Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denial of Service attack in IPv6 networks and Counter measurements

Published byKevin Fisher Modified over 6 years ago

Similar presentations

Presentation on theme: "Denial of Service attack in IPv6 networks and Counter measurements"— Presentation transcript:

1 Denial of Service attack in IPv6 networks and Counter measurements
Master Thesis 15HP

2 HIGHLIGHTS 1.Introduction 2.Problem Statement 3.Related Work 4.Methodology and Experiments 5.Existing solutions 6.Results 7.Conclutions 8.Future Work

3 Introduction IPv6 packet Fragmentation:
Source node of an IPv6 networks is performing payload fragmentation according to the minimum MTU size of the path to the destination. The size of each packet should not exceed the minimum MTU of the path. Fragment header: Source : RFC 2460

4 Problem Statement IPv6 packet Extension:
An IPv6 packet may carry zero, one, or more extension headers Extension headers are not examined or processed by any node along a packet’s delivery path, until the packet reaches the node except for the Hop-By-Hop option. If, as a result of processing a header, a node is required to proceed to the next header but the Next Header value in the current header is unrecognized by the node, it should discard the packet IPv6 nodes must accept and attempt to process extension headers in any order and occurring any number of times in the same packet, except for the Hop-by-Hop Options header which is restricted to appear immediately after an IPv6 header only. Each extension header should occur at most once, except for the Destination Options header which should occur at most twice. Source : RFC 2460

5 Problem Statement Hop-by-Hop Options: Routing Header:
Just Hop-By-Hop option and Destination Option can carry options with Type Length Value(TLV). 8-bit unsigned integer for the length of the options in 8-octet units. Variable-length field, of length such that the complete Hop- by-Hop Options header is an integer multiple of 8 octets long. Contains one or more TLV-encoded options. Routing Header: The same format as Hop-By-Hop options Source : RFC 2460

6 Problem Statement Research Questions:
What kind of impact could DoS attacks imply on an IPv6 network? How differently some network devices respond to this type of attack either locally or remotely in respect to the CPU utilization and the bandwidth usage? How to protect IPv6 networks from DoS? Prioritized targets : Remote area (Somewhere in the Internet with different AS)

7 Related Works 1. IPv6 Security Analysis
A technical report done by Jose Gonzalo Bejar in the year at Syracuse University. IPv6 Security Analysis report focused on an exploring MITM, DoS and reconnaissance attacks in solely IPv6 based networks. Limitation: Most of the attacks described in this report are only valid locally. Their method to launch DoS was only based on router advertisement messages, invalid gateway and ICMPv6 redirects.

8 Related Works Handling of Overlapping IPv6 Fragments
Published by Internet Engineering Task Force (IETF) and is written by Suresh Krishnan Fragmentation process overlapping allowance is the IPv6 protocol and their security issues Algorithm specified in the IPv6 protocol for fragmentation could cause security issues with the firewalls Fail to work properly on IPv6 protocol for TCP packets A TCP packet with SYN=1 and ACK=1 is sent to the target behind the firewall Firewall assumes this packet as respond to an already requested packet from the target by allowing Attacker can use the same fragmentation ID for the rest of his malicious traffic

9 Methodology and Experiments Tools:
Wireshark The Hacker Choice (THC), Open source Denial6: 1. Great size Hop-by-Hop header with router-alert 2. Great size destination option by unknown options 3. Hop-by-Hop header-router alert-180 times repeated headers 4. Hop-by-Hop header-router alert option-duplicated destination option 5. IPv6 Packets with AH header and ICMP protocol 6. First fragment packet-ICMP protocol-Hop-by-Hop header and router alert 7. Great size Hop-by-Hop header filled with unknown options without router alert

10 Methodology and Experiments
fragmentation6: Seleceted 6 out of 36 combinations which were the most effective ones on the remote Routers. 11. Flooding the target node with only one fragment packet with ping request 137 fragmentation headers in a complete fragment packet and ping request as the data payload 12. Flooding the target node with only one fragment packet 175 fragmentation headers in a complete fragment packet and ping request as the data payload 35. Flooding the target node each time with 4 fragment packets Two levels multi fragmentation: 1st fragment packet with 192 Bytes data 2nd fragment packets with 200 Bytes data, different ID and reset M flag 3rd fragment packet with offset of 50 and 200 Bytes data with M flag set 4th fragment packet with offset of 75 and 608 bytes data with M flag set

11 Methodology and Experiments
fragmentation6: 36. Flooding the target node each time with 4 fragment packets Three levels multi fragmentation: 1st fragment packet with 192 Bytes data, three fragment headers with ICMPv6 header 2nd fragment packet with 200 Bytes data, different ID and reset M flag 3rd fragment packet with offset of 50 and 200 Bytes data and reset M flag 4th fragment packet with offset of 75 and 608 bytes data and reset M flag 26. : Flooding the target node with just one fragment packet One fragment packet with “1” Byte of TCP data 25. Flooding the target node with just one fragment packet One fragment packet with 0 byte TCP data

12 Test Bed PC 1: a DELL pc ,Ubuntu
PC 2: a DELL pc , Windows 7 Enterprise PC 3: HP laptop , Linux LTS PC 4: a DELL pc , Windows 7 ISP1: Cisco 2800 series, IOS Software, 2800, Version 12.4 ISP2: Cisco 2900 series, IOS Software, 2900, Version 15.2(4)

13 Existing Solutions Proposed by some papers: Implemetation of IPSEC to stop IPv6 spoofing IPSEC itself can cause DoS due to the heavy processing overload Therefore: NONE, that we could find !

14 Results Denial6: on remote target PC3
Limitation: We were unable to generate identical traffic speed by the attacker for these 7 test cases.

15 Results Denail6: Proposed solution: To STOP the malicious traffic

16 Denail6: Proposed solution: To STOP the malicious traffic with explicit ACL Maximum speed 100Mbps Generated by the attacker (1/10 of the ISP2 router’s Interface Bandwidth)

17 Results Fragmentation6: Fragmentation attack on the local area
Areas of tests: Fragmentation attack on the local area 2. Fragmentation on a remote router with two different traffic speeds 3.Proposed solution: Fragmentation on a Router as a firewall

18 Results Fragmentation6: On the local Area 2001::2

19 Results Fragmentation6: On the Remote Router
Maximum speed 100Mbps, sorted based on lower impact on the local Router

20 Results Fragmentation6: On the Remote Router
Maximum speed 100Mbps VS 10Mbps(1/10 Bandwidth) sorted based on higher to lower impact on the remote Router

21 Results Fragmentation6:
Proposed solution: To STOP the malicious traffic

22 Results Fragmentation6: On the Remote Router with ACL on ISP2
Maximum speed 100 Mbps (1/10 on the ISP2 interface’s Bandwidth)

23 Results Fragmentation6: On the Remote Router with ACL on ISP2
Maximum speed 100 Mbps (1/10 on the ISP2 interface’s Bandwidth) Limitation: We were unable to generate identical traffic speed by the attacker for these 36 test cases.

24 Conclusions Type of DoS attacks experimented in this paper includes
IPv6 Extension header mechanism Authentication Header Hop-by-Hop option with and without router alert Destination options Large header size Many continuously repeated unknown headers within a packet IPv6 fragmentation mechanism with 36 different abnormal formats 2. Evaluation of ACL 3. Tests for ‘Local area’ and ‘Remote area’

25 Conclusions 4. Proposed solution: To lower the impact of such attacks
Deny IPV6 Fragmentation with the destination IPv6 address of a router as close as possible to the attacker Filter any IPv6 fragmentation packet with the data payload less than 1280bytes Set a short deadline for the IPv6 fragmentation packets to arrive at the destination node Deny any IPv6 packet with the routing header if there is no Mobile IPv6 node in the topology. Use more powerful CPU for routing nodes or to specify a fix size for the IPv6 header size in the IPv6 protocol Define a fix length of the Hop-by-Hop option

26 Future work It might be a good idea to set a maximum size length limitation for the extension header to avoid very long length size or many recursive illegitimate header’s options. To make changes in the IPv6 Algorithms IPv6 ACL Can not stop fragment IPv6 packets

27 THANK YOU

28 Methodology and Experiments
Denial6: 1. Great size Hop-by-Hop header with router-alert 2. Great size destination option filled by unknown options

29 Methodology and Experiments
3. Hop-by-Hop header with router alert option with 180 times repeated headers 4. Hop-by-Hop header with router alert option followed by duplicated destination option

30 Methodology and Experiments
5. IPv6 Packets with AH header and ICMP protocol 6. Just the first fragment packet of an ICMP protocol with a Hop-by-Hop header and router alert

31 Methodology and Experiments
7. Great size Hop-by-Hop header filled with unknown options without router alert

32 Methodology and Experiments
fragmentation6: Seleceted 7 out of 36 combinations which were the most effective ones on the remote Routers. 11. Flooding the target node with only one fragment packet with ping request 137 fragmentation headers in a complete fragment packet and ping request as the data payload

33 Methodology and Experiments
fragmentation6: Seleceted 7 out of 36 combinations which were the most effective ones on the remote Routers. 11. Flooding the target node with only one fragment packet with ping request 137 fragmentation headers in a complete fragment packet and ping request as the data payload

34 Methodology and Experiments
fragmentation6: 35. Flooding the target node each time with 4 fragment packets Two levels multi fragmentation: 1st fragment packet with 192 Bytes data, two fragmentation header (first fragmentation header points at the second packet with different ID) with ICMPv6 header. 2nd fragment packets with 200 Bytes data, different ID and reset M flag 3rd fragment packet with offset of 50 and 200 Bytes data with M flag set 4th fragment packet with offset of 75 and 608 bytes data with M flag set

35 Methodology and Experiments
fragmentation6: 36. Flooding the target node each time with 4 fragment packets Three levels multi fragmentation: 1st fragment packet with 192 Bytes data, three fragment headers with ICMPv6 header 2nd fragment packet with 200 Bytes data, different ID and reset M flag 3rd fragment packet with offset of 50 and 200 Bytes data and reset M flag 4th fragment packet with offset of 75 and 608 bytes data and reset M flag

36 Methodology and Experiments
fragmentation6: 26. : Flooding the target node with just one fragment packet One fragment packet with “1” Byte of TCP data

37 Methodology and Experiments
fragmentation6: 25. Flooding the target node with just one fragment packet Three levels multi fragmentation: One fragment packet with 0 byte TCP data

38 Methodology and Experiments
fragmentation6: 27. Flooding the target node with 3 fragment packets First fragment Second fragment Third fragment packet with offset of “0” and “0” size data

Download ppt "Denial of Service attack in IPv6 networks and Counter measurements"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.

Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
CE363 Data Communications & Networking Chapter 7 Network Layer: Internet Protocol.

CE363 Data Communications & Networking Chapter 7 Network Layer: Internet Protocol.
IPv6 Victor T. Norman.

IPv6 Victor T. Norman.
IPv4 - The Internet Protocol Version 4

IPv4 - The Internet Protocol Version 4
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.

IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.

Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.
IPv6 Header & Extensions Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.

IPv6 Header & Extensions Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
Network Layer Packet Forwarding IS250 Spring 2010

Network Layer Packet Forwarding IS250 Spring 2010
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
Oct 19, 2004CS573: Network Protocols and Standards1 IP: Datagram and Addressing Network Protocols and Standards Autumn 2004-2005.

Oct 19, 2004CS573: Network Protocols and Standards1 IP: Datagram and Addressing Network Protocols and Standards Autumn
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 7 Internet Protocol Version4.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 7 Internet Protocol Version4.
TCP/IP Basics A review for firewall configuration.

TCP/IP Basics A review for firewall configuration.
1Group 07 IPv6 2 1.ET/06/6472 2.ET/06/6487 3.ET/06/6491 4.EE/06/6393 5.EE/06/6455 6.EE/06/6473 Group 07 IPv6.

1Group 07 IPv6 2 1.ET/06/ ET/06/ ET/06/ EE/06/ EE/06/ EE/06/6473 Group 07 IPv6.
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh 90-91 spring.

ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.

Similar presentations

Ads by Google