{"id":1555,"date":"2025-01-17T03:47:33","date_gmt":"2025-01-17T03:47:33","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1555"},"modified":"2025-01-17T03:47:33","modified_gmt":"2025-01-17T03:47:33","slug":"millions-of-tunneling-hosts-are-vulnerable-to-spoofing-ddos-attacks-say-researchers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1555","title":{"rendered":"Millions of tunneling hosts are vulnerable to spoofing, DDoS attacks, say researchers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>There are more than 4 million vulnerable hosts on the internet that accept unauthenticated traffic, say Belgian researchers, who warn that, unless action is taken by CISOs and network product manufacturers, those hosts can be abused as one-way proxies, enabling an adversary to spoof the source address of packets to permit access to an organization\u2019s private network, or be leveraged to facilitate new denial of service attacks.<\/p>\n<p>The evidence is in <a href=\"https:\/\/papers.mathyvanhoef.com\/usenix2025-tunnels.pdf\">an academic paper published this week<\/a> by authors Angelos Beitis and Mathy Vanhoef of KU Leuven University\u2019s DistriNet Research Unit.<\/p>\n<p>They started by scanning the internet using seven scanning methods to look for devices, including desktop PCs, cloud servers, and core routers, that accept legacy or modern tunneling traffic not protected with security such as IPsec. The 4 million vulnerable hosts they discovered accept unauthenticated IP in IP (IPIP), Generic Routing Encapsulation (GRE), IPv4 in IPv6 (4in6), or IPv6 in IPv4 (6in4) traffic. 
By default, they don\u2019t use authentication or encryption.<\/p>\n<p>It\u2019s bad enough, the authors wrote, that these hosts can be abused by existing attacks, but they can also facilitate new distributed denial of service (DDoS) amplification attacks. One concentrates traffic in time, and another loops packets between vulnerable hosts, resulting in an amplification factor of at least 16 and 75, respectively.<\/p>\n<p>In addition, the hosts can be hit with what the authors call an Economic Denial of Sustainability (EDoS) attack, in which the outgoing bandwidth of a host is drained, or an Administrative Denial of Service, in which the vulnerable hosts send traffic that causes the recipient to file an abuse report with the host\u2019s ISP, possibly leading to its account being suspended.<\/p>\n<h2 class=\"wp-block-heading\">Defenses<\/h2>\n<p>However, CISOs are not without defenses, the paper says.<\/p>\n<p>First, a host should use a secure set of protocols to provide authentication and encryption, such as IPsec (Internet Protocol Security). Often used to set up VPNs, IPsec encrypts IP packets and authenticates the packets\u2019 source.<\/p>\n<p>\u201cSince IPsec can transport any IP protocol, it can be used to protect all discussed tunneling protocols; a host should only accept tunneling packets that are protected using IPsec,\u201d the paper said.<\/p>\n<p>Second, network defenses such as ingress and egress traffic filtering and deep packet inspection can be implemented on routers or other internet middle boxes to prevent or limit the damage of attacks. Traffic filtering would prevent an adversary from forcing hosts to spoof packets, while deep packet inspection would detect likely malicious tunneling packets. 
For example, the paper says, the network could drop packets where the number of encapsulated headers exceeds a number x, where x is the number of tunneled hosts in the network.<\/p>\n<p>Third, the paper says that in some networks it may also be possible to block all incoming or outgoing unencrypted tunneling packets. For instance, if a host uses IPsec in combination with GRE but, due to a misconfiguration, also accepts unencrypted GRE packets, the network can block unencrypted GRE packets. The host would still be able to receive IPsec traffic and hence function normally while being protected from attacks.<\/p>\n<p>The problem of hosts accepting unencrypted traffic isn\u2019t new, commented Johannes Ullrich, dean of research at the SANS Institute. \u201cPeople keep rediscovering this since at least 2001,\u201d he said in an email. That was the year he first saw some 6to4 tunnels used for Internet Relay Chat (IRC) communication with a botnet. Microsoft partly addressed this when it enabled the Teredo tunneling protocol in Windows 7, he wrote. <a href=\"https:\/\/en.wikipedia.org\/wiki\/Teredo_tunneling\">Teredo<\/a> is a transition technology that gives IPv6 connectivity for IPv6-capable hosts on the IPv4 internet that have no native connection to an IPv6 network.<\/p>\n<p>Hosts accepting unencrypted traffic have been exploited a few times in the wild, Ullrich wrote, \u201cbut for the most part, it never turned into a big deal.<\/p>\n<p>\u201cPeople also occasionally rediscover that IPv6 is preferred over IPv4 in most operating systems, and rogue IPv6 networks can in some cases lead to VPN leakage,\u201d he added.<\/p>\n<h2 class=\"wp-block-heading\">Why is this important<\/h2>\n<p>Tunneling protocols \u2013 including IPIP and GRE \u2013 are an essential backbone of the internet, the paper says. These protocols can link disconnected networks and form virtual private networks (VPNs). 
But one limitation is that these protocols don\u2019t authenticate or encrypt traffic. Instead, to secure these protocols, they must be combined with IPsec.<\/p>\n<p>Previous research showed misconfigured IPv4 hosts may accept unauthenticated IPIP tunneling traffic from any source, the paper says, and that these hosts could be used to spoof IPv4 addresses. The authors\u2019 research shows that IPv4 and IPv6 hosts using other tunneling protocols can also be exploited.<\/p>\n<p>The new amplification DoS attacks the two researchers discovered are:<\/p>\n<p><strong>Tunneled-Temporal Lensing (TuTL)<\/strong>: This attack concentrates attacker-generated packets in time. For instance, the attacker sends packets for 10 seconds and uses protocol properties to ensure they arrive at the victim in a window of less than one second, resulting in an amplification factor of at least 10. The adversary does so by sending traffic over multiple different chains of vulnerable hosts so all of the traffic arrives simultaneously at the victim.<\/p>\n<p><strong>The Ping-Pong attack<\/strong>: This attack loops packets sent by an attacker between vulnerable hosts. The idea, says the paper, is that an adversary constructs a tunneling packet that has another tunneling packet as an inner packet, and so on, until the maximum packet size is reached. 
The inner packet\u2019s IP headers have the other vulnerable host as the destination, meaning the (decapsulated) packet is constantly sent between the hosts.<\/p>\n<p>The new Economic Denial of Sustainability (EDoS) attack is aimed at elevating a victim\u2019s costs on the cloud by leveraging a Ping-Pong attack to consume bandwidth.\u00a0<\/p>\n<p>\u201cThe TuTL attack is especially concerning, since it can be abused to perform DoS attacks against any third-party host on the internet,\u201d the authors wrote.<\/p>\n<p>\u201cOur measurements also show that many Autonomous Systems, more than four thousand in total, do not (properly) implement source address filtering, thereby allowing the spoofing of source IP addresses,\u201d they wrote. \u201cWe hope our results will motivate and guide administrators to secure tunneling hosts better.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Mitigation<\/h2>\n<p>In an email, Beitis and Vanhoef speculated that this issue has not been resolved for many years due to a number of factors, including the need by some organizations and ISPs to have backwards compatibility with older devices, the transition towards IPv6-enabled networks, and the need by some administrators to have simplicity and performance in their networks.<\/p>\n<p>\u201cIn any case,\u201d they added, \u201cthis issue is not trivially solvable, since some ISPs may have misconfigured legacy devices that will need co-ordination to replace\/reconfigure, etc.\u201d<\/p>\n<p>ISPs should incorporate the filtering mechanisms that have been recommended for many years in order to disallow spoofed traffic, the authors said in their email, specifically ingress and egress filtering. ISPs should also ensure that their devices, by default, don\u2019t forward tunneled packets without authentication\/encryption. 
They note the paper also discusses the need for deep packet inspection on suspicious tunneled packets.<\/p>\n<p>A VPN vendor, the authors add, should ensure that the tunneling protocols used to connect their clients to their VPN servers are secure, by incorporating authentication and encryption measures such as WireGuard, the IPsec suite of protocols, OpenVPN and more.<\/p>\n<p>Network equipment vendors should ensure their equipment does not handle insecure packets by default. Ideally, they should restrict their usage to only be in combination with IPsec, and give a warning when the device is configured to accept unauthenticated tunneling packets.<\/p>\n<p>If a CISO\u2019s organization possesses its own IP ranges, the authors also said, it should subscribe to the Shadowserver Foundation to get automated warnings, since Shadowserver performs daily scans and can notify the owners of vulnerable hosts. Otherwise, organizations can request access to the authors\u2019 tools to confirm that their network contains no open tunneling hosts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>There are more than 4 million vulnerable hosts on the internet that accept unauthenticated traffic, say Belgian researchers, who warn that, unless action is taken by CISOs and network product manufacturers, those hosts can be abused as one-way proxies, enabling an adversary to spoof the source address of packets to permit access to an organization\u2019s 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1556,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1555","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1555"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1555"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1555\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1556"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}