Commit 287e3cc

Editing tq-015
1 parent fd0dac8 commit 287e3cc

1 file changed (+6 / -6 lines changed)

techniques/tq-015-packet-headers-exfiltration-with-BPF.md

Lines changed: 6 additions & 6 deletions
@@ -1,20 +1,20 @@
11
# tq-015 Packet headers exfiltration with BPF
22

3-
If UDP or TCP injection can be reliably blocked with BPF and if header values
3+
If UDP or TCP injection can be reliably blocked with a BPF and if the header values
44
are static it’s possible to exfiltrate the values through a series of tests
55
bisecting binary values for those headers in BPF<sup>[1](#fn1)</sup> filters.
6-
IPv4 has 8-bit TTL<sup>[2](#fn2)</sup> and 16-bit Fragment ID, IPv6 has Hop
6+
IPv4 has a 8-bit TTL<sup>[2](#fn2)</sup> and a 16-bit Fragment ID, IPv6 has a Hop
77
Limit<sup>[2](#fn2)</sup> (modern pseudonym of TTL).
88

99
TTL exfiltration tricks are not needed for UDP as it has `IP_RECVTTL`.
1010

11-
TBD: is IPv6 flow label useful value? Any IPv6 EHs? What TCP packet bits are useful? Window size? Presence of ACK in RST? TCP Options?
11+
TBD: is IPv6 flow label a useful value? Any IPv6 EHs? What TCP packet bits are useful? Window size? Presence of ACK in RST? TCP Options?
1212

13-
TBD: is it possible to exfiltrate presence of RST packet _ignored_ by TCP stack?
13+
TBD: is it possible to exfiltrate the presence of a RST packet _ignored_ by the TCP stack?
1414

15-
<a name="fn1">1</a>: unfortunately, eBPF that is [so useful for metadata exfiltration](https://blog.cloudflare.com/epbf_sockets_hop_distance/) is [whitelisted only for Android System, not for applications](https://github.com/aosp-mirror/platform_bionic/blob/android-9.0.0_r12/libc/SECCOMP_WHITELIST_SYSTEM.TXT)
15+
<a name="fn1">1</a>: unfortunately, eBPF that is [so useful for metadata exfiltration](https://blog.cloudflare.com/epbf_sockets_hop_distance/) is [whitelisted only for the Android System, not for applications](https://github.com/aosp-mirror/platform_bionic/blob/android-9.0.0_r12/libc/SECCOMP_WHITELIST_SYSTEM.TXT)
1616

17-
<a name="fn2">2</a>: TTL in incoming packet is different from hop distance gathered via traceroute. Also, “static” TTL may vary a bit due to possible multi-path routes from injecting server.
17+
<a name="fn2">2</a>: TTL in an incoming packet is different from the hop distance gathered via a traceroute. Also, “static” TTL may vary a bit due to possible multi-path routes from injecting server.
1818

1919
## Examples
2020
- AS6697, Beltelecom, [Belarus blocks tor](https://ooni.torproject.org/post/belarus-fries-onion/) injecting TCP RST
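Review bot: the new line 6 introduces an article error, "a 8-bit TTL" should be "an 8-bit TTL" (eight starts with a vowel sound), and for the same reason the new line 13 reads better as "an RST packet". The new line 3's "with a BPF" treats BPF as a countable object; either keep the old "with BPF" or write "with a BPF filter", which also matches "BPF filters" on line 5. The new line 17 adds articles in its first sentence but leaves "from injecting server" at the end; make it "from the injecting server" so the wording pass is consistent within the line. Not part of this change but easy to fold in: "modern pseudonym of TTL" on line 7 would be clearer as "the IPv6 equivalent of TTL", since Hop Limit is the corresponding field rather than an alternate name.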
