Skip to content

DTLS 1.2 based firewall

Jump to bottom Edit New page
Achim Kraus edited this page Apr 9, 2019 · 20 revisions

DTLS 1.2 based firewall

One of the major arguments not using DTLS is, that it's much harder to protect UDP traffic from DDoS than TCP traffic. On of the facts, that argument is based on, is that a lot of DDoS attack are using UDP (DNS, NTP, some are also expect CoAP to be a new source for such attacks). Though a firewall can filter TCP from UDP traffic very efficiently using the Protocol field of the IP-header, it seems to be easier to protect. Filtering DTLS 1.2 records is also possible and not that much harder. According RFC6347 all records have a header structure which starts with a content type and for 1.2 followed by two fixed bytes for the version. The valid value range for content type is defined in RFC 5246 and will be extend by TLS12_CID.

Using iptables a DTLS 1.2 filter could be established by

#! /bin/sh
# IPv4 layer, RFC 791, minimum 20 bytes, use IHL to calculate the effective size
# IPv6 layer, RFC 2460, "next header" => currently not supported :-)  
# UDP layer, RFC 768, 8 bytes
# DTLS 1.2 header first 3 bytes "14 - 19 fe fd"

if [ -z "$1" ]  ; then
    INTERFACE=
else 
    INTERFACE="-i $1"
fi

echo "Create DTLS_FILTER"
iptables -N DTLS_FILTER
echo "Prepare DTLS_FILTER"
iptables -F DTLS_FILTER
iptables -A DTLS_FILTER -m u32 ! --u32 "0>>22&0x3C@ 7&0xFFFFFF=0x14FEFD:0x19FEFD" -j DROP

echo "Remove INPUT to DTLS filter $1"
iptables -D INPUT ${INTERFACE} -p udp --dport 5684 -j DTLS_FILTER
echo "Forward INPUT to DTLS filter"
iptables -A INPUT ${INTERFACE} -p udp --dport 5684 -j DTLS_FILTER

Download script

First all UDP traffic to port 5684 is delegated to be processed by the DTLS_FILTER chain. The rule there uses the u32 module. The part "0>>22&0x3C@" jumps over the IP header options using the IHL field of the IP-header. The second part "7&0xFFFFFF=0x14FEFD:0x19FEFD" load 4 bytes at address 7 and mask the last 3 bytes. That results in the first 3 bytes of the DTLS records, though the UDP header is 8 bytes long. The value range for content type is 0x14 - 0x19 and the version for DTLS 1.2 is fixed `FEFD``.

With that you can filter the traffic on your own nodes. I'm not sure, if cloud provider will support such a filter on earlier traffic stage, which would be much more effective. But using that filter on your own node is better than passing the traffic to the java scandium layer.

For comments and improvements, just create a New Issue here in this repository.

cf_64

Resources

Education - Courses - Tutorials

Links to research information about CoAP and DTLS 1.2

History of reported Attacks around CoAP and DTLS

Installation

Californium - running the sandbox locally for integration tests

Californium as old style unix systemd service

Californium as k8s service

General

Logs and IP Capturing ‐ How To Provide The Right Information

DTLS 1.2 based firewall

DTLS 1.2 connection ID bypassing NATs

DTLS 1.2 connection ID based load balancer

CoAP over TCP - RFC 8323

Clone this wiki locally