[ipv6hackers] (Remote) Neighbor Cache Exhaustion Attacks - Some Discussion

Enno Rey erey at ernw.de
Tue Mar 5 17:45:44 CET 2013


Hi,

See the link/post...
I used three devices as the L3 hop between the attacker and the "protected segment". Those are:

a) 1921 router running

L3_Device#sh ver | i RELEASE
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M3, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

b)

C1841_IOS_12_4_22#sh ver | i RELEASE
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)


c)

Old3560#sh ver | i RELEASE
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(1)SE, RELEASE SOFTWARE (fc1)
BOOTLDR: C3560 Boot Loader (C3560-HBOOT-M) Version 12.2(35r)SE2, RELEASE SOFTWARE (fc1)



Do you see other ND cache handling/behavior on other Cisco devices? I will do some more lab testing with a Nexus and a 4948E, time provided.

best

Enno




On Tue, Mar 05, 2013 at 05:06:18AM -0800, Joseph Jackson wrote:
> What Cisco gear and IOS version are you running in your lab?
> 
> 
> 
> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Enno Rey
> Sent: Tuesday, March 05, 2013 5:59 AM
> To: ipv6hackers at lists.si6networks.com
> Subject: [ipv6hackers] (Remote) Neighbor Cache Exhaustion Attacks - Some Discussion
> 
> Hi,
> 
> I just built a small Cisco-based lab to verify if my (potentially flawed, seriously) understanding of remote neighbor cache exhaustion attacks is correct.
> It seems that Cisco devices never store more than 512 INCOMPLETE entries in their neighbor cache, regardless of the actual number of NS packets sent out (and missing their respective NAs).
> 
> Can anybody confirm similar behavior for other vendors' L3 devices or routers based on BSD/Linux/Solaris/whatever?
> I tend to conclude that the actual risk of remote NCE is exaggerated in some circles, but I might have overlooked sth.
> Details on the testing I did can be found here: http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1/.
> 
> Happy about any kind of feedback...
> 
> best
> 
> Enno
> 

-- 
Enno Rey

*****************     TROOPERS13    ******************
** International IT Security Conference & Workshops **
***  Coming Soon / Heidelberg, Germany             ***
*****************  www.troopers.de  ******************

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================