rstlss
is an example of an unprivileged Linux process using a BPF filter to
block certain TCP packets coming to the socket.
This specific example shows how to circumvent one-sided TCP reset attack
by an on-path DPI box blocking
https://rutracker.org
(as Inappropriate TCP Resets Considered Harmful). :-)
On-path DPI box is assumed to be passive, being unable to drop packets, just being able to inject some.
One-sided TCP reset attack means that RST packet is injected only towards the "client" endpoints and the "server" does not get another RST. E.g. some networks in Uganda block OpenVPN/TCP with two-sided TCP reset attacks. One has to control the server as well to mitigate two-sided attack.
Following tests were done on 2019-04-19 from AS8997, OJSC Rostelecom. The vantage point observes blocking of HTTPS websites by means of SNI-based detection and one-sided RST injection to block connections.
It just runs and just works:
$ go build .
$ ./rstlss
panic: Get https://rutracker.org/robots.txt: read tcp 192.168.100.223:34176->195.82.146.214:443: read: connection reset by peer
goroutine 1 [running]:
main.main()
/home/darkk/go/src/github.com/darkk/rstlss/main.go:72 +0x69a
$ RSTLSS=1 ./rstlss | grep -C 3 rutracker
Allow: /forum/viewforum.php?f=
Allow: /forum/viewtopic.php
Disallow: /
Host: rutracker.org
User-agent: Adsbot-Google
User-agent: Googlebot-Image
$
The binary is run with awesome Termux after cross-compiling the binary at the desktop:
$ CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build .
Android PoC needs DNS server specified manually due to
golang/go#8877 and
net.dns1
hidden
since Android 8.0. One can get DNS server from Network Details:
$ RSTLSS_DNS=192.168.100.1:53 ./rstlss
panic: Get https://rutracker.org/robots.txt: read tcp 192.168.100.136:39882->195.82.146.214:443: read: connection reset by peer
goroutine 1 [running]:
main.main()
/home/darkk/go/src/github.com/darkk/rstlss/main.go:72 +0x544
$ RSTLSS_DNS=192.168.100.1:53 RSTLSS=1 ./rstlss | grep -C 3 rutracker
Allow: /forum/viewforum.php?f=
Allow: /forum/viewtopic.php
Disallow: /
Host: rutracker.org
User-agent: Adsbot-Google
User-agent: Googlebot-Image
$
This technique does not protect from malicious data being injected and effectively terminating the connection (e.g. HTTP redirect, TLS Alert or random garbage for authenticated TLS connection). Doing MAC within 4096 opcodes limit of a BPF program (~11 opcodes per dword) is left as an exercise for the reader.