弁財天

Goffman: "Do not trust the experts; think and judge for yourself."

Announcing the ranking of the people who attack firewall/IPS connection tracking (conntrack) by setting invalid TCP timestamps lol update4

core.ac.uk→Performance testing of Network Intrusion Detection systems (Výkonové testování Network Intrusion Detection systémů) (PDF)

Performance Testing of Network Intrusion Detection Systems 2013 Pavel Pustówk https://core.ac.uk/download/pdf/17305409.pdf

5.3.4. TCP SYN flood
Here Suricata sends the RST flag to the target and immediately afterwards sends an invalid ACK, apparently because the attacker does not accept the message. Only two sample records are listed; the others are the same, only the time changes.

5.3.4. TCP SYN flood
Suricata sends the RST flag to the target here and then sends an invalid ACK, probably because the attacker is not receiving the message. Only two sample records are listed; the others are the same, only the time changes.

5.3.4. TCP SYN flood
Suricata sends the RST flag to the target here and then sends an invalid ACK. Probably because the attacking side is not receiving the message. They are all the same, so only two sample records are listed. They are changing the time. (Is this about the invalid TCP timestamps...)

root@bt:~# hping3 -i u1 -S 192.168.0.2
HPING 192.168.0.2 (eth0 192.168.0.2): S set, 40 headers + 0 data bytes
--- 192.168.0.2 hping statistic ---
105632 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
Capture format
04/01/2013-22:44:31.366683 [**] [1:2210046:1] SURICATA STREAM SHUTDOWN RST
invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.2:0
-> 192.168.1.2:2751
04/01/2013-22:44:31.366683 [**] [1:2210045:1] SURICATA STREAM Packet with
invalid ack [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.2:0
-> 192.168.1.2:2751

So they attacked the kernel's CT (connection tracking) by setting invalid TCP timestamps…

redhat.com→TCP SACK panic - kernel vulnerabilities - CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479

# cat /proc/sys/net/ipv4/tcp_sack
1
# 
# sysctl -A|grep tcp_sack
net.ipv4.tcp_sack = 1
net.ipv4.tcp_sack = 1 → 0

# uname -a
Linux localhost.localdomain 5.6.19-300.fc32.x86_64 #1 SMP Wed Jun 17 16:10:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# grubby --default-kernel
/boot/vmlinuz-5.6.13-200.fc31.x86_64
# grubby --set-default /boot/vmlinuz-5.6.19-300.fc32.x86_64 
The default is /boot/loader/entries/cf557c5d7dbd4f75a28277269a37efa9-5.6.19-300.fc32.x86_64.conf with index 0 and kernel /boot/vmlinuz-5.6.19-300.fc32.x86_64
# grubby --default-kernel
/boot/vmlinuz-5.6.19-300.fc32.x86_64
# grubby --default-index
0
#

So an IPS sitting on NFQ is what crashes the kernel, huh lol

Probably net.ipv4.tcp_sack = 0 will not fix this lol

Jun 22 16:52:36 localhost kernel: general protection fault, probably for non-canonical address 0x1d55a57780000000: 0000 [#1] SMP NOPTI
Jun 22 16:52:36 localhost kernel: CPU: 0 PID: 3511 Comm: TX#00 Not tainted 5.6.19-300.fc32.x86_64 #1
Jun 22 16:52:36 localhost kernel: Hardware name:
Jun 22 16:52:36 localhost kernel: RIP: 0010:nf_conntrack_update+0x14b/0x370 [nf_conntrack]
Jun 22 16:52:36 localhost kernel: Code: 01 00 00 48 8b 83 b8 00 00 00 48 85 c0 0f 84 ef 00 00 00 0f b6 10 84 d2 0f 84 e4 00 00 00 48 01 d0 0f 84 db 00 00 00 48 8b 00  80 84 00 00 00 01 0f 84 cb 00 00 00 0f b7 43 32 66 83 f8 02 0f
Jun 22 16:52:36 localhost kernel: RSP: 0018:ffffa0c582f3f970 EFLAGS: 00010286
Jun 22 16:52:36 localhost kernel: RAX: 1d55a57780000000 RBX: ffff8c1d43b59540 RCX: 0000000080190018
Jun 22 16:52:36 localhost kernel: RDX: 0000000000000055 RSI: 0000000080190018 RDI: ffffe3d1cc0ed620
Jun 22 16:52:36 localhost kernel: RBP: ffffa0c582f3f9e0 R08: 0000000000000000 R09: 0000000000000000
Jun 22 16:52:36 localhost kernel: R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c1d3520ca00
Jun 22 16:52:36 localhost kernel: R13: 0000000000000002 R14: ffff8c1d43b59040 R15: 0000000000000000
Jun 22 16:52:36 localhost kernel: FS:  00007fb1f777e700(0000) GS:ffff8c1e6f800000(0000) knlGS:0000000000000000
Jun 22 16:52:36 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 22 16:52:36 localhost kernel: CR2: 000028b508314000 CR3: 000000035621e000 CR4: 00000000000406f0
Jun 22 16:52:36 localhost kernel: Call Trace:
Jun 22 16:52:36 localhost kernel: ? nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jun 22 16:52:36 localhost kernel: nfqnl_reinject+0x38/0x50 [nfnetlink_queue]
Jun 22 16:52:36 localhost kernel: nfqnl_recv_verdict+0x285/0x4c0 [nfnetlink_queue]
Jun 22 16:52:36 localhost kernel: nfnetlink_rcv_msg+0x131/0x220 [nfnetlink]
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x34/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x40/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x34/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x40/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x34/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_xtra+0x2f4/0x4e0
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x34/0x70
Jun 22 16:52:36 localhost kernel: ? nfnetlink_net_exit_batch+0x60/0x60 [nfnetlink]
Jun 22 16:52:36 localhost kernel: netlink_rcv_skb+0x47/0x110
Jun 22 16:52:36 localhost kernel: netlink_unicast+0x1ce/0x290
Jun 22 16:52:36 localhost kernel: netlink_sendmsg+0x233/0x450
Jun 22 16:52:36 localhost kernel: sock_sendmsg+0x5e/0x60
Jun 22 16:52:36 localhost kernel: ____sys_sendmsg+0x227/0x270
Jun 22 16:52:36 localhost kernel: ? copy_msghdr_from_user+0xb8/0x140
Jun 22 16:52:36 localhost kernel: ___sys_sendmsg+0x7c/0xc0
Jun 22 16:52:36 localhost kernel: ? do_futex+0x89f/0xd50
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x34/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x40/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x34/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x40/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to_asm+0x34/0x70
Jun 22 16:52:36 localhost kernel: ? __switch_to+0x2cb/0x420
Jun 22 16:52:36 localhost kernel: __sys_sendmsg+0x49/0x80
Jun 22 16:52:36 localhost kernel: do_syscall_64+0x5b/0xf0
Jun 22 16:52:36 localhost kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 22 16:52:36 localhost kernel: RIP: 0033:0x7fb1fc40477d
Jun 22 16:52:36 localhost kernel: Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ba ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 ee ee ff ff 48
Jun 22 16:52:36 localhost kernel: RSP: 002b:00007fb1f777c760 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
Jun 22 16:52:36 localhost kernel: RAX: ffffffffffffffda RBX: 0000000001305ed0 RCX: 00007fb1fc40477d
Jun 22 16:52:36 localhost kernel: RDX: 0000000000000000 RSI: 00007fb1f777c7a0 RDI: 0000000000000008
Jun 22 16:52:36 localhost kernel: RBP: 00007fb1f777c890 R08: 0000000000000000 R09: 00007fb1fc339b10
Jun 22 16:52:36 localhost kernel: R10: 0000000000000000 R11: 0000000000000293 R12: 00007fb1e8051520
Jun 22 16:52:36 localhost kernel: R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000004
Jun 22 16:52:36 localhost kernel: Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache nft_queue nfnetlink_queue xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag snd_seq_dummy snd_hrtimer cfg80211 rfkill nfnetlink_log nft_log nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nft_counter nf_tables_set nf_tables nfnetlink ebtable_filter ebtables vfat fat edac_mce_amd kvm_amd ccp kvm irqbypass joydev pcspkr k10temp snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg snd_hda_codec sp5100_tco snd_hda_core i2c_piix4 snd_seq snd_hwdep snd_seq_device snd_pcm acpi_cpufreq snd_timer snd soundcore binfmt_misc ip_tables radeon i2c_algo_bit drm_kms_helper crct10dif_pclmul crc32_pclmul crc32c_intel ttm ghash_clmulni_intel drm r8169 video fuse
Jun 22 16:52:36 localhost kernel: ---[ end trace 19c57e1b8960d695 ]---
Jun 22 16:52:36 localhost kernel: RIP: 0010:nf_conntrack_update+0x14b/0x370 [nf_conntrack]
Jun 22 16:52:36 localhost kernel: Code: 01 00 00 48 8b 83 b8 00 00 00 48 85 c0 0f 84 ef 00 00 00 0f b6 10 84 d2 0f 84 e4 00 00 00 48 01 d0 0f 84 db 00 00 00 48 8b 00  80 84 00 00 00 01 0f 84 cb 00 00 00 0f b7 43 32 66 83 f8 02 0f
Jun 22 16:52:36 localhost kernel: RSP: 0018:ffffa0c582f3f970 EFLAGS: 00010286
Jun 22 16:52:36 localhost kernel: RAX: 1d55a57780000000 RBX: ffff8c1d43b59540 RCX: 0000000080190018
Jun 22 16:52:36 localhost kernel: RDX: 0000000000000055 RSI: 0000000080190018 RDI: ffffe3d1cc0ed620
Jun 22 16:52:36 localhost kernel: RBP: ffffa0c582f3f9e0 R08: 0000000000000000 R09: 0000000000000000
Jun 22 16:52:36 localhost kernel: R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c1d3520ca00
Jun 22 16:52:36 localhost kernel: R13: 0000000000000002 R14: ffff8c1d43b59040 R15: 0000000000000000
Jun 22 16:52:36 localhost kernel: FS:  00007fb1f777e700(0000) GS:ffff8c1e6f800000(0000) knlGS:0000000000000000
Jun 22 16:52:36 localhost kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 22 16:52:36 localhost kernel: CR2: 000028b508314000 CR3: 000000035621e000 CR4: 00000000000406f0
Jun 22 16:52:38 localhost abrt-dump-journal-oops[849]: abrt-dump-journal-oops: Found oopses: 1
Jun 22 16:52:38 localhost abrt-dump-journal-oops[849]: abrt-dump-journal-oops: Creating problem directories
Jun 22 16:52:38 localhost abrt-server[8490]: Can't find a meaningful backtrace for hashing in '.'
Jun 22 16:52:38 localhost abrt-server[8490]: Preserving oops '.' because DropNotReportableOopses is 'no'
Jun 22 16:52:38 localhost abrt-notification[8508]: System encountered a non-fatal error in ??()
Jun 22 16:52:39 localhost abrt-dump-journal-oops[849]: Reported 1 kernel oopses to Abrt

Suricata fast.log from June 21 to 22, 2020

[x472]06/20/2020-20:51:54.737702 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.6 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:39743 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x472]06/20/2020-20:51:54.737702 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.6 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:39743 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x341]06/20/2020-20:32:36.080205 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.86 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:44308 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x341]06/20/2020-20:32:36.080205 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 37.120.154.86 日本 東京都 東京 JP Tokyo Shinagawa (Higashishinagawa) [ASN3210 37.120.128.0/19]:44308 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x139]06/21/2020-12:52:58.914639 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 我が家.11 benzaiten.dyndns.org ZZ benzaiten.dyndns.org ZZ:47934 -> 我が家.11:8443
[x129]06/21/2020-12:52:58.914639 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 我が家.11 benzaiten.dyndns.org ZZ benzaiten.dyndns.org ZZ:47934 -> 我が家.11:8443
[x111]06/22/2020-15:56:16.441113 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 1.72.0.136 sp1-72-0-136.msc.spmode.ne.jp 日本 東京都 東京 JP Tokyo Chiyoda [ASN9605 NTT DOCOMO, INC. 1.72.0.0/22]:15496 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x111]06/22/2020-15:56:16.441113 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 1.72.0.136 sp1-72-0-136.msc.spmode.ne.jp 日本 東京都 東京 JP Tokyo Chiyoda [ASN9605 NTT DOCOMO, INC. 1.72.0.0/22]:15496 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x104]06/21/2020-13:15:41.103712 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 220.11.10.110 softbank220011010110.bbtec.net 日本 JP Tokyo Minato-ku [ASN17676 SoftBank BB Corp. 220.0.0.0/10]:63135 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x104]06/21/2020-13:15:41.103712 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 220.11.10.110 softbank220011010110.bbtec.net 日本 JP Tokyo Minato-ku [ASN17676 SoftBank BB Corp. 220.0.0.0/10]:63135 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x82]06/21/2020-06:02:50.297912 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 180.14.61.65 p6091065-ipngn29501marunouchi.tokyo.ocn.ne.jp 日本 東京都 町田市 JP Tokyo Chiyoda (Marunouchi) [ASN4713 NTT Communications Corporation 180.0.0.0/10]:63350 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x82]06/21/2020-06:02:50.297912 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 180.14.61.65 p6091065-ipngn29501marunouchi.tokyo.ocn.ne.jp 日本 東京都 町田市 JP Tokyo Chiyoda (Marunouchi) [ASN4713 NTT Communications Corporation 180.0.0.0/10]:63350 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x75]06/21/2020-17:53:02.061246 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 我が家.11 benzaiten.dyndns.org ZZ benzaiten.dyndns.org ZZ:38636 -> 我が家.11:80
[x63]06/22/2020-15:02:21.325793 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 61.193.92.218 eAc1Aak218.osk.mesh.ad.jp 日本 青森県 青森市 JP Tokyo Chiyoda [ASN2518 BIGLOBE Inc. 61.193.0.0/17]:52900 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x63]06/22/2020-15:02:21.325793 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 61.193.92.218 eAc1Aak218.osk.mesh.ad.jp 日本 青森県 青森市 JP Tokyo Chiyoda [ASN2518 BIGLOBE Inc. 61.193.0.0/17]:52900 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x63]06/21/2020-11:48:45.860834 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 115.36.20.195 115-36-20-195.chubu1.commufa.jp 日本 長野県 飯田市 JP Mie Yokkaichi (Chubu) [ASN18126 Chubu Telecommunications Company, Inc. 115.36.0.0/16]:50121 -> 我が家.11 benzaiten.dyndns.org ZZ:80
[x63]06/21/2020-11:48:45.860834 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 115.36.20.195 115-36-20-195.chubu1.commufa.jp 日本 長野県 飯田市 JP Mie Yokkaichi (Chubu) [ASN18126 Chubu Telecommunications Company, Inc. 115.36.0.0/16]:50121 -> 我が家.11 benzaiten.dyndns.org ZZ:80
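As an added example (not code from the original post or from Suricata), here is a small Python parser for fast.log lines in the format above: it honours the optional leading [xN] de-duplication count used in the listing and ranks source hosts by alert volume, optionally for a single signature id. The sample lines are constructed with documentation IP addresses rather than the page's real log, and IPv4/IPv6 addresses are assumed to be printed without brackets.

```python
import re
from collections import Counter

# Constructed sample in Suricata fast.log format (not the page's real log).
# A leading "[xN]" prefix, as in the listing above, is a de-duplicated alert count.
SAMPLE_FAST_LOG = """\
[x472]06/20/2020-20:51:54.737702 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:39743 -> 198.51.100.11:80
[x472]06/20/2020-20:51:54.737702 [**] [1:2210045:2] SURICATA STREAM Packet with invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.10:39743 -> 198.51.100.11:80
[x111]06/22/2020-15:56:16.441113 [**] [1:2210046:2] SURICATA STREAM SHUTDOWN RST invalid ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.0.2.20:15496 -> 198.51.100.11:80
06/21/2020-17:53:02.061246 [**] [1:2200074:2] SURICATA TCPv4 invalid checksum [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.11:38636 -> 198.51.100.11:80
"""

# One fast.log line: [count] timestamp [**] [gid:sid:rev] msg [**] [Classification] [Priority] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?:\[x(?P<count>\d+)\])?"
    r"(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Yield one dict per parseable alert line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            alert = m.groupdict()
            # A missing [xN] prefix means the line stands for exactly one alert.
            alert["count"] = int(alert["count"]) if alert["count"] else 1
            yield alert


def rank_sources(text, sid=None):
    """Rank source hosts by total alert count, optionally restricted to one SID."""
    totals = Counter()
    for alert in parse_fast_log(text):
        if sid is None or alert["sid"] == str(sid):
            totals[alert["src"]] += alert["count"]
    return totals.most_common()


def sid_totals(text):
    """Total alert count per signature id, to see which rules dominate the log."""
    totals = Counter()
    for alert in parse_fast_log(text):
        totals[alert["sid"]] += alert["count"]
    return dict(totals)


if __name__ == "__main__":
    for src, n in rank_sources(SAMPLE_FAST_LOG, sid=2210046):
        print(f"{n:6d}  {src}")
```

Feeding the real fast.log through rank_sources(text, sid=2210046) reproduces the kind of per-source ranking the listing above shows for "STREAM SHUTDOWN RST invalid ack".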
