All ALGs vulnerable? #6
Comments
UDP uses fragmentation so looking at fragmentation would work there. For TCP, segmentation needs to be looked at. Realistically, to prevent this, ALG should be disabled. The NAT Pinning PoC (10 years ago) demonstrated that ALGs can be triggered without any fancy packet boundary control as many ALGs are CRLF-based and simply parse line by line, not by packet boundaries. Ideally ALGs become disabled by default and browsers restrict ALG-specific ports for all outbound socket features they support other than necessary (for example, allow SIP via WebRTC, but not HTTP, HTTPS, FTP, STUN, TURN, TURNS, etc.).

Am I wrong or wouldn't ignoring TCP packets with a fragmentation flag in the IP header be an easy fix for most ALGs?

Checking for TCP segmentation or IP fragmentation would solve SIP but not other ALGs, e.g. https://github.com/samyk/linux/blob/29b0b5d56589d66bd5793f1e09211ce7d7d3cd36/net/netfilter/nf_conntrack_irc.c

There is very little information to find about this, but I was wondering whether this is a design implementation on the R7000 router that was exploited, or whether this affects all ALGs per definition? Surely the TCP case could easily be avoided if the router would take fragmentation into account by looking at the fragment offset field in the packet? I am unsure about the UDP case though...
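
The fragment-offset check asked about above, applied to constructed packets, as an added illustration (not code from the project or from anyone in this thread): IP fragments are flagged, but a TCP stream split into two segments arrives as ordinary unfragmented IP packets, so the IP header alone does not reveal segmentation. The addresses, ports and payloads are made up.

```python
import struct

IP_MF = 0x2000        # "more fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF   # fragment offset, counted in 8-byte units


def fragment_info(packet: bytes):
    """Return (is_fragment, offset_bytes, more_fragments) for an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    (flags_off,) = struct.unpack_from("!H", packet, 6)
    more = bool(flags_off & IP_MF)
    offset = (flags_off & IP_OFFMASK) * 8
    return (more or offset > 0, offset, more)


def ipv4(payload: bytes, proto: int, flags_off: int = 0) -> bytes:
    """Constructed IPv4 header (checksum left at 0) around payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                       flags_off, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload


def tcp(seq: int, data: bytes) -> bytes:
    """Constructed 20-byte TCP header (checksum left at 0) plus data."""
    return struct.pack("!HHIIBBHHH", 40000, 8080, seq, 0, 5 << 4, 0x18,
                       65535, 0, 0) + data


STREAM = b"first line\r\nsecond line\r\n"  # constructed application data


def sample_packets():
    """Constructed traffic: one TCP stream in two segments, one datagram in two IP fragments."""
    return {
        "tcp_seg1": ipv4(tcp(1000, STREAM[:12]), proto=6),
        "tcp_seg2": ipv4(tcp(1012, STREAM[12:]), proto=6),  # starts mid-stream
        "ip_frag1": ipv4(b"A" * 16, proto=17, flags_off=IP_MF),
        "ip_frag2": ipv4(b"B" * 8, proto=17, flags_off=2),  # offset 2 * 8 bytes
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, fragment_info(pkt))
```

Telling the second TCP segment apart from the start of a connection needs per-connection sequence tracking rather than an IP header check.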