[ipv6hackers] flood_router26 video

Marc Heuse mh at mh-sec.de
Sun Nov 11 17:40:23 CET 2012


Hi Sam,

On 10.11.2012 20:00, Sam Bowne wrote:
> I made a video yesterday testing flood_router26,
> and it is indeed very powerful, much more than
> flood_router6.
>
> http://www.youtube.com/watch?v=ykameNXRLOo
>
> I now want to understand why it works.  Is there something written
> up about how it works, and exactly what it is sending?
> Perhaps a paper or conference presentation?

I presented it here:
https://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf

The videos are not available yet, I guess that will take a few more weeks.

How it works is pretty simple. Each route entry in an RA packet makes
the linked list longer and takes more time, adds a neighbor entry etc.,
hence using up RAM and CPU.
So if you flood the network, it is basically a similar mechanism to
the RA autoconfig flooding.
All OSes with the exception of Linux (and I have not tested Solaris or
OpenBSD but everything else) are vulnerable to this one to very
different degrees: Windows gets locked up or reboots (Server 2012), others
get a high load and lose IPv6 connectivity (*BSD, OSX), etc.

How I make the attack more effective is that I put not one route entry
per RA but lots of them.
And basically the same is possible for autoconfig, if you put 16
prefix+autoconfig options in an RA packet, systems configure themselves
16 addresses ...

So that's why there are ~16 route and autoconfig options in each packet
flood_router26 generates. You can also have command line options to only
use route entries or autoconfig entries.

> I'll try figuring it out myself, but I'd like to refer to an
> authoritative source of information if possible.

Well, you could just have emailed me ;-)

Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
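
A detection-side check for the pattern described in this message, as an added example that is not part of the original post or of flood_router26: it parses an ICMPv6 Router Advertisement and counts Prefix Information (type 3, RFC 4861) and Route Information (type 24, RFC 4191) options, flagging RAs that carry more than a threshold. The threshold `MAX_PER_RA`, the function names and the sample packet are assumptions constructed for illustration.

```python
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861)
OPT_ROUTE_INFO = 24      # Route Information option (RFC 4191)
MAX_PER_RA = 4           # assumed threshold, tune to what your routers really send


def count_ra_options(icmp6: bytes) -> dict:
    """Count ND options by type in an RA, given bytes starting at the ICMPv6 type."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    counts = {}
    off = 16  # 4-byte ICMPv6 header + 12 bytes of fixed RA fields
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[off], icmp6[off + 1]  # length is in 8-byte units
        if opt_len == 0 or off + opt_len * 8 > len(icmp6):
            raise ValueError("malformed option length")
        counts[opt_type] = counts.get(opt_type, 0) + 1
        off += opt_len * 8
    return counts


def is_suspicious(icmp6: bytes, limit: int = MAX_PER_RA) -> bool:
    """True if one RA carries more prefix or route options than the limit."""
    counts = count_ra_options(icmp6)
    return (counts.get(OPT_PREFIX_INFO, 0) > limit
            or counts.get(OPT_ROUTE_INFO, 0) > limit)


def sample_ra(n_prefix: int, n_route: int) -> bytes:
    """Constructed test input: ICMPv6 RA bytes (checksum zero) with the
    documentation prefix 2001:db8::/64 repeated in every option."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    pfx = bytes.fromhex("20010db8") + bytes(12)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0) + pfx
    rio = struct.pack("!BBBBI", OPT_ROUTE_INFO, 3, 64, 0, 1800) + pfx
    return hdr + pio * n_prefix + rio * n_route


if __name__ == "__main__":
    for name, pkt in (("ordinary RA", sample_ra(1, 1)), ("16+16 RA", sample_ra(16, 16))):
        print(name, count_ra_options(pkt), "suspicious:", is_suspicious(pkt))
```

In a capture pipeline, `icmp6` is the ICMPv6 payload of each packet with next header 58; counting suspicious RAs per source and per second separates a flood from a single misconfigured router.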


