[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Antonios Atlasis antonios.atlasis at gmail.com
Fri Mar 8 08:36:07 CET 2013


Hi,

I believe that you can also add the security issues due to abuse of IPv6
Extension Headers (check this:
https://www.blackhat.com/ad-12/archives.html#Atlasis). An updated version, plus some
new issues, will be presented in a few days here:
https://www.troopers.de/agenda13/troopers13-ipv6-security-summit-2013/index.html
As I'll show in a live demo, among other things, under specific circumstances you
can even evade network firewalls (without using fragmentation overlapping,
or tiny fragments, etc.)

Antonios


2013/3/8 Jim Small <jim.small at cdw.com>

> I'm working on a presentation for practical IPv6 security countermeasures.
>  I've reviewed the latest presos from Fernando, Marc, Antonios, and Éric
> Vyncke to compile a list of security vulnerabilities.  Here's a somewhat
> subjective list of what I feel are "scary" attacks for those new to IPv6:
>
> 1)      Remotely triggered neighbor cache exhaustion attacks (from subnet
> scanning)
>
> 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all L2
> adjacent hosts with IPv6 enabled stacks
>
> 3)      RA spoofing
>
> 4)      DHCPv6 spoofing
>
> 5)      NDP (NS/NA) spoofing
>
> 6)      NS floods - DoS
>
> 7)      Fragmentation attacks
>
> 8)      ICMPv6 redirect spoofing
>
> 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
> this one...
>
> a.       For general countermeasures it is possible to do MLD ACLs and of
> course you could implement 802.1X and/or 802.1AE.  I know Fernando/Marc
> aren't fans of MLDv2 - what do you think are the most risky aspects?
>
> 10)   "Discoverability" or the idea that you should use randomized
> addressing so as not to be discoverable from a "semi-intelligent" brute
> force scan (assuming you're not in DNS or some other registry)
>
> 11)   Extension header attacks - this one is especially tough, probably
> lots more to find...  I especially like Marc's warp packets with the router
> alert "high speed tag" which also double as ACL bypass agents.
>
> 12)   Tunnel attacks - I think the only interesting ones would be those
> against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in
> use.  I have read about tunnel attacks but haven't played with this very
> much.  Do you think this is a serious threat worth covering?  Any
> suggestions on tools?
>
> For the first 10 except fragmentation there are plenty of effective
> countermeasures that I could discuss.  There are some defenses against
> fragmentation and extension header attacks but these are less mature.  In
> addition, it would be difficult to protect against these at L2.  As much as
> I'd like to believe 12 isn't necessary it still very much is.  We have a
> long way to go both within corporate networks and on backbone networks to
> progress to end-to-end native v6 access.
>
> So what do you think?  Are these the most concerning security issues for
> those looking to deploy IPv6?  Any thoughts greatly appreciated either on
> or off list.
>
> Thanks,
>   --Jim
>
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>



-- 
=====================
Antonios Atlasis, PhD, MPhil
GXPN, GREM, GPEN, GWAPT, CCIH, GCIA
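Antonios's firewall-evasion point and item 11 in Jim's list both come down to filters that stop short of walking the full extension-header chain. As an added illustration of the defensive side (example code written for this archive page, not from either poster or any project they mention), the Python walker below parses a constructed IPv6 packet end to end and reports the chain anomalies a filter could act on; the chain-length limit and the two sample packets are assumptions.

```python
import struct
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60   # IANA next-header values
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
ROUTER_ALERT_OPTION = 5   # RFC 2711 option type carried in a Hop-by-Hop header
MAX_CHAIN = 3             # assumed local policy: more extension headers than this is suspicious
def _option_types(body):
    """Yield the option types found in a Hop-by-Hop or Destination Options body."""
    i = 0
    while i < len(body):
        if body[i] == 0:                  # Pad1: one byte, no length field
            i += 1
            continue
        yield body[i]
        i += 2 + (body[i + 1] if i + 1 < len(body) else 0)   # tolerate a truncated last option
def inspect_ipv6(pkt):
    """Walk the whole extension-header chain and return a list of anomaly descriptions."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    findings, seen, nxt, off = [], [], pkt[6], 40
    while nxt in EXT_HEADERS:
        if off + 2 > len(pkt):
            findings.append("truncated extension-header chain")
            break
        if nxt == HOP_BY_HOP and off != 40:
            findings.append("Hop-by-Hop header not immediately after the IPv6 header (RFC 8200)")
        # Fragment is a fixed 8 bytes; AH counts length in 4-byte units; the rest in 8-byte units.
        hlen = 8 if nxt == FRAGMENT else (pkt[off + 1] + 2) * 4 if nxt == AH else (pkt[off + 1] + 1) * 8
        if nxt in (HOP_BY_HOP, DEST_OPTS) and ROUTER_ALERT_OPTION in _option_types(pkt[off + 2:off + hlen]):
            findings.append("Router Alert option present")
        seen.append(nxt)
        nxt, off = pkt[off], off + hlen
    repeated = sorted({h for h in seen if seen.count(h) > (2 if h == DEST_OPTS else 1)})
    if repeated:
        findings.append(f"extension header repeated beyond RFC 8200 allowance: {repeated}")
    if len(seen) > MAX_CHAIN:
        findings.append(f"chain of {len(seen)} extension headers exceeds policy limit {MAX_CHAIN}")
    return findings
def _ipv6(nxt, payload):
    """Constructed IPv6 header: version 6, zero flow label, all-zero filler addresses."""
    return b"\x60\x00\x00\x00" + struct.pack("!HBB", len(payload), nxt, 64) + bytes(32) + payload
def sample_packets():
    """Two constructed packets: a plain ICMPv6 echo request and one with an unusual chain."""
    icmp = b"\x80\x00\x00\x00\x00\x00\x00\x00"
    dst_opts = lambda nxt: bytes([nxt, 0, 1, 4, 0, 0, 0, 0])                       # PadN only
    hbh_alert = lambda nxt: bytes([nxt, 0, ROUTER_ALERT_OPTION, 2, 0, 0, 1, 0])    # Router Alert + PadN
    benign = _ipv6(58, icmp)
    odd = _ipv6(DEST_OPTS, dst_opts(HOP_BY_HOP) + hbh_alert(DEST_OPTS)
                + dst_opts(DEST_OPTS) + dst_opts(58) + icmp)
    return benign, odd
```

Running `inspect_ipv6` over the second sample reports the misplaced Hop-by-Hop header, the Router Alert option, the over-repeated Destination Options header and the over-long chain, while the plain echo request produces no findings.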


