[ipv6hackers] IPv6 Security research

Marc Heuse mh at mh-sec.de
Mon Mar 26 09:06:39 CEST 2012

Am 25.03.2012 21:55, schrieb Fernando Gont:
> Hi, Fyodor,
> I don't quite understand this vector. i.e., this seems more of a DoS,
> rather than a host scanning "attack". i.e., you're causing nodes to
> *configure* addresses rather than discovering which addresses they are
> already using.
> Am I missing something?

what they implemented works like this:

1. send an RA with prefix+autoconfig flag, and a lifetime of 1 second.
(e.g. 2004::/64)

2. systems configure themselves an IPv6 address in the prefix range and
perform DAD (e.g. 2004::2:01fe:ef12:3456)

3. the DAD packet is picked up and the global ipv6 address changed to a
link-local address ( => fe80::2:01fe:ef12:3456)

4. the generated link-local address is then pinged to verify that it exists.

somewhere between 2 and 5 the clients throw away their 2004::/64 address
and the routing entry.

this technique is performed to identify systems that perform
autoconfiguration but are not detected by other means. so it's one part
of the puzzle.

in my real world network tests I saw the same: each technique finds
some machines but not all. It is one of 5 techniques that are effective.


P.S. and the RA should be sent with low priority to ensure the lowest
negative impact on clients as possible

Marc Heuse

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
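Added example, not part of the thread or of any tool discussed in it: from the defender's side, the RA described above (autoconfig prefix, 1-second lifetime, low router preference) is easy to spot because legitimate RAs advertise valid lifetimes of hours or days. This parser decodes the fixed RA header and Prefix Information options per RFC 4861 and flags autoconfig prefixes with abnormally short valid lifetimes; the packets, the 600-second threshold and the helper names are constructed for this example.

```python
import struct
import ipaddress

# Constants from RFC 4861; the RA bodies built here are constructed sample input.
ICMPV6_RA = 134
OPT_PREFIX_INFO = 3
PIO_AUTONOMOUS = 0x40
ROUTER_PREF = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "reserved"}


def build_ra(prefix, valid, preferred, autonomous=True, pref=0b00):
    """Build a constructed ICMPv6 RA body (checksum 0) with one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, (pref & 0x3) << 3, 1800, 0, 0)
    pflags = PIO_AUTONOMOUS if autonomous else 0
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags, valid, preferred, 0)
    return hdr + pio + net.network_address.packed


def parse_ra(payload):
    """Parse the fixed RA header (router preference, lifetime) and its Prefix Information options."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, _, flags, router_lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"router_pref": ROUTER_PREF[(flags >> 3) & 0x3],
          "router_lifetime": router_lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: such packets must be discarded
        size = olen * 8
        if otype == OPT_PREFIX_INFO and size == 32 and off + 32 <= len(payload):
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", payload[off + 2:off + 16])
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append({"prefix": str(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False)),
                                   "autonomous": bool(pflags & PIO_AUTONOMOUS),
                                   "valid": valid, "preferred": preferred})
        off += size
    return ra


def suspicious_prefixes(ra, min_valid=600):
    """Autoconfig prefixes whose valid lifetime is far below what real routers advertise."""
    return [p["prefix"] for p in ra["prefixes"] if p["autonomous"] and p["valid"] < min_valid]


if __name__ == "__main__":
    probe = build_ra("2004::/64", valid=1, preferred=1, pref=0b11)       # the thread's 1-second RA
    normal = build_ra("2001:db8:1::/64", valid=2592000, preferred=604800)  # RFC 4861 defaults
    print(suspicious_prefixes(parse_ra(probe)), suspicious_prefixes(parse_ra(normal)))
```

Fed with RA bodies captured from the link (e.g. via a raw ICMPv6 socket or a pcap reader), the same check turns these short-lived autoconfig announcements into an alert while ignoring normal router traffic.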
