Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://www.sans.org/reading-room/whitepapers/protocols/complete-guide-

Slides:



Advertisements
Similar presentations
Security Assessment of Neighbor Discovery for IPv6
Advertisements

10: ICMPv6 Neighbor Discovery
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
ZyXEL Confidential Address Autoconfiguration Feng Zou SW2 ZyXEL Communications Corp. 04/11/2006.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.
Computer Networks21-1 Chapter 21. Network Layer: Address Mapping, Error Reporting, and Multicasting 21.1 Address Mapping 21.2 ICMP 21.3 IGMP 21.4 ICMPv6.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
資 管 Lee Lesson 12 IPv6 Mobility. 資 管 Lee Lesson Objectives Components of IPv6 mobility IPv6 mobility messages and options IPv6 mobility data structures.
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
IPv6 Transition : Why a new security mechanisms model is necessary?
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ITIS 6167/8167: Network and Information Security Weichao Wang.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
COEN 252: Computer Forensics Router Investigation.
1 CMPT 471 Networking II ICMPv6 © Janice Regan, 2012.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Lesson 6 Neighbor Discovery.
Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 1.
CMPT 471 Networking II Address Resolution IPv6 Neighbor Discovery 1© Janice Regan, 2012.
بسم الله الرحمن الرحیم. Why ip V6 ip V4 Addressing Ip v4 :: 32-bits :: :: written in dotted decimal :: :: ::
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College
1 CMPT 471 Networking II ICMP © Janice Regan, 2012.
– Chapter 4 – Secure Routing
Summary of Certification Process (part 1). IPv6 Client IPv6 packets inside IPv4 packets.
7 IPv6: transition and security challenges Selected Topics in Information Security – Bazara Barry.
Being an Intermediary for Another Attack Prepared By : Muhammad Majali Supervised By : Dr. Lo’ai Tawalbeh New York Institute of Technology (winter 2007)
1 Version 3.1 modified by Brierley Module 8 TCP/IP Suite Error and Control Messages.
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 8 TCP/IP Suite Error and Control Messages.
CCNA 2 Week 8 TCP/IP Suite Error Control Messages.
Introduction to InfoSec – Recitation 11 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
IPv6 Routing Milo Liu SW2 R&D ZyXEL Communications, Inc.
1 Objectives Identify the basic components of a network Describe the features of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)
Ch 6: IPv6 Deployment Last modified Topics 6.3 Transition Mechanisms 6.4 Dual Stack IPv4/IPv6 Environments 6.5 Tunneling.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date:
An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring Presented by: Dedicated Instructor: Hiteshkumar Thakker.
1 Requirements for Internet Routers (Gateways) and Hosts Relates to Lab 3. (Supplement) Covers the compliance requirements of Internet routers and hosts.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public BSCI Module 8 Lesson 3 1 BSCI Module 8 Lesson 3 Implementing Dynamic IPv6 Addresses.
ICMPv6 Error Message Types Informational Message Types.
Neighbor Discovery. IPv6 Terminology Additional subnets Router Host Neighbors Host Intra-subnet router Switch LAN segment Link Subnet Network.
DoS/DDoS attack and defense
1 Objectives Identify the basic components of a network Describe the features of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)
IPv6 (Internet Protocol V. 6)
Lecture 21: Network Primer 7/9/2003 CSCE 590 Summer 2003.
BAI513 - Protocols IP Version 6 Operation BAIST – Network Management.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
CHAPTER 10: DHCP Routing & Switching. Objectives 10.0 Introduction 10.1 Dynamic Host Configuration Protocol v Dynamic Host Configuration Protocol.
Network Layer IP Address.
Presentation on ip spoofing BY
03 Jun 2011There's no place like ::1 Introduction to IPv6 Protocol part 2 George Kargiotakis oss-unipi: Event #27.
Introduction to Information Security
How to pass Cisco Exam in first attempt?
IPv6 101 pre-GDB - IPv6 workshop 7th of June 2016 edoardo
CIS 116 IPv6 Fundamentals 2 – Primer Rick Graziani Cabrillo College
Error and Control Messages in the Internet Protocol
Byungchul Park ICMP & ICMPv DPNM Lab. Byungchul Park
Internet Protocol, Version 6 (IPv6)
Presentation transcript:

Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http:// ipv6-attack-defense-33904

 Man in the middle with spoofed ICMPv6 neighbor advertisement.  Man in the middle with spoofed ICMPv6 router advertisement.  Man in the middle using ICMPv6 redirect or ICMPv6 too big to implant route.  Man in the middle to attack mobile IPv6 but requires ipsec to be disabled.  Man in the middle with rogue DHCPv6 Man in the Middle

 ICMPv6 neighbor discovery requires two types of ICMPv6.  They are ICMPv6 neighbor solicitation (ICMPv6 Type 135) and ICMPv6 neighbor advertisement (ICMPv6 type 136). Man in the middle with spoofed ICMPv6 neighbor advertisement (1)

 Node A finds out the MAC address of Node B by sending ICMPv6 neighbor solicitation packet to multicast address for all nodes (FF02::1).  Every node on the network, including Node B, receives this ICMPv6 neighbor solicitation.  Node B receives the ICMPv6 neighbor solicitation packet and responds with ICMPv6 neighbor advertisement to Node A with solicited (S) flag enabled.  Node A receives the advertisement and knows that IPv6 of Node B is on Node B MAC address.  The address is successfully looked up, both Nodes can perform communication and data transfer Man in the middle with spoofed ICMPv6 neighbor advertisement (2)

 Attacker utilizes his computer with THC parasite6 and allows IPv6 forwarding.  Node A tries to find out the MAC address of Node B by sending ICMPv6 neighbor solicitation packet to multicast address forall nodes (FF02::1) Man in the middle with spoofed ICMPv6 neighbor advertisement (3)

 Every node on the network, including Node B and Attacker, receives this ICMPv6 neighbor solicitation.  Node B receives the ICMPv6 neighbor solicitation packet and responds with ICMPv6 neighbor advertisement to the Node A with solicited (S) flag enabled.  Attacker receives the ICMPv6 neighbor solicitation packet and responds with ICMPv6 neighbor advertisement to Node A with solicited (S) and override (O) flag enabled. Man in the middle with spoofed ICMPv6 neighbor advertisement (4)

 Node A receives the advertisement from Node B and Attacker, but because Attacker enables override (O) flags, it overwrites and exists neighbor cache entry of Node A.  Node A is deceived so it knows is that IPv6 of Node B is on the Attacker MAC address.  Both Node A and Node B can perform communication and data transfer, but all traffics from Node A to Node B goes through the Attack Man in the middle with spoofed ICMPv6 neighbor advertisement (5)

Man in the middle with spoofed ICMPv6 neighbor advertisement (6)

 The computer on the network sends the ICMPv6 router solicitation (ICMPv6 type 133) in order to prompt routers to generate the router advertisement quickly.  The router responds with ICMPv6 router advertisement (ICMPv6 type 133) which contains network prefix, options, lifetime, and autoconfig flag. MITM With Spoofed ICMPv6 Router Advertisement (1)

 Node A requests for router advertisement by sending ICMPv6 router solicitation packet to multicast address forall routers (FF02::2).  Every router on the network receives this ICMPv6 router.  ROUTER receives the ICMPv6 neighbor solicitation packet and responds with ICMPv6 neighbor advertisement destined to the FF02::1, so all nodes on the network receive it.  Node A receives ICMPv6 advertisement from ROUTER which contains network prefix, options, lifetime, and autoconfig flag.  Node A configures its routing table based on the router advertisement and implant default gateway MITM With Spoofed ICMPv6 Router Advertisement (2)

 The problem is that anyone can claim to be the router and can send the periodic router advertisement to the network.  As a result, anyone can be the default gateway on the network MITM With Spoofed ICMPv6 Router Advertisement (3)

 Attacker utilizes his computer with THC fake_router6, allowing IPv6 forwarding, and configuring default route to the ROUTER.  ROUTER sends the periodic ICMPv6 router advertisement to the network, so that every computer on the network can configure their routing tables.  Attacker sends the ICMPv6 router advertisement and announces himself as the router on the network with the highest priority (Hauser, 2011).  Computers on the network configure the default gateway on their routing table to the Attacker MITM With Spoofed ICMPv6 Router Advertisement (4)

MITM With Spoofed ICMPv6 Router Advertisement (5)

 You can monitor the neighbor cache entry and create early alert mechanism when the suspicious change of cache occurs.  You can use Secure Neighbor Discovery (SEND) in order to prevent Man in the Middle attack, but it potentially increases your device load because of the encryption required.  It is recommended to a layer two devices such as switch, with router advertisement guard (RA guard) in order to block malicious incoming RA (IETF, 2011). Techniques to reduce risk of MITM (1)

 IPSEC on mobile IPv6, which is mandatory by default, prevents Man in the Middle from targeting mobile device.  In addition, the create mechanism to give early alert about rogue DHCPv6 server detection.  Multiple DHCPv6 servers may help to reduce the impact of Man in the Middle. Techniques to reduce risk of MITM (2)

 It is also recommended to create a permanent entry for the default gateway address on the neighbor cache.  Network segmentation such as subnet or VLAN may be used to reduce the risk of Man in the Middle attack.  Switch port security and IEEE 802.1x also work in an IPv6 network (Purser, 2010). Techniques to reduce risk of MITM (3)

 Traffic flooding with ICMPv6 router advertisement, neighbor advertisement, neighbor solicitation, multicast listener discovery, or smurf attack.  Denial of Service which prevents new IPv6 on the network.  Denial of Service which is related to fragmentation.  Traffic flooding with ICMPv6 neighbor solicitation and a lot of crypto stuff to make CPU target busy Denial of Services

 Smurfing is an attack that aims to flood the target with network traffic so that it cannot be accessed.  This method is categorized as traffic a amplification attack because this method enables attacker with few resources to produce enormous volume of traffic.  On the IPv4 network, the smurf attack can be performed by sending spoofed ICMP echo requests to the broadcast address.  The source address of the request is the target of the attack.  IPv6 does not have a broadcast address, but it has a multicast address to reach all nodes in the network. Smurf attack (1)

 The small bandwidth usage on the attacker side is multiplied by the number of computers connected to the network on the victim side.  The attacker utilizes his computer with THC smurf6 or THC rsmurf6.  These tools can be used to send the ICMPv6 echo requests to all nodes multicast address (FF02::1) with the spoofed source from the attack target.  In the local network, THC smurf6 attack does not only floods the network but it also increases the CPU utilization. Smurf attack (2)

 Duplicate address detection (DAD) is the mechanism of IPv6 stateless autoconfiguration to detect whether an IPv6 address exists on the network.  This mechanism uses ICMPv6 neighbor solicitation which sends to all nodes multicast address.  If the IPv6 address does not exist on the network, no response will be sent back to the solicitation source. Duplicate Address Detection (1)

 The computer which wants to join the network asks about C existence using ICMPv6 neighbor solicitation.  Because there is no response to the solicitation, this computer concludes that none uses C as their IPv6 address and it uses C as its own IPv6 address. Duplicate Address Detection (2)

 Attacker utilizes his computer with THC dos-new-ipv6.  New computer wants to join the network and asks whether IPv6 C exists.  Attacker replies and claims that he is C Duplicate Address Detection (3)

 New computer, then, asks whether IPv6 D exists.  Attacker replies and claims that he is D.  Every time the new computer asks about IPv6 existence, the attacker replies and claims that he is that IPv6.  The new computer cannot join the network since it does not have IPv6 address. Duplicate Address Detection (4)

Duplicate Address Detection (5)

 Configure the firewall to limit the volume of packets, so that the risk of flooding can be minimized.  Configure the border router to not allow IPv6 source routing and routing header type 0.  Configuring the system not to reply to ICMPv6 request destined to FF02::1 multicast address in order to prevent being part of smurf attack. Reduce risk of DoS (1)

 The intrusion detection system must be configured to monitor traffic anomaly and to generate an alert when an anomaly is detected.  Although DHCPv6 may be flooded, it is also recommended to use multiple DHCPv6 servers as an alternative for IPv6 stateless auto-configuration in order to mitigate Denial of Service caused by Duplicate Address Detection. Reduce risk of DoS (2)

 IPv6 fragmentation attack may be used to bypass the intrusion detection system since the fragmentation process is performed by source and destination device.  In order to help IPv4 to IPv6 mechanism, there are some known tunnelling techniques which are vulnerable to Denial of Service attack.  As an example is routing loop attack using IPv6 automatic tunnelling (Network Working Group, 2010). Other Attacks

 Computer which uses teredo tunnelling in IPv4 network may be used to bypass firewall and IDS as network perimeter defense.  ICMP attacks against TCP do still work, for example, to use ICMPv6 error messages to tear down BGP session. Other Attacks (2)

 Local multicasts will ensure that one compromised host can find all other hosts in a subnet  Techniques to a single host remain the same (port scan, attacking active ports, exploitation, etc.)  Remote alive scans (ping scans) on networks will become impossible Reconnaissance (1)

 alive6-local – for local/remote unicast targets, and local multicast addresses  Sends three different type of packets:  ICMP6 Echo Request  IP6 packet with unknown header  IP6 packet with unknown hop-by-hop option  IP6 fragment (first fragment) Reconnaissance (2)

 alive6-remote – remote multicast addresses  Same as above but sends all packets in two fragments and a routing header for a router in the target network  Will only work if the target router allows routing header entries to multicast addresses – requires bad implementation! Reconnaissance (3)

 If a system is choosing a wrong router for a packet, the router tells this to the sender with an ICMP6 Redirect packet.  To prevent evil systems implanting bad routes, the router has to send the offending packet with the redirect.  If we are able to guess the full packet the system is sending to a target for which we want to re-route, we can implement any route we want! But how?  Easy – if we fake an Echo Request, we know exactly the reply! Route Implanting with ICMP6 Redirects (1)

Route Implanting with ICMP6 Redirects (2)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.