[ipv6hackers] IPv6 Security research

Owen DeLong owend at he.net
Wed Mar 28 05:14:23 CEST 2012

On Mar 26, 2012, at 12:06 AM, Marc Heuse wrote:

> Am 25.03.2012 21:55, schrieb Fernando Gont:
>> Hi, Fyodor,
>> I don't quite understand this vector. i.e., this seems more of a DoS,
>> rather than a host scanning "attack". i.e., you're causing nodes to
>> *configure* addresses rather than discovering which addresses they are
>> already using.
>> Am I missing something?
> what they implemented works like this:
> 1. send a RA with prefix+autoconfig flag, and a lifetime for 1 second.
> (e.g. 2004::/64)
> 2. systems configure themselves an IPv6 address in the prefix range and
> perform DAD (e.g. 2004::2:01fe:ef12:3456)
> 3. the DAD packet is picked up and the global ipv6 address changed to a
> link-local address ( => fe80::2:01fe:ef12:3456)
> 4. the generated link-local address is then pinged to verify that it exists.
> somewhere between 2 and 5 the clients throw away their 2004::/64 address
> and the routing entry.
> this technique is performed to identify system that perform
> autoconfiguration but are not detected by other means. so its one part
> of the puzzle.
> in my real world network tests I saw the same that each technique finds
> some machines but not all. It is one of 5 techniques that are effective.

This requires you to have access to or compromise at least one machine on the target network first. I'd be more concerned about remote scanning attacks than local ones.

If you're local, why not just enumerate the solicited node addresses (there are only 16.7M of them, after all) with ND packets and look for the answers. That should grab 100% success and works regardless of RA or any other mitigation tool.


More information about the Ipv6hackers mailing list