How to configure and test "IP Timestamp Option" protection
3655
Created On 04/07/22 17:00 PM - Last Modified 01/07/25 02:51 AM
Objective
Configure and test IP Timestamp Option drop using Zone Protection
Note: This article is not related to the TCP Timestamp option.
Environment
- All PAN-OS firewalls
Procedure
1. Set up a Linux host for testing.
2. Use ping, or install the sendip command. On Debian-based systems it can be installed using apt:
$ sudo apt install sendip
3. Configure a Zone Protection profile [ Network > Network Profiles > Zone Protection > (Open Profile) > Packet Based Attack Protection > IP Drop > Check "IP Option Drop: Timestamp" ]
4. Associate the Zone Protection profile with the ingress zone facing your Linux host.
5. Commit.
6. Run the ping or sendip command from the Linux host:
$ ping -c 1 -T tsonly DESTINATION_IP
OR
$ sudo sendip -p ipv4 -is SOURCE_IP -id DESTINATION_IP -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v DESTINATION_IP
Example:
$ ping -c 1 -T tsonly 8.8.8.8
OR
$ sudo sendip -p ipv4 -is 192.168.80.2 -id 8.8.8.8 -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v 8.8.8.8
[sudo] password for user1:
Added 26 options
Initializing module ipv4
Initializing module udp
Finalizing module udp
Finalizing module ipv4
Final packet data:
47 00 00 3C G..<
8A 2B 00 00 .+..
FF 11 C4 EA ....
C0 A8 50 02 ..P.
08 08 08 08 ....
44 08 05 10 D...
00 00 00 C8 ....
00 35 00 35 .5.5
00 20 3E 3B . >;
49 50 20 4F IP O
70 74 69 6F ptio
6E 20 54 69 n Ti
6D 65 73 74 mest
61 6D 70 20 amp
74 65 73 74 test
Sent 60 bytes to 8.8.8.8
Freeing module ipv4
Freeing module udp
7. Check the Threat log using the display filter (threat ID eq 8703).
8. Open the detailed log view.
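To see exactly what the firewall is matching on, it helps to decode the datagram that sendip printed in step 6. The following is an added example for this article (it is not PAN-OS or sendip code): it parses the IPv4 header, walks the option area, verifies the header checksum, and flags the Internet Timestamp option (type 68). The sample packet is constructed from the "Final packet data" hex dump above; the function and variable names are this example's own.

```python
"""Decode the IPv4 options of a raw packet and flag the Internet Timestamp
option (type 68) that the zone protection profile in this article drops.

Added example for this article, not PAN-OS or sendip code. The sample
datagram below is constructed from the 60-byte "Final packet data" hex
dump that sendip printed in step 6."""
import struct

IPOPT_EOL = 0          # end of option list
IPOPT_NOP = 1          # no-operation padding
IPOPT_TIMESTAMP = 68   # 0x44, RFC 791 Internet Timestamp

# Constructed from the sendip output above: IPv4 header (IHL 7 = 28 bytes),
# one 8-byte timestamp option, UDP 53 -> 53, 24-byte text payload.
SAMPLE_PACKET = bytes.fromhex(
    "4700003c" "8a2b0000" "ff11c4ea" "c0a85002" "08080808"   # fixed 20-byte header
    "44080510" "000000c8"                                    # type 68, len 8, ptr 5, ovf 1, flag 0, ts 200
    "00350035" "00203e3b"                                    # UDP header
) + b"IP Option Timestamp test"


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_options(packet: bytes) -> list:
    """Walk the option area (bytes 20 .. IHL*4) and return one dict per option."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    options, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append({"type": kind, "length": length, "data": packet[i + 2:i + length]})
        i += length
    return options


def decode_timestamp_option(opt: dict) -> dict:
    """Split the option body into pointer, overflow, flag and recorded entries."""
    data = opt["data"]
    pointer, overflow, flag = data[0], data[1] >> 4, data[1] & 0x0F
    body = data[2:]
    if flag == 0:   # timestamps only
        entries = [struct.unpack("!I", body[k:k + 4])[0] for k in range(0, len(body) - 3, 4)]
    else:           # flag 1 or 3: (address, timestamp) pairs
        entries = [(".".join(map(str, body[k:k + 4])), struct.unpack("!I", body[k + 4:k + 8])[0])
                   for k in range(0, len(body) - 7, 8)]
    return {"pointer": pointer, "overflow": overflow, "flag": flag, "entries": entries}


def inspect_packet(packet: bytes) -> dict:
    """Summarise the header and report whether a timestamp option is present."""
    ihl = (packet[0] & 0x0F) * 4
    options = parse_ipv4_options(packet)
    ts = [o for o in options if o["type"] == IPOPT_TIMESTAMP]
    return {
        "total_length": struct.unpack("!H", packet[2:4])[0],
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "option_types": [o["type"] for o in options],
        "has_timestamp_option": bool(ts),
        "timestamp": decode_timestamp_option(ts[0]) if ts else None,
    }


if __name__ == "__main__":
    for key, value in inspect_packet(SAMPLE_PACKET).items():
        print(f"{key}: {value}")
```

Running it on the sample packet reports IHL 28 (so 8 bytes of options), a valid header checksum, and a single option of type 68 with pointer 5, overflow 1, flag 0 and one recorded timestamp of 200, which is exactly what `-iots 05:01:00:200` asked sendip to build. The same parser applied to a capture from the ingress interface shows whether the packets the firewall logs under threat ID 8703 really carry this option.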
Additional Information
Following RFC 7126, most ISPs generally filter IP packets carrying the IP Timestamp option in transit.
Snippet of Best Current Practice [Page 13]
RFC 7126 Filtering of IP-Optioned Packets
February 2014
4.7. Internet Timestamp (Type = 68)
4.7.1. Uses
This option provides a means for recording the time at which each
system (or a specified set of systems) processed this datagram, and
it may optionally record the addresses of the systems providing the
timestamps.
4.7.2. Option Specification
Specified by RFC 791 [RFC0791].
4.7.3. Threats
The timestamp option has a number of security implications [RFC6274].
Among them are:
o It allows an attacker to obtain the current time of the systems
that process the packet, which the attacker may find useful in a
number of scenarios.
o It may be used to map the network topology in a similar way to the
IP Record Route option.
o It may be used to fingerprint the operating system in use by a
system processing the datagram.
o It may be used to fingerprint physical devices by analyzing the
clock skew.
[Kohno2005] describes a technique for fingerprinting devices by
measuring the clock skew. It exploits, among other things, the
timestamps that can be obtained by means of the ICMP timestamp
request messages [RFC0791]. However, the same fingerprinting method
could be implemented with the aid of the Internet Timestamp option.
4.7.4. Operational and Interoperability Impact if Blocked
Network troubleshooting techniques that may employ the Internet
Timestamp option (such as ping with the Timestamp option) would break
when using the Timestamp option. (Ping without IPv4 options is not
impacted.) Nevertheless, it should be noted that it is virtually
impossible to use such techniques due to widespread dropping of
packets that contain Internet Timestamp options.
4.7.5. Advice
Routers, security gateways, and firewalls SHOULD drop IP packets
containing an Internet Timestamp option.
Reference:
https://datatracker.ietf.org/doc/html/rfc7126#section-4.7