[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Eldad Zack zack at eantc.de
Tue Oct 20 13:22:16 CEST 2015

Hi Marc, all,

On 20/10/2015 08:54, Marc Heuse wrote:
> Hi Fernando,
> On 20.10.2015 02:37, Fernando Gont wrote:
>> I'd argue that for most of the traffic that you employ for evasion, the
>> right thing to do is to drop it. (Yep, I agree that dropping fragments
>> is not nice).
> yes and no.
> In IDS evasion you have three basic types:
> 1. sending duplicate packets with different content and a hop limit - 1
> 2. fragmentation wizardry
> 3. extension header stacking (this one is IPv6 only)
> - and a mix of these.
> a stateful inspection firewall *should* always filter all packets. in
> reality it depends on the vendor if they do or don't.
> #1 would pass a static filter, and no router would drop these kinds of
> packets.
> #2 some of the examples I use for bypass are legit packets - basically
> the IDS is doing the basic things wrong. no firewall can do something
> there. but otherwise: yes, a firewall should drop when multi
> fragmentation layers or overlapping/resending fragments is present.
> #3 again, some firewalls filter, some don't. with the snort example, you
> just put 9 destination EH there with their minimum size and then your
> payload. No firewall I know filters this unless you configure it to, and
> it is an RFC legal packet, but Snort will not see the attack itself but
> just yell "uhhhh too many headers here".

Great discussion.

It's also unfortunate that it is RFC legal because of how it is 
described in RFC 2460.
This is not even an RFC 2119 SHOULD.

    Each extension header should occur at most once, except for the
    Destination Options header which should occur at most twice (once
    before a Routing header and once before the upper-layer header).

However, I would argue that it is a good optimization for an IDS/FW.
What sane implementation would have more than 9 headers?
IANA lists 7 headers excluding ESP/AH and experimentals. If we have the 
two allowed DST, the sane maximum is 8.

This might change, of course, though I hope we can avoid adding more 
extension headers.

Just my 2 cents.


Eldad Zack
Test Engineer

EANTC AG - European Advanced Networking Test Center
Salzufer 14, 10587  Berlin, Germany
phone +49.30.3180595-43, fax +49.30.3180595-10
zack at eantc.de    http://www.eantc.de

EANTC Aktiengesellschaft
Place of Business / Sitz der Gesellschaft: Berlin, Germany
Chairman / Vorsitzender des Aufsichtsrats: Herbert Almus
Managing Director / Vorstand: Carsten Rossenhövel, Gabriele Schrenk
Registered: HRB 73694, Amtsgericht  Charlottenburg, Berlin, Germany
EU VAT No: DE 812824025
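
Added example, not part of the original message and not code from thc-ipv6 or Snort: a sketch of the IDS/FW check discussed above, which walks the extension header chain and reports chains longer than 8 headers or repeats beyond the RFC 2460 text quoted in the message. The function names are hypothetical, the input is assumed to be an unfragmented packet or a first fragment, and the walk stops at AH/ESP and experimental values because the message's count excludes them.

```python
import struct
from collections import Counter

# The 7 IANA-listed extension header types the message counts.
# ESP/AH and experimental values are excluded there and end the walk here.
HBH, ROUTING, FRAGMENT, DSTOPTS, MOBILITY, HIP, SHIM6 = 0, 43, 44, 60, 135, 139, 140
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, DSTOPTS, MOBILITY, HIP, SHIM6}
MAX_CHAIN = 8  # 7 types plus the second allowed Destination Options header

def walk_chain(packet: bytes) -> list[int]:
    """Return the extension header types, in order, of a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment is fixed at 8 bytes; the others carry Hdr Ext Len in 8-byte units.
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        chain.append(nxt)
        nxt, off = packet[off], off + size
    return chain

def check_chain(packet: bytes) -> list[str]:
    """Findings against 'at most once, Destination Options at most twice'."""
    chain = walk_chain(packet)
    findings = []
    if len(chain) > MAX_CHAIN:
        findings.append(f"{len(chain)} extension headers (limit {MAX_CHAIN})")
    for hdr, n in Counter(chain).items():
        allowed = 2 if hdr == DSTOPTS else 1
        if n > allowed:
            findings.append(f"header type {hdr} occurs {n} times (allowed {allowed})")
    return findings

def build_sample(ext_types: list[int], upper: int = 59) -> bytes:
    """Constructed test input: minimum-size (8-byte) option headers holding one
    PadN option, ending in No Next Header (59). Addresses are all zero."""
    nexts = (ext_types + [upper])[1:]
    exts = b"".join(bytes([n, 0]) + b"\x01\x04\x00\x00\x00\x00" for n in nexts)
    first = ext_types[0] if ext_types else upper
    base = struct.pack("!IHBB", 6 << 28, len(exts), first, 64) + bytes(32)
    return base + exts

if __name__ == "__main__":
    for finding in check_chain(build_sample([DSTOPTS] * 9)):
        print(finding)
```

A sensor that applies this check still has to decide what to do with the packet afterwards; the thread's point is that flagging the chain length alone leaves the payload behind it uninspected.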