How to configure and test "IP Timestamp Option" protection

Created On 04/07/22 17:00 PM - Last Modified 01/07/25 02:52 AM


Objective


Configure and test the IP Timestamp Option drop using Zone Protection.

Note: this article is not about the TCP Timestamp option.


Environment


  • All PAN-OS firewalls


Procedure


1. Set up a Linux host for testing.

2. Use ping, or install the sendip command. On Debian-based systems it can be installed with apt:
$ sudo apt install sendip

3. Configure a Zone Protection profile [ Network > Network Profiles > Zone Protection > (Open Profile) > Packet Based Attack Protection > IP Drop > Check "IP Option Drop: Timestamp" ]

Enable IP Timestamp Option drop

4. Associate the Zone Protection profile with the ingress Zone facing your Linux host.
Associate the Zone Protection Profile with the ingress Zone

5. Commit

6. Run the ping or sendip command from the Linux host:
$ ping -c 1 -T tsonly DESTINATION_IP

OR
$ sudo sendip -p ipv4 -is SOURCE_IP -id DESTINATION_IP -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v DESTINATION_IP


Example:
$ ping -c 1 -T tsonly 8.8.8.8


OR

$ sudo sendip -p ipv4 -is 192.168.80.2 -id 8.8.8.8 -iots 05:01:00:200 -p udp -us 53 -ud 53 -d "IP Option Timestamp test" -v 8.8.8.8
[sudo] password for user1:
Added 26 options
Initializing module ipv4
Initializing module udp
Finalizing module udp
Finalizing module ipv4
Final packet data:
47 00 00 3C   G..<
8A 2B 00 00   .+..
FF 11 C4 EA   ....
C0 A8 50 02   ..P.
08 08 08 08   ....
44 08 05 10   D...
00 00 00 C8   ....
00 35 00 35   .5.5
00 20 3E 3B   . >;
49 50 20 4F   IP O
70 74 69 6F   ptio
6E 20 54 69   n Ti
6D 65 73 74   mest
61 6D 70 20   amp
74 65 73 74   test
Sent 60 bytes to 8.8.8.8
Freeing module ipv4
Freeing module udp
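As an added check that is not part of the original article, the following Python decodes the raw bytes in the sendip dump above and extracts the IPv4 Internet Timestamp option (type 68), which is the field the Zone Protection profile matches on. The second, option-free packet is constructed here for the negative case; the parser also rejects malformed option lengths, which a dropped packet in a capture may carry.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_TS = 0, 1, 68  # option type codes from RFC 791

# Sample input reconstructed from the sendip "Final packet data" dump above:
# IHL 7 (28-byte header) carrying a type-68 option, then UDP 53 -> 53.
SAMPLE_TS = bytes.fromhex(
    "4700003C 8A2B0000 FF11C4EA C0A85002 08080808"  # base IPv4 header
    "44080510 000000C8"                             # type 68, len 8, ptr 5, oflw 1 / flg 0, ts 200
    "00350035 00203E3B"                             # UDP header
) + b"IP Option Timestamp test"
# Constructed plain packet (IHL 5, no options) for the negative case.
SAMPLE_PLAIN = bytes.fromhex("4500001C 00010000 40110000 C0A85002 08080808 00350035 00080000")


def ipv4_options(pkt):
    """Yield (type, data) for each option in the IPv4 header; reject malformed lengths."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts, i = pkt[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:          # end of option list
            return
        if kind == IPOPT_NOP:          # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        yield kind, bytes(opts[i + 2:i + length])
        i += length


def find_timestamp_option(pkt):
    """Return the decoded Internet Timestamp option fields, or None if absent."""
    for kind, data in ipv4_options(pkt):
        if kind != IPOPT_TS:
            continue
        if len(data) < 2:
            raise ValueError("truncated timestamp option")
        pointer, flag, body = data[0], data[1] & 0x0F, data[2:]
        if flag == 0:  # timestamps only: consecutive 32-bit values
            stamps = [struct.unpack("!I", body[j:j + 4])[0] for j in range(0, len(body) - 3, 4)]
        else:          # flag 1 or 3: (address, timestamp) pairs
            stamps = [("%d.%d.%d.%d" % tuple(body[j:j + 4]), struct.unpack("!I", body[j + 4:j + 8])[0])
                      for j in range(0, len(body) - 7, 8)]
        return {"pointer": pointer, "overflow": data[1] >> 4, "flag": flag, "timestamps": stamps}
    return None
```

Running it over the sendip packet yields pointer 5, overflow 1, flag 0 and a single timestamp of 200, matching the `-iots 05:01:00:200` argument.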



7. Verify the Threat log using the display filter (threatid eq 8703)
Threat log with the display filter (threatid eq 8703) applied


8. Detailed log view

Detailed Threat log view of the IP Option Timestamp drop



Additional Information


Following RFC 7126, most ISPs generally filter IP packets carrying the IP Timestamp option in transit.

Excerpt from the Best Current Practice RFC 7126, "Filtering of IP-Optioned Packets", February 2014 [Page 13]:
4.7.  Internet Timestamp (Type = 68)

4.7.1.  Uses

   This option provides a means for recording the time at which each
   system (or a specified set of systems) processed this datagram, and
   it may optionally record the addresses of the systems providing the
   timestamps.

4.7.2.  Option Specification

   Specified by RFC 791 [RFC0791].

4.7.3.  Threats

   The timestamp option has a number of security implications [RFC6274].
   Among them are:

   o  It allows an attacker to obtain the current time of the systems
      that process the packet, which the attacker may find useful in a
      number of scenarios.

   o  It may be used to map the network topology in a similar way to the
      IP Record Route option.

   o  It may be used to fingerprint the operating system in use by a
      system processing the datagram.

   o  It may be used to fingerprint physical devices by analyzing the
      clock skew.

   [Kohno2005] describes a technique for fingerprinting devices by
   measuring the clock skew.  It exploits, among other things, the
   timestamps that can be obtained by means of the ICMP timestamp
   request messages [RFC0791].  However, the same fingerprinting method
   could be implemented with the aid of the Internet Timestamp option.

4.7.4.  Operational and Interoperability Impact if Blocked

   Network troubleshooting techniques that may employ the Internet
   Timestamp option (such as ping with the Timestamp option) would break
   when using the Timestamp option.  (Ping without IPv4 options is not
   impacted.)  Nevertheless, it should be noted that it is virtually
   impossible to use such techniques due to widespread dropping of
   packets that contain Internet Timestamp options.

4.7.5.  Advice

   Routers, security gateways, and firewalls SHOULD drop IP packets
   containing an Internet Timestamp option.

Reference:
https://datatracker.ietf.org/doc/html/rfc7126#section-4.7

