sanju216-5167 asked, CandyLuo-MSFT edited

WFP: Original Destination IP from a proxied packet at TRANSPORT layer

I have come across a similar question here:

https://social.msdn.microsoft.com/Forums/en-US/5356cfd8-fecd-44b4-89ca-9c0675d9ac3a/how-to-get-original-destination-address-from-proxied-packet?forum=wfp

Question 1:

I would like to figure out if a connection is being redirected/proxied and, if so, what the original destination IP is. I want to do it in a proxy-protocol-independent way. (For example, in a SOCKS5 proxy the destination IP is sent in one of the SOCKS5 handshake messages; in an HTTP proxy, the destination IP/URL is embedded in the HTTP request header, which SOCKS5 or HTTP proxy servers use to relay the packet. So I want to figure out the destination IP independent of the proxy protocol in use.)

Referring to the post above, if the proxying is happening using re-injection at FWPM_LAYER_{INBOUND | OUTBOUND}_TRANSPORT_V{4 | 6}, how do I track such a packet? Essentially I would want to make a note of the original packet and its destination IP, and if this IP is then modified by someone else's callout and reinjected, I want to identify that it is the same old packet with a new destination IP.

If I attach a flow context to help me identify this, my guess is the context would get wiped out during cloning and reinjection. My idea is to first check the injection state with FwpsQueryPacketInjectionState0 for FWPS_PACKET_INJECTED_BY_OTHER, and somehow identify that it's a previous packet I have seen before with a different destination IP.

One dumb brute-force way would be to hash packets and compare, but that just seems very impractical from an implementation and performance point of view.

Is there a cleaner way to do something like this with minimum performance impact?

Question 2:

This might be a dumb question, but what's the idea behind the clone-modify-inject model? One reason could be for all the layers to have a relook at the packet. But if I only modify the remote IP of an outbound packet at the TRANSPORT/NETWORK layer and permit it to be passed down the stack, technically it should work, or will it be discarded?

Thank you.

not-supported

1 Answer

CandyLuo-MSFT answered

Hi,

Windows Filtering Platform (WFP) is currently not supported in the Q&A forums; the supported products are listed here: https://docs.microsoft.com/en-us/answers/products.

Since the original WFP forum has been closed, I would suggest you contact Microsoft Customer Support and Services to consult whether there are corresponding engineers who can provide technical support.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,

Candy
