Cómo configurar y probar la protección con la opción "IP Timestamp"
3655
Created On 04/07/22 17:00 PM - Last Modified 01/07/25 02:49 AM
Objective
Configurar y probar la opción de marca de tiempo de IP mediante protección de zona
Nota: Este artículo no está relacionado con las opciones de marca de tiempo de TCP .
Environment
- Todos los firewalls de PAN-OS
Procedure
1. Set up a linux host for testing.
2. Use ping or Install the sendip command. In debian based systems, it can be installed using apt:
$ sudo apt install sendip
3. Configure a Zone Protection profile [ Red > Perfiles de red > Protección de zona > (Open Profile) > Protección contra ataques basados en paquetes > Caída de IP > Check "Opción IP Drop: Marca de tiempo" ]
4. Associate the Zone Protection profile to the ingress Zone facing your linux host.
5. Commit
6. Run the ping or sendip command from the linux host:
$ ping -c 1 -T tsonly DESTINATION_IP
OR
$ sudo sendip -p ipv4 -is SOURCE_IP -id DESTINATION_IP -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v DESTINATION_IP
Example:
$ ping -c 1 -T tsonly 8.8.8.8
O
$ sudo sendip -p ipv4 -is 192.168.80.2 -id 8.8.8.8 -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v 8.8.8.8
[sudo] password for user1:
Added 26 options
Initializing module ipv4
Initializing module udp
Finalizing module udp
Finalizing module ipv4
Final packet data:
47 00 00 3C G..<
8A 2B 00 00 .+..
FF 11 C4 EA ....
C0 A8 50 02 ..P.
08 08 08 08 ....
44 08 05 10 D...
00 00 00 C8 ....
00 35 00 35 .5.5
00 20 3E 3B . >;
49 50 20 4F IP O
70 74 69 6F ptio
6E 20 54 69 n Ti
6D 65 73 74 mest
61 6D 70 20 amp
74 65 73 74 test
Sent 60 bytes to 8.8.8.8
Freeing module ipv4
Freeing module udp
7. Verifique los registros de amenazas mediante el filtro de visualización (threatid eq 8703)
8. Vista de la vista de registro detallada
Additional Information
Following RFC 7126, most ISP's will generally filter IP packets with IP Option Timestamp in transit.
Snippet of Best Current Practice [Page 13]
RFC 7126 Filtering of IP-Optioned Packets
February 2014
4.7. Internet Timestamp (Type = 68)
4.7.1. Uses
This option provides a means for recording the time at which each
system (or a specified set of systems) processed this datagram, and
it may optionally record the addresses of the systems providing the
timestamps.
4.7.2. Option Specification
Specified by RFC 791 [RFC0791].
4.7.3. Threats
The timestamp option has a number of security implications [RFC6274].
Among them are:
o It allows an attacker to obtain the current time of the systems
that process the packet, which the attacker may find useful in a
number of scenarios.
o It may be used to map the network topology in a similar way to the
IP Record Route option.
o It may be used to fingerprint the operating system in use by a
system processing the datagram.
o It may be used to fingerprint physical devices by analyzing the
clock skew.
[Kohno2005] describes a technique for fingerprinting devices by
measuring the clock skew. It exploits, among other things, the
timestamps that can be obtained by means of the ICMP timestamp
request messages [RFC0791]. However, the same fingerprinting method
could be implemented with the aid of the Internet Timestamp option.
4.7.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the Internet
Timestamp option (such as ping with the Timestamp option) would break
when using the Timestamp option. (Ping without IPv4 options is not
impacted.) Nevertheless, it should be noted that it is virtually
impossible to use such techniques due to widespread dropping of
packets that contain Internet Timestamp options.
4.7.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets
containing an Internet Timestamp option.
Reference:
https://datatracker.ietf.org/doc/html/rfc7126#section-4.7