Millions of tunneling hosts are vulnerable to spoofing, DDoS attacks, say researchers

There are more than 4 million vulnerable hosts on the internet that accept unauthenticated tunneling traffic, say Belgian researchers. Unless CISOs and network product manufacturers act, they warn, those hosts can be abused as one-way proxies: an adversary can spoof the source address of packets to gain access to an organization’s private network, or can leverage the hosts to facilitate new denial of service attacks.

The evidence is in an academic paper published this week by authors Angelos Beitis and Mathy Vanhoef of KU Leuven University’s DistriNet Research Unit.

They started by scanning the internet using seven scanning methods to look for devices, including desktop PCs, cloud servers, and core routers, that accept legacy or modern tunneling traffic not protected by IPsec or a comparable security layer. The 4 million vulnerable hosts they discovered accept unauthenticated IP in IP (IPIP), Generic Routing Encapsulation (GRE), IPv4 in IPv6 (4in6), or IPv6 in IPv4 (6in4) traffic. By default, these protocols use neither authentication nor encryption.

It’s bad enough, the authors wrote, that these hosts can be abused by existing attacks; the researchers found they can also facilitate new distributed denial of service (DDoS) amplification attacks. One concentrates traffic in time, and another loops packets between vulnerable hosts, yielding amplification factors of at least 16 and 75, respectively.

In addition, the hosts can be hit with what the authors call an Economic Denial of Sustainability (EDoS) attack, in which the outgoing bandwidth of a host is drained, or an Administrative Denial of Service, in which the vulnerable hosts send traffic that causes the recipient to file an abuse report with the host’s ISP, possibly leading to its account being suspended.

Defenses

However, CISOs are not without defenses, the paper says.

First, a host should use a secure protocol suite that provides authentication and encryption, such as IPsec (Internet Protocol Security). Often used to set up VPNs, IPsec encrypts IP packets and authenticates their source.

“Since IPsec can transport any IP protocol, it can be used to protect all discussed tunneling protocols; a host should only accept tunneling packets that are protected using IPsec,” the paper said.

Second, network defenses such as ingress and egress traffic filtering and deep packet inspection can be implemented on routers or other internet middleboxes to prevent or limit the damage of attacks. Traffic filtering would prevent an adversary from forcing hosts to spoof packets, while deep packet inspection would detect likely malicious tunneling packets. For example, the paper says, the network could drop packets where the number of encapsulated headers exceeds a number x, where x is the number of tunneled hosts in the network.

Third, the paper says that in some networks it may also be possible to block all incoming or outgoing unencrypted tunneling packets. For instance, if a host uses IPsec in combination with GRE but, due to a misconfiguration, also accepts unencrypted GRE packets, the network can block unencrypted GRE packets. The host would still be able to receive IPsec traffic and hence function normally while being protected from attacks.
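The two network-side checks above (drop packets whose nested tunnel headers exceed a limit x, and block clear-text GRE when the host is supposed to use GRE over IPsec) can be expressed as a small header walker. This is an added example written for this article, not code from the paper or its authors; it assumes raw IP packets as input, treats ESP/AH as the IPsec marker, and skips IPv6 extension headers for brevity. The packet builders and addresses at the bottom are constructed test data.

```python
import struct

# IANA protocol numbers: IPIP and 4in6 = 4, 6in4 = 41, GRE = 47, IPsec ESP = 50 / AH = 51
IPIP, IPV6_ENCAP, GRE, ESP, AH = 4, 41, 47, 50, 51

def _skip_gre(data):
    """Return the GRE payload when it carries IPv4/IPv6, else None (RFC 2784/2890)."""
    if len(data) < 4:
        return None
    flags, ethertype = struct.unpack("!HH", data[:4])
    # Optional checksum+reserved (C), key (K) and sequence (S) fields, 4 bytes each
    hdr_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return data[hdr_len:] if ethertype in (0x0800, 0x86DD) else None  # IPv4/IPv6 ethertypes

def encapsulation_depth(packet):
    """Walk outer->inner; return (nested tunnel headers, ESP/AH is outermost).
    A deeper ESP/AH ends the walk (opaque); IPv6 extension headers are not parsed."""
    depth, data = 0, packet
    while data:
        if data[0] >> 4 == 4 and len(data) >= 20:
            proto, payload = data[9], data[(data[0] & 0x0F) * 4:]
        elif data[0] >> 4 == 6 and len(data) >= 40:
            proto, payload = data[6], data[40:]
        else:
            break
        if proto in (ESP, AH):
            return depth, depth == 0
        if proto == GRE:
            payload = _skip_gre(payload)
            if payload is None:
                break
        elif proto not in (IPIP, IPV6_ENCAP):
            break
        depth, data = depth + 1, payload
    return depth, False

def should_drop(packet, max_depth, require_ipsec=False):
    """Paper's DPI rule: drop when nesting exceeds max_depth; require_ipsec also drops clear-text tunnels."""
    depth, ipsec = encapsulation_depth(packet)
    return not ipsec and (depth > max_depth or (require_ipsec and depth > 0))

# Constructed minimal packet builders for testing (RFC 5737 / zeroed documentation addresses)
def ipv4(proto, payload):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + bytes([192, 0, 2, 1, 198, 51, 100, 2]) + payload
def ipv6(nxt, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + bytes(32) + payload
def gre(ethertype, payload, key=None):
    opt = b"" if key is None else struct.pack("!I", key)
    return struct.pack("!HH", 0x2000 if opt else 0, ethertype) + opt + payload
```

A Ping-Pong style packet, which nests tunnel headers until the maximum packet size is reached, shows up as a large depth and is dropped by the first rule; a GRE packet arriving in the clear beside an IPsec-protected tunnel is dropped by the second.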

The problem of hosts accepting unencrypted traffic isn’t new, commented Johannes Ullrich, dean of research at the SANS Institute. “People keep rediscovering this since at least 2001,” he said in an email. That was the year he first saw some 6to4 tunnels used for Internet Relay Chat (IRC) communication with a botnet. Microsoft partly addressed this when it enabled the Teredo tunneling protocol in Windows 7, he wrote. Teredo is a transition technology that gives IPv6 connectivity to IPv6-capable hosts on the IPv4 internet that have no native connection to an IPv6 network.

Hosts accepting unencrypted traffic have been exploited a few times in the wild, Ullrich wrote, “but for the most part, it never turned into a big deal.

“People also occasionally rediscover that IPv6 is preferred over IPv4 in most operating systems, and rogue IPv6 networks can in some cases lead to VPN leakage,” he added.

Why is this important

Tunneling protocols, including IPIP and GRE, are an essential backbone of the internet, the paper says. These protocols can link disconnected networks and form virtual private networks (VPNs). One limitation is that they neither authenticate nor encrypt traffic; to be secured, they must be combined with IPsec.

Previous research showed misconfigured IPv4 hosts may accept unauthenticated IPIP tunneling traffic from any source, the paper says, and that these hosts could be used to spoof IPv4 addresses. The authors’ research shows that IPv4 and IPv6 hosts using other tunneling protocols can also be exploited.

The new amplification DoS attacks the two researchers discovered are:

  • Tunneled-Temporal Lensing (TuTL): This attack concentrates attacker-generated packets in time. For instance, the attacker sends packets for 10 seconds and uses protocol properties to ensure they arrive at the victim in a window of less than one second, resulting in an amplification factor of at least 10. The adversary does so by sending traffic over multiple different chains of vulnerable hosts so all of the traffic arrives simultaneously at the victim.
  • The Ping-Pong attack: This attack loops packets sent by an attacker between vulnerable hosts. The idea, says the paper, is that an adversary constructs a tunneling packet that has another tunneling packet as an inner packet, and so on, until the maximum packet size is reached. The inner packet’s IP headers have the other vulnerable host as the destination, meaning the (decapsulated) packet is constantly sent between the hosts.

The new Economic Denial of Sustainability (EDoS) attack aims to raise a victim’s cloud costs by using a Ping-Pong attack to consume bandwidth.

“The TuTL attack is especially concerning, since it can be abused to perform DoS attacks against any third-party host on the internet,” the authors wrote.

“Our measurements also show that many Autonomous Systems, more than four thousand in total, do not (properly) implement source address filtering, thereby allowing the spoofing of source IP addresses,” they wrote. “We hope our results will motivate and guide administrators to secure tunneling hosts better.”

Mitigation

In an email, Beitis and Vanhoef speculated that this issue has not been resolved for many years due to a number of factors, including the need by some organizations and ISPs to have backwards compatibility with older devices, the transition towards IPv6-enabled networks, and the need by some administrators to have simplicity and performance in their networks.

“In any case,” they added, “this issue is not trivially solvable, since some ISPs may have misconfigured legacy devices that will need co-ordination to replace/reconfigure, etc.”

ISPs should adopt the filtering mechanisms that have been recommended for many years to block spoofed traffic, specifically ingress and egress filtering, the authors said in their email. ISPs should also ensure that their devices, by default, don’t forward tunneled packets without authentication and encryption. They note the paper also discusses the need for deep packet inspection of suspicious tunneled packets.

A VPN vendor, the authors add, should ensure that the tunneling protocols used to connect clients to its VPN servers are secure, by incorporating authentication and encryption measures such as WireGuard, the IPsec suite of protocols, OpenVPN and others.

Network equipment vendors should ensure their equipment does not handle insecure packets by default. Ideally, they should restrict their usage to only be in combination with IPsec, and give a warning when the device is configured to accept unauthenticated tunneling packets.

If a CISO’s organization possesses its own IP ranges, the authors also said, it should subscribe to the Shadowserver Foundation to get automated warnings, since Shadowserver performs daily scans and can notify the owners of vulnerable hosts. Otherwise, organizations can request access to the authors’ tools to confirm that their network contains no open tunneling hosts.

16 January 2025