
how to identify utp #131

Open
WGjason opened this issue Jun 7, 2022 · 5 comments

Comments

@WGjason

WGjason commented Jun 7, 2022

How to identify utp packets? Are there any features?

@freak82

freak82 commented Jun 7, 2022

At what level do you want to identify it?
I mean, in some application, in the firewall?
We use the following iptables rule to identify UTP SYN packets and redirect them to our software, which allows us later to redirect the whole UTP session. It works pretty well in practice and gives very few false positives.

-A PREROUTING -i eth0 -p udp -m u32 --u32 "0x0>>0x16&0x3c@0x4&0xffff0000=0x1c0000&&0x0>>0x16&0x3c@0x8&0xffff0000=0x41000000" -j TPROXY --on-port XXXX --on-ip XXX.XXX.XXX.XXX --tproxy-mark 0x1/0x1

I realize that the rule may seem cryptic due to the usage of the u32 kernel module.
Basically the rule identifies the following fields from the packet (off the top of my head):
0x0>>0x16&0x3c@0x4&0xffff0000=0x1c0000 - skips the IP header + 4 bytes more (the source/destination ports from the UDP header) and checks if the Length field in the UDP header gives 28 (0x1c). This is because the UDP header length is 8 bytes and the UTP SYN is 20 bytes.
0x0>>0x16&0x3c@0x8&0xffff0000=0x41000000 - skips the IP header + 8 bytes more and then checks if the type and version of the UTP header are equal to 4 (SYN) and 1 respectively.
Maybe the ack-nr can be checked also if it's zero but I'm not sure that this is guaranteed and thus we don't do it.

@WGjason

WGjason commented Jun 7, 2022

Thank you for your answer. I want to identify and parse utp packets in my firewall. Can other types of UTP packets be identified except for UTP SYN?

@freak82

freak82 commented Jun 7, 2022

You can identify the FIN (1) and RST (3) packets by similar rule functionality because the length of the UTP packet in these cases is always 20 bytes.
However, the ACK packets can have variable length due to the selective ACK functionality.
The DATA packets can also have variable length.
So, the above scheme can't be used for ACK and DATA packets because the false positives will increase greatly if the length of the packet can't be used.
We have a custom kernel module which recognizes the first UTP data packet of each UTP session (we use it for a different purpose).
The module basically checks every possible UTP DATA packet for a 68-byte payload that starts with
"\x13BitTorrent protocol".
This can most likely be implemented with u32 rule but it'd be even more cryptic.

I can't think of an easy way to recognize all of the UTP packets without some additional logic which tracks their connection ids and their lifetime.
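A small parser, added here as an example (it is not code from this issue or from the project), that applies the same fixed-length check freak82's u32 rule encodes to a raw IPv4 datagram and extends it to the FIN and RST cases described above. Note that the mask 0xffff0000 at offset 8 in the rule compares two bytes, so besides type/version it also requires the extension byte to be zero, which the parser reproduces. The constants, the packet builder and the sample packets are constructed for this example.

```python
import struct

# uTP (BEP 29) packet types: high nibble of the first header byte.
ST_DATA, ST_FIN, ST_STATE, ST_RESET, ST_SYN = 0, 1, 2, 3, 4
UTP_VERSION = 1
UTP_HEADER_LEN = 20          # fixed header, no extension list
UDP_HEADER_LEN = 8
IPPROTO_UDP = 17


def classify_utp(packet: bytes):
    """Apply the u32 rule's fixed-length heuristic to a raw IPv4 frame.

    Returns 'SYN', 'FIN' or 'RST' when the datagram is exactly one 20-byte
    uTP v1 header of that type with no extension, otherwise None.
    ST_STATE and ST_DATA are deliberately not matched: their length varies,
    so a length-based rule would produce many false positives.
    """
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # u32: 0x0>>0x16&0x3c
    if packet[0] >> 4 != 4 or ihl < 20 or packet[9] != IPPROTO_UDP:
        return None
    udp = packet[ihl:]                                 # u32: '@' jumps past the IP header
    if len(udp) < UDP_HEADER_LEN + UTP_HEADER_LEN:
        return None
    udp_len = struct.unpack_from("!H", udp, 4)[0]      # u32: @0x4 & 0xffff0000
    if udp_len != UDP_HEADER_LEN + UTP_HEADER_LEN:     # 28 == 0x1c
        return None
    type_ver, extension = udp[8], udp[9]               # u32: @0x8 & 0xffff0000
    if extension != 0 or type_ver & 0x0F != UTP_VERSION:
        return None
    return {ST_SYN: "SYN", ST_FIN: "FIN", ST_RESET: "RST"}.get(type_ver >> 4)


def build_packet(utp_type, extension=0, payload=b""):
    """Constructed sample: minimal IPv4 + UDP + uTP v1 header (not captured traffic)."""
    utp = struct.pack("!BBHIIIHH", (utp_type << 4) | UTP_VERSION, extension,
                      0x1234, 0, 0, 0x100000, 1, 0) + payload
    udp_len = UDP_HEADER_LEN + len(utp)
    udp = struct.pack("!HHHH", 6881, 6881, udp_len, 0) + utp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp
```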

@WGjason

WGjason commented Jun 7, 2022

Thanks again for your answer!
