Security #7458

closed

af-packet: defrag option can lead to truncated packets

Added by Jason Ish 7 months ago. Updated 1 day ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
HIGH
Disclosure Date:

Description

Given a default AF_PACKET IDS configuration, the default snaplen is set to 1524. However, the defrag option can reassemble fragmented packets up to the maximum packet size. Suricata will then see these packets as truncated, create an alert, but not go any further with the packets.

A quick test with --set default-packet-size=5000 helps with smaller packets, as seen with WireGuard, but can only be increased to just over 32000 before other parameters need to be adjusted.

If the defrag option is used, should we set up AF_PACKET to handle full-size packets by default?


Subtasks 1 (0 open, 1 closed)

Security #7459: af-packet: defrag option can lead to truncated packets (7.0.x backport) (Closed, Jason Ish)

Related issues 1 (0 open, 1 closed)

Related to Suricata - Optimization #4798: af-packet: default to tpacket-v3 in IDS mode (Closed, Jason Ish)
#1

Updated by OISF Ticketbot 7 months ago

  • Subtask #7459 added

#2

Updated by OISF Ticketbot 7 months ago

  • Label deleted (Needs backport to 7.0)

#3

Updated by Jason Ish 7 months ago

Current work-around with code changes for IDS mode only:

# 65535 + 14
default-packet-size: 65549

af-packet:
  - interface: enp10s0
    defrag: true
    # Required for custom block-size, but not recommended for IPS.
    tpacket-v3: true
    # Large enough for 32 packets of default-packet-size.
    block-size: 2097152

For tpacket-v2, as well as IPS mode, I guess the best thing is to disable defrag. However, turning off defrag is necessary for IPS setups.

Questions:
- What is the impact of increasing this block size?
- What is the impact of increasing the default packet size?
- Can we/should we modify the code to fix this for tpacket-v2 (which is the default)?

Should we look at better defaults? If IDS, default to tpacket-v3 with large packet size? If IPS, force off defrag?

I think it would be rather trivial to stuff something like DNS requests with extra data such that Suricata IDS defaults would always see the packets as truncated. Or perform some UDP tunneling in large packets that are always fragmented and seen as truncated by Suricata, using the defaults.

#4

Updated by Jason Ish 7 months ago

  • Description updated (diff)

#5

Updated by Jason Ish 7 months ago

To keep with tpacket v2, I had to make this adjustment:

#define AFP_BLOCK_SIZE_DEFAULT_ORDER 5

Where the value is currently 3.

#6

Updated by Jason Ish 6 months ago

  • Assignee changed from OISF Dev to Eric Leblond

#7

Updated by Jason Ish 5 months ago

#8

Updated by Jason Ish 5 months ago

  • Status changed from New to In Progress
  • Assignee changed from Eric Leblond to Jason Ish

#9

Updated by Jason Ish 5 months ago

  • Status changed from In Progress to In Review

#10

Updated by Jason Ish 4 months ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE

#11

Updated by Jason Ish 4 months ago

  • Severity changed from MODERATE to HIGH

#13

Updated by Jason Ish 4 months ago

  • Status changed from In Review to Resolved

While it's still possible that truncated packets can be seen in 7.0.9, the alert is there, and the configuration options are there to mitigate the issue.

In summary, the following changes were made to the development branch and backported to 7.0.9:
- Increase the default block size from 32k to 128k. This allows a fully defragmented packet to fit.
- For tpacket-v2, increase the default snaplen from 1514 to 9k. In normal usage it's probably unlikely to see 65k packets, and keeping the snaplen down decreases the memory usage. It's not uncommon to see packets a little over the MTU with VPNs and such, so this should cover those.
- Expose a tpacket-v2 block size parameter in the config so users can lower it if necessary.
- Add a warning recommending tpacket-v3 if in passive IDS mode.
- Add a warning to disable defrag if in IPS mode.
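Worked example, added to this page and not Suricata or Linux kernel code, modelling the mechanism in the issue description, the sizing of the #3 work-around and the #13 defaults: a datagram whose fragments each fit the 1524-byte snaplen is handed back as one oversized frame once the socket reassembles it, and the ring block must be big enough to hold at least one frame at the chosen snaplen. The IPv4/UDP builder is a constructed sample (no checksums, no options); PAGE_SIZE 4096, TPACKET2_HDRLEN 52 and TPACKET3_HDRLEN 68 are assumed from <linux/if_packet.h>; the per-frame ring cost is a simplified worst case (every frame at full snaplen); "9k" from #13 is taken as 9216; the 1524 snaplen is the value the description quotes.

```python
"""Toy model of the AF_PACKET defrag / snaplen / ring-block interaction.

Added example, not Suricata or kernel code. Simplifications and assumed
constants are marked inline."""
import struct

ETH_HLEN, IP_HLEN, UDP_HLEN, MAX_IP_LEN = 14, 20, 8, 65535
PAGE_SIZE = 4096                              # assumed
TPACKET2_HDRLEN, TPACKET3_HDRLEN = 52, 68     # assumed from <linux/if_packet.h>


def build_udp_datagram(payload_len):
    """One IPv4/UDP datagram (constructed sample input, checksums left at 0)."""
    total = IP_HLEN + UDP_HLEN + payload_len
    if total > MAX_IP_LEN:
        raise ValueError("IPv4 total length cannot exceed 65535")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 53, 53, UDP_HLEN + payload_len, 0)
    return ip + udp + bytes(payload_len)


def fragment(datagram, mtu=1500):
    """Split a datagram into on-the-wire fragments as a sending host does:
    each carries up to mtu-20 payload bytes, rounded down to a multiple of 8."""
    hdr, payload = datagram[:IP_HLEN], datagram[IP_HLEN:]
    step = (mtu - IP_HLEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        more_fragments = off + step < len(payload)
        flags_frag = (0x2000 if more_fragments else 0) | (off // 8)
        frags.append(hdr[:2] + struct.pack("!H", IP_HLEN + len(chunk))
                     + hdr[4:6] + struct.pack("!H", flags_frag) + hdr[8:] + chunk)
    return frags


def reassemble(frags):
    """What the kernel does for a socket opened with defrag
    (PACKET_FANOUT_FLAG_DEFRAG): glue the fragments of one datagram back
    together before delivery. Fragment offset is the low 13 bits of bytes 6-7."""
    frags = sorted(frags, key=lambda f: struct.unpack("!H", f[6:8])[0] & 0x1FFF)
    hdr = frags[0][:IP_HLEN]
    payload = b"".join(f[IP_HLEN:] for f in frags)
    return (hdr[:2] + struct.pack("!H", IP_HLEN + len(payload)) + hdr[4:6]
            + b"\x00\x00" + hdr[8:] + payload)


def capture(ip_packets, snaplen, defrag):
    """Frames as Suricata would see them: (caplen, wirelen, truncated) per frame.
    wirelen includes the Ethernet header; caplen is clamped to the snaplen.
    With defrag=True all ip_packets are assumed to be fragments of one datagram."""
    frames = [reassemble(ip_packets)] if defrag else list(ip_packets)
    result = []
    for f in frames:
        wirelen = ETH_HLEN + len(f)
        caplen = min(wirelen, snaplen)
        result.append((caplen, wirelen, caplen < wirelen))
    return result


def tpacket_align(n):
    return (n + 15) & ~15


def frames_per_block(block_size, snaplen, hdrlen):
    """Worst-case frames per ring block (every frame at full snaplen).
    0 means one frame is larger than the block, which the kernel rejects
    when the PACKET_RX_RING is set up."""
    return block_size // tpacket_align(hdrlen + snaplen)


def v2_block_size(order):
    """tpacket-v2 block size from AFP_BLOCK_SIZE_DEFAULT_ORDER:
    a page shifted left by the order (3 -> 32 KiB, 5 -> 128 KiB)."""
    return PAGE_SIZE << order


if __name__ == "__main__":
    big = build_udp_datagram(2972)            # 3000-byte datagram, 3 fragments
    for defrag in (False, True):
        print("defrag", defrag, capture(fragment(big), 1524, defrag))
    print("v2 order 3, snaplen 65549:",
          frames_per_block(v2_block_size(3), 65549, TPACKET2_HDRLEN))
    print("v2 order 5, snaplen 9k:",
          frames_per_block(v2_block_size(5), 9 * 1024, TPACKET2_HDRLEN))
    print("v3 2 MiB block, snaplen 65549:",
          frames_per_block(2097152, 65549, TPACKET3_HDRLEN))
```

Run stand-alone it shows the three fragments (1514, 1514 and 54 bytes on the wire) passing untouched at snaplen 1524 with defrag off, and the same datagram coming back as a single 3014-byte frame cut to 1524 with defrag on. The sizing function reproduces the two numbers in the thread: a 32 KiB v2 block cannot hold even one 65549-byte frame (order 3 had to become 5), while the 2 MiB v3 block of the work-around holds 31 such frames under this worst-case cost, one short of the 32 the config comment aims for.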

#14

Updated by Jason Ish 4 months ago

  • Status changed from Resolved to Closed

#15

Updated by Juliana Fajardini Reichow 1 day ago

  • Private changed from Yes to No