[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions
zack at eantc.de
Tue Oct 20 13:22:16 CEST 2015
Hi Marc, all,
On 20/10/2015 08:54, Marc Heuse wrote:
> Hi Fernando,
> On 20.10.2015 02:37, Fernando Gont wrote:
>> I'd argue that for most of the traffic that you employ for evasion, the
>> right thing to do is to drop it. (Yep, I agree that dropping fragments
>> is not nice).
> yes and no.
> In IDS evasion you have three basic types:
> 1. sending duplicate packets with different content and a hop limit - 1
> 2. fragmentation wizardry
> 3. extension header stacking (this one is IPv6 only)
> - and a mix of these.
> a stateful inspection firewall *should* always filter all packets. in
> reality it depends on the vendor if they do or don't.
> #1 would pass a static filter, and no router would drop these kinds of
> #2 some of the examples I use for bypass are legit packets - basically
> the IDS is doing the basic things wrong. no firewall can do something
> there. but otherwise: yes, a firewall should drop when multi
> fragmentation layers or overlapping/resending fragments is present.
> #3 again, some firewalls filter, some don't. with the snort example, you
> just put 9 destination EH there with their minimum size and then your
> payload. No firewall I know filters this unless you configure it to, and
> it is an RFC legal packet, but Snort will not see the attack itself but
> just yell "uhhhh too many headers here".
It's also unfortunate that it is RFC legal because of how it is
described in RFC 2460.
This is not even an RFC 2119 SHOULD.
Each extension header should occur at most once, except for the
Destination Options header which should occur at most twice (once
before a Routing header and once before the upper-layer header).
However, I would argue that it is a good optimization for an IDS/FW.
What sane implementation would have more than 9 headers?
IANA lists 7 headers excluding ESP/AH and experimentals. If we have the
two allowed DST, the sane maximum is 8.
This might change, of course, though I hope we can avoid adding more
Just my 2 cents.
EANTC AG - European Advanced Networking Test Center
Salzufer 14, 10587 Berlin, Germany
phone +49.30.3180595-43, fax +49.30.3180595-10
zack at eantc.de http://www.eantc.de
Place of Business / Sitz der Gesellschaft: Berlin, Germany
Chairman / Vorsitzender des Aufsichtsrats: Herbert Almus
Managing Director / Vorstand: Carsten Rossenhövel, Gabriele Schrenk
Registered: HRB 73694, Amtsgericht Charlottenburg, Berlin, Germany
EU VAT No: DE 812824025
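As an added illustration of the check discussed in this thread (not code from the list, from thc-ipv6 or from Snort): the function below walks an IPv6 extension header chain and reports what an IDS or firewall could flag under the rules Zack cites from RFC 2460, namely a chain longer than 8 extension headers and any header that occurs more than once (Destination Options is allowed twice, Hop-by-Hop must sit first). The sample packet is constructed inline: nine minimum-size (8-byte, PadN-padded) Destination Options headers in front of a UDP payload, with unspecified addresses, which is the shape Marc describes. The header-size rules (Fragment fixed at 8 bytes, AH in 4-byte units, all others in 8-byte units) are from RFC 2460/4302; the limit of 8 is the message's own argument, not a standard.

```python
import struct

# IANA Next Header values for the IPv6 extension headers (plus a few upper layers)
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
UDP = 17
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY}
IPV6_FIXED_LEN = 40


def walk_ext_headers(pkt: bytes):
    """Return (list of extension header types in order, final upper-layer protocol).

    Walking stops at ESP because everything after it is encrypted; the
    upper-layer value is then None.
    """
    if len(pkt) < IPV6_FIXED_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]               # Next Header field of the fixed header
    off = IPV6_FIXED_LEN
    chain = []
    while nh in EXT_HEADERS:
        chain.append(nh)
        if nh == ESP:
            return chain, None
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, hdr_ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8                          # fixed size, byte 1 is reserved
        elif nh == AH:
            size = (hdr_ext_len + 2) * 4      # RFC 4302: length in 32-bit words minus 2
        else:
            size = (hdr_ext_len + 1) * 8      # RFC 2460: length in 8-octet units, not counting the first
        off += size
        nh = next_nh
    return chain, nh


def audit_chain(pkt: bytes, max_ext_headers: int = 8):
    """Return a list of findings an inspection device could raise for this chain.

    max_ext_headers=8 is the 'sane maximum' argued in the thread (assumption,
    not an RFC limit): seven IANA-listed headers plus one extra Destination Options.
    """
    chain, _upper = walk_ext_headers(pkt)
    findings = []
    if len(chain) > max_ext_headers:
        findings.append(f"{len(chain)} extension headers exceed the limit of {max_ext_headers}")
    counts = {}
    for h in chain:
        counts[h] = counts.get(h, 0) + 1
    for h, n in counts.items():
        allowed = 2 if h == DSTOPTS else 1     # RFC 2460 section 4.1 recommendation
        if n > allowed:
            findings.append(f"header {h} occurs {n} times, RFC 2460 allows {allowed}")
    if HOPOPT in chain and chain[0] != HOPOPT:
        findings.append("Hop-by-Hop Options not immediately after the IPv6 header")
    return findings


def build_dstopts_stack(n: int, upper: int = UDP, payload: bytes = bytes(8)) -> bytes:
    """Constructed sample: n minimum-size Destination Options headers, then payload.

    Each header is 8 bytes: Next Header, Hdr Ext Len = 0, and a PadN option
    (type 1, length 4, four zero bytes) filling the rest. Addresses are '::'.
    """
    body = b""
    for i in range(n):
        next_nh = DSTOPTS if i < n - 1 else upper
        body += bytes([next_nh, 0, 1, 4, 0, 0, 0, 0])
    body += payload
    first_nh = DSTOPTS if n > 0 else upper
    # version 6, traffic class 0, flow label 0 | payload length | next header | hop limit
    fixed = struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64)
    return fixed + bytes(16) + bytes(16) + body


if __name__ == "__main__":
    for n in (0, 2, 9):
        pkt = build_dstopts_stack(n)
        print(f"{n} DstOpts headers -> {audit_chain(pkt) or 'no findings'}")
```

A chain of two Destination Options headers passes cleanly; the nine-header case from the Snort example produces two findings (too many headers, and Destination Options repeated nine times), which is the point at which a sensor can alert on the chain itself rather than give up on the payload behind it.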