I would like to share with you another interesting insider case. This time it's related to AR G3 router series and BFD protocol detection mechanism. First of all, I'm not sure whether you are familiar with BFD Echo function for this detection protocol, so will add a short description below:
It checks the connectivity of the forwarding link by looping back packets. You can use the BFD Echo function when one of two directly connected devices does not support BFD. In this case, you can configure BFD Echo on the BFD-supporting device. That device sends an Echo Request packet to the remote device. The remote device then sends the Echo Request packet back along the same path to detect the connectivity of the forwarding link.
An image will help to understand the data above.
The BFD echo function configuration is quite basic, as we can see below:
#
bfd atob bind peer-ip 10. 1.1.1 interface Dialer1 one-arm-echo
discriminator local 1
min-echo-rx-interval 100
commit
#
Unfortunately the BFD session remains in "Down" state:
[AR router]dis bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 - 10.1.1.1 Down S_IP_IF Dialer1
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 0/1
Let's try to find out why:
First thing to do is to check the AR configuration a little bit deeper, and I was able to observe that a firewall configuration was in place. Let's check whether BFD packets are properly allowed.
We will check the configuration, dialer interface is the BFD enabled interface and is connected to untrust zone.
#
interface Dialer1
link-protocol ppp
ppp chap user xxxx
ppp chap password simple xxxxx
ip address ppp-negotiate
dialer user xx
dialer bundle x
dialer-group x
nat outbound x
zone untrust
#
bfd atob bind peer-ip 10.1.1.1 interface Dialer1 one-arm-echo
discriminator local 1
min-echo-rx-interval 100
commit
#
The interzone from local zone to untrust is permitted accordingly so normally BFD packets should be processed accordingly by the AR router.
#
firewall interzone local untrust
firewall enable
packet-filter 3000 inbound
#
acl number 3000
rule 1 permit ip source 10.1.1.1 0
............
rule 45 permit ip
.........
rule 55 permit udp
Since the BFD packets are allowed, I decide to perform a packet capture to see whether the remote end is returning the packets back to the AR router and indeed were returned as we can see below:
So it must be something on the AR router that makes it to not accept the BFD echo packets.
Checking the running configuration deeper I found out there is a firewall configuration that could cause problems, let check below:
#
firewall defend land enable
firewall defend smurf enable
firewall defend fraggle enable
firewall defend winnuke enable
firewall defend syn-flood enable
firewall defend udp-flood enable
firewall defend icmp-flood enable
firewall defend ip-sweep enable
firewall defend port-scan enable
firewall defend ping-of-death enable
firewall defend teardrop enable
firewall defend large-icmp enable
#
Land attack defence was enabled. Finally I decide to disable it to see what it's happening and... the BFD session came up.
Why it come up? How to explain this strange phenomenon?
First, what is a LAND attack and what is the mechanism behind.
A LAND (Local Area Network Denial) attack is a DoS (Denial of Service) attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up.
Mechanism - the attack involves sending a spoofed IP packet ( generally is a connection initiation TCP SYN) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously, causing damage.
So this is exactly what happened, the AR router sends and BFD echo packet, which is an UDP same source and destination IP, which is returned back to the AR router and since it has same source and destination IP it considers to be a type of LAND attack and it drops it.
So, to conclude, firewall configuration could impact other protocol, before commisioning services or new protocols, it's best to review all the firewall configuration you have deployed on the device and be sure you know exactly what every command does on the system.
![[Insider Sharing] BFD Echo arm function strange behavior-2661511-1](static/image/smiley/default/victory.gif)
