LLDP WAN Advertisement - Security/Privacy Consequences?

Author Message
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

PostPosted: Fri May 07, 2021 18:16    Post subject: LLDP WAN Advertisement - Security/Privacy Consequences? Reply with quote
UniFi Dream Machine does not have SSH CLI flexibility that Ubiquiti Edge/USG Routers and DD-WRT/OpenWRT routers have. Many SSH commands do not work in UDM CLI, but some commands do work and survive reboot with https://github.com/boostchicken/udm-utilities .

I can't stop LLDP advertising over WAN every 30 seconds. UDM does that on every port. Ubiquiti does not consider it a bug and does not offer an option to disable LLDP in UDM controller. Ubiquiti Community forums don't have an answer to this issue, but maybe someone here does.

LLDP is a Layer-2 protocol. It has a source MAC address and a destination multicast MAC address. The LLDP frame EtherType is 0x88cc. IPTables rules to drop INPUT and FORWARD packets for those MAC addresses do not stop LLDP advertisement.

EBTables below also have no effect:
Quote:
ebtables -A INPUT -p 0x88cc -j DROP
ebtables -A INPUT -s <LLDP Source MAC> -j DROP
ebtables -A INPUT -d <LLDP Source MAC> -j DROP
ebtables -A INPUT -s <LLDP Destination MAC> -j DROP
ebtables -A INPUT -d <LLDP Destination MAC> -j DROP
ebtables -A FORWARD -p 0x88cc -j DROP
ebtables -A FORWARD -s <LLDP Source MAC> -j DROP
ebtables -A FORWARD -d <LLDP Source MAC> -j DROP
ebtables -A FORWARD -s <LLDP Destination MAC> -j DROP
ebtables -A FORWARD -d <LLDP Destination MAC> -j DROP
ebtables -A OUTPUT -p 0x88cc -j DROP
ebtables -A OUTPUT -s <LLDP Source MAC> -j DROP
ebtables -A OUTPUT -d <LLDP Source MAC> -j DROP
ebtables -A OUTPUT -s <LLDP Destination MAC> -j DROP
ebtables -A OUTPUT -d <LLDP Destination MAC> -j DROP



LLDP packets from PCAP capture contain my router WAN port's real MAC address, but I always clone my WAN IP MAC address.

Anyone over WAN can see LLDP packets with one MAC address and WAN TCP/UDP + ARP packets with cloned MAC address, but can they figure out that both packet types belong to the same source? If not, then wouldn't such LLDP packets obfuscate data and confuse a possible bad actor/attacker and/or ISP?
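As an added example (not from this thread or from Ubiquiti), a small Python parser that reads one LLDP frame the way a PCAP capture shows it and lists the MAC addresses it exposes, so the real WAN MAC can be compared with the cloned one. The frame builder, the system name and every MAC value below are constructed test data.

```python
import struct

LLDP_ETHERTYPE = 0x88CC                         # EtherType named in the post
LLDP_MULTICAST = bytes.fromhex("0180c200000e")  # nearest-bridge LLDP destination MAC

def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def parse_lldp_tlvs(payload):
    """Split the LLDPDU into (type, value) pairs; TLV header = 7-bit type, 9-bit length."""
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, off)
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        if ttype == 0:          # End of LLDPDU
            break
        tlvs.append((ttype, payload[off:off + tlen]))
        off += tlen
    return tlvs

def lldp_identifiers(frame):
    """Identifiers anyone on the link can read from one LLDP frame; None if not LLDP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        return None
    ids = {"src_mac": mac_str(frame[6:12]), "chassis_mac": None,
           "port_mac": None, "sysname": None}
    for ttype, val in parse_lldp_tlvs(frame[14:]):
        if ttype == 1 and len(val) == 7 and val[0] == 4:    # Chassis ID, subtype 4 = MAC
            ids["chassis_mac"] = mac_str(val[1:])
        elif ttype == 2 and len(val) == 7 and val[0] == 3:  # Port ID, subtype 3 = MAC
            ids["port_mac"] = mac_str(val[1:])
        elif ttype == 5:                                     # System Name
            ids["sysname"] = val.decode(errors="replace")
    return ids

def exposed_macs(frame, cloned_wan_mac):
    """MACs the frame reveals that differ from the cloned WAN MAC (empty = nothing extra leaks)."""
    ids = lldp_identifiers(frame)
    if ids is None:
        return []
    macs = {ids["src_mac"], ids["chassis_mac"], ids["port_mac"]} - {None}
    return sorted(m for m in macs if m != cloned_wan_mac.lower())

def build_lldp_frame(src_mac, chassis_mac, port_mac, sysname, ttl=120):  # constructed sample frame
    def tlv(t, body): return struct.pack("!H", (t << 9) | len(body)) + body
    pdu = (tlv(1, b"\x04" + chassis_mac) + tlv(2, b"\x03" + port_mac)
           + tlv(3, struct.pack("!H", ttl)) + tlv(5, sysname) + tlv(0, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + pdu
```

Running `exposed_macs` over frames pulled from a capture with a cloned WAN MAC shows whether the Chassis ID or Port ID TLVs still carry the hardware MAC, which is what lets an observer tie the LLDP frames to the cloned-MAC traffic.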
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 554

PostPosted: Mon May 10, 2021 4:07    Post subject: Reply with quote
First of all, LLDP is not routable on the Internet, so unless the remote attacker is your ISP you don't have to worry about it.

Secondly, you can easily drop an Ethernet switch in between the Dream Machine and your ISP. If you want to screw with your ISP then put a Cisco Catalyst there and turn on CDP on it; then your ISP will think you have a Cisco firewall instead of a Ubiquiti firewall....LOL