|
1 | 1 | # tq-015 Packet headers exfiltration with BPF
|
2 | 2 |
|
3 |
| -If UDP or TCP injection can be reliably blocked with BPF and if header values |
| 3 | +If UDP or TCP injection can be reliably blocked with a BPF and if the header values |
4 | 4 | are static it’s possible to exfiltrate the values through a series of tests
|
5 | 5 | bisecting binary values for those headers in BPF<sup>[1](#fn1)</sup> filters.
|
6 |
| -IPv4 has 8-bit TTL<sup>[2](#fn2)</sup> and 16-bit Fragment ID, IPv6 has Hop |
| 6 | +IPv4 has a 8-bit TTL<sup>[2](#fn2)</sup> and a 16-bit Fragment ID, IPv6 has a Hop |
7 | 7 | Limit<sup>[2](#fn2)</sup> (modern pseudonym of TTL).
|
8 | 8 |
|
9 | 9 | TTL exfiltration tricks are not needed for UDP as it has `IP_RECVTTL`.
|
10 | 10 |
|
11 |
| -TBD: is IPv6 flow label useful value? Any IPv6 EHs? What TCP packet bits are useful? Window size? Presence of ACK in RST? TCP Options? |
| 11 | +TBD: is IPv6 flow label a useful value? Any IPv6 EHs? What TCP packet bits are useful? Window size? Presence of ACK in RST? TCP Options? |
12 | 12 |
|
13 |
| -TBD: is it possible to exfiltrate presence of RST packet _ignored_ by TCP stack? |
| 13 | +TBD: is it possible to exfiltrate the presence of a RST packet _ignored_ by the TCP stack? |
14 | 14 |
|
15 |
| -<a name="fn1">1</a>: unfortunately, eBPF that is [so useful for metadata exfiltration](https://blog.cloudflare.com/epbf_sockets_hop_distance/) is [whitelisted only for Android System, not for applications](https://github.com/aosp-mirror/platform_bionic/blob/android-9.0.0_r12/libc/SECCOMP_WHITELIST_SYSTEM.TXT) |
| 15 | +<a name="fn1">1</a>: unfortunately, eBPF that is [so useful for metadata exfiltration](https://blog.cloudflare.com/epbf_sockets_hop_distance/) is [whitelisted only for the Android System, not for applications](https://github.com/aosp-mirror/platform_bionic/blob/android-9.0.0_r12/libc/SECCOMP_WHITELIST_SYSTEM.TXT) |
16 | 16 |
|
17 |
| -<a name="fn2">2</a>: TTL in incoming packet is different from hop distance gathered via traceroute. Also, “static” TTL may vary a bit due to possible multi-path routes from injecting server. |
| 17 | +<a name="fn2">2</a>: TTL in an incoming packet is different from the hop distance gathered via a traceroute. Also, “static” TTL may vary a bit due to possible multi-path routes from injecting server. |
18 | 18 |
|
19 | 19 | ## Examples
|
20 | 20 | - AS6697, Beltelecom, [Belarus blocks tor](https://ooni.torproject.org/post/belarus-fries-onion/) injecting TCP RST
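Review bot: the article fixes in this change introduce two new grammar errors: "a 8-bit TTL" (new line 6) should be "an 8-bit TTL", since "8" is spoken "eight", and "a RST packet" (new line 13) should be "an RST packet", since "RST" is spoken letter by letter. The same pass left "from injecting server" in footnote 2 (new line 17) without an article, which is inconsistent with the rest of that sentence; "from the injecting server" would match. Finally, "blocked with a BPF" (new line 3) reads oddly because BPF names the mechanism rather than a single filter: either keep the original "blocked with BPF" or write "blocked with a BPF filter".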
|
|