New RA Flood Attack

Killing Mavericks

Killing Lion

Windows 8.1 Survives!

Older Contents (2012)

Killing the Microsoft Surface with a Wireless IPv6 Attack

You can get the attack script at http://pastebin.com/aXUxBXxk

To use it, first download and compile thc-ipv6-2.0.

BE GOOD--don't attack any devices without proper authorization.

Google Notified

Hello: I have been studying IPv6 vulnerabilities for a few years, and they were a large problem for Windows but not for the Mac or Linux. But with the recent release of thc-ipv6-2.0 that has all changed. The new RA flood tool freezes an Android device, as shown in the videos here: http://samsclass.info/ipv6/proj/RA_flood2.htm I think you should be aware of this. It might be good to block excessive RA packets with a firewall, or implement some other countermeasure. --Sam Bowne

City College San Francisco

Freezing an Android Phone With an IPv6 Attack

IPv6 Attack Kills MacBook Air & 3 iPads

Notifying Apple

But I wanted to make sure they knew, so I sent this message to product-security@apple.com:

Hello: I have been studying IPv6 vulnerabilities for a few years, and they were a large problem for Windows but not for the Mac. But with the recent release of thc-ipv6-2.0 that has all changed. It can bring a Mac down in seconds, as shown in the videos here: http://samsclass.info/ipv6/proj/RA_flood2.htm I think you should be aware of this. It might be good to block excessive RA packets with a firewall. --Sam Bowne

City College San Francisco

Killing Mac OS X on a Wireless LAN

Killing Mac OS X with a Crossover Cable

This makes the attack MUCH more practical than the one I demonstrated at BayThreat, which required an expensive and bulky switch and a separate router.

Data Breaches and Password Hashes WITH the New IPv6 RA Flood Attack

The IPv6 attack starts in Part 2.

Videos: Part 1 Part 2 Part 3

Wireless: Freezing the iPad Mini

Killing Mac OS X Reliably with a better switch

This kills the Mac OS X reliably, showing a crash of the Ethernet adapter so it stops configuring addresses, followed by the whole OS freezing.

Wireless Attack on iPad 3

The other devices we tested were Windows 8, iPad 1, and MacBook Air. They all slowed down during the attack, but remained usable. The iPad 1 was the most resistant to this attack, all it did was consume about 10% - 20% of the CPU, making no significant difference in its performance.

Posted 11-30-12

Microsoft's IPv6 Readiness Update

http://support.microsoft.com/kb/2750841

However, it's only available for Win 7 and Win Server 2008 R2. In addition, it only provides partial protection: a patched machine freezes totally during the attack, but recovers quickly when it stops. It is possible to do better--Ubuntu Linux completely shrugs off the attack, adding a few new IPv6 addresses and showing no deleterious effect at all.

Here's a video showing the attack killing Windows 8, Server 2008, and Mac OS X:

Here's a video showing the extent to which the Microsoft IPv6 Readiness Update protects Windows 7 and Server 2008 R2. It also shows the attack's effect on Windows XP and Ubuntu Linux.

Details of an earlier test using virtual machines are here.

Killing Mac OS X and Server 2012

How it Works

It's a normal RA, with these ICMPv6 Options:

MTU

Prefix Information

Source link-layer address

Here's a captured packet from the newer attack, shown in two images because it's too big to fit in one.

It's a normal RA, with these ICMPv6 Options:

17 Route Information sections

18 Prefix Information sections

1 Source link-layer address

So each packet burdens the recipients a lot more.

I think Microsoft and Apple need to pay attention this time, because this one crashes the Mac, and it makes Server 2012 restart, which makes me suspect it could be exploited further, perhaps into a remote code execution attack.

Packet Captures

RAs.pcap

References

Marc Hause's slides presenting thc-ipv6 version 2

http://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf

Step-by-step instructions for testing the older tool

http://samsclass.info/ipv6/proj/projL9-flood-router.htm

First posted: 7:30 am 11-20-12 by Sam Bowne

Page reorganized with Contents section 11-30-12 10:36 am

New videos 4 and 5 added 12-5-12

BayThreat Videos added 12-8-12 11:19 pm

Attacks on the Mac OS X with simulated routers added 7:45 pm, 12-10-12.

Apple notified 12-11-12

3 iPads video added 11:37 PM 12-11-12

Android attack and Google notification added 4:36 PM 12-12-12

Microsoft Surface attack added 7 am 12-15-12

Mavericks & Win 8.1 added 11-12-13