China Illustrates How Not To Do Firewall Filtering

Someone’s noticed a very interesting fact about firewall filtering that relies on session sniping, i.e. killing connections with RST packets. Namely, it’s rather trivial to bypass.

For those who are into this sort of thing, the idea is very simple. China blocks people from going to certain sites by having their firewall kill browser sessions that contain certain banned keywords.

This particular security technique is based on sitting in between the users and the Internet, monitoring for banned words at the firewall, and then sending “kill packets” to the client when they ask for something China doesn’t want them to see. These “kill packets” (RSTs) tell the requesting computer to drop the connection immediately, which results in the user not getting the page they were looking for. Simple enough.

Unfortunately for China, it’s fairly trivial to drop various types of packets using a firewall on the client side.

In other words, the entire content filtering system is based on client systems receiving and responding normally to the firewall’s kill packets. If the client simply drops those packets, i.e. ignores them, then their session will continue on as if there were no filtering device in place at all.

And to make it even cooler, one can use TTL values to determine which RST packets are probably legitimately coming from the endpoint, and which are coming from a security device in the middle. So one could say, for example, “Drop all incoming packets with the RST flag set that have a TTL less than x.”

Of course, the firewall admin could exploit that rule by increasing the TTL on their outgoing RSTs, but then one could simply open up the rule and drop all RSTs. Cat and mouse, as usual.
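The TTL comparison described above can also be run as a detection check over captured traffic. The sketch below is an added example, not code from the original post: it generalizes the fixed "less than x" threshold to a deviation from the TTL each peer normally shows, and the packet tuples, the `classify_rsts` name and the `tolerance` value are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (src_ip, dst_ip, tcp_flags, ip_ttl) as seen at the client.
PACKETS = [
    ("203.0.113.10", "192.0.2.5", "SA", 47),
    ("203.0.113.10", "192.0.2.5", "A", 47),
    ("203.0.113.10", "192.0.2.5", "PA", 47),
    ("203.0.113.10", "192.0.2.5", "R", 58),  # TTL differs from this peer's other packets
    ("198.51.100.7", "192.0.2.5", "SA", 52),
    ("198.51.100.7", "192.0.2.5", "A", 52),
    ("198.51.100.7", "192.0.2.5", "R", 52),  # TTL matches this peer's other packets
    ("198.51.100.9", "192.0.2.5", "R", 60),  # no earlier traffic to compare against
]


def classify_rsts(packets, tolerance=2):
    """Label each RST by comparing its TTL with the median TTL of the
    non-RST packets seen from the same peer (hypothetical helper)."""
    baseline = defaultdict(list)
    for src, dst, flags, ttl in packets:
        if "R" not in flags:
            baseline[(src, dst)].append(ttl)

    results = []
    for src, dst, flags, ttl in packets:
        if "R" not in flags:
            continue
        seen = baseline.get((src, dst))
        if not seen:
            verdict = "unknown"      # nothing to compare with
        elif abs(ttl - median(seen)) > tolerance:
            verdict = "suspect"      # hop count inconsistent with the real endpoint
        else:
            verdict = "consistent"   # may still be forged if the sender matched the TTL
        results.append((src, ttl, verdict))
    return results


if __name__ == "__main__":
    for src, ttl, verdict in classify_rsts(PACKETS):
        print(f"RST from {src} ttl={ttl}: {verdict}")
```

A "consistent" verdict is weak evidence only, for the reason given above: a device in the path can set the TTL on the RSTs it sends.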

Anyway, the idea’s quite interesting and it’ll be fun to see how it plays out.
