My next class:

Layer 2 DoS and other IPv6 Tricks

Published: 2011-04-11. Last Updated: 2011-04-11 18:28:18 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

IPv6, just like IPv4, is a layer 3 (Network Layer) protocol. However, it does depend on Layer 2 (Link Layer) to reach the next hop. Historically, Layer 2 has been a fertile attack breeding ground. Layer 2 protocols like Ethernet do not address these security issues and are build to be lightweight rather then secure. The assumption is that physical access to the network is restricted, and with that physical access controls can be used to mitigate most Layer 2 risks.

Of course, this hasn't been true for most networks. Wireless access, access to unsecured network jacks in public areas and even remote access via compromised hosts inside the network have been shown to provide access to layer 2. 802.1x is probably the best option to mitigate most of these threats, but even 802.1x will not protect you from a compromised authenticated workstation, and 802.1x can be difficult to implement in many scenarios.

So how does this all apply to IPv6? One of the big changes in IPv6 is that ARP is replaced with the Neighbor Discovery Protocol (NDP). NDP is based on ICMPv6. In addition, Router Advertisements (RA) are used to configure hosts. 

Probably the most important thing to understand: Neither NDP or RA prevent by default any attacks we have seen against ARP or DHCP. Just like for ARP and DHCP, we need to be able to detect and mitigate spoofing.

NDP Spoofing

By default, NDP messages are not authenticated, just like ARP is not authenticated. In its simplest form, we can use the NDP to impersonate a legitimate host on the local network to play man in the middle (MITM). MITM attacks work and can be applied just like with IPv4

Variations of the attack can be used in denial of service as well. Just like for IPv4, an IPv6 host will check if the address it is about to use is already used. By just responding to these checks ("gratuitous ARP" in IPv4), we are able to to prevent a host from obtaining an address.

RA Spoofing

The RA protocol replaces DHCP in many cases and can be used to assign IP addresses. Spoofing router advertisements can help with MITM attacks as the attack is now pretending to be a router. In a regular IPv6 network, this may only be partially successful as the rogue router is competing with legitimate routers. But by assigning itself a high priority and creating a DoS against the legitimate router, the attack has a decent chance of succeeding. 

Recently (see a few diaries back), this attack was demonstrated against IPv4 networks by combining it with NAT-PT and the preference of current operating systems to route over IPv6 if both IPv4 and IPv6 are available.

Of course, if you just spoof random RA, you will be able to mess up hosts sufficiently to stop responding at all.

Attack Tools

There is probably at least one tweet/slashdot/digg "event" a day advertising a new tool to implement these attacks. To save yourself some time: Check out the THC IPv6 attack library. It already implements a lot of these tools including a nice library to implement more. Implementing the same tools again in scappy gets you some python brownie points though.

Defenses

For the IPv4 versions of these attacks, many vendors implemented defenses, and there are open source tools like arpwatch to help you detect these attacks. In addition, we have just gotten used to watching out for these attacks and a reasonably skilled network admin is usually able to spot ARP spoofing.

For IPv6, we are a bit behind the curve when it comes to defenses. RFC 6105 outlines a mechanism calls "RA Guard" [1] that can be used to identify legitimate routers and only allow RA messages from switch ports connected to authorized routers, just like we are used to when configuring DHCP Snooping.

RFC3971 defines a mechanism called "SEND" (Secure Neighbor Discovery" which uses PKI to sign ND messages. In addition, cryptographically generated addresses (CGA) are used to avoid spoofing on the local network. However, this protocol is not yet widely implemented and the overhead associated with it can cause DoS conditions itself. 

Unlike ARP messages, the ICMPv6 messages could be routed. However, a host is not supposed to accept any ND or RA message with a TTL of less then 255.

Summary

Layer 2 defense is not easy. In particular defending against DoS. The best thing you can probably do is to know what's supposed to be on your network, and be able to quickly detect and disconnect misbehaving hosts. 

 

[1] http://tools.ietf.org/rfc/rfc6105.txt
[2] http://tools.ietf.org/rfc/rfc3971.txt
[3] http://tools.ietf.org/rfc/rfc3972.txt

 

 

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ethernet ipv6 layer 2
2 comment(s)
My next class:

Comments

Wait a second... what? If I configure my ND/RA system to use a different TTL than 255, it will break ND/RA? Who the heck came up with this stuff? I think over time we'll find more issues in IPv6 that may indicate that we infact didn't really know what we were doing when designing IPv6 protocols...
When I saw this, I thought of a belt and suspenders design approach. Even if your router, due to some misconfiguration or bug, forwards RAs from outside the local subnet, the hosts will not accept it, as the hop limit is < 255.

Diary Archives