PDF Editor
PDF Converter
Image Converter
Video Converter
Audio Converter
File Compressor
new results for the ptb pts

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent - PowerPoint PPT Presentation

Jul 08, 2023 •379 likes •597 views

New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou Fall Jean-Louis Roch GreHack15, Grenoble, November 20 th 2015 1 New Results for the PTB-PTS Attack on Tunneling Gateways Packet Too Big (PTB) or

  1. New Results for the PTB-PTS Attack on Tunneling Gateways Vincent Roca Ludovic Jacquin Saikou Fall Jean-Louis Roch GreHack’15, Grenoble, November 20 th 2015 1

  2. New Results for the PTB-PTS Attack on Tunneling Gateways Packet Too Big (PTB) or Packet Too Small (PTS)? The underlying idea 2

  3. New Results for the PTB-PTS Attack on Tunneling Gateways About packet sizes and tunnel  two gateways establish a tunnel to connect two remote LANs (or sites) packet size S host A gateway G encapsulates packets LAN tunnel packet size H+S Internet packet size S host B decapsulates packets gateway H LAN 3

  4. New Results for the PTB-PTS Attack on Tunneling Gateways About packet sizes and tunnel… (cont’)  each link has a Maximum Transmission Unit (MTU) o maximum allowed frame size on that link o e.g. 1500 bytes for Ethernet (i.e., 1460 b. or less at TCP level)  Path MTU (PMTU) is the min. MTU along the path  a packet larger than a link’s MTU is either o dropped and an error ICMP “Packet Too Big” (PTB) message containing the MTU is returned to sender, or o fragmented if feasible (iff. IPv4 with DF bit clear)  each link MUST guaranty a minimum MTU o IPv4 576 bytes o IPv6 1280 bytes o essentially here for performance reasons 4

  5. New Results for the PTB-PTS Attack on Tunneling Gateways The issue  what happens if G’s outgoing link is already at MTU 576 bytes (IPv4)?  then we need H+S ≤ 576, which implies that S ≤ 576 - H packet size S host A gateway G encapsulates packets packet size H+S outgoing link MTU=576 Internet 5

  6. New Results for the PTB-PTS Attack on Tunneling Gateways The issue – an experimental example  G tunneling A’s traffic using IPsec (Linux/ Debian) gateway host A G packet of size 836, DF=1 ICMP PTB, MTU=514 bytes* MTU=576 impossible, packet size 552**, DF=1 ICMP PTB, MTU=514 bytes* … impossible, packet size 552**, DF=1 … deadlock! * 514 bytes because of IPsec ESP header ** 552 is minimum PMTU value on Linux/Debian 6

  7. New Results for the PTB-PTS Attack on Tunneling Gateways And now the exploit! 7

  8. New Results for the PTB-PTS Attack on Tunneling Gateways Attacker model  “On path” attacker  Eavesdrop and inject traffic on the WAN  IPsec cryptographic ciphers deemed secure IPsec or IPIP host A gateway G Secure LAN Linux or Windows Unsecure WAN “on path” attacker (e.g. Internet) host B gateway H Secure LAN 8

  9. New Results for the PTB-PTS Attack on Tunneling Gateways Description of the exploit  Resetting gateway G’s PMTU  the attacker needs to be on the tunnel path o eavesdrops a tunneled packet o forges an ICMP PTB message • Including a copy of the eavesdropped packet to bypass IPsec security check w.r.t. ICMP error messages  the attacker can use a compromised router…  … or be a simple host attached to a non-encrypted WiFi o if a user uses a tunnel from a laptop (on gateway H) to a remote network, and is attached to a non-encrypted WiFi, then we can attack the remote tunnel gateway  a single “well formed” ICMP PTB packet is sufficient to launch the attack! 9

  10. New Results for the PTB-PTS Attack on Tunneling Gateways Detail of the exploit  Debian IPsec gateway  Ubuntu client, TCP traffic, IPv4 with PMTUD 0 (Any IPsec protected packet) 10

  11. New Results for the PTB-PTS Attack on Tunneling Gateways Another PMTU discovery to the rescue?  Packetization Layer Path MTU Discovery (PLPMTUD)  Developed to mitigate ICMP “black holes” o no dependency on ICMP any more  Relies on “probes” and “feedbacks” to adjust pack et sizes  compatible with TCP o TCP ACK are used as feedbacks  the TCP packet size can be reduced below the 576 minimum MTU (in IPv4) if needed o e.g., 256 bytes + headers 11

  12. New Results for the PTB-PTS Attack on Tunneling Gateways PLPMTUD only mitigates the exploit  Ubuntu client, TCP traffic, IPv4 with PLPMTUD 0 (Any IPsec protected packet) 12

  13. New Results for the PTB-PTS Attack on Tunneling Gateways Some additional tests  UDP traffic with PMTUD  IPv6  Windows 7, with default configuration  IPIP tunnel 13

  14. New Results for the PTB-PTS Attack on Tunneling Gateways Ubuntu client results TCP, IPv4, PMTUD DoS: no connection possible any more IPsec tunnel (TCP closes after 2 min.) TCP, IPv4, PLPMTUD Major performance impacts: IPsec tunnel 6.5s initial freeze, tiny packets (MSS = 256) UDP, IPv4, PMTUD Major performance impacts: IPsec tunnel tiny packets TCP, IPv6, PMTUD DoS: no connection possible any more IPsec tunnel (TCP closes after 2 min.) TCP, IPv6, PLPMTUD Major performance impacts: IPsec tunnel 3.3s initial freeze, small packets (MSS = 504) TCP, IPv4, PMTUD Major performance impacts: IPIP tunnel 7 min. initial freeze, tiny packets (MSS = 256) TCP, IPv4, PLPMTUD Major performance impacts: IPIP tunnel 6.7s initial freeze, small packets 14

  15. New Results for the PTB-PTS Attack on Tunneling Gateways Windows 7 client results TCP, IPv4 Major performance impacts: IPsec tunnel fragmented packets (548 and 120) TCP, IPv6 DoS: no connection possible any more IPsec tunnel (TCP closes after 21 sec.) TCP, IPv4 DoS: no connection possible any more IPIP tunnel (TCP closes after 35 sec.)  Really strange behavior in TCP/IPv4/IPsec tests  Windows reset the “Don’t Fragment” bit after the first error  It keeps increasing TCP segment size… up to ~64 kB!!!  The gateway needs to fragment into smaller packet which is highly inefficient  Similar results with Windows 10 15

  16. New Results for the PTB-PTS Attack on Tunneling Gateways Conclusions 16

  17. New Results for the PTB-PTS Attack on Tunneling Gateways A highly effective attack  A single packet is enough to launch the attack  Only needs to eavesdrop one packet of the tunnel  The gateway and client cannot agree  Once the attacker created confusion he can pull out  Works on all client OSes  Highly effective, no matter the client configuration, leading either to DoS or major performance impacts  There is no good solution to deal with it! 17

  18. New Results for the PTB-PTS Attack on Tunneling Gateways Two issues highlighted  Tunnels and small PMTU  The client rejects request to use an MTU smaller than the “minimum guaranteed” o The client does not know this is motivated by IPsec or IPIP tunneling at the gateway o … and in any case it infringes the minimum MTU  Legitimacy of untrusted ICMP PTB packets  IPsec sanity check is not fully reliable and is by-passed if the attacker is on the path 18

  19. New Results for the PTB-PTS Attack on Tunneling Gateways Some counter-measures  Trivial and unsatisfying  Ignore DF bit at a tunneling gateway o E.g., as suggested by CISCO IPsec configuration guide!  Ignore any ICMP PTB at the gateway and let clients use PLPMTUD o But PLPMTUD won’t work with UDP!  Two proposed counter-measures at a gateway  A gateway must not blindly accept an ICMP PTB advertising a tiny MTU o The gateway needs room to add tunneling headers  A gateway should assess untrusted ICMP PTB o Add a probing scheme between tunneling gateways, similarly to PLPMTUD, to check the Path MTU 19

  20. New Results for the PTB-PTS Attack on Tunneling Gateways Thank you 20

Recommend

THE ORIGINAL TRACTOR PULLING Andy Mastin UND-30 16 pts Nate Niehoff 460-36 16 pts Nate

THE ORIGINAL TRACTOR PULLING Andy Mastin UND-30 16 pts Nate Niehoff 460-36 16 pts Nate

THE ORIGINAL TRACTOR PULLING Andy Mastin UND-30 16 pts Nate Niehoff 460-36 16 pts Nate Moran 1600-4 18 pts Mike Mastin 560 BL-32 20 pts Dave Angle 1650-10 20 pts Doug Harpring 656-45 30 pts 1 ST Doug Harpring 656-45 30

1.22k views • 106 slides
Protection of Taximeter Data by Secure Elements Jrg Wolff Physikalisch-Technische

Protection of Taximeter Data by Secure Elements Jrg Wolff Physikalisch-Technische

PTB-Workshop on Protection of Measurement Data in Legal Metrology and Related Challenges, 30.11.-01.12.2011, PTB Berlin Protection of Taximeter Data by Secure Elements Jrg Wolff Physikalisch-Technische Bundesanstalt (PTB)

261 views • 23 slides
Proto-Ersuic, Qiangic, and PTB Dominic Yu UC Berkeley ICSTLL45 (Singapore - NTU) 2012 October

Proto-Ersuic, Qiangic, and PTB Dominic Yu UC Berkeley ICSTLL45 (Singapore - NTU) 2012 October

Proto-Ersuic, Qiangic, and PTB Dominic Yu UC Berkeley ICSTLL45 (Singapore - NTU) 2012 October 27 Questions internal structure of Ersuic areal influences on historical development relation to Qiangic and PTB The Proto-Ersuic Syllable

585 views • 33 slides
Y/Y % Y/Y % HPE WW Q115 Q215

Y/Y % Y/Y % HPE WW Q115 Q215

Y/Y % Y/Y % HPE WW Q115 Q215 Q315 Q415 Q116 Q216 Q316 Revenue as Reported (5)% (8)% (5)% (4)% (3)% 1% (7)% Impact of divestitures 0 pts (0) pts (0) pts (1) pts

356 views • 32 slides
30 September 1-2 October 2016 123 consecutive pts treated by Hypofractionated Radiotherapy with

30 September 1-2 October 2016 123 consecutive pts treated by Hypofractionated Radiotherapy with

30 September 1-2 October 2016 123 consecutive pts treated by Hypofractionated Radiotherapy with curative intent July 2008 September 2015 Median Age 73 Yrs GPS <7 in 32 pts KPS 90-100 91,8% =7 in 50 pts Mean iPSA=19,5 ng/mL >7

298 views • 18 slides
Interpolation points and interpolation formulae on the square Stefano De Marchi Department of

Interpolation points and interpolation formulae on the square Stefano De Marchi Department of

From Dubiner metric to Xu and Padua pts More on Padua pts Computational aspects of Padua pts Application of Padua pts to Cubature Interpolation points and interpolation formulae on the square Stefano De Marchi Department of Computer

1.19k views • 103 slides
Probabilistic Fundamentals Probabilistic Fundamentals in Robotics in Robotics Basic Conc e pts in

Probabilistic Fundamentals Probabilistic Fundamentals in Robotics in Robotics Basic Conc e pts in

5/21/2012 Probabilistic Fundamentals Probabilistic Fundamentals in Robotics in Robotics Basic Conc e pts in Pr Basic Conc e pts in Pr obability obability Basilio Bona DAUIN Politecnico di Torino Course Outline Motivations Basic

681 views • 21 slides
University of Colorado at Colorado Springs Home Work Assignment 5 Out 11/4/2019, Due 11/18/2019

University of Colorado at Colorado Springs Home Work Assignment 5 Out 11/4/2019, Due 11/18/2019

Nov 2019 CS 1150 University of Colorado at Colorado Springs Home Work Assignment 5 Out 11/4/2019, Due 11/18/2019 1 Polygons (35 pts code + 5 pts pseudocode = 40 pts) Write a program Polygons.java that computes the area of different types of

325 views • 3 slides
61A Lecture 37 Wednesday, April 29 Announcements 2 Announcements Homework 9 (4 pts) due

61A Lecture 37 Wednesday, April 29 Announcements 2 Announcements Homework 9 (4 pts) due

61A Lecture 37 Wednesday, April 29 Announcements 2 Announcements Homework 9 (4 pts) due Wednesday 4/29 @ 11:59pm 2 Announcements Homework 9 (4 pts) due Wednesday 4/29 @ 11:59pm Quiz 4 due Thursday 4/30 @ 11:59pm 2 Announcements

1.49k views • 115 slides
Chaotic Compilation A (Statistical) Cloak for a Secret Computer Peter T. Breuer ptb@hecusys.com

Chaotic Compilation A (Statistical) Cloak for a Secret Computer Peter T. Breuer ptb@hecusys.com

Chaotic Compilation A (Statistical) Cloak for a Secret Computer Peter T. Breuer ptb@hecusys.com Hecusys LLC, Atlanta, GA, USA Jonathan P. Bowen London South Bank University, UK Background Encrypted Computing Data remains

364 views • 15 slides
Next generation cryogenic trap XII I XI X II HCI clocks III IX IIII VIII V VII Jos

Next generation cryogenic trap XII I XI X II HCI clocks III IX IIII VIII V VII Jos

Next generation cryogenic trap XII I XI X II HCI clocks III IX IIII VIII V VII Jos R. Crespo Lpez-Urrutia VI Max-Planck-Institut fr Kernphysik Table-top EBITs for PTB, Petra-III, Blaum division HCI-clock laboratory at PTB

667 views • 50 slides
TITANIUM EYEWEAR DESIGNED IN ICELAND, MADE IN ITALY AGNAR NEW NEW NEW ALBA NEW NEW NEW

TITANIUM EYEWEAR DESIGNED IN ICELAND, MADE IN ITALY AGNAR NEW NEW NEW ALBA NEW NEW NEW

TITANIUM EYEWEAR DESIGNED IN ICELAND, MADE IN ITALY AGNAR NEW NEW NEW ALBA NEW NEW NEW ALFONSO ASTRILD BALDR BANCO BIL NEW NEW NEW BRAGI BURI DAGR DELLING NEW ELENA NEW NEW NEW EIR FREYR HEIMDALL NEW HODER IVAN NEW

817 views • 47 slides
Introducing the new Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68

Introducing the new Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68

Introducing the new Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator 68 New Predator

419 views • 22 slides
Partial Transmit Sequence (PTS) based PAPR reduction for OFDM using improved harmony search

Partial Transmit Sequence (PTS) based PAPR reduction for OFDM using improved harmony search

Introduction Proposed Method Experimental Results Conclusion References Partial Transmit Sequence (PTS) based PAPR reduction for OFDM using improved harmony search evolutionary algorithm BICT 2014 Mangal Singh, Sarat Kumar Patra Department

743 views • 31 slides
full year results full year results full year results full full year results full year results full

full year results full year results full year results full full year results full year results full

AMP results presentation FULL YEAR RESULTS 2010 full year results full year results full year results full full year results full year results full year results full 2010 full year results Craig Dunn Chief Executive Officer Paul Leaming Chief

694 views • 24 slides
Contents PTS software release 3.3 highlights EyeSee - eye recording ZETA and

Contents PTS software release 3.3 highlights EyeSee - eye recording ZETA and

Contents PTS software release 3.3 highlights EyeSee - eye recording ZETA and ZETA Fast new thresholding strategies DPA - Defect Progression Analysis Head Tracker automatic head adjustment Gaze Tracker

536 views • 19 slides
Outline basic ideas ICMP header format message types ICMP related command (ping

Outline basic ideas ICMP header format message types ICMP related command (ping

1 /20 ICMP: Internet Control Message Protocol Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last updated: Aug 8, 2002 Applied Network Research Group Department of Computer Engineering,

981 views • 9 slides
Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of

Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of

Building LLVM-IR Johannes Doerfert and Christoph Mallon Saarbr ucken Graduate School of Computer Science Saarland University Saarbr ucken, Germany December 18, 2013 C4 2 / 14 C4 Frontend Lexer Parser C-Code Token Stream AST 2 /

907 views • 43 slides
Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source address? Hide the attackers activity nmap decoy option Hide the attackers identity To be able to view the responses, the attacker

548 views • 17 slides
Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden More about Scan

Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden More about Scan

Network Security: Scan Seungwon Shin, KAIST some slides from Dr. Brett Tjaden More about Scan Scan Techniques Network scanning where is a target? which service is available on a target? can I have more information? Vulnerability scanning

675 views • 30 slides
Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat

Linux Firewalls with iptables Concepts Examples Firewalls with iptables Linux Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 14 October 2013 Common/Reports/iptables-introduction.tex, r715

470 views • 14 slides
Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez

Techniques for better alias resolution in Internet topology discovery Santiago Garcia Jimenez Eduardo Magaa lizarrondo Daniel Morato Oses Mikel Izal Azkarate Index Introduction Existing techniques for alias resolution New techniques for

848 views • 41 slides
Designing accessible latency metrics Toke Hiland-Jrgensen 25th September 2013 1 / 6

Designing accessible latency metrics Toke Hiland-Jrgensen 25th September 2013 1 / 6

Designing accessible latency metrics Toke Hiland-Jrgensen 25th September 2013 1 / 6 Quantifying latency Bufferbloat is (getting) accepted in technical circles But mostly unknown to end-users Can be explained with some care

350 views • 6 slides
OFFICE HOURS ESG-CV Reporting Prepared: 9-29-2020 Call in If you are having audio difficulty

OFFICE HOURS ESG-CV Reporting Prepared: 9-29-2020 Call in If you are having audio difficulty

OFFICE HOURS ESG-CV Reporting Prepared: 9-29-2020 Call in If you are having audio difficulty using your computer, please call in using one of the following phone numbers: US Toll free +1-855-797-9485 US Toll +1-415-655-0002 Access code:

591 views • 14 slides

More recommend

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2025 SAMBUZ, All right reserved.