teucrus
just joined
Topic Author
Posts: 1
Joined: Mon Aug 02, 2021 11:35 am

A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 11:58 am

Hello everyone. I was reading about UDP hole punching and peer to peer connections and I was wondering about methods to block them.
It's more of an educational approach to test my understanding of the concept rather than an actual implementation.
I do get that if the peers know the addresses they want to connect to, you cannot do much to block the traffic (maybe some L7 packet matching)
But what about the case they use a rendezvous server?
Here is my thought process about this:

Client A sends a UDP packet to the rendezvous server (src-address: a.a.a.a, dst-address: b.b.b.b)
Client B sends a UDP packet to the rendezvous server (src-address: c.c.c.c, dst-address: b.b.b.b)
Rendezvous server sends the details to each client.

So at this point, NAT in client A's router has opened a UDP port and is communicating with the server, but instead is getting a connection from client B from the IP c.c.c.c
Is it somehow possible to restrict the incoming connection just to the IP address the specific connection was made to (b.b.b.b)?
Am I correct to assume that this way, the direct connections from other clients would be blocked?
I know that someone would be able to use the rendezvous server as a relay, but at this stage you can always block the rendezvous server itself.
This approach should also allow Skype blocking etc.

I'd love to read your thoughts on the matter.

P.S. I know this is not 100% Mikrotik/RouterOS territory, but I am using exclusively Mikrotik routers and I'd like to know how this can be implemented in RouterOS
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 5:37 pm

Nobody implements such a thing that I have read in any of the forums.
In other words, not a concern.
Unless you can be more specific for the issue, cannot help.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 5:47 pm

The NAT will only pass traffic from an address that was previously the destination of an outgoing packet.
So the scenario you describe will not work. But a scenario where some service tells client A that the other peer is client B and convinces it to send a packet there, while at (about) the same time telling client B that it has to send a packet to client A will work, and open a UDP "tunnel" between them.
The connection towards the controlling server does not have to be UDP, it can just as well be TCP. But the connection between the clients has to be UDP.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 6:22 pm

> pe1chl wrote:
> The NAT will only pass traffic from an address that was previously the destination of an outgoing packet.
> So the scenario you describe will not work. But a scenario where some service tells client A that the other peer is client B and convinces it to send a packet there, while at (about) the same time telling client B that it has to send a packet to client A will work, and open a UDP "tunnel" between them.
> The connection towards the controlling server does not have to be UDP, it can just as well be TCP. But the connection between the clients has to be UDP.

Didn't understand a word. Does this concern MT users or not??
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 6:36 pm

> anav wrote:
> Didn't understand a word.

Now you understand why sometimes after reading other posts I get confused...
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 6:48 pm

> anav wrote:
> Didn't understand a word.

> rextended wrote:
> Now you understand why sometimes after reading other posts I get confused...

There's a difference: you don't understand English while @anav doesn't understand networking :-P
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 7:01 pm

:shock: ..... :) ..... :D ..... :lol:

@anav :mrgreen:
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 7:33 pm

MKX is just jealous that he doesn't have my MTUNA certification!!!
However, he was accurate at least on this occasion.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: A discussion about UDP hole punching and how to prevent it.

Mon Aug 02, 2021 9:03 pm

> teucrus wrote:
> Is it somehow possible to restrict the incoming connection just to the IP address the specific connection was made to (b.b.b.b)?
> Am I correct to assume that this way, the direct connections from other clients would be blocked?

As @pe1chl has explained, the rendezvous server is only there to learn the public IPs behind which the peers are located and inform each of the peers about the other one's public IP, and maybe the UDP port it is using.

But the hole punching itself leverages the fact that UDP is a stateless protocol, so if you send a request packet from a.a.a.a:A to b.b.b.b:B, the firewall has to let through packets from b.b.b.b:B to a.a.a.a:A, otherwise UDP responses would be unable to get through in general. So a response from c.c.c.c:B will be blocked if the request went to b.b.b.b:B - no need to do anything special. But if the peer in LAN sends its own request to c.c.c.c:B first, a subsequent packet from c.c.c.c:B will get through.

To prevent hole punching from succeeding, it is enough that the NAT portion of the firewall randomly changes the source port of the request packets it forwards (randomly per connection, not per packet, as that would also break "normal" traffic). Since the connection to the rendezvous server is a different one from the connection to the peer, the firewall will assign a different source port to each of them, so the source port seen by the rendezvous server is useless for the peer.

The firewall in RouterOS normally only changes the source port of a packet during the srcnat handling if it has already been occupied by another connection towards the same remote socket. But you can try to add to-ports=x-y to the action=src-nat or action=masquerade rule - this will definitely replace the source port, but I've never tried whether the ports from the x-y range are chosen randomly or systematically, i.e. whether two subsequent connections to different remote sockets will get the same or different source port.
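To make the two NAT behaviours sindy contrasts concrete, here is an added toy simulation written for this thread (not code from the forum, from the original poster, or from RouterOS): a port-preserving NAT lets the punch through, while a NAT that assigns a random public port per remote socket blocks it, even when only one of the two sides does so. The private addresses, ports and the 3478 rendezvous port are constructed placeholders following the thread's a.a.a.a/b.b.b.b/c.c.c.c naming.

```python
"""Toy model of UDP hole punching against two NAT behaviours (constructed example)."""
import random

class Nat:
    """Minimal NAT model. A cone NAT keeps one port-preserving mapping per internal
    socket; a symmetric NAT picks a fresh random public port for every distinct remote
    socket (the per-connection randomisation described in the post). Inbound packets
    pass only from a remote socket the mapped public port has already sent to."""

    def __init__(self, public_ip, symmetric, seed=1):
        self.public_ip, self.symmetric = public_ip, symmetric
        self.mappings = {}               # mapping key -> public port
        self.allowed = {}                # public port -> set of remote sockets sent to
        self.rng = random.Random(seed)   # seeded so the example is deterministic

    def send(self, priv, dst):
        """Private socket `priv` sends to `dst`; return the public socket `dst` sees."""
        key = (priv, dst) if self.symmetric else priv
        if key not in self.mappings:
            if self.symmetric:
                port = self.rng.randint(1024, 65535)
                while port in self.allowed:   # never reuse a port held by another mapping
                    port = self.rng.randint(1024, 65535)
            else:
                port = priv[1]                # port-preserving, like the RouterOS default sindy describes
            self.mappings[key] = port
        port = self.mappings[key]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def receive(self, src, port):
        """Would an inbound packet from remote socket `src` to public `port` be passed?"""
        return src in self.allowed.get(port, set())

def hole_punch(symmetric_a, symmetric_b):
    """Run the rendezvous + punch exchange; True if both NATs pass the peer's packet."""
    rendezvous = ("b.b.b.b", 3478)                     # constructed server socket
    nat_a, nat_b = Nat("a.a.a.a", symmetric_a), Nat("c.c.c.c", symmetric_b, seed=2)
    priv_a, priv_b = ("10.0.0.2", 40000), ("192.168.1.2", 50000)
    # 1) both clients talk to the rendezvous server, which records their public sockets
    seen_a, seen_b = nat_a.send(priv_a, rendezvous), nat_b.send(priv_b, rendezvous)
    # 2) the server hands each peer the other's public socket; both fire a packet at it
    from_a, from_b = nat_a.send(priv_a, seen_b), nat_b.send(priv_b, seen_a)
    # 3) each NAT judges the peer's packet, which is addressed to the socket the server saw
    return nat_a.receive(from_b, seen_a[1]) and nat_b.receive(from_a, seen_b[1])

if __name__ == "__main__":
    for a, b in ((False, False), (True, False), (False, True), (True, True)):
        print(f"symmetric A={a} B={b}: hole punch {'succeeds' if hole_punch(a, b) else 'fails'}")
```

The model ignores mapping timeouts and port collisions between unrelated hosts; it only shows why a per-connection source port makes the socket the rendezvous server observed useless to the peer.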
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: A discussion about UDP hole punching and how to prevent it.

Tue Aug 03, 2021 6:11 pm

Nice Sindy, that is a question not an answer and more to the point, you have not let us know whether or not we should go out and buy diapers, as I may sh*t myself, finding out MT routers have this huge security vulnerability!!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: A discussion about UDP hole punching and how to prevent it.

Wed Aug 04, 2021 10:53 pm

What do you consider a security vulnerability, the UDP hole punching? How is that a bigger security hole than the fact that two devices, each behind another router, can establish communication via some cloud server that provides the packet forwarding service for them (TeamViewer, Anydesk etc.)?

And how is that "security hole" Mikrotik-specific?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: A discussion about UDP hole punching and how to prevent it.

Thu Aug 05, 2021 12:41 am

I have no idea, the OP is suggesting that MT has a UDP hole or leak making the router unsafe.
If not true, that's all I need to know or can understand. The rest is noise for me.
