[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods

Marc Heuse mh at mh-sec.de
Sat Apr 13 10:31:21 CEST 2013

Hi Jim!

On 12.04.2013 08:45, Jim Small wrote:
> Your tools are better than you think!  With some advice from Sam Bowne I can consistently crash Windows 8 using fake_router6 and flood_router26 - takes less than a minute.  However, I can't crash Windows 7 with KB2750841.  So it would seem there is some missing functionality on Windows 8/2012 as compared to 7/2008 R2 with KB2750841.
> RA Guard on some switches does seem to protect against this - even with using fragmentation and/or HBH tricks.  However, with Fernando's ra6 tool I can create wicked packets that still crash Windows 8 with RA Guard.  However, with a switch that can block fragments and/or undetermined transport packets (ULP not in first fragment) I can defend against these attacks.  It is some work though and there could be unintended side effects.  Hopefully the drafts Fernando is pushing will eventually make it through the IETF and close the loopholes.

I think everybody - including me - is interested in what you are doing
exactly :-)

How do you crash Windows 8 with fake_router6 and flood_router26?

And how do you use Fernando's ra6 tool to bypass RA Guard on some
switches and crash Windows 8 with it?


Btw. at my IPv6 hacking training a few days at Hack in the Box
Amsterdam, we were able to crash the whole conference network (not just the
part we were in) four times - with different issues each time.
I do not know what it was each time, once it triggered a kernel bug in
Linux in point to point links, another time it was crashing Arbor'  over
its intrusion detection engine as the neighbor table grew and grew.
Everything is oh so IPv6 ready ...


Marc Heuse

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
