Saturday, March 27, 2021

Can you prevent spoofed packets from entering the internal network?

tldr: The end goal is to not have spoofed packets with arbitrary payloads enter the network.

Consider an IPv4 network with a single public IP and many devices behind a NAT. To some extent, NAT plus a stateful firewall prevents a host on the external network from sending traffic directly to the inside: an inbound packet is only translated and forwarded if it matches an existing connection-tracking entry. However, if you manage to spoof packets so that they match what the firewall expects, it will let them through. The OS or application then decides what to do with them, which can have undesired consequences depending on the payload.

This seems to be a problem in particular for UDP, since there is very little on which to build state. To my knowledge, a packet with the right source and destination IP and port will go through. (For TCP the tracker can additionally require sequence numbers that fall inside the tracked window, so a blind spoofer has more to guess; UDP offers nothing comparable.)
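To make the UDP case concrete, here is a small model of a NAT with stateful UDP tracking. It is an added example written for this post, not code from it; the addresses are constructed from the RFC 5737 documentation ranges, the idle timeout is a tick counter rather than wall-clock time, and `NatFirewall`, `Packet` and `demo` are names chosen here. It generalises slightly beyond the post by letting you switch between address-and-port-dependent filtering and endpoint-independent (full-cone) filtering.

```python
"""Toy model of a NAT with stateful UDP tracking. Added example, not from the
post; addresses are constructed from the RFC 5737 documentation ranges."""
import secrets
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"      # constructed: the NAT's single public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NatFirewall:
    """Endpoint-independent mapping (one external port per inside ip:port) with
    a selectable inbound filtering rule. Idle expiry is modelled with a tick
    counter instead of wall-clock time so the example runs deterministically."""

    def __init__(self, filtering="address_and_port", random_ports=True, timeout=30):
        assert filtering in ("endpoint_independent", "address_and_port")
        self.filtering = filtering
        self.random_ports = random_ports
        self.timeout = timeout
        self.now = 0
        self.mapping = {}   # (inside_ip, inside_port) -> external port
        self.flows = {}     # (ext_port, peer_ip, peer_port) -> (inside_ip, inside_port, last_seen)
        self.next_port = 1024

    def _alloc_port(self):
        if self.random_ports:
            return 1024 + secrets.randbelow(65536 - 1024)
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def tick(self, seconds=1):
        self.now += seconds

    def outbound(self, pkt):
        """Translate an inside->outside packet and record the flow."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.mapping:
            self.mapping[key] = self._alloc_port()
        ext_port = self.mapping[key]
        self.flows[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port, self.now)
        return Packet(PUBLIC_IP, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Return the packet as delivered inside, or None if the firewall drops it.
        Nothing here can tell a genuine reply from a spoof with the same header."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        for key, (in_ip, in_port, last_seen) in list(self.flows.items()):
            ext_port, peer_ip, peer_port = key
            if ext_port != pkt.dst_port or self.now - last_seen > self.timeout:
                continue
            if self.filtering == "address_and_port" and (peer_ip, peer_port) != (pkt.src_ip, pkt.src_port):
                continue
            self.flows[key] = (in_ip, in_port, self.now)   # refresh the entry, like conntrack does
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)
        return None


def demo(filtering="address_and_port"):
    """One inside client talks to an outside server; then four inbound datagrams
    are offered to the firewall. Returns {name: delivered?}."""
    fw = NatFirewall(filtering=filtering, random_ports=False)
    server, inside = "198.51.100.5", "192.168.1.20"       # constructed addresses
    ext = fw.outbound(Packet(inside, 40000, server, 53, b"constructed query"))

    def probe(src_ip, src_port, payload):
        return fw.inbound(Packet(src_ip, src_port, PUBLIC_IP, ext.src_port, payload))

    results = {}
    results["genuine_reply"] = probe(server, 53, b"answer") is not None
    results["unsolicited"] = probe("192.0.2.99", 4444, b"scan") is not None        # third party, no spoofing
    results["spoofed_5tuple"] = probe(server, 53, b"attacker payload") is not None  # forged src ip:port
    fw.tick(fw.timeout + 1)
    results["spoofed_after_idle"] = probe(server, 53, b"late") is not None
    return results


if __name__ == "__main__":
    print(demo())
    print(demo("endpoint_independent"))
```

With address-and-port-dependent filtering the unsolicited scan is dropped, but the forged datagram carrying the server's IP and port is indistinguishable from the real reply and is delivered inside; with endpoint-independent filtering even the unrelated host gets through once the mapping exists. Randomising the external port (the default in the model) only raises the guessing cost for an attacker who does not already know the mapping; it does not change what happens once the 5-tuple is right, and the window closes only when the entry idles out.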

Is there anything you can do about this?

With TCP, and in particular with encrypted traffic, this is a bit easier: you can at least put an intercepting proxy in the path that terminates the connection, decrypts, and forwards the data to the final destination. The packet from the external network is then consumed by the proxy and will in most cases never reach the end application.

But (unencrypted) UDP is a problem. Is there some way to change the payload of a packet while still preserving its meaning? There are converters that turn pdf/doc files into some other format, such as images, in order to remove scripts and macros: the image has fewer functions but is still human-readable. I have not come across anything similar for packets, though, and I don't think it is generally possible. Some kind of intercepting/mangling proxy would be nice, but that only works for encrypted traffic. I'm also not aware of any solution that works for encrypted UDP such as QUIC or DTLS.
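The document-to-image idea can at least be applied per protocol when the protocol has a fixed, fully specified layout. The following is an added example, not from the post: a normaliser for NTP client/server datagrams (RFC 5905) that parses each datagram into typed fields, validates them, and re-emits only what it understood. Bytes after the 48-byte header (extension fields, MAC) are discarded, so authenticated NTP would not survive this relay, and a client request is reduced to the version, mode and transmit timestamp that the server actually needs. The function and helper names (`normalize_ntp`, `rejected`, `make_request`, `make_reply`) and the sample datagrams are constructed here; nothing about this generalises to arbitrary UDP traffic, which is the author's point.

```python
"""Protocol-aware UDP normaliser for NTP (RFC 5905 client/server packets).
Added example, not from the post: parse into typed fields, validate, and
re-emit only what was understood. Sample datagrams are constructed."""
import struct

# LI|VN|Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference / originate / receive / transmit timestamps
NTP_FMT = "!BBbbIIIQQQQ"
NTP_LEN = struct.calcsize(NTP_FMT)   # 48 bytes
MODE_CLIENT, MODE_SERVER = 3, 4


class Reject(ValueError):
    """Raised for datagrams the relay refuses to forward."""


def normalize_ntp(data, direction):
    """Return a rebuilt 48-byte datagram or raise Reject.

    direction is "to_server" (inside client -> outside) or "to_client" (reply).
    Bytes after the header (extension fields, MAC) are dropped, so authenticated
    NTP does not survive this relay; that loss of function is the price of the
    conversion, like losing macros when a document becomes an image.
    """
    if direction not in ("to_server", "to_client"):
        raise ValueError(f"unknown direction {direction!r}")
    if len(data) < NTP_LEN:
        raise Reject("short datagram")
    f = list(struct.unpack(NTP_FMT, data[:NTP_LEN]))
    li, vn, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    if vn not in (3, 4):
        raise Reject(f"unsupported version {vn}")
    want = MODE_CLIENT if direction == "to_server" else MODE_SERVER
    if mode != want:
        raise Reject(f"mode {mode} not allowed {direction}")
    if f[1] > 16:                      # strata above 16 are reserved
        raise Reject(f"reserved stratum {f[1]}")
    if direction == "to_server":
        # A request only needs version, mode and the transmit timestamp, which the
        # server echoes back as the originate timestamp; everything else is blanked.
        f = [(vn << 3) | mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, f[10]]
    else:
        f[0] = (li << 6) | (vn << 3) | mode   # re-pack from the parsed values
    return struct.pack(NTP_FMT, *f)


def rejected(data, direction):
    """True if normalize_ntp refuses the datagram (helper for the checks below)."""
    try:
        normalize_ntp(data, direction)
        return False
    except Reject:
        return True


def make_request(xmit_ts, version=4, extra=b""):
    """Constructed NTP client request; `extra` stands in for extension fields or junk."""
    hdr = struct.pack(NTP_FMT, (version << 3) | MODE_CLIENT, 0, 6, -20, 0, 0, 0, 0, 0, 0, xmit_ts)
    return hdr + extra


def make_reply(request, stratum=2):
    """Constructed server reply that echoes the request's transmit timestamp as originate."""
    orig = struct.unpack(NTP_FMT, request[:NTP_LEN])[10]
    return struct.pack(NTP_FMT, (4 << 3) | MODE_SERVER, stratum, 6, -20, 0, 0, 0x7F000001, 1, orig, 2, 3)


if __name__ == "__main__":
    req = make_request(7, extra=b"A" * 200)          # 200 bytes of junk after the header
    clean = normalize_ntp(req, "to_server")
    print(len(req), "->", len(clean), clean.hex())
    print("request offered as a reply rejected:", rejected(make_request(7), "to_client"))
```

The relay sits between the inside host and the outside world and only forwards what `normalize_ntp` returns, so an attacker who gets a spoofed datagram past the stateful filter still cannot deliver arbitrary bytes to the client, only a well-formed header with bounded field values. The cost is visible in the code: every field the parser does not understand is lost, and the parser has to be written and kept correct for each protocol separately.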

Maybe there are some other options?
