Proactive Network Security: New Vulnerabilities in IPv6
Tyler Reguly

Who Am I?
• Security Research Engineer w/ nCircle VERT
  – Interesting research in IPv6, OS X and Web Application Security
• Blogger
  – http://www.computerdefense.org
  – http://blog.ncircle.com/vert
• Spoken Previously @ TASK and OWASP Toronto

IPv6 Basics / Features
• New Header Format
  – Addresses are 4x the size of IPv4, yet the header is only 2x bigger.
• Larger Address Space
  – 128-bit Address Space
• Increased QoS Support
  – Flow Label field in header
• Stateful & Stateless Address Configuration
  – DHCP or Automatic Address Assignment
• Built-in Security
  – IPSec is built into the protocol

Testing Setup
• IPv6 Router (Windows Server 2003 SP1)
• 3 Hosts
  – Windows Server 2003 SP1
  – Windows XP SP2
  – Ubuntu 7.04
• Testing was related to nCircle's IPv6 research; this issue was found during that testing.

Background on the Attack
• If you add an IPv6 route to your router (W2K3) and tell it to publish it, the route is shared with all hosts.
• You can publish large quantities of these addresses relatively quickly.
  – From the command prompt (command on the next page)
  – You could spoof these even faster
• Various Operating Systems deal with these large numbers of advertisements in different ways.

The Command
C:\Documents and Settings\Administrator> for /L %k in (0, 1, 9999) DO for /L %i in (0, 1, 9999) DO netsh interface ipv6 add route 2001:db8:%k:%i::/64 "Local Area Connection" publish=yes

Windows XP Results
• A Denial of Service situation occurs where Windows XP will continuously receive and record the published addresses.
• XP will maintain 100% CPU usage as it attempts to handle these addresses (svchost.exe running as SYSTEM).
• My first round of testing was after ~7500 addresses, and XP generated errors in both ipconfig and netsh.

ipconfig Error
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
An internal error occurred: The file name is too long.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.

netsh Error
C:\Documents and Settings\Administrator>netsh interface ipv6 show address
Querying active state...
No entries were found.
The file name is too long.

Windows Server 2003 Results
• Windows Server 2003 seems to have a 9600 'route' limit.
• If I continue to publish after the 9600 limit is hit, the addresses tied to the routes are simply discarded.
• Potentially a larger problem than adding all 'routes'.
• What happens if a valid 'route' is published?
  – It is ignored!

Ubuntu Results
• Ubuntu beats even Server 2003
• Ubuntu has a 16 'route' limit.
• If you continue to publish addresses after that, they are discarded.

Potential Attack
• What's interesting about this attack is that the router isn't 'registered' or specified.
• Anything on the network can publish 'routes'
• The Result:
  – A malicious individual could spam out invalid 'routes'.
  – Many systems inadvertently have IPv6 enabled
  – All of these systems would be affected.
• Hosts could have their CPUs maxed
• Servers could lose communication with other hosts.

Potential Outcome
• Windows XP
  – Effective DoS against the host
    • Host is forced to 100% CPU Usage
    • Troubleshooting tools are rendered ineffective.
  – Mitigation: Don't use IPv6
• Server 2003 and Ubuntu
  – Effective DoS that could limit access to network resources.
    • Server will not learn new 'routes'
  – Mitigation: Don't use IPv6

Vendor Responses
• Ubuntu Security Team
  – No Response to my Email
• MSRC
  – Immediate response (April '07)
  – Ongoing discussion (April – June '07)
  – Determination that this issue would be fixed in SP3 (June '07)
    • Hadn't tested beyond XP at this point
  – Follow-up to see if the fix was in SP3 (April '08)
    • It had been triaged out (deemed unimportant)
  – Public Release (May '08)

Questions / Comments?
Thanks!
Contact [email protected]
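Since any host on the link can publish 'routes', the practical defensive counterpart to the flood described in the Potential Attack slides is to watch for one sender announcing far more distinct prefixes than a real router ever would. The following detector is an added example, not code from the talk or from nCircle: it reads a constructed, simplified log of received advertisements (one per line, "<ISO timestamp> <sender link-local address> <advertised prefix>", a format assumed here) and flags senders that exceed a distinct-prefix threshold inside a sliding time window.

```python
"""Flag IPv6 route/prefix advertisement floods from a per-advertisement log.
Added example (not from the slides). Log format is an assumption:
"<ISO timestamp> <sender link-local address> <advertised prefix>"."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import IPv6Network

# Constructed sample: one legitimate router (fe80::1) refreshing two prefixes,
# then a sender (fe80::bad) announcing a burst of throwaway 2001:db8::/64s,
# one per second, the way the netsh publish loop on the slides would.
SAMPLE_LOG = "\n".join(
    ["2007-04-12T10:00:00 fe80::1 2001:db8:1::/64",
     "2007-04-12T10:00:05 fe80::1 2001:db8:2::/64",
     "2007-04-12T10:00:35 fe80::1 2001:db8:1::/64"]
    + [f"2007-04-12T10:01:{s:02d} fe80::bad 2001:db8:0:{s:x}::/64"
       for s in range(60)]
)

def parse_line(line):
    """Split one log line into (timestamp, sender, prefix)."""
    ts, sender, prefix = line.split()
    return datetime.fromisoformat(ts), sender, IPv6Network(prefix)

def detect_ra_flood(log, max_prefixes=20, window=timedelta(minutes=1)):
    """Return {sender: peak distinct-prefix count} for senders that announced
    more than max_prefixes distinct prefixes within any `window`.
    Counting distinct prefixes (not raw advertisements) keeps the normal
    periodic refresh of the same prefix from tripping the detector."""
    recent = defaultdict(deque)   # sender -> deque of (timestamp, prefix)
    offenders = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, sender, prefix = parse_line(line)
        q = recent[sender]
        q.append((ts, prefix))
        while q and ts - q[0][0] > window:   # drop entries outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_prefixes:
            offenders[sender] = max(offenders.get(sender, 0), len(distinct))
    return offenders

if __name__ == "__main__":
    for sender, n in detect_ra_flood(SAMPLE_LOG).items():
        print(f"ALERT: {sender} advertised {n} distinct prefixes in one window")
```

The threshold and window are tunable; a real deployment would feed the detector from a packet capture of ICMPv6 Router Advertisements rather than a text log.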