Generic Routing Encapsulation (GRE) Tunnel Defined

What is a GRE tunnel? Let's begin with a technical definition. Generic routing encapsulation (or GRE) is a communication protocol. You can use it to share data directly through network nodes, rather than over the public network. That communication happens through a GRE tunnel.

You might use a GRE tunnel to communicate with a device (like a router) that is incompatible with your computer. Or you might use a GRE tunnel to ensure that a message gets to a recipient despite any protocol challenges you think might exist, even if you're not sure. 

But hackers can also use GRE tunnels in sophisticated attacks that take down critical systems for days. If you choose to either use or accept tunnels, you should understand the risks.

GRE explained 

To break down what a GRE tunnel is and how it works, we'll need to define a few critical terms. 

Any GRE protocol involves:

• Nodes: A device that can accept or send information (like computers, routers, printers, and switches) is a node. 
• Packets: Information sent from one device to another is split into packets. 
• Headers: Each packet contains a header with information about the sender, the recipient, and the order of the message. 
• Payload: The payload includes important contents of the message. 

During GRE, a data packet essentially gets wrapped up inside a new packet. The payload never changes, but the process adds two headers.

• Identification: This header notifies recipients that they're dealing with a GRE packet. 
• Directions: The second header includes source and recipient information.

With encapsulation complete, GRE tunneling can begin. Think of this as a form of direct, protected communication between two nodes. Even if the packet must zoom past other nodes, it's never inspected or held up along the way. It moves swiftly to the target. 

GRE tunnel setup explained 

In most cases, you'll set up a GRE tunnel by tapping into your router setup. But you'll need two pieces of information to get started. 

GRE tunnels rely on:

• Your IP address. This isn't the same as a human-friendly web address (like www.okta.com). An IP address is made up of numbers and decimals. 
• Your recipient's IP address. You'll need that same data for the node you want to connect to. 

GRE standards were set up by the Network Working Group back in 2000. Developers can look over this very technical document and understand just how to set up new headers and configure messages to move through without disruption. 

GRE protocols at work: an example 

Many of us deal with incompatible devices. For example, Google Nest users dealing with low batteries or power issues may be dealing with an incompatibility issue. Typically, solving that means buying new equipment. But what if there was another way?

If you know the IP address of your target server, you could reconfigure your router and send your messages along, even if you never buy one new thing to smooth the process. 

In essence, you'll trick your incompatible devices into believing that they can get along nicely and communicate like old friends. You'll wrap your messages in the proper code and experience no delays. 

Let’s give a simplistic example to describe how this works. You have a package tied to the back of your bicycle that you need to get to the post office across the river. Unfortunately, no bridge exists, and your bike can't ride across the water. But you can put your bike on a ferry. Doing so doesn't mean changing your package or your bike. You just wrap your package in another system for the journey.

GRE protocols in computing work much the same way (with a lot more coding, of course). 

GRE and other network systems 

Packet rules are plentiful and widespread. Sometimes, implementing a GRE tunnel means running afoul of some of these protocols. 

For example, a maximum transmission unit (MTU) is set at the device level, and it dictates how big a packet can be. A maximum segment size (MSS) measures payload size. 

Move through the GRE encapsulation process, and you won't change the size of your payload. But you will add two headers, and that could mean you violate MTU rules. Your clean, repackaged packets could be blown apart before they're delivered. 

GRE encapsulation attacks: definition and defense 

The GRE protocol allows one device to talk to another, bypassing open filtering systems. Hackers love setups like this. With a little bit of tinkering, they can set up distributed denial of service (DDoS) attacks that crash your servers and take you offline. 

In 2016, for example, hackers used GRE to attack the website for the Rio Olympics. They hoped to crash the server, blocking people from watching the games on their devices. Brazil and the International Olympics Committee (IOC) were able to keep the systems up and running, even though traffic from hackers reached 540 Gb per second at the height of the attack. 

Masking techniques aren't available for GRE tunnels. Hackers must disclose their originating IP addresses. Any security technician, seeing so much traffic coming from one source, would simply block that address from sending anything more. 

Hackers get around this problem by deploying botnets. Hundreds of thousands of infected devices, typically connected via a purchase made on the internet, point their packets at a target. An attack like this is massive, and it's very difficult to stop. 

Your defense approaches for a DDoS attack stemming from GRE are the same as those you'd use for any other botnet attack. In essence, your job is to either scale up your capacity to handle the additional traffic or scale back your access to reduce the packets that can come your direction.

We've written a playbook for developers filled with ideas about how to combat DDoS attacks. If you're looking for help, start here.

References

Generic Routing Encapsulation. (March 2000). Network Working Group. 

WiFi Routers That Are Incompatible With Nest Products. Google Nest Help. 

How a Massive 540 Gb/Sec DDoS Attack Failed to Spoil the Rio Olympics. (September 2016). The State of Security.