[170849] in North American Network Operators' Group


Re: CVE-2014-0160 mitigation using iptables

daemon@ATHENA.MIT.EDU (shawn wilson)
Thu Apr 10 13:58:33 2014

In-Reply-To: <86376.1397137973@turing-police.cc.vt.edu>
From: shawn wilson <ag4ve.us@gmail.com>
Date: Thu, 10 Apr 2014 13:57:50 -0400
To: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Cc: North American Network Operators Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Apr 10, 2014 at 9:52 AM,  <Valdis.Kletnieks@vt.edu> wrote:
> On Wed, 09 Apr 2014 11:07:36 +0100, Fabien Bourdaire said:
>
>> # Log rules
>> iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
>> "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
>
> That 52= isn't going to work if it's an IPv4 packet with an unexpected
> number of IP or TCP options, or an IPv6 connection....

IPv6 wasn't mentioned here (that'd be ip6tables). But yeah, there
might be some other shortcomings with the match. I think it's the
right way to go - it just needs a bit of work (maybe a bm string
match?). You're also going to deal with different versions (see
ssl-heartbleed.nse for the breakdown). Though, I wonder if there are
any other variations you might miss...
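The offset problem raised above, worked through as an added example (editor's code, not from anyone in the thread). The quoted rule reads the four bytes at offset 52 from the start of the IPv4 header, which is the first TLS record byte only when the IP header is 20 bytes and the TCP header is 32 bytes (20 plus a 12-byte timestamp option). The function `payload_offset` below instead derives the TCP payload start from the IP IHL and TCP data-offset fields, the same arithmetic the u32 expression form `0>>22&0x3C@12>>26&0x3C@0>>24=0x18` performs in iptables, and `parse_heartbeat` then applies the RFC 6520 length check (1 + 2 + payload_length + 16 must fit inside the record) that ssl-heartbleed.nse relies on. The packets and the 8-byte heartbeat probe record are constructed inline for the demonstration; `build_ipv4_tcp`, `fixed_offset_match` and `parse_heartbeat` are names chosen here, not iptables or nmap API.

```python
"""Locate a TLS heartbeat record at the real TCP payload offset instead of
a fixed u32 offset of 52, and apply the RFC 6520 payload-length sanity check.
All packets below are constructed sample data, not captures."""
import struct

TLS_HEARTBEAT = 0x18          # TLS ContentType heartbeat (RFC 6520)
HB_PADDING_MIN = 16           # minimum heartbeat padding per RFC 6520


def build_ipv4_tcp(payload, tcp_options=b""):
    """Constructed IPv4+TCP packet with optional TCP options (must pad to 4 bytes)."""
    assert len(tcp_options) % 4 == 0, "TCP options must be padded to 32-bit words"
    ip_hlen = 20
    tcp_hlen = 20 + len(tcp_options)
    total = ip_hlen + tcp_hlen + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | (ip_hlen // 4), 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # data offset (in 32-bit words) lives in the high nibble of TCP byte 12
    tcp = struct.pack("!HHIIBBHHH", 54321, 443, 1, 1,
                      (tcp_hlen // 4) << 4, 0x18, 65535, 0, 0) + tcp_options
    return ip + tcp + payload


def payload_offset(pkt):
    """Offset of the TCP payload from the start of the IPv4 header.
    Mirrors u32 '0>>22&0x3C@12>>26&0x3C@': IHL*4, then TCP data offset*4."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return ihl + data_off


def fixed_offset_match(pkt, offset=52):
    """Emulate the quoted rule: u32 '52=0x18030000:0x1803FFFF'.
    Reads 4 bytes at a fixed offset, so it only sees the TLS record
    when IP and TCP headers happen to total exactly 52 bytes."""
    if len(pkt) < offset + 4:
        return False
    word = struct.unpack("!I", pkt[offset:offset + 4])[0]
    return 0x18030000 <= word <= 0x1803FFFF


def parse_heartbeat(pkt):
    """Parse a TLS heartbeat record at the computed payload offset.
    Returns None if the payload is not a TLSv1.x heartbeat record."""
    off = payload_offset(pkt)
    rec = pkt[off:]
    if len(rec) < 5:
        return None
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", rec[:5])
    if ctype != TLS_HEARTBEAT or vmaj != 3:
        return None
    body = rec[5:5 + rlen]
    if len(body) < 3:
        return None
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # RFC 6520 / OpenSSL fix: type(1) + length(2) + payload + padding(16)
    # must fit inside the record, otherwise the peer is asking to over-read.
    oversized = 1 + 2 + payload_len + HB_PADDING_MIN > rlen
    return {
        "version": (vmaj, vmin),
        "record_len": rlen,
        "hb_type": hb_type,
        "payload_len": payload_len,
        "oversized": oversized,
    }


# Classic 8-byte probe: heartbeat, TLS 1.1, record length 3, request,
# claimed payload length 0x4000 with no payload bytes at all (constructed).
PROBE = b"\x18\x03\x02\x00\x03\x01\x40\x00"

# Benign heartbeat request: 3-byte payload plus 16 bytes padding, length 22.
BENIGN = b"\x18\x03\x02\x00\x16" + b"\x01\x00\x03abc" + b"\x00" * 16

TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP NOP Timestamp (12 bytes)

PKT_NO_OPTIONS = build_ipv4_tcp(PROBE)                  # payload at 40
PKT_TIMESTAMP = build_ipv4_tcp(PROBE, TS_OPTION)        # payload at 52
PKT_LONG_OPTIONS = build_ipv4_tcp(PROBE, b"\x01" * 20)  # payload at 60
PKT_BENIGN = build_ipv4_tcp(BENIGN, TS_OPTION)


if __name__ == "__main__":
    for name, pkt in [("no options", PKT_NO_OPTIONS),
                      ("timestamp option", PKT_TIMESTAMP),
                      ("20 bytes of options", PKT_LONG_OPTIONS),
                      ("benign heartbeat", PKT_BENIGN)]:
        print(f"{name:20s} payload@{payload_offset(pkt):2d} "
              f"fixed52={fixed_offset_match(pkt)!s:5s} "
              f"parsed={parse_heartbeat(pkt)}")
```

The fixed-offset rule matches only the timestamp-option packet; the same probe sent on a connection without TCP options or with a longer option set slips past it, while the computed offset finds all three and also distinguishes the oversized request from the benign one. Translating this back into iptables means letting u32 compute the offset itself with the `@` operator rather than hard-coding 52, and a separate ip6tables rule is still needed for IPv6 since the IPv4 header arithmetic does not carry over.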

