High volume of Protocol 47 (GRE) traffic from HiNet (AS3462) found

I’ve been monitoring protocol 47 traffic for the last six months and found a clear trend from one internet service provider, HiNet (AS3462). Protocol 47 is the Assigned Internet Protocol Number for Generic Routing Encapsulation (GRE).  GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network protocols inside virtual point-to-point links over an IP network.

The summary of the data I collected, grouped by city and sorted by traffic volume, is noted below:

Protocol 47 (GRE) traffic observed

The raw data collected, listing each IP address and timestamp, can be found here.

Example uses of GRE include:

  • In conjunction with PPTP to create VPNs.
  • In conjunction with IPsec VPNs to allow passing of routing information between connected networks.
  • Distributed denial of service (DDoS) protected appliance to an unprotected endpoint.

So why would I even see GRE traffic from over a hundred IP addresses on HiNet’s network? This  is due to a large amount of comprised Internet of Things (IoT) devices on their network. The two most common types of these devices found were security (IP enabled) cameras and DVRs.

GRE traffic was found in late 2016 during a massive DDoS attack performed by the Mirai botnet.  I believe the traffic I’ve found is a leftover remnant of this botnet.  Similar conclusions have been reached by SANS Internet Storm Center users and heise Security.

HiNet

HiNet did not respond to my multiple requests for comment as to why they have chosen not to filter the rouge traffic from leaving their network.

Cisco noted the vulnerability of GRE decapsulation over ten years ago and how it could be used to bypass access-control lists (ACLs) .  Cisco also provided the steps to mitigate the issue, including how to block GRE traffic completely.

Are large scale GRE based DDoS attacks likely to return in the future? The answer is not certain, however Arbor Networks ASERT team noted in August 2016 that, “As with all types of DDoS attacks the miscreants stumble upon, we expect to see other botnets-for-hire and ‘booter/stresser’ services adding GRE to their repertoires in short order.”

Will the burden of filtering the rouge traffic fall to the ISP or the IoT device makers to prevent it from happening in the first place?

Leave a Reply