
Firewall does not allow discovering the whole path between source host and destination host.

Publication Date:  2015-12-10 Views:  109 Downloads:  0
Issue Description

Topology:



Firewall Version:


Huawei Versatile Routing Platform Software
Software Version: USG5100 V300R001C10SPC500 (VRP (R) Software, Version 5.30)
Copyright (C) 2008-2014 Huawei Technologies Co., Ltd.
Secospace USG5120 uptime is 1 week, 6 days, 21 hours, 26 minutes


Configuration:

USG:


#
interface GigabitEthernet0/0/0
alias GE0/MGMT
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 192.168.0.1

interface GigabitEthernet0/0/1
ip address 10.10.10.1 255.255.255.252
#
interface GigabitEthernet0/0/2
ip address 20.20.20.1 255.255.255.252
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/0
add interface GigabitEthernet0/0/1

firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ospf 1
area 0.0.0.0
  network 10.10.10.0 0.0.0.3
  network 20.20.20.0 0.0.0.3

#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound

firewall packet-filter default permit interzone local dmz direction outbound
#
dns resolve
#
undo dns proxy
#
policy interzone local trust inbound
policy 1
  action permit
  policy source 192.168.10.0 mask 24
  policy destination 10.10.10.0 mask 30

policy interzone local trust outbound
policy 1
  action permit
  policy source 10.10.10.0 mask 30
  policy destination 192.168.10.0 mask 24

policy interzone trust untrust inbound
policy 1
  action permit
  policy source 192.168.20.0 mask 24
  policy destination 192.168.10.0 mask 24

policy 2
  action permit
  policy source 20.20.20.0 mask 30
  policy destination 192.168.10.0 mask 24

policy interzone trust untrust outbound
policy 1
  action permit
  policy source 192.168.10.0 mask 24
  policy destination 192.168.20.0 mask 24

policy 2
  action permit
  policy source 192.168.10.0 mask 24
  policy destination 20.20.20.0 mask 30
#


ROUTER ‘A’:


#
interface GigabitEthernet0/0/0
ip address 192.168.10.1 255.255.255.0

interface GigabitEthernet0/0/1
ip address 10.10.10.2 255.255.255.252
#
ospf 1
area 0.0.0.0
  network 10.10.10.0 0.0.0.3
  network 192.168.10.0 0.0.0.255
#



ROUTER ‘B’:


#
interface GigabitEthernet0/0/0
ip address 192.168.20.1 255.255.255.0

interface GigabitEthernet0/0/1
ip address 20.20.20.2 255.255.255.252
#
ospf 1
area 0.0.0.0
  network 20.20.20.0 0.0.0.3
  network 192.168.20.0 0.0.0.255
#



Symptom:


PC-B is reachable from PC-A by PING.
However, PC-A cannot see all hops with TRACERT from PC-A to PC-B: the USG hides hops, in particular the IP addresses configured on its local interfaces (GE 0/0/1 and GE 0/0/2) when it is a transit hop rather than the destination.


PC-A:

PC>ping 10.10.10.1

Ping 10.10.10.1: 32 data bytes, Press Ctrl_C to break
From 10.10.10.1: bytes=32 seq=1 ttl=254 time=265 ms
From 10.10.10.1: bytes=32 seq=2 ttl=254 time=47 ms
From 10.10.10.1: bytes=32 seq=3 ttl=254 time=31 ms
From 10.10.10.1: bytes=32 seq=4 ttl=254 time=31 ms
From 10.10.10.1: bytes=32 seq=5 ttl=254 time=172 ms

--- 10.10.10.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/109/265 ms

PC>ping 20.20.20.1

Ping 20.20.20.1: 32 data bytes, Press Ctrl_C to break
From 20.20.20.1: bytes=32 seq=1 ttl=254 time=78 ms
From 20.20.20.1: bytes=32 seq=2 ttl=254 time=47 ms
From 20.20.20.1: bytes=32 seq=3 ttl=254 time=47 ms
From 20.20.20.1: bytes=32 seq=4 ttl=254 time=31 ms
From 20.20.20.1: bytes=32 seq=5 ttl=254 time=47 ms

--- 20.20.20.1 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/50/78 ms


PC>ping 20.20.20.2

Ping 20.20.20.2: 32 data bytes, Press Ctrl_C to break
From 20.20.20.2: bytes=32 seq=1 ttl=253 time=140 ms
From 20.20.20.2: bytes=32 seq=2 ttl=253 time=46 ms
From 20.20.20.2: bytes=32 seq=3 ttl=253 time=31 ms
From 20.20.20.2: bytes=32 seq=4 ttl=253 time=47 ms
From 20.20.20.2: bytes=32 seq=5 ttl=253 time=31 ms

--- 20.20.20.2 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/59/140 ms

PC>tracert 10.10.10.1

traceroute to 10.10.10.1, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   31 ms  16 ms  31 ms
2  10.10.10.1   47 ms  46 ms  78 ms

PC>tracert 20.20.20.1

traceroute to 20.20.20.1, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   15 ms  16 ms  31 ms
2  20.20.20.1   16 ms  468 ms  140 ms

PC>tracert 20.20.20.2

traceroute to 20.20.20.2, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   16 ms  16 ms  15 ms
2    *  *  *
3  20.20.20.2   47 ms  31 ms  47 ms

PC>tracert 192.168.20.10

traceroute to 192.168.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   31 ms  <1 ms  16 ms
2    *  *  *
3  20.20.20.2   78 ms  47 ms  78 ms
4    *192.168.20.10   63 ms  31 ms


USG:


<SRG>display firewall session table verbose protocol icmp
08:25:54  2015/12/10
Current Total Sessions : 6
  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:00
  Interface: GigabitEthernet0/0/2  NextHop: 20.20.20.2  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  192.168.10.10:35211-->192.168.20.10:2048

  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:00
  Interface: GigabitEthernet0/0/2  NextHop: 20.20.20.2  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  192.168.10.10:35467-->192.168.20.10:2048

  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:00
  Interface: GigabitEthernet0/0/2  NextHop: 20.20.20.2  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  192.168.10.10:35723-->192.168.20.10:2048

  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:01
  Interface: GigabitEthernet0/0/2  NextHop: 20.20.20.2  MAC: 00-e0-fc-50-16-ef
  <--packets:0 bytes:0   -->packets:3 bytes:276
  192.168.10.10:35979-->192.168.20.10:2048

  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:01
  Interface: GigabitEthernet0/0/2  NextHop: 20.20.20.2  MAC: 00-e0-fc-50-16-ef
  <--packets:0 bytes:0   -->packets:1 bytes:92
  192.168.10.10:36235-->192.168.20.10:2048

  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:20  Left: 00:00:03
  Interface: GigabitEthernet0/0/2  NextHop: 20.20.20.2  MAC: 00-e0-fc-50-16-ef
  <--packets:2 bytes:184   -->packets:2 bytes:184
  192.168.10.10:36491-->192.168.20.10:2048

Solution

Root Cause:

In a Tracert attack, the attacker discovers the path between the source host and the destination host from the ICMP timeout (Time Exceeded) packets returned by each hop where the TTL reaches 0 and from the ICMP port unreachable packet returned by the destination, and can thus probe the network structure.
When Tracert packet attack defense is configured, the device discards ICMP timeout packets, so it never answers a TTL-expired probe and appears as "*" in the trace.


Solution:


• Disable the Tracert packet attack defense.
• Enable the ICMP timeout packet function (by default this function is disabled).
• Enable the sending of ICMP destination unreachable packets.

USG:

[SRG]undo firewall defend tracert enable
[SRG]ip ttl-expire enable
[SRG]ip unreachable enable
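The following is an added model, not code from the article or from Huawei, that reproduces the symptom and the fix in software: each hop decrements the TTL, a hop only shows up in the trace if it both originates ICMP Time Exceeded (ip ttl-expire enable) and does not suppress it (firewall defend tracert), while the destination answers regardless. The addresses are the article's topology; the Hop fields and function names are assumptions, and "ip unreachable enable" is not modelled because the PC's tracert here is ICMP-based.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    """One device on the path; addresses are taken from the article's topology."""
    name: str
    ip: str                        # address the hop answers probes from
    ttl_expire_reply: bool = True  # originates ICMP Time Exceeded at TTL 0 (ip ttl-expire enable)
    defend_tracert: bool = False   # drops its own ICMP Time Exceeded (firewall defend tracert enable)


def send_probe(routers, dest, ttl):
    """Forward one probe with the given TTL; return the replying IP, or None if nothing answers."""
    for hop in routers:
        ttl -= 1
        if ttl == 0:
            # The hop is visible only if it both generates and does not suppress the timeout reply.
            if hop.ttl_expire_reply and not hop.defend_tracert:
                return hop.ip
            return None  # probe silently dropped: tracert prints '*'
    return dest.ip       # destination answers (echo reply) regardless of its TTL-expiry settings


def tracert(routers, dest, max_hops=8):
    """Emulate 'tracert' from PC-A: one entry per TTL until the destination answers."""
    path = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(routers, dest, ttl)
        path.append(reply or "*")
        if reply == dest.ip:
            break
    return path


# Constructed model of the article's topology: PC-A -> Router A -> USG -> Router B -> PC-B.
ROUTER_A = Hop("Router A", "192.168.10.1")
ROUTER_B = Hop("Router B", "20.20.20.2")
PC_B = Hop("PC-B", "192.168.20.10")


def usg(fixed=False):
    """USG in its default state, or after 'undo firewall defend tracert enable' + 'ip ttl-expire enable'."""
    return Hop("USG5120", "10.10.10.1", ttl_expire_reply=fixed, defend_tracert=not fixed)


def path_to_pc_b(fixed=False):
    return tracert([ROUTER_A, usg(fixed), ROUTER_B], PC_B)


def path_to_usg(fixed=False):
    """Tracing to the USG itself: it answers as destination even while hidden as a transit hop."""
    return tracert([ROUTER_A], usg(fixed))


if __name__ == "__main__":
    print("before fix:", path_to_pc_b())       # ['192.168.10.1', '*', '20.20.20.2', '192.168.20.10']
    print("after fix: ", path_to_pc_b(True))   # ['192.168.10.1', '10.10.10.1', '20.20.20.2', '192.168.20.10']
```

The two printed paths match the article's tracert output before and after the three commands, and path_to_usg() shows why the PING and tracert to 10.10.10.1 succeed even with the defense enabled.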



PC-A:


PC>tracert 192.168.20.10

traceroute to 192.168.20.10, 8 hops max
(ICMP), press Ctrl+C to stop
1  192.168.10.1   31 ms  16 ms  16 ms
2  10.10.10.1   15 ms  31 ms  47 ms
3  20.20.20.2   93 ms  63 ms  78 ms
4  192.168.20.10   78 ms  78 ms  47 ms

END