines directly into the router from an SSH session.

The command would look something like this:

iptables -A INPUT -p udp -i eth0 -j DROP

I can't seem to find a command line item to specify [drop any UDP packet with the frag bit set in its header].

ADD: I did find another site https://ciphers.pw/threads/iptables-ddos-protection.5454/ that seems to give examples of various iptables command lines that block some DDoS and offers various udp command variations.

Nothing that mentions blocking all udp INPUT with frag bit set.

2nd Edit: I found another site https://github.com/iotaledger/iri/issues/276 that seems to offer a method to see if udp-fragmentation-offload is off/on. I'm supposing/deducing that udp-fragmentation-offload = off is the equivalent of having the udp frag bit set off, dropping fragmented udp packets?

At the command prompt I typed [opkg install ethtool], then typed [ethtool -k eth0 | grep udp-fragmentation-offload] and got the result:
udp-fragmentation-offload: off

So perhaps the Merlin firmware, by default, already drops udp packets that have the frag bit set?
Maybe you should ping one of the Asus reps about it; they might be able to help.

Wallace_n_Gromit

Regular Contributor
Incoming fragmented packets are reassembled by the router's network stack before being processed so normally you would never get to see an incoming fragmented packet.
Is there any common legitimate reason for UDP traffic to have fragmented packets? MTU

I seem to recall that many vulnerabilities reported nowadays are described as using "...specially crafted [insert whatever here] packets/headers/files etc. etc.". The interpreter of this content (like pdf readers, TCP/IP stacks, UPnP etc.) must have a vulnerability that has been discovered and is being exploited -- the famous buffer overflow, for example.

If a common vector for malware to act (in this case) is fragmented udp traffic to the vulnerable Treck embedded/non-updated TCP/IP stack on IoT devices, and most legitimate udp traffic isn't fragmented (maybe?), wouldn't it be proactive to disable/DROP incoming udp packets that display a frag bit in their header (like the host suggested)?

I've searched online (e.g. at stackoverflow.com) for what "udp-fragmentation-offload: off", which is the default on Merlin firmware 384.17, means. It's not clear what it means, but I'm guessing it's a good thing regarding protecting against malformed/malicious udp packets?

BTW, sometimes I feel that I'm talking Star Trek Techno-Jargon. Three days ago I wouldn't have been able to come up with what I just typed. o_O

ColinTaylor

Part of the Furniture
Is there any common legitimate reason for UDP traffic to have fragmented packets? MTU
Given that a host's MTU could be set as low as 576, I imagine there could easily be applications that had a packet size greater than that.

Fragmentation-offload just moves the workload from the host to the processor on the NIC.
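As an added illustration (not code from this thread, from the podcast, or from Asuswrt-Merlin), the Python below builds a UDP datagram, fragments it for a given MTU the way RFC 791 describes, classifies each resulting IPv4 packet by its More-Fragments flag and fragment offset (the "frag bit" the podcast host referred to), and reassembles the pieces the way the router's network stack does before its filter rules ever run. It shows why the question in the thread is harder than it sounds: only the first fragment carries the UDP header, so later fragments cannot be matched on UDP ports at all, and iptables' `-f`/`--fragment` option matches only second and further fragments (non-zero offset), never the first piece. Addresses, ports, the payload and the dictionary keys are constructed sample values and names of my own choosing.

```python
"""Added example: fragmented UDP at the IPv4 layer, a wire-level view of
what "frag bit set" means and of the reassembly a router does before
filtering. All addresses, ports and payloads are constructed samples."""
import struct

IP_MF = 0x2000        # More Fragments flag (RFC 791)
IP_DF = 0x4000        # Don't Fragment flag
OFFSET_MASK = 0x1FFF  # fragment offset, in units of 8 bytes
PROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int,
                ident: int, flags_offset: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_offset, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload (checksum 0 = not computed, allowed over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def fragment(src: bytes, dst: bytes, proto: int, transport: bytes,
             mtu: int, ident: int) -> list:
    """Split one IP datagram into packets that fit the MTU. Every fragment
    but the last carries a payload that is a multiple of 8 bytes; only the
    first one (offset 0) contains the transport (UDP) header."""
    if len(transport) <= mtu - 20:
        return [ipv4_header(src, dst, proto, len(transport), ident, 0) + transport]
    step = (mtu - 20) & ~7
    packets, off = [], 0
    while off < len(transport):
        chunk = transport[off:off + step]
        last = off + len(chunk) >= len(transport)
        flags_offset = (0 if last else IP_MF) | (off // 8)
        packets.append(ipv4_header(src, dst, proto, len(chunk), ident, flags_offset) + chunk)
        off += len(chunk)
    return packets


def classify(packet: bytes) -> dict:
    """Describe one IPv4 packet the way a filter on the wire would see it."""
    ver_ihl, _, _, ident, flags_offset, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_offset & IP_MF)
    offset = (flags_offset & OFFSET_MASK) * 8
    info = {
        "proto": proto,
        "ident": ident,
        "mf": mf,
        "offset": offset,
        "checksum_ok": _checksum(packet[:ihl]) == 0,
        # "frag bit set": More Fragments is on, or this is a later piece
        "is_fragment": mf or offset != 0,
        # iptables -f / --fragment matches only second and further fragments
        "iptables_f_matches": offset != 0,
        "udp_ports": None,
    }
    # The UDP header exists only in the piece at offset 0.
    if proto == PROTO_UDP and offset == 0 and len(packet) >= ihl + 8:
        info["udp_ports"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def reassemble(packets: list):
    """Rebuild the transport payload from the fragments of one datagram, as
    the kernel's defragmentation step does before filter rules run. Returns
    None if the set is incomplete (or overlaps, in this simple version)."""
    pieces, end = [], None
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        flags_offset = struct.unpack("!H", pkt[6:8])[0]
        offset = (flags_offset & OFFSET_MASK) * 8
        pieces.append((offset, pkt[ihl:]))
        if not flags_offset & IP_MF:
            end = offset + len(pkt) - ihl
    if end is None:
        return None
    buf, covered = bytearray(end), 0
    for offset, data in sorted(pieces):
        buf[offset:offset + len(data)] = data
        covered += len(data)
    return bytes(buf) if covered == end else None


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])   # constructed
    dgram = udp_datagram(53, 1234, b"A" * 3000)               # constructed
    for mtu in (1500, 576):                                   # 576: the floor mentioned above
        frags = fragment(src, dst, PROTO_UDP, dgram, mtu, ident=0x1234)
        print(f"MTU {mtu}: {len(frags)} packets")
        for p in frags:
            print("  ", classify(p))
        print("   reassembled ok:", reassemble(frags) == dgram)
```

Run it and compare the two MTU values: a 3000-byte UDP payload becomes three packets at MTU 1500 and six at MTU 576, and in each set only the packet at offset 0 reports UDP ports. A rule that drops packets with the "frag bit set" therefore has to act on the IP header alone, and on a Linux router that reassembles before filtering it will not match anything at all, which is the point made above about never seeing an incoming fragment.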
