google / gvisor

Application Kernel for Containers
https://gvisor.dev
Apache License 2.0

netstack shouldn't respond to packets with invalid source IP addresses #1507

Closed eyalsoha closed 4 years ago

eyalsoha commented 4 years ago

gVisor will process packets with the source IP address equal to the interface's address, though it shouldn't.

Following the guidelines in CERT Advisory CA-96.21 III. Solution, a device shouldn't accept packets from an internal IP address. Nor should it be willing to generate a packet that isn't from an internal address.

So if gVisor gets a packet where the source IP address is equal to one of the interface's addresses, it should drop it, because no other device should be able to make packets like that. gVisor doesn't drop it, though. In the case of a SYN packet, the endpoint will SYN, SYNACK, and RST itself.

tamird commented 4 years ago

The network-layer source and destination addresses are parsed here: https://github.com/google/gvisor/blob/83ab47e87badd8b46f784739903361d9f824fa2c/pkg/tcpip/stack/nic.go#L820. That's probably where we should handle this case.

eyalsoha commented 4 years ago

Is the right thing there to drop all packets where:

?

We would like to drop any packet that couldn't be valid. If those packets are coming from outside gVisor, they shouldn't have a source address that gVisor "owns". That is, gVisor already has a NIC with that address.

But if that function is reached even from packets that gVisor generates, for example, one endpoint pinging another in the same system, then we need to be more careful.

tamird commented 4 years ago

A much more recent document on this attack is https://tools.ietf.org/html/rfc4987.
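The check eyalsoha proposes above, including the "be more careful" case for locally generated traffic, as an added example in Go that is not gVisor's own code: the `nic` type is a constructed stand-in for a netstack NIC, and the loopback exemption is an assumption about how local endpoint-to-endpoint packets would reach the same path.

```go
package main

import (
	"fmt"
	"net"
)

// nic is a constructed stand-in for a netstack NIC (not gVisor's own type).
type nic struct {
	addrs    []net.IP
	loopback bool
}

// ipv4Src returns the source address of a raw IPv4 packet, refusing headers
// whose version, IHL or total length do not fit the bytes present.
func ipv4Src(pkt []byte) (net.IP, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, fmt.Errorf("not an IPv4 header")
	}
	ihl, total := int(pkt[0]&0x0f)*4, int(pkt[2])<<8|int(pkt[3])
	if ihl < 20 || total < ihl || len(pkt) < total {
		return nil, fmt.Errorf("inconsistent IPv4 lengths")
	}
	return net.IPv4(pkt[12], pkt[13], pkt[14], pkt[15]).To4(), nil
}

// shouldDrop is the check from the thread: a packet on a non-loopback NIC
// whose source is one of that NIC's own addresses cannot have come from
// another host, so it is dropped. Loopback is exempt (assumption): traffic
// between two local endpoints legitimately carries our own address.
func shouldDrop(n nic, pkt []byte) (bool, string) {
	src, err := ipv4Src(pkt)
	if err != nil {
		return true, err.Error() // malformed header: never trust it
	}
	for _, a := range n.addrs {
		if !n.loopback && a.Equal(src) {
			return true, "spoofed local source " + src.String()
		}
	}
	return false, ""
}

// mkPacket builds a minimal 20-byte IPv4/TCP header as constructed input.
func mkPacket(src, dst net.IP) []byte {
	hdr := []byte{0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0} // v4/IHL 5, len 20, TTL 64, TCP
	return append(append(hdr, src.To4()...), dst.To4()...)
}
```

A SYN whose source equals the receiving interface's address is rejected before it can reach TCP, so the self-SYN/SYNACK/RST loop described in the issue never starts.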