CARP Phishing
-
A short and interesting read about CARP traffic. Likely not new information for some.
https://isc.sans.edu/diary/Catching+CARP+Fishing+for+Firewall+States+in+PFSync+Traffic/31616/?is=55349e6df1ae7d0eb1f5f3ef0a11b2b29cccb62b3a13d647441b48fa18c8f5d6
-
I can respect their desire to use the CARP puns, but the way they wrote that is unnecessarily specific. While commonly found together, pfsync isn't tied to CARP. There are other HA mechanisms, or reasons to use pfsync w/o HA. Also, using a dedicated interface for CARP traffic isn't a thing; even with unicast CARP, it goes over the interface with the IP address only.
Also they left out the ability for someone with access to that interface to alter the state table. Delete states, inject new states, etc. That's just as dangerous as sniffing the traffic, if not more so.
The dangers of exposing pfsync traffic are well known and we do mention that concern in the docs, at least here:
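As an added illustration of the exposure being discussed (not part of the post above, and not Netgate or pfSense code), the following Python audit checks captured IPv4 packets for pfsync (IP protocol 240, default multicast group 224.0.0.240) that appears anywhere other than the dedicated sync link, or on that link from a sender other than the configured sync peer. CARP (IP protocol 112) is deliberately not flagged by interface, since it rides on whichever interface holds the shared address. The interface names, peer addresses and packets are constructed sample data; pfsync payloads are left opaque because the check only needs the IP header.

```python
import socket
import struct
from dataclasses import dataclass

# IANA IP protocol numbers: CARP reuses VRRP's 112; pfsync is 240.
PROTO_CARP = 112
PROTO_PFSYNC = 240
PFSYNC_MCAST = "224.0.0.240"   # default pfsync multicast group


@dataclass
class Observation:
    iface: str        # capture interface (hypothetical names in the sample below)
    src: str
    dst: str
    proto: int
    payload_len: int


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (header checksum left 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def parse_ipv4(iface: str, pkt: bytes):
    """Extract the fields the audit needs; returns None for anything that is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return Observation(iface, socket.inet_ntoa(pkt[12:16]),
                       socket.inet_ntoa(pkt[16:20]), pkt[9], total_len - ihl)


def audit(observations, sync_iface: str, sync_peers: set):
    """Flag pfsync traffic that is not confined to the dedicated sync link and its peer(s).

    Returns a list of (severity, message). CARP is not flagged by interface:
    it travels on the interface carrying the shared IP, so seeing it on LAN/WAN is normal.
    """
    findings = []
    for o in observations:
        if o.proto != PROTO_PFSYNC:
            continue
        if o.iface != sync_iface:
            findings.append(("high", f"pfsync on {o.iface} from {o.src}: "
                                     f"state table is visible off the sync link"))
        elif o.src not in sync_peers:
            findings.append(("high", f"pfsync on {sync_iface} from unexpected sender {o.src}: "
                                     f"anything on this link can read or alter states"))
        elif o.dst == PFSYNC_MCAST:
            findings.append(("medium", f"pfsync to {PFSYNC_MCAST}: multicast, "
                                       f"every host on the segment receives it"))
    return findings


# Constructed capture: one legitimate unicast sync packet, one normal CARP
# advertisement on the LAN, then two things that should never be seen.
SYNC_IF, PEERS = "igb2", {"10.99.0.1", "10.99.0.2"}
OPAQUE = b"\x00" * 32   # pfsync/CARP body is irrelevant to this check
SAMPLE = [
    ("igb2", build_ipv4("10.99.0.1", "10.99.0.2", PROTO_PFSYNC, OPAQUE)),       # expected
    ("igb0", build_ipv4("192.168.1.1", "224.0.0.18", PROTO_CARP, OPAQUE)),      # CARP on LAN: normal
    ("igb0", build_ipv4("192.168.1.1", PFSYNC_MCAST, PROTO_PFSYNC, OPAQUE)),    # pfsync leaked to LAN
    ("igb2", build_ipv4("10.99.0.77", "10.99.0.2", PROTO_PFSYNC, OPAQUE)),      # unknown sender on sync link
]


def run_sample():
    obs = [parse_ipv4(iface, pkt) for iface, pkt in SAMPLE]
    return audit([o for o in obs if o], SYNC_IF, PEERS)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

The two findings the sample produces correspond to the two concerns raised above: pfsync reachable from a shared segment (anyone there can read states) and a sender on the sync link that is not the configured peer (anyone there can delete or inject states). The mitigation on FreeBSD-based firewalls is the same for both: keep pfsync on an isolated point-to-point interface (`ifconfig pfsync0 syncdev <if> syncpeer <peer-ip>`) and only permit `proto pfsync` on that interface in the ruleset.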
-
@jimp I have no practical experience with CARP. I thought the article was interesting and may have relevance to the group. I also know that not everything is as black and white as a security guy thinks it is.
Thank you for the additional information. -
It's helpful, thanks for sharing.