Patching Holes in Enterprise Grade Firewalls and Writing Netfilter Modules
Over the years, firewalls have progressively become more and more sophisticated; however, there are a couple of classic methods of bypassing even enterprise grade firewalls that seem to consistently work. Namely, by using covert channels, an attacker can exfiltrate data through these firewalls. In fact, these techniques were used as a means of covert communication during the Target breach in 2014[1], which exposed the information of approximately 70 million customers[2]. These techniques, such as DNS Tunneling and ICMP Tunneling, consistently work because their respective protocols are mandated by business requirements. Furthermore, firewalls generally do not have any built-in capability to detect these covert channels.
Preventing Covert Channels
From a networking perspective, we have a few options to prevent covert channels. The preferred option is to examine whether devices on the network really need to communicate using these protocols (DNS and ICMP). If devices on the network need to use these protocols, which is common, then rather complex firewall rules or intrusion detection system configurations are necessary to defend against the threat. Specifically, advanced tools such as Snort and Bro can each be configured to detect ICMP anomalies[3] and DNS anomalies[4].
Don’t Forget About ICMP Tunnels
During my research on these techniques, I focused on ICMP tunnels since they are often forgotten about by network engineers and are less restrictive on what data can be transmitted. Since ICMP is a transport layer protocol, it was designed with data encapsulation in mind. However, only a select few programs utilize this protocol in normal operation. These programs (ping and traceroute) don’t put any useful data in the packet’s payload; they only care about receiving a reply.
Difficulties in Detecting Malicious ICMP Traffic
It is surprisingly difficult to detect malicious ICMP traffic since it is a transport protocol and can carry any kind of data, which means that you can’t simply do detection based on a blocklist. It is also difficult to generate a complete profile of known good traffic, as there is a large variety of implementations among common tools on different operating systems. For instance, the ping tool on Ubuntu generates a distinctly different ICMP packet from the ping tool on Windows. However, since the majority of benign programs that use ICMP ignore the payload, and ICMP tunnels require the payload to arrive intact, a possible solution is simply to overwrite the payload with useless data.
The most common firewall implementation, iptables, did not have this capability, so I wrote an extension for iptables and netfilter. The result was a generalized tool that allows users to overwrite data in any given packet arbitrarily.
Note that this extension was written as a proof of concept: it could easily break networking capabilities and should only be used for experimentation, not in production. The extension is available for download and use at: https://github.com/SecurityInnovation/iptables-OVERWRITE
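To make the mitigation concrete, here is an added userland C example (written for this article, not the iptables-OVERWRITE module or its netfilter code) that blanks the payload of an ICMP echo message and recomputes the ICMP checksum so the packet stays well-formed; the echo packet and its smuggled text payload are constructed sample input, and the function names are illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ICMP_HDR_LEN 8
#define ICMP_ECHO_REQUEST 8
#define ICMP_ECHO_REPLY 0

/* RFC 1071 one's-complement checksum; returns 0 for a correctly checksummed message. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;   /* odd trailing byte */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Overwrite the payload of an echo request/reply with `fill` and fix the checksum.
 * Returns the number of payload bytes overwritten, or -1 for any other ICMP type,
 * which is left untouched (error messages carry the offending header, not echo data). */
int icmp_blank_payload(uint8_t *pkt, size_t len, uint8_t fill)
{
    if (len < ICMP_HDR_LEN || (pkt[0] != ICMP_ECHO_REQUEST && pkt[0] != ICMP_ECHO_REPLY))
        return -1;
    size_t plen = len - ICMP_HDR_LEN;
    memset(pkt + ICMP_HDR_LEN, fill, plen);
    pkt[2] = pkt[3] = 0;                        /* checksum field is zero while summing */
    uint16_t csum = icmp_checksum(pkt, len);
    pkt[2] = csum >> 8; pkt[3] = csum & 0xff;
    return (int)plen;
}

/* Constructed sample: an echo request whose payload smuggles a text string,
 * the shape an ICMP tunnel produces. Returns the message length, 0 if `out` is too small. */
size_t build_sample_echo(uint8_t *out, size_t cap, const char *data)
{
    size_t plen = strlen(data);
    if (cap < ICMP_HDR_LEN + plen) return 0;
    memset(out, 0, ICMP_HDR_LEN);
    out[0] = ICMP_ECHO_REQUEST;                 /* type 8, code 0 */
    out[4] = 0x12; out[5] = 0x34;               /* identifier */
    out[7] = 0x01;                              /* sequence number 1 */
    memcpy(out + ICMP_HDR_LEN, data, plen);
    uint16_t csum = icmp_checksum(out, ICMP_HDR_LEN + plen);
    out[2] = csum >> 8; out[3] = csum & 0xff;
    return ICMP_HDR_LEN + plen;
}
```

A netfilter hook would apply the same two steps to the ICMP portion of the skb; the reply from the far host still matches on identifier and sequence number, so ordinary ping keeps working while a tunnelled payload arrives blank.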
Understanding The Reality of Covert Channels
Covert channels are so effective because understanding of their underlying protocols is often oversimplified to a mainstream use case, when in reality these protocols offer robust end-to-end networking functionality. By being aware that these covert channels exist, network engineers are better equipped to defend a network effectively.
Nick Huber was a summer 2018 intern at Security Innovation, Seattle. Nick is a student at the University of Washington where he participates on the university’s CTF and CCDC teams.
[1] http://artemonsecurity.com/KAPTOXA_20140114.pdf (Released through FireEye iSIGHT Threat Intelligence and reuploaded)
[2] https://www.forbes.com/sites/maggiemcgrath/2014/01/10/target-data-breach-spilled-info-on-as-many-as-70-million-customers/
[3] https://github.com/Security-Onion-Solutions/security-onion/wiki/ICMP-Anomaly-Detection
[4] https://github.com/Security-Onion-Solutions/security-onion/wiki/DNSAnomalyDetection