ipv6 security tutorial · • ipv6 protocol issues and security myths • ipv6 toolkits •...
TRANSCRIPT
21/06/16
1
IPv6 Security Tutorial TWNOG and TWNIC OPM
23 June 2016
Acknowledgment • Some parts of this presentation is based on “IPv6 Security”
by SWITCH Networks. – http://www.switch.ch/
21/06/16
2
Agenda • IPv6 Operations and Features • IPv6 Protocol Issues and Security Myths • IPv6 Toolkits • Scanning IPv6 Networks • Neighbour Advertisement Attacks • Attacks with Router Advertisement
– Rogue RA, Lifetime 0, RA Flooding – Extension Header Attacks (Hop by Hop, Routing Header 0)
• Securing IPv6 – Best Practices
IPv6 Operations & Features
4
A Short Overview
21/06/16
3
IPv6 is the new Protocol • IP stands for Internet Protocol which is one of the main
pillars that supports the Internet today
• Current version of IP protocol is IPv4
• The new version of IP protocol is IPv6
• IPv6 was also called IPng in the early days of IPv6 protocol development stage
New Functional Improvement Address Space
– Increase from 32-bit to 128-bit address space
Management – Stateless autoconfiguration means no more need to configure IP
addresses for end systems, even via DHCP
Performance – Fixed header size (40 bytes) and 64-bit header alignment mean better
performance from routers and bridges/switches
No hop-by-hop segmentation – Path MTU discovery
21/06/16
4
New Functional Improvement Multicast/Multimedia
– Built-in features for multicast groups, management, and new "anycast" groups
Mobile IP – Eliminate triangular routing and simplify deployment of mobile IP-based systems
Virtual Private Networks – Built-in support for ESP/AH encrypted/ authenticated virtual private network
protocols
Built-in support for QoS tagging No more broadcast
IPv6 Security Features • IPsec is mandatory in IPv6
• Since IPsec became part of the IPv6 protocol, all nodes can secure their IP traffic if they have required keying infrastructure
• IPsec does not replace standard network security requirement but introduce added layer of security with existing IP network
21/06/16
5
IPsec Security Services AH ESP
Integrity of the IPv6 header & data Confidentiality of the IPv6 data Source: Migrating to IPv6, Marc Blanchet
IPv6 Addressing • An IPv6 address is 128 bits long
• So the number of addresses are 2^128 or – 340282366920938463463374607431768211455 – 3.40 x 1038
– 340 trillion trillion trillion addresses
2001:DC0:A910::
1010 1001 0001 0000
nibbles
21/06/16
6
IPv6 Addressing 2001:0DB8:DEAD:BEEF:1AB6:503F:A804:71D9
0010 0000 0000 0001 0000 1101 1011 1000
1101 1110 1010 1101 1011 1110 1110 1111
0001 1010 1011 0110 1001 0000 0011 1111
1010 1000 0000 0100 0111 0001 1101 1001
128 bits is reduced down to 32 hex digits 11
IPv6 Address Space IPv6 Prefix Allocation RFC
0000::/8 Reserved by IETF RFC 4291 2000::/3 Global Unicast RFC 4291 FC00::/7 Unique Local Address RFC 4193 FE80::/10 Link Local Unicast RFC 4291 FEC0::/10 Reserved by IETF RFC 3879 FF00::/8 Multicast RFC 4291 2002::/16 6to4 RFC3056
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
21/06/16
7
IPv6 Addressing Structure 0 127
ISP /32
32
128 bits
Customer Site /48
16
Subnet /64
16 64
Device /128
Network Prefix Interfaced Identifier (IID)
Addressing Threats • Using EUI-64 for Interface ID means its unique worldwide
– Same trackable IID even when network prefix changes – Loss of privacy
21/06/16
8
IPv6 Extension Header • Adding an optional Extension Header in IPv6 makes it simple to add
new features in IP protocol in the future without major re-engineering of IP routers everywhere.
• The number of extension headers are not fixed, so the total length of the extension header chain is variable.
• The extension header will be placed in between main header and payload in an IPv6 packet.
IPv6 Extension Header
16
IPv6-Header Next Header = 43
(Routing)
TCP Header & Data
Routing Hdr Next Header = 44
(Fragment)
Fragment Hdr Next Header = 6
(TCP)
IPv6-Header Next Header = 6
(TCP)
TCP Header & TCP Segment
Typical IPv6 Header
IPv6 Header with Extension Header
21/06/16
9
Next Header Field
17
IPv6 Extension Headers Value (Hex) Value (Dec) Extension Header
00 0 Hop-by-Hop Extension Header 2B 43 Routing Extension Header 2C 44 Fragmentation Extension Header 32 50 Encrypted Security Payload (ESP) Extension Header
33 51 Authentication Header (AH) Extension Header 3A 58 ICMPv6 3B 59 No Next Header 3C 60 Destination Options Extension Headers
21/06/16
10
Order Of Extension Header • Source node follow the order:
1. Hop-by-hop 2. Routing 3. Fragment 4. Authentication 5. Encapsulating security payload 6. Destination option 7. Upper-layer
• Only hop-by-hop has to be processed by every intermediate nodes • Routing header need to be processed by intermediate routers • At the destination fragmentation has to be processed before others
Extension Header Threats • IPv6 extension headers are used to extend the functionality of the
protocol
• An attacker could manipulate this feature to create attack – Create an IPv6 packet with long list of extension headers that cause a DoS
to the routers along the path or to the destination host – Lengthy extension headers could consume system resource or could crash
the the host protocol stack – Could be use as an attack vector to inject malicious code to the network by
avoiding firewall and IDS (Numerous extension header in a single packet could spread the payload in to second fragment that could not be checked by the firewall)
21/06/16
11
Extension Header Limitations • There is no limit to the number of extension headers that can be used
• Different formats for each type of extension header
• The order of extension header is a recommendation, not a requirement
ICMPv6 Messages • There are two classes of ICMPv6 messages (like
ICMPv4) – Error messages
Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem – Informational messages
Echo request, Echo reply, Router solicitation, Router advertisement, Redirect, Router renumbering
• ICMPv6 message contain a type (8 bit) and code (8 bit) – Type: Identifies the ICMP message type i.e Destination
Unreachable – Code: That relate the details (Sub type) of the message to the
type of the message i.e. Destination Unreachable (Type 1) has got 4 code (Sub type)
21/06/16
12
ICMPv6 filtering is more complex
ICM
Pv6
M
essa
ge T
ypes
Error-Messages (1-127) 1:Destination Unreachable 2:Packet too big (PMTUD)
3:Time Exceeded (Hop Limit) 4:Parameter Problem
Info-Messages (Ping) 128:Echo Request 129:Echo Reply
Multicast Listener Discovery (MLD, MLD2) 130:Multicast Listener Query 131/143:Multicast Listener Report/2
132:Multicast Listener Done
Neighbor Discovery (NDP), Stateless Autoconfiguration (SLAAC) 133: Router Solicitation 134: Router Advertisement
135: Neighbor Solicitation (DAD) 136: Neighbor Advertisement (DAD) 137: Redirect Message
Other (Router Renumbering, Mobile IPv6, Inverse NS/NA,…) 138-153
ICMPv6 Messages • One minor improvement made in ICMPv6 was that the message types were
separated – error messages have type values from 0 to 127 – informational messages have type values from 128 to 255
• List of all ICMPv6 type and code value – http://www.iana.org/assignments/icmpv6-parameters
• Some of the type values are defined so far – So undefined type should be blocked
• Unallocated error messages: Type 5-99 and type 102-126 • Unallocated informational message: Type 156-199 and type 202-254 • Experimental message: Type 100, 101, 200, 201 • Extension type message: Type 127, 255
• However if new message are allocated by IANA in the future, adjustment need to be made to this filter
21/06/16
13
ICMPv6 Messages • ICMPv6 is used for many legitimate purpose so following messages
must be permitted through the network perimeter – Type 1: Destination Unreachable – Type 2: Packet Too Big [PMTUD] – Type 3: Time Exceeded – Type 4: Parameter Problem
• Following messages can be permitted as an option through the network perimeter (If Source & Destination of the packet can be controlled) – Type 128: Echo Request – Type 129: Echo Reply
ICMPv6 Messages • Following messages need to be blocked through the network perimeter
if those functions are not used for specific purpose: – Type 138: Router Renumbering – Type 129: Echo Reply – Type 139 & 140: Node Information Query Messages
• RFC 4890 – recommendations for filtering ICMPv6
21/06/16
14
ICMPv6 Messages • ICMPv6 error message contain part/full of the original packet in its
payload that cause the error at the first place – More likely full packet in ICMPv6 as minimum MTU is 1280 byte
• This payload could be used by the hacker as a covert channel to send any malicious code
• So firewall should inspect payload segment in ICMPv6 error packet to make sure it is legitimate – If the error packet fragment does not contain legitimate IPv6 address or it is
not statefully sent then packet should be dropped
ICMPv6 Messages • A Denial of Service (DoS) attack can be initiated by
generating a stream of illegal packets i.e large packet, expiring hop count etc – If enough erred packets are generated it could drive high CPU
utilization of the router
• ICMPv6 error message generation can be limited by using following command
Router(config)#ipv6 icmp error-interval 10000 [in millisecond]
21/06/16
15
ICMPv6 Messages • Rate limiting ICMPv6 traffic from overwhelming the router
! !ipv6 access-list ICMPv6 ! permit icmp any any !! !class-map match-all ICMPv6 ! match protocol ipv6 ! match access-group name ICMPv6 !! !! !policy-map ICMPv6_RATE_LIMIT ! class ICMPv6 ! police 100000 200000 conform-action transmit exceed-action drop !! !Interface fa0/0 ! service-policy input ICMPv6_RATE_LIMIT !!!
Example configuration • ICMPv6 filter (Undefined ICMPv6 message type)
Router#sh ipv6 access-list ICMPV6_UNDEFINE_TYPE !
IPv6 access list ICMPV6_UNDEFINE_TYPE !
deny icmp any any 5 99 sequence 10 !
deny icmp any any 102 126 sequence 20 !
deny icmp any any 156 199 sequence 30 !
deny icmp any any 202 254 sequence 40 !
deny icmp any any 100 sequence 50 !
deny icmp any any 101 sequence 60 !
deny icmp any any 200 sequence 70 !
deny icmp any any 201 sequence 80 !
deny icmp any any 127 sequence 90 !
deny icmp any any 255 sequence 100 !
permit icmp any any sequence 110 !
21/06/16
16
Example configuration • ICMPv6 filter (Specific ICMPv6 message type and code)
Router(config)#ipv6 access-list ICMPV6_SPECIFIC_TYPE_CODE !
Router(config-ipv6-acl)#deny icmp any any ? !
<0-255> ICMPv6 message type !
auth Match on authentication header !
beyond-scope Destination beyond scope !
dest-option Destination Option header (all types) !
dest-option-type Destination Option header with type !
destination-unreachable Destination address is unreachable !
dhaad-reply Home agent address discovery reply !
dhaad-request Home agent address discovery request !
dscp Match packets with given dscp value !
Continue next slide……….
Example configuration echo-reply Echo reply !
echo-request Echo request (ping) !
flow-label Flow label !
header Parameter header problems !
hop-limit Hop limit exceeded in transit !
log Log matches against this entry !
log-input Log matches against this entry, including input !
mld-query Multicast Listener Discovery Query !
mld-reduction Multicast Listener Discovery Reduction !
mld-report Multicast Listener Discovery Report !
mobility Mobility header (all types) !
Continue next slide……….
21/06/16
17
Example configuration mobility-type Mobility header with type !
mpd-advertisement Mobile prefix advertisement !
mpd-solicitation Mobile prefix solicitation !
nd-na Neighbor discovery neighbor advertisements !
nd-ns Neighbor discovery neighbor solicitations !
next-header Parameter next header problems !
no-admin Administration prohibited destination !
Continue next slide……….
Example configuration no-route No route to destination ! packet-too-big Packet too big ! parameter-option Parameter option problems ! parameter-problem All parameter problems ! port-unreachable Port unreachable ! reassembly-timeout Reassembly timeout ! redirect Neighbor redirect
21/06/16
18
IPv6 Neighbor Discovery (ND) • IPv6 uses multicast (L2) instead of broadcast to find out target host
MAC address
• It increases network efficiency by eliminating broadcast from L2 network
• IPv6 ND uses ICMPv6 as transport – Compared to IPv4 ARP, there is no need to write different ARP for different
L2 protocol i.e. Ethernet etc.
RFC 4861
NDP Message Types
36
133 Router Solicitation Prompts a router to send a Router Advertisement.
134 Router Advertisement Sent by routers to tell hosts on the local network the router exists and describe its capabilities
135 Neighbor Solicitation Sent by a device to request the layer two address of another device while providing its own as well
136 Neighbor Advertisement Provides information about a host to other devices on the network
137 Redirect Router informs host of a better first hop to destination
21/06/16
19
IPv6 Neighbor Discovery (ND) • Solicited-Node Multicast is used for Duplicate Address Detection
– Part of the Neighbour Discovery process – Replaces ARP – Duplicate IPv6 Addresses are rare, but still have to be tested for
• For each unicast and anycast address configured, there is a corresponding solicited-node multicast address – This address is only significant for the local link
IPv6 Neighbor Discovery (ND) • Solicited Node Multicast Address
– Starts with FF02::1:FF00:0/104 – Last 24 bit from the interface IPV6 address
• Example Solicited Node Multicast Address – IPV6 Address 2406:6400:0:0:0:0:0000:0010 – Solicited Node Multicast Address is FF02:0:0:0:0:1:FF00:0010
• All hosts listen to its solicited node multicast address corresponding to its unicast and anycast address (if defined)
21/06/16
20
IPv6 Neighbor Discovery (ND) • Host A would like to communicate with Host B
– Host A IPv6 global address 2406:6400::10 – Host A IPv6 link local address fe80::226:bbff:fe06:ff81 – Host A MAC address 00:26:bb:06:ff:81
• Host B IPv6 global address 2406:6400::20 – Host B Link local UNKNOWN [Gateway if outside the link] – Host B MAC address UNKNOWN
• How will Host A create L2 frame for Host B?
IPv6 Neighbor Discovery (ND)
21/06/16
21
IPv6 Autoconfiguration Stateless mechanism
For a site not concerned with the exact addresses No manual configuration required Minimal configuration of routers No additional servers Use SLAAC
Stateful mechanism For a site that requires tighter control over exact address assignments Use stateful address protocol (DHCPv6)
Stateless with DHCP Use Router Advertisement to allocate prefixes Other parameters provided by DHCP
RFC 2462
What is SLAAC? • Stateless Address Autoconfiguration (SLAAC)
• RFC 4862
• IP address is assigned based on the prefix provided by router (RA) + generated Interface ID
• Use Duplicate Address Detection (DAD) to verify the new address is unique
21/06/16
22
IPv6 Autoconfiguration
Tentative Address (EUI-64) FE80::310:BAFF:FE64:1D
Is this address unique?
Assign FE80::310:BAFF:FE64:1D 2001:1234:1:1/64 network
1. A new host is turned on 2. Assign tentative address to new host
3. Perform Duplicate Address Detection (DAD)
4. Host sends NS message to all-nodes multicast address (FF02::1)
5. Wait for NA message. If none arrives, it is unique.
6. Assign link local address to interface
43
IPv6 Autoconfiguration
FE80::310:BAFF:FE64:1D
Send me Router Advertisement
Router Advertisement Assign 2001:1234:1:1:310:BAFF:FE64:1D
2001:1234:1:1/64 network
1. Host sends an RS message to all-routers multicast group (FF02::2)
2. Router replies with a Routing Advertisement (RA)
3. Host will learn the network prefix
4. Host will assign a new address using Network Prefix + Interface ID
21/06/16
23
Exercise: Basic IPv6 • Login to your assigned VM
• Assign a static IPv6 address to the interface – 2406:6400:X::/48
• Launch Wireshark or any sniffing tool – Filter out ICMPv6 – Observe the message types (and content) of the packets
IPv6 Toolkits
46
Quick Introduction to the Tools
21/06/16
24
IPv6 Attack Frameworks • “The Hackers’ Choice” THC-IPv6
– https://www.thc.org/thc-ipv6/
• SI6 Networks IPv6 Toolkit – http://www.si6networks.com/tools/ipv6toolkit/
• Chiron – http://www.secfu.net/tools-scripts/
THC-IPv6 – Installation Ubuntu
#install sudo apt-get install thc-ipv6 #verify
ls /usr/bin/atk6-*
Redhat / CentOS #install sudo yum install epel-release sudo apt-get install thc-ipv6 #verify ls /usr/bin/*6
48
21/06/16
25
THC-IPv6 Tools alive6 Checks for live interfaces with ipv6 address
parasite6 “ARP spoofer” for ipv6 redir6 Redirects all traffic into a target implementation6 Test what the firewall supports
firewall6 Performs various ACL bypass attempts thcping6 Test for anti-spoofing (RPF check)
thcping6 <interface> <src-addr> <dest-addr>
fake_router26 Pretend to be a router (replaces fake_router6)
ndpexhaust26 Attack with ICMPv6 toobig and echorequest thcsyn6 Flood the target with SYN packets
http://tools.kali.org/information-gathering/thc-ipv6
SI6 IPv6Toolkit – Installation Ubuntu
sudo yum -y install libpcap-devel
wget https://github.com/fgont/ipv6toolkit/archive/master.zip
unzip master.zip cd ipv6toolkit-master/
sudo make all
sudo make install
#verify ls /usr/local/sbin/*6
Redhat / CentOS
sudo apt-get -y install libpcap-dev
wget https://github.com/fgont/ipv6toolkit/archive/master.zip
unzip master.zip cd ipv6toolkit-master/
sudo make all
sudo make install
#verify ls /usr/local/sbin/*6
50
21/06/16
26
SI6 IPv6 Toolkit Commands
addr6 IPv6 address analysis and manipulation tool
Blackhole6 Troubleshooting tool which can find IPv6 where in the network topology packet with specific Extension header is being dropped
flow6 Tool to perform security assessment of the IPv6 Flow Label frag6 Tool to perform IPv6 fragmentation-based attacks icmp6 Attacks based on ICMPv6 error messages na6 Tool to send arbitrary Neighbor Advertisement messages ra6 Tool to send arbitrary Router Advertisement messages
scan6 IPv6 address scanning tool tcp6 Send arbitrary TCP segments and perform a variety of TCP-based
attacks
https://www.si6networks.com/tools/ipv6toolkit/index.html
Exercise: Attack Toolkit • If you are running Linux or OS X:
– Install THC-IPv6 and IPv6 Toolkit
• If you are running Windows: – Request for a Linux VM from instructor – Login to the VM assigned to you – Both tools are already installed
21/06/16
27
Scanning IPv6 Networks
53
IPv6 uses 128-bit address
It takes too long (or impossible) to scan the entire range
Fact or Myth?
21/06/16
28
Scanning a Network • The entire IPv4 address space can be scanned in under 5 minutes*
• IPv6 networks are too big to scan sequentially, but still possible
It's not still possible anymore… • DNS bruteforcing on common hostnames
– using a dictionary – or sequential a,aa,aaa,aab
• Alive bruteforcing on typical addresses – low range: ::1,::2,::3,… – DHCP: sequential ranges 1000-2000 (find one, got all) – Serviceport in IP addresses numbers: ::80,::53,53:1,53:2 – Autoconfiguration with MAC: 24 Bit are per Vendor-ID, 24 Bit must be
guessed (16'777'216) – Addresses using words 2001:db8::cafe:f00d:babe:beef – other guessable patterns
21/06/16
29
Example: Finding hosts in DNS for target.org • use dnsdict6 with 'xlarge' built-in dictionary
dnsdict6 –x target.org
- apollo.target.org ==> 2001:beef:123:8:20c:29ff:fe3d:903 - ares.target.org ==> 2001:beef:123:8:20c:29ff:fea0:11fc - argos.target.org ==> 2001:beef:123:8:20c:29ff:fea0:2121 - athena.target.org ==> 2001:beef:123:8:20c:29ff:fea0:2ffc – […] – Found 72 hosts and 60 unique ip-addresses for target.org
Example: Finding live IPs of target.org • ping6 www.target.org (to get an idea of the used ip-pattern) • 2001:beef:123:1::5 • use alive26 with a known or guessed pattern
alive26 -d eth1 2001:beef:123:0-ff:0:0:0:0-1f
– Alive: 2001:beef:123:1::5 (www.target.org) [ICMP echo-reply] – Alive: 2001:beef:123:2::4 (logon.target.org) [ICMP echo-reply] – Alive: 2001:beef:123:3::1 (sales.target.org) [ICMP echo-reply] – Alive: 2001:beef:123:a::9 (control.target.org) [ICMP echo-reply] – […] – Scanned 8192 addresses and found 138 systems alive
21/06/16
30
More help from DNS / DNSSEC
• Try DNS Zone Transfer to read complete zone file dig @<nameserver> <domain> axfr
è seldom possible by now
• DNSSEC Zone Walking (NSEC records are chained) dnssecwalk <nameserver> <domain>
è corrective with NSEC3 (bind 9.6.0)
If the attacker is already in the LAN • ping multicast addresses
– e.g.Link-local scope all nodes multicast address ff02::1 • ping6 –I eth1 ff02::1 • alive26 eth1 ff02::1
– doesn't work from Windows – doesn't work for all targets
• Sniffing – e.g. listen to Neighbor Discovery Protocol
• Neighbor Cache – the equivalent to IPv4 ARP chache
• Linux: ip -6 neigh • Windows: netsh interface ipv6 show neighbors • Cisco: show ipv6 neighbors
21/06/16
31
Target Discovery – Mitigation? • Use of static random addresses & unguessable DNS names? (hmm….)
• Privacy extensions? (hmm….)
• Any place where IPv6 addresses are listed will become more attractive for attackers (DNS, DHCP records, Logfiles…) è protect them
• also mitigate Remote Neighbor Cache Exhaustion Attack – A scan floods neighbor cache table (fast) – Rate limiting, Ingress Filtering (see Section Perimeter)
Scanning – Attack Tool • dnsdict6
– Used to find all subdomains and enumerate IPv6 addresses
• alive26 – Shows alive addresses in the segment.
root@kali:~# atk6-dnsdict6 -d apnic.net
21/06/16
32
63
Starting DNS enumeration work on apnic.net. ... Gathering NS and MX information... NS of apnic.net. is sec1.apnic.net. => 2001:dc0:2001:a:4608::59 NS of apnic.net. is ns1.apnic.net. => 2001:dc0:2001:0:4608::25 NS of apnic.net. is sec3.apnic.net. => 2001:dc0:1:0:4777::140 NS of apnic.net. is ns3.apnic.net. => 2001:dc0:1:0:4777::131 NS of apnic.net. is sec4.apnic.net. => 2001:dc0:4001:1:0:1836:0:141 MX of apnic.net. is ao-mailgw.apnic.net. => 2001:dd8:8:701::25 MX of apnic.net. is ia-mailgw.apnic.net. => 2001:dd8:a:851::25 MX of apnic.net. is nx-mailgw.apnic.net. => 2001:dd8:9:801::25 Starting enumerating apnic.net. - creating 8 threads for 1419 words... Estimated time to completion: 1 to 2 minutes 6to4.apnic.net. => 2001:dc0:2001:11::234 api.apnic.net. => 2001:dd8:9:2::101:29 as.apnic.net. => 2001:dd8:9:2::101:12 blog.apnic.net. => 2001:dd8:8:701::11
Attacks at the Local link • Attacks related to Neighbor Discovery (NDP)
– Neighbor Solicitation (NS) – Advertisement (NA) – Duplicate Address Detection
• Attacks related to Router Advertisement (RA) – RA Flooding
21/06/16
33
Neighbor Advertisement Attacks
65
DAD DoS, ND Spoofing, NA Spoofing
Attacker sends NA for each NS
Duplicate Address Detection - DOS
A B C
A sends NS for DAD
Sorry, I have this address already
I want to use this IPv6 address
A can't configure any IPv6 address
21/06/16
34
Duplicate Address Detection - DOS • Attacker replies to each DAD-NS
• Victim can't configure an IPv6 address at all
• Works also if Autoconfiguration is disabled: DAD is mandatory also for DHCPv6 or manually configured addresses!
DAD – Attack Tool dos-new-ip6 This tool prevents new ipv6 interfaces to come up by sending answers to duplicate ip6 checks. This results in a DOS for new IPv6 devices.
root@kali:~# atk6-dos-new-ip6 eth0
Started ICMP6 DAD Denial-of-Service (Press Control-C to end) ...
Spoofed packet for existing ip6 as 2400:6401::1
Spoofed packet for existing ip6 as fe80::5054:ff:fe42:e97a
poofed packet for existing ip6 as 2001:d35d:b33f:0:5054:ff:fe42:e97a
Spoofed packet for existing ip6 as 2001:d35d:b33f:0:5054:ff:fe42:e97a
21/06/16
35
Exercise: DAD DoS • Try to assign a new IPv6 address to your interface, using
static address sudo ifconfig eth0 add 2400:6400::1/64
• Alternatively, restart the interfaces so it will do another ND • If you want to act as an attacker, try the command:
dos-new-ip6 eth0
• Observe the output of the tool. • Has the client obtained a global unicast address?
DAD-DOS Observations • Linux configures link local address (!) and tries every 30 seconds to
configure a Global Unicast Address. – /proc/sys/net/ipv6/conf/*/accept_dad default=1
• XP tries a few times – also with different random addresses, and then quits
• Win7 tries a few times and then quits - might show popup "Windows has detected an IP address conflict“
21/06/16
36
DAD DOS Mitigation • NS/NA can't be blocked because it's used also for Address Resolution
("ARP”)
• Most switches can forward multicast packets only to the needed ports
• This feature is called "MLD snooping", check if it is enabled
Neighbor Discovery Spoofing
72
A B B
Attacker spoofs NA with his MAC address
A sends NS: Who has IPv6 address B? Please send Link Layer Address
I have IP B, here is my MAC address
I want to talk to IP B, pls send your MAC addr.
A talks to Attacker instead of B
21/06/16
37
NDP Spoofing – Attack Tool Parasite6 This is an "ARP spoofer" for IPv6, redirecting all local traffic to your own system (or nirvana if fake-mac does not exist) by answering falsely to Neighbor Solicitation requests, specifying FAKE-MAC results in a local DOS.
Also check out fake_advertise6, flood_advertise6, flood_solicitate6
NDP Spoofing – Attack Tool root@kali:~# atk6-parasite6 -l eth0 aa:bb:cc:11:22:33
Remember to enable routing (ip_forwarding), you will denial service otherwise!
=> echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end) ...
Spoofed packet to fe80::3636:3bff:fed0:3030 as fe80::4af8:b3ff:fe9a:d29e
Spoofed packet to fe80::3636:3bff:fed0:3030 as fe80::4af8:b3ff:fe9a:d29e
21/06/16
38
Redirect Spoofing
75
A B
B
R1
Attacker sends redirect to A with new-ip/mac
A wants to talk to B
A adds route and then talks to Attacker instead of B
<original-router> <new-ip>
<target-ip>
<src-ip>
ICMPv6 Redirect – Attack Tool redir6 Implant a route into src-ip, which redirects all traffic to target-ip to new-ip. You must know the router which would handle the route. If the new-router-mac does not exist, this results in a DOS.
21/06/16
39
Attacks with Router Advertisement
77
Rogue RA, Lifetime 0 Attacks, RA Flooding
Rogue RA Principle
A C B
Attacker sends Router Advertisements
I am your Default Router!
ICMPv6 Type 134 (RA) Src: own Link Local Address Dst: ff02::1 Data: Prefix, Options, Lifetime, Autoconfig Flag
R1
All nodes autoconfigure IPv6 according to spoofed RA: Default Router, Prefix information
21/06/16
40
Rogue RA – Denial of Service
79
A B B R1
BLOCK
All traffic sent to Attacker ends up in a black hole
Default Router
Rogue RA – Man in the Middle Attack
80
A B B R1 FORWARD
Attacker can intercept, listen, modify unprotected data
Default Router
21/06/16
41
Rogue RA – Performance Issue
81
A B B R1
WLAN
Attacker becomes a bottleneck Often not an attack but misconfigured client
Default Router
Rogue RA – Attack Tool fake_router6 / fake_router26
Announce yourself as a router and try to become the default router.
root@kali:~# atk6-fake_router26 -A 2001:D35D:B33F::/64 eth0 Starting to advertise router (Press Control-C to end) ...
21/06/16
42
Rogue RA – Attack Tool [nsadmin@server1 ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:42:E9:7A
inet addr:192.168.1.1 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: 2001:d35d:b33f:0:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2001:db8::5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: fe80::5054:ff:fe42:e97a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:299646 errors:0 dropped:0 overruns:0 frame:0
TX packets:89280 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:220558509 (210.3 MiB) TX bytes:6622864 (6.3 MiB)
Output after fake_router26 is run
Exercise: Route Advertise • Login to your assigned VM
• Try to become the default route fake_router26 eth0
• Observe the interface ip -6 route
• Advertise a fake route fake_router26 –A 1234::abcd:X::/64 eth0
21/06/16
43
Router Lifetime 0 Attack
85
A B B
R1 is down (Router lifetime = 0)
R1
Attacker sends RAs with Lifetime = 0
Try to remove router from routing table
Router Lifetime 0 Attack kill_router6 • Announce (to ff02:1) that a router is going down (RA with
Router Lifetime 0) to delete it from the routing tables.
86
root@kali:~# atk6-kill_router6 eth0 '*'
21/06/16
44
Some Rogue RA Facts • Everybody can send Router Advertisements!
– Nodes will add (new) global addresses – Nodes will add / delete default route – Also in "IPv4-only" networks: IPv6-enabled hosts will configure IPv6
addresses and can then be attacked over IPv6 (second door) – Possible Attacks: DOS, MITM, decreased Network-Performance (and
more, see soon)
Router Advertisement Flooding
88
A B C
2004:: is a prefix 2005:: is a prefix 2006:: is a prefix 2007:: is a prefix…
R1
Attacker floods LAN with Router Advertisements
21/06/16
45
RA Flooding – Tool flood_router26 / flood_router6 • Flood the local network with router advertisements
RA Flooding – Tool root@kali:~# atk6-flood_router6 eth0
!
! Please note: flood_router6 is deprecated, please use flood_router26!
!
Starting to flood network with router advertisements on eth0 (Press Control-C to end, a dot is printed for every 1000 packets):
.........................................................................
.........................................................................
.........................................................................
.........................................................................
.........................................................................
.........................................................................
..................
21/06/16
46
RA Flooding – Victim [nsadmin@server1 ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:42:E9:7A
inet addr:192.168.1.1 Bcast:192.168.255.255 Mask:255.255.0.0
inet6 addr: 2a01:d07b:1aca:eccb:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:d86e:5318:d649:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:364a:768d:3b38:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:cea:f971:b02b:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:3a55:4067:f66a:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:206e:57f1:c2fa:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:3b81:65c6:317b:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:de28:2da1:2a1b:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:53aa:d153:a394:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:8c7f:8bb0:1611:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:96f0:c201:ed8f:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:d4b0:f9:c3e7:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:c994:2497:861e:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:ed60:6bfd:cc19:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: 2a01:5e4c:2412:e7e0:5054:ff:fe42:e97a/64 Scope:Global
inet6 addr: fe80::5054:ff:fe42:e97a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:370574 errors:0 dropped:0 overruns:0 frame:0
TX packets:89790 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:228886582 (218.2 MiB) TX bytes:6686773 (6.3 MiB)
91
Some RA Flooding Facts • Everybody can send Router Advertisements!
• Attacker floods LAN with RAs and lots of Prefixes
• Nodes will stall or crash:
• Windows XP,Vista,7,8,200x Server • Free/Net/Open-BSD - depends on version • OS X • Juniper • Android phones, iPads,... slow down or freeze
• Safe: • Cisco IOS & ASA - is fixed • Linux has a limit of 16 IPv6 addresses incl. link local (not attackable)
21/06/16
47
Detection of Rogue RAs & ND Spoofing • With a generic Intrusion Detection System
• signatures needed
• decentralized sensors in all network segments needed
• With NDPmon
• can monitor RAs, NAs, DAD-DOS
• generates syslog-events and/or sends e-mails
• free available at ndpmon.sourceforge.net
• Using Deprecation Daemons:
• ramond, rafixd
RA Guard • Router Advertisement Guard (RFC 6105)
• All messages between IPv6 end-devices traverse the controlled L2 networking device.
• Filter RA messages based on a
set of criteria
21/06/16
48
RA Guard – 3 Types • Stateless RA-Guard
– filter incoming RAs based on information found in the message (Link Layer address, IP source address, Prefix List, Router Priority) or in the L2-device configuration (Switch-Port).
• Stateful RA-Guard – Stateful RA-Guard learns dynamically about legitimate RA senders and
stores this information for allowing subsequent RAs ("Learning-Mode").
• SEND-based RA-Guard – Filtering RAs based on SEND considerations
SEND • Secure Neighbor Discovery (RFC 3971)
• A crypto solution for securing NDP messages
• A set of new ND options added
21/06/16
49
Rogue RA Conclusion • Mitigation of Rogue RA must be considered - even in IPv4-only
networks
• There are several mitigation approaches with different Pros/Cons – these can be combined
• Different operational scenarios require different mitigation approaches
• See RFC 6104 for more information and references
IPv6 Security Best Practices
98
21/06/16
50
0. Are you running IPv6? • Know whether you are running IPv6
– IPv6 is enabled by default in some devices and operating systems • (ISATAP, Teredo, etc in Windows PC)
– If not using IPv6, make sure to disable this in all devices
• Decide when to enable IPv6 – Make sure there are IPv6 policies in place
1. Learn IPv6 • Teach your network operators about IPv6
• Teach your users about IPv6
• Set up a test environment – Don’t assume that staff will get it the first time – some trial and error to be done
• Learn from others’ deployment strategies
21/06/16
51
2. Adopt the same BCPs in IPv4 • Implement BCP38 and MANRS
• Replicate your IPv4 policies into IPv6
• Replicate your IPv4 filters
• Use similar authentication methods as in IPv4 – For login and routing protection
3. Apply Filters • Filter out some ICMPv6 messages
• Rate limit
• Block Routing Header 0 – This is now the default from RFC 5095
21/06/16
52
4. IPv6 Support for Equipment • Check if your security equipment has support for IPv6
• Always include security plans in the overall IPv6 deployment plan
• Update purchasing plans to include this
References • IPv6 Security by S. Hogg and E. Vyncke
• NIST Guidelines for the Secure Deployment of IPv6
21/06/16
53
References • RFC 2460: Internet Protocol Version 6 (IPv6) Specification
• RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
• RFC 6583: Operational Neighbor Discovery Problem
• RFC 5157: IPv6 Implications for Network Scanning
• RFC 7707: Network Reconnaissance in IPv6 Networks
• RFC 7721: Security and Privacy Considerations for IPv6 Address Generation Mechanisms
• RFC 5095: Deprecation of Type 0 Routing Headers in IPv6
• RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls
• RFC 6980: Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
• RFC 7527: Enhanced Duplicate Address Detection
• RFC 6104: Rogue IPv6 Router Advertisement Problem Statement
References • RFC 6105: IPv6 Router Advertisement Guard
• RFC 3971: Secure Neighbor Discovery (SEND)
21/06/16
54
Questions?
107
www.facebook.com/APNIC
www.twitter.com/apnic
www.youtube.com/apnicmultimedia
www.flickr.com/apnic
www.weibo.com/APNICrir