[ipv6hackers] Windows 7/2008 R2 Improved Resiliency to IPv6 Floods

Owen DeLong owend at he.net
Sat Apr 13 22:52:06 CEST 2013


On Apr 13, 2013, at 01:31 , Marc Heuse <mh at mh-sec.de> wrote:

> Hi Jim!
> 
> On 12.04.2013 08:45, Jim Small wrote:
>> Your tools are better than you think!  With some advice from Sam Bowne I can consistently crash Windows 8 using fake_router6 and flood_router26 - takes less than a minute.  However, I can't crash Windows 7 with KB2750841.  So it would seem there is some missing functionality on Windows 8/2012 as compared to 7/2008 R2 with KB2750841.
>> 
>> RA Guard on some switches does seem to protect against this - even with using fragmentation and/or HBH tricks.  However, with Fernando's ra6 tool I can create wicked packets that still crash Windows 8 with RA Guard.  However, with a switch that can block fragments and/or undetermined transport packets (ULP not in first fragment) I can defend against these attacks.  It is some work though and there could be unintended side effects.  Hopefully the drafts Fernando is pushing will eventually make it through the IETF and close the loopholes.
> 
> I think everybody - including me - is interested in what you are doing
> exactly :-)
> 
> how do you crash windows 8 with fake_router6 and flood_router26?
> 
> And how do you use Fernando's ra6 tool to bypass RA guard on some
> switches and crash windows 8 with it?
> 
> Thanks!
> 
> btw. at my IPv6 hacking training a few days at Hack in the Box
> Amsterdam, we were able to crash the whole conference network (not just the
> part we were in) four times - with different issues each time.
> I do not know what it was each time, once it triggered a kernel bug in
> linux in point to point links, another time it was crashing Arbor'  over
> its intrusion detection engine as the neighbor table grew and grew.
> everything is oh so IPv6 ready ...
> 
> Greets,
> Marc
> 

If you're saying that's impossible to do with IPv4, then you're not trying hard enough, IMHO.

Sure, there are some bugs in IPv6 implementations and some vulnerabilities. However, let's
look at this realistically. We've been beating up IPv4 for 30 years and we're still finding bugs
and vulnerabilities there.

It's not like you crashed the entire conference network by accident with casual packets or
script-kiddie tools. You gathered some of the most capable hackers, focused on attacking
IPv6, and went at it in a brutal exercise of trying to expose and probe any vulnerability that
might exist. This is a valuable exercise, but thinking it is representative of the real world
in which most of us operate is, well, absurd.

Yes, the vulnerabilities need to get fixed, and I'm pretty sure they will. However, claiming this
is a reason not to deploy IPv6 is ill-advised at best.

Let's look at what happens while we keep delaying IPv6 deployment.

1.	The IPv4 network is having more and more CGN boxes and other hacks thrown onto
	it. Many of these have had even less testing than the IPv6 work you guys are doing.

2.	It becomes harder and harder to sustain IPv4 and the internet becomes more fragile.

3.	The cost of sustaining IPv4 continues to rise.

4.	We're continuing to have to spend extra money/time/resources maintaining 2 stacks even longer.

Bottom line, IPv6 is at least as ready for prime time as IPv4 was when it was first deployed.
While it has some known vulnerabilities, so does IPv4 if you look at the real world and how often
most systems actually get patched.

The question is, which set of consequences is worse? The consequences of deploying IPv6 as
it currently stands and patching it going forward, or, the consequence of delaying IPv6 and
continuing to try and hold the IPv4 internet together with spit and baling wire?

IMHO, the damage from the latter is going to be much more pervasive, much more expensive,
and much harder to recover than the former.

Owen




