
Is there a way to check for GRE Tunnels? I've heard spammers will use GRE tunnels to send mail from a central machine out of another and would like to check for possible GRE tunnels.

Tiffany Walker

1 Answer


First, let me point out that you seem to be barking up the wrong tree.

Saying "I've heard spammers will use GRE tunnels to send mail from a central machine out of another" is like saying "I've heard spammers will use TCP to send mail from a central machine out of another": Both statements are 100% true. Both conditions are also unavoidable unless you intend to rip out all network connectivity in the environment.

In other words: If GRE tunnels are really a security issue and you have no legitimate use for them in your environment you should block all GRE traffic at your firewall and be done with it.
The same can be said for any other protocol or service: If you're not using it, don't allow it to exist -- it's just another security hole.


Second, in order to establish a GRE tunnel you need two machines to be participating in it -- the client and the endpoint.

  • If your system is the client that means the spammers already have access to your machine (so you're kinda already in a bad spot because you're giving accounts to spammers, or they've broken in).
  • If your system is the endpoint that means the spammers have access and are able to configure it to accept and terminate incoming tunnels (which likely means they have root, and you're definitely in a bad spot).

If you're still reading that means that (a) you need to allow GRE traffic (for some reason), and (b) you are reasonably sure that your system is not compromised such that it would be a source or destination for spammer traffic.

Honestly in this case I wouldn't bother worrying about tunnel traffic any further.
If you ARE still concerned though, there are three steps you should be taking:

  1. Ensure that your firewall only allows GRE (or any other tunneling protocol) traffic to and from specific, authorized addresses or blocks.
  2. Ensure that tunnels must be established with good, strong authentication.
  3. Optionally audit your network traffic by looking for traffic with a tunneling protocol (GRE, ESP, etc.) and if you see something unexpected raise an alarm about it.
voretaq7
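The third step in the answer above (audit traffic for tunnelling protocols and alarm on anything unexpected) combined with the first (only authorized peers may carry tunnel traffic) is the part you can actually script. The following is an added example, not code from the answer's author: it parses raw IPv4 packets, flags those whose IP protocol number is a tunnelling protocol (GRE is 47, ESP is 50, AH is 51), checks the remote peer against an allow-list, and for GRE additionally peels the encapsulation to see what is inside, which is how you would spot the scenario in the question (SMTP to port 25 riding in a GRE tunnel to a host you never authorized). The allow-list, the local network, and all sample packets are constructed for the example using RFC 5737 documentation addresses; the packets carry no checksums because nothing here sends them on the wire.

```python
import ipaddress
import struct

# IANA IPv4 protocol numbers for the tunnelling protocols we audit for.
TUNNEL_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH", 4: "IP-in-IP", 41: "IPv6-in-IPv4"}

# Constructed for this example: the only peers authorized to terminate tunnels,
# and the address block this host considers "local" when deciding who the peer is.
AUTHORIZED_TUNNEL_PEERS = [ipaddress.ip_network("203.0.113.0/24"),
                           ipaddress.ip_network("198.51.100.7/32")]
LOCAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")


def parse_ipv4_header(packet: bytes):
    """Return (proto, src, dst, payload) from a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return proto, src, dst, packet[ihl:]


def parse_gre(payload: bytes):
    """Parse a GRE header (RFC 2784 / RFC 2890). Returns (ethertype, inner) or None."""
    if len(payload) < 4:
        return None
    flags = payload[0]
    ethertype = struct.unpack("!H", payload[2:4])[0]
    offset = 4
    if flags & 0x80:   # C: checksum + reserved1 present
        offset += 4
    if flags & 0x20:   # K: key present
        offset += 4
    if flags & 0x10:   # S: sequence number present
        offset += 4
    if len(payload) < offset:
        return None
    return ethertype, payload[offset:]


def audit_packet(packet: bytes):
    """Describe a tunnel packet as a dict (with 'authorized' verdict), or None if not a tunnel."""
    parsed = parse_ipv4_header(packet)
    if parsed is None:
        return None
    proto, src, dst, payload = parsed
    if proto not in TUNNEL_PROTOCOLS:
        return None
    peer = dst if src in LOCAL_NETWORK else src
    finding = {"tunnel": TUNNEL_PROTOCOLS[proto], "src": str(src), "dst": str(dst),
               "authorized": any(peer in net for net in AUTHORIZED_TUNNEL_PEERS), "inner": None}
    if proto == 47:                        # GRE is cleartext, so look at what it carries
        gre = parse_gre(payload)
        if gre and gre[0] == 0x0800:       # inner packet is IPv4
            inner = parse_ipv4_header(gre[1])
            if inner:
                iproto, isrc, idst, ipayload = inner
                finding["inner"] = {"proto": iproto, "src": str(isrc), "dst": str(idst)}
                if iproto == 6 and len(ipayload) >= 4:   # TCP: record destination port
                    finding["inner"]["dport"] = struct.unpack("!H", ipayload[2:4])[0]
    return finding


def audit(packets):
    """Return the findings that should raise an alarm: tunnels to/from unauthorized peers."""
    return [f for f in map(audit_packet, packets) if f is not None and not f["authorized"]]


# --- constructed sample traffic (no checksums; illustration only) ---
def build_ipv4(src, dst, proto, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload

TCP_TO_SMTP = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 0x50, 0x02, 65535, 0, 0)
GRE_PLAIN = struct.pack("!BBH", 0x00, 0x00, 0x0800)               # no optional fields
GRE_KEYED = struct.pack("!BBHI", 0x20, 0x00, 0x0800, 0xDEADBEEF)  # K flag set, 4-byte key

SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "198.51.100.200", 6, TCP_TO_SMTP),                       # plain SMTP
    build_ipv4("192.0.2.10", "203.0.113.5", 47, GRE_PLAIN + b"\x45" + b"\x00" * 19),   # GRE, authorized
    build_ipv4("192.0.2.10", "198.51.100.200", 47,                                    # GRE, rogue,
               GRE_KEYED + build_ipv4("10.0.0.5", "198.51.100.200", 6, TCP_TO_SMTP)), # SMTP inside
    build_ipv4("198.51.100.99", "192.0.2.10", 50, b"\x00" * 16),                      # ESP, unknown peer
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PACKETS):
        print("ALERT:", f)
```

On a real host you would feed `audit_packet` the raw IP frames from a capture (a pcap reader or an `AF_PACKET` socket) rather than the constructed list; the parser only needs the IPv4 header onward. ESP and AH cannot be peeled the way GRE can because their payload is encrypted or authenticated, so for those the peer allow-list is the whole check, which is exactly why the answer's first two steps (firewall to known peers, authenticate the tunnel) matter more than any after-the-fact audit.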