[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods

Jim Small jim.small at cdw.com
Fri Apr 12 08:45:18 CEST 2013


Marc,

Your tools are better than you think!  With some advice from Sam Bowne I can consistently crash Windows 8 using fake_router6 and flood_router26 - takes less than a minute.  However, I can't crash Windows 7 with KB2750841.  So it would seem there is some missing functionality on Windows 8/2012 as compared to 7/2008 R2 with KB2750841.

RA Guard on some switches does seem to protect against this - even with using fragmentation and/or HBH tricks.  However, with Fernando's ra6 tool I can create wicked packets that still crash Windows 8 with RA Guard.  However, with a switch that can block fragments and/or undetermined transport packets (ULP not in first fragment) I can defend against these attacks.  It is some work though and there could be unintended side effects.  Hopefully the drafts Fernando is pushing will eventually make it through the IETF and close the loopholes.

--Jim

> -----Original Message-----
> From: Marc Heuse [mailto:mh at mh-sec.de]
> Sent: Wednesday, April 03, 2013 4:31 AM
> To: IPv6 Hackers Mailing List; Jim Small
> Subject: Re: [ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6
> Floods
> 
> 
> > Q3) Is Windows 8 still vulnerable to DoS/BSOD from RAs?
> > A3) Need to test...
> 
> it is vulnerable to RA flooding (especially routing entries with small
> lifetimes), but not resulting in BSOD or similar. The CPU stays at 100%
> until the flooding is over, then resumes normal operation.
> 
> Same problem as in Linux, FreeBSD, OS X, however on those weird things
> can happen, e.g. IPv6 stack breaks (no connectivity possible) or system
> hiccups.
> 
> So at the moment Windows is in a better state compared to other OS when
> it comes to RA flooding.
> 
> Greets,
> Marc
> 
> --
> Marc Heuse
> www.mh-sec.de
> 
> PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
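
The "undetermined transport" condition mentioned above (upper-layer protocol not in the first fragment) can be checked by walking the IPv6 header chain, as in this added example, which is not from either post. The function names, the drop policy and the sample packets are constructed for illustration.

```python
import struct

EXT_HDRS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134
UNDETERMINED = "undetermined-transport"

def classify(pkt: bytes) -> str:
    """Walk the IPv6 header chain the way a first-hop filter has to."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-ipv6"
    nh, off = pkt[6], 40
    while nh in EXT_HDRS or nh == FRAGMENT:
        if off + 8 > len(pkt):
            return UNDETERMINED          # header chain runs past this packet
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-first-fragment"   # fragment offset is non-zero
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off >= len(pkt):
        return UNDETERMINED              # upper-layer header sits in a later fragment
    if nh == ICMPV6 and pkt[off] == RA_TYPE:
        return "router-advertisement"
    return "other"

def drop_on_host_port(pkt: bytes) -> bool:
    """Hypothetical host-port policy: no RAs and nothing that cannot be inspected."""
    return classify(pkt) in {"router-advertisement", UNDETERMINED}

# --- constructed sample packets (ICMPv6 checksums left as zero) ---
def ipv6(nh: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")   # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 255) + src + dst + payload

def frag(nh: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x1234)

def dopt(nh: int) -> bytes:
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])          # 8 bytes holding one PadN option

RA = bytes([RA_TYPE, 0, 0, 0]) + bytes(12)           # 16-byte RA without options

if __name__ == "__main__":
    for name, pkt in {"plain RA": ipv6(58, RA),
                      "chain split across fragments": ipv6(44, frag(60, 0, 1) + dopt(58))}.items():
        print(name, classify(pkt), drop_on_host_port(pkt))
```

A filter that only matches the plain case passes the second sample; dropping first fragments whose chain is incomplete means the datagram can never be reassembled at the host.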

