Provided by : Ayman Mohamed Abelgadir. Supervisor : Dr. Mohamed Awad Elshaikh


The National Ribat University
Faculty of Graduate Studies and Scientific Research
Master Thesis in Study of Denial of Service and ARP Spoofing Attacks in IPv6 Networks
Provided by: Ayman Mohamed Abelgadir
Supervisor: Dr. Mohamed Awad Elshaikh

Dedication

I would like to dedicate my work to my father, a great teacher who instilled the spirit of research, perseverance and study in myself. And to my mother, who is always asking God for compromise me, and to my dear wife for her continuous support, and also to my brothers, my daughters, and my children.

ACKNOWLEDGMENTS

First of all, I wish to offer my sincere gratitude to Dr. Mohammed Awad Elshaikh, my thesis supervisor, for his guidance, advice, encouragement and suggestions during my study. He has led me to the world of IPv6. His knowledge and hard work stimulated my interest to do research in the area of IPv6. I would like to thank Eng. Ahmed Ali for his continuous support and Eng. Mohamed Mahgoub from Nile Center For Technology and Research for his strong help. Finally, I wish to thank my wife for her continuing love, understanding, and encouragement.

ABSTRACT

In the light of today's and future advancing technologies, demand for the IPv6 internet protocol becomes crucial because of its usages and benefits. This thesis describes the structure of IPv6 packets and headers and addresses the details of the Internet Control Message Protocol Version 6 (ICMP6) and its various message types. The thesis describes the building and use of messages to visualize IPv6-based cyber-attacks, Denial of Service (DOS) and ARP poisoning, on IPv6 networks, and the tracking of these messages through ICMPv6 with open-source packet analyzer tools, capturing packet frames and analyzing them to reach the results, which proved the existence of attacks on

IPv6, and the traces of simulated attacks extend from the link layer to the application layer.

Abstract (translated from Arabic)

In light of the growing development of technology, now and in the future, IPv6 becomes the most important version in view of its uses and the demand for it. This research describes in general the components of IPv6 and addresses in detail the ICMPv6 protocol, the messages used in it and their types. It also shows how these messages are used in DOS and ARP attacks to reach networks that use IPv6. These messages were followed by monitoring and recording the movements of the ICMPv6 protocol with some open-source tools, and by analyzing the observed results and comparing them after the experiments were carried out. This research confirmed the existence of DOS and ARP attacks that start at the second layer (link layer) and whose effects reach the application layer in IPv6 network environments.

Contents

1.1 Introduction
Problem Statement
Research Objective
Research Methodology
Research Scope
Research Question
Thesis Structure
Previous work and literature review
Brief Overview of IPv6
IPv6 Security
IPv6 Security Impact
IPv6 Packet Security

2.5 Packet Headers
Extension Headers
Internet Control Message Protocol Version 6 (ICMP6)
Information Messages
Error Messages
Neighbor Discovery
The Router Solicitation message
The Router Advertisement message
The Neighbor Solicitation message
The Neighbor Advertisement message
The Neighbor Redirect Message
Previous work and literature review
Study of IPv6 Security vulnerabilities
DOS attack in IPv6 networks and counter measurement
Vulnerabilities and Threats in IPv6 Environment
Mitigation IPv6 Vulnerabilities
Result & Analysis
Tools
Virtual Box Application version
Wireshark
The Hacker Choice
Snort
Network design and equipment
Dell Laptop
Ubuntu
Kali
Network Topology
Experiments

3.2.1 The ARP poisoning Attack
Normal operation of the IPv6 network
First ARP poisoning Attack
Second ARP poisoning Attack
Third ARP poisoning Attack
The Denial of Service Attack
First Denial Of Service (DOS) Attack
Second Denial Of Service (DOS) Attack
Third Denial Of Service (DOS) Attack
Mitigation The (DOS) attack by Snort IPS
Conclusion & Recommendation for future work
Result
Recommendation
Bibliography

LIST OF FIGURES

Figure 2.1 IPv6 Packet Headers
Figure 2.2 IPv6 Extension Headers
Figure 2.3 Sequence of Extension Headers
Figure 2.4 Extension Headers Arrangements
Figure 3.1 Network Diagram
Figure 3.2 Monitor Of Packets in Normal Operation
Figure 3.3 Accessing website in normal operation
Figure 3.4 Activity diagram for normal operation
Figure 3.5 Packets before first ARP attack
Figure 3.6 pinging replay by server
Figure 3.7 Solicitation and advertisement message before first ARP
Figure 3.8 Monitor of packets in first ARP
Figure 3.9 Explain how attacker work
Figure 3.10 Pinging in first ARP attack

Figure 3.11 Packet for accessing website before first ARP
Figure 3.12 Accessing website before first ARP
Figure 3.13 In first ARP attacker replay instead of server
Figure 3.14 In first ARP web service unavailable
Figure 3.15 Attacker machine spoofed to client in first ARP
Figure 3.16 Router solicitation message in second ARP
Figure 3.17 Pinging after second ARP
Figure 3.18 Continue advertisement message in second ARP
Figure 3.19 The attacker success in second ARP
Figure 3.20 Web services stopped in second ARP
Figure 3.21 Man-in-the Middle in second ARP
Figure 3.22 Attacker machine spoofed in second ARP
Figure 3.23 Advertisement and solicitation in third ARP
Figure 3.24 Received packets in third ARP
Figure 3.25 Attacker spoofed in third ARP
Figure 3.26 Activity diagram for ARP spoofed
Figure 3.27 Attacker advertisement in first DOS
Figure 3.28 Solicitation message in first DOS
Figure 3.29 Packets before second DOS
Figure 3.30 Second DOS webserver not respond
Figure 3.31 Pinging to webserver in third DOS
Figure 3.32 Normal operation before third DOS
Figure 3.33 Continue advertisement in third DOS
Figure 3.34 Activity diagram for DOS attack
Figure 3.35 Snort IPS blocking DOS attack
Figure 3.36 Activity diagram for mitigate DOS attack

LIST OF TABLE

Table (2.1) Error Message Code
Table (2.2) Time Exceeded Code
Table (2.3) ICMPv6 error message
Table (2.4) IPv4 ARP and IPv6 Neighbors Discovery
Table (3.1) IPv6 and link layer addresses

List of Abbreviations

The following is a table of abbreviations, symbols and notations used within the topic of this thesis.

Abbreviation: Definition
ACK: Acknowledge
AH: Authentication Header
ARP: Address Resolution Protocol
Attacker Machine: Linux Kali system
Capture Monitor: Computer running wireshark application to capture data in the network

Client: Computer in the network used to access the server
CPU: Central Processing Unit
DAD: Duplicate Address Detection
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
DOS: Denial of Service
Dst: Destination of Packets going
ESP: Encrypted Security Payload
GUI: Graphical User Interface
HTTP: Hyper Text Transfer Protocol
ICMP: Internet Control Message Protocol
ICMPv4: Internet Control Message Protocol version4
ICMPv6: Internet Control Message Protocol version6
IGMP: Internet Group Management Protocol
IP: Internet Protocol
IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6
MITM: Man-In-The-Middle
MTU: Maximum Transmission Unit
NIC: Network Interface Card
NIDS: Network Intrusion Detection System
NIPS: Network Intrusion Prevention System
Ping: Packet Internet Groper
RFC: Request For Comment
Src: Source of sending Packets

SYN: Synchronize
TCP: Transfer Control Protocol
THC: The Hacker Choice
Webserver: Linux server hosted test web site and web services

CHAPTER ONE

1.1. Introduction

IP address is a shorter way of saying Internet Protocol address. An IP address is the number assigned to a computer network interface. Although names are used to refer to the things sought on the Internet, such as computers, these names are translated into numerical addresses so that data can be sent to the right location. So when sending an e-mail or visiting a web site, the computer sends data packets to the IP address of the other end of the connection and receives packets destined for its own IP address [1].

There are two types of IP addresses. The older one, Internet Protocol version 4 (IPv4), is the fourth version in the development of the Internet Protocol and the first version of the protocol to be widely deployed, and it supports three different types of addressing modes [2]. The second one is Internet Protocol version 6 (IPv6), which is intended to replace IPv4 in the worldwide Internet, mainly due to the address exhaustion of IPv4. IPv6 greatly enlarges the address space from 32 bits to 128 bits. This means the future expansion of the Internet is now dependent on the successful global deployment of the next generation of Internet protocol [3].

IPv4 was created in a way that the end nodes must be concerned with security (its end-to-end model), which is why IPv4-based networks suffer from security problems. Today the original Internet continues to be completely transparent, and no security framework provides resilience against general threats and attacks. For example, in a Denial of Service attack certain services are flooded with a large amount of illegitimate

requests that render the target system unreachable by legitimate users. One Denial of Service attack that results from an architectural vulnerability of IPv4 is broadcast flooding. Also, the small address space of IPv4 can facilitate malicious code distribution and port scanning or other reconnaissance attacks. In an IPv4 network, the Address Resolution Protocol (ARP) is responsible for mapping a host's IP address to its physical or MAC address. When forged ARP responses are broadcast with incorrect mapping information, packets can be forced to the wrong destination and ARP poisoning occurs. However, many techniques have been developed to overcome some of the IPv4 security limitations, like Network Address Translation and Network Address Port Translation; IPsec also facilitated the use of encrypted communication [4].

IPv6 security is similar to IPv4 security. The mechanism for transporting packets in the network is almost the same, and the upper layer, which is responsible for transporting application data, is mostly unaffected. However, because IPv6 mandates IPsec, it has often been stated that IPv6 is more secure than IPv4. Although this may be true in an ideal environment with well-coded applications, a robust identity infrastructure, and efficient key management, in reality the same problems that plague IPv4 IPsec deployment will affect IPv6 IPsec deployment. IPv6 is not protected with any kind of cryptography. Additionally, most security breaches occur at the application level. The IPv6 security features are introduced mainly by way of two dedicated extension headers, the Authentication Header (AH) and the Encrypted Security Payload (ESP), with complementary capabilities.

The two headers can be used together to provide all the security features simultaneously. IPv6 also supports other new features, including increased address space, auto-configuration, QoS capabilities, and network-layer security. All these IPv6 features can be used to prevent various network attack methods, including IP spoofing, some Denial of Service attacks (where IP spoofing has been employed), data modification and sniffing activity [4].

Problem Statement

Given the rapid migration from Internet Protocol version 4 (IPv4) to Internet Protocol version 6 (IPv6), is it possible to say that attacks inherited from IPv4, such as the ARP spoofing attack and the Denial of Service attack, can still happen in a solely IPv6 network? These two types of attacks were chosen because they are abundant, prevalent and easier to implement in IPv4 networks.

The Main Objective

1. Observe the effect of ARP poisoning and Denial of Service attacks in IPv6 networks.
2. Prove that these two types of attacks can happen in IPv6 networks.
3. Mitigate the Denial of Service attack by using Snort software.

Methodology

Exploit the link layer in the IPv6 protocol through ARP spoofing and Denial of Service attacks, via different experiment scenarios, with the traffic captured and logged.

1.5. Research Scope

This thesis is limited to the results of exploiting ARP spoofing and Denial of Service attacks in a virtual environment of computers and servers which use IPv6.

Research Questions

Can attacks still happen in IPv6 networks to this date? Can the same types of attacks which affect IPv4 networks be considered threats to IPv6 networks? How can we mitigate the security issues due to Denial of Service in IPv6 networks?

1.7. Thesis Structure

In this thesis, the researcher has concentrated on the effect of Denial of Service and ARP poisoning attacks on IPv6 networks. Chapter two deals with the technical background of IPv6 through the topics: IPv6 features, security and security impact, packet security, packet headers, extension headers, Internet Control Message Protocol version 6, and Neighbor Discovery. Chapter two also includes previous work and a literature review covering the study of IPv6 security vulnerabilities, Denial of Service attacks in IPv6 networks and counter measurements, vulnerabilities and threats in the IPv6 environment, and mitigating IPv6 vulnerabilities. Chapter three provides the network topology, tools and results with detailed analysis. Chapter four describes the conclusion and recommendations for future work.

CHAPTER TWO

2. Previous Work and Literature Review

The new version of the Internet Protocol, IP version 6, has new technical features and specifications.

Brief Overview of IPv6

IPv6 (Internet Protocol Version 6) is also called IPng (Internet Protocol next generation) and it is the newest version of the Internet Protocol. IPv6 is the replacement for Internet Protocol version 4. It was designed as an evolutionary upgrade to the Internet Protocol and will, in fact, coexist with the older IPv4 for some time. IPv6 is designed to allow the Internet to grow steadily, both in terms of the number of hosts connected and the total amount of data traffic transmitted. While increasing the pool of addresses is one of the most often-talked-about benefits of IPv6, there are other important technological changes in IPv6 that will improve the IP protocol: [5]

- No more NAT (Network Address Translation)
- Auto-configuration
- No more private address collisions
- Better multicast routing
- Simpler header format
- Simplified, more efficient routing
- True quality of service (QoS), also called "flow labeling"
- Built-in authentication and privacy support
- Flexible options and extensions
- Easier administration (no DHCP)

2.2. IPv6 Security

IPv6 security is in many ways the same as IPv4 security. The basic mechanisms for transporting packets across the network stay mostly unchanged, and the upper-layer protocols that transport the actual application data are mostly unaffected. However, because IPv6 mandates the inclusion of IP Security (IPsec), it has often been stated that IPv6 is more secure than IPv4. Although this may be true in an ideal environment with well-coded applications, a robust identity infrastructure, and efficient key management, in reality the same problems that plague IPv4 IPsec deployment will affect IPv6 IPsec deployment. Therefore, IPv6 is usually deployed without cryptographic protections of any kind. Additionally, because most security breaches occur at the application level, even the successful deployment of IPsec with IPv6 does not guarantee any additional security for those attacks beyond the valuable ability to determine the source of the attack [6].

IPv6 Security Impact

Many security issues in IPv6 remain the same as in IPv4, but IPv6 also has new features that affect system and network security, as well as potentially impacting policies and procedures. IPv6 and IPv4 usually operate completely independently over the same Layer 2 infrastructure, so additional and separate IPv6 security mechanisms must be implemented. Many areas will need overhauling, such as firewalls, monitoring, and security appliances. It is important to keep in mind that IPv6 is young operationally and may have issues not yet encountered, or even imagined [7].

2.4. IPv6 Packet Security

Unlike IPv4, IPsec security is mandated in the IPv6 protocol specification, allowing IPv6 packet authentication and/or payload encryption via the Extension Headers. However, IPsec is not automatically implemented; it must be configured and used with a security key exchange.

Packet Headers

An Internet Protocol version 6 (IPv6) data packet comprises two main parts: the header and the payload. The first 40 bytes/octets (40x8 = 320 bits) of an IPv6 packet comprise the header (see Figure 2.1), which contains the following fields:

(Figure 2.1): IPv6 Packet Headers

The wonder of IPv6 lies in its header. An IPv6 address is 4 times larger than an IPv4 address, but surprisingly, the IPv6 header is only 2 times larger than that of IPv4. IPv6 headers have one Fixed Header and zero or more Optional (Extension) Headers. All the information that is essential for a router is kept in the Fixed Header. The Extension Header contains optional information that helps routers to understand how to handle a packet/flow.

Source address (128 bits)
The 128-bit source address field contains the IPv6 address of the originating node of the packet. It is the address of the originator of the IPv6 packet.

Destination address (128 bits)
The 128-bit destination address field contains the address of the recipient node of the IPv6 packet. It is the address of the intended recipient of the IPv6 packet.

Extension Headers

In IPv6, the Fixed Header contains only the information that is necessary, avoiding information that is either not required or rarely used. All such information is put between the Fixed Header and the upper-layer header in the form of Extension Headers. Each Extension Header is identified by a distinct value. When extension headers are used, the IPv6 Fixed Header's Next Header field points to the first extension header. If there is one more extension header, then the first extension header's Next Header field points to the second one, and so on. The last extension header's Next Header field points to the upper-layer header. Thus, all the headers point to the next one in a linked-list manner. If the Next Header field contains the value 59, it indicates that there are no headers after this header, not even an upper-layer header. The following extension headers must be supported as per RFC 2460, as shown in (Figure 2.2).

(Figure 2.2): IPv6 Extension Headers
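The Next Header linked list described above can be followed mechanically. As an added example (not code from the thesis), the Python below walks the chain of one raw IPv6 packet, stops at the value 59, and rejects truncated headers; the function name, the sample packets and their 2001:db8:: documentation addresses are constructed for illustration, and the header-length rules follow RFC 2460.

```python
import ipaddress
import struct

# Next Header values that identify extension headers (IANA protocol numbers).
EXT_HEADERS = {
    0: "Hop-by-Hop Options",
    43: "Routing",
    44: "Fragment",
    50: "ESP",
    51: "Authentication Header",
    60: "Destination Options",
}
NO_NEXT_HEADER = 59  # nothing follows, not even an upper-layer header


def walk_header_chain(packet, max_headers=16):
    """Follow the Next Header links of one raw IPv6 packet (bytes)."""
    if len(packet) < 40:
        raise ValueError("shorter than the 40-byte fixed header")
    first_word, _plen, next_hdr, _hops = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("version field is not 6")
    result = {
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "chain": [],           # extension headers in the order they appear
        "upper": None,         # protocol number of the upper-layer header
        "upper_offset": None,  # byte offset where that header starts
    }
    offset = 40
    while True:
        if next_hdr == NO_NEXT_HEADER:
            result["chain"].append("No Next Header")
            return result
        if next_hdr not in EXT_HEADERS:
            result["upper"], result["upper_offset"] = next_hdr, offset
            return result
        if len(result["chain"]) >= max_headers:
            raise ValueError("extension header chain is too long")
        result["chain"].append(EXT_HEADERS[next_hdr])
        if next_hdr == 50:
            return result  # ESP: what follows is encrypted, the walk ends
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, hdr_len = packet[offset], packet[offset + 1]
        if next_hdr == 44:
            size = 8  # the Fragment header has a fixed size
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset != 0:
                return result  # later fragment: no upper-layer header here
        elif next_hdr == 51:
            size = (hdr_len + 2) * 4  # AH counts 32-bit words, minus 2
        else:
            size = (hdr_len + 1) * 8  # others count 8-octet units, minus 1
        if offset + size > len(packet):
            raise ValueError("extension header runs past the end of the packet")
        next_hdr, offset = following, offset + size


def sample_packet(next_hdr, payload):
    """Build a constructed IPv6 packet for the demonstration."""
    src = ipaddress.IPv6Address("2001:db8::10").packed
    dst = ipaddress.IPv6Address("2001:db8::20").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return fixed + src + dst + payload


# Constructed samples: Hop-by-Hop -> Destination Options -> ICMPv6 echo
# request (checksum left at zero), and a packet whose Next Header is 59.
HOP_BY_HOP = bytes([60, 0, 1, 4, 0, 0, 0, 0])  # next=60, one PadN option
DEST_OPTS = bytes([58, 0, 1, 4, 0, 0, 0, 0])   # next=58 (ICMPv6)
ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 1, 1)
SAMPLE_CHAINED = sample_packet(0, HOP_BY_HOP + DEST_OPTS + ECHO_REQUEST)
SAMPLE_EMPTY = sample_packet(NO_NEXT_HEADER, b"")

if __name__ == "__main__":
    print(walk_header_chain(SAMPLE_CHAINED))
    print(walk_header_chain(SAMPLE_EMPTY))
```
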

The sequence of extension headers should be as shown below.

(Figure 2.3): Sequence of Extension Headers

These headers should be processed by the first and subsequent destinations, and also by the final destination. Extension headers are arranged one after another in a linked-list manner, as depicted in the following diagram in (Figure 2.4) [8].

(Figure 2.4): Extension Headers Arrangements

2.7. Internet Control Message Protocol Version 6 (ICMP6)

The Internet Control Message Protocol Version 6 (ICMPv6) is the successor of ICMPv4 and is mandatory for the IPv6 network to operate at all. ICMPv6 is used by IPv6 nodes to report errors encountered in processing packets, and to perform other internet-layer functions, such as diagnostics (ICMPv6 ping). ICMPv6 is an integral part of IPv6, and the base protocol (all the messages and behavior required by this specification) MUST be fully implemented by every IPv6 node. Therefore, it replaces not only ICMPv4, but also other network-related protocols such as the Address Resolution Protocol (ARP) for the resolving of link-layer addresses or the Internet Group

Management Protocol (IGMP), which is used for the establishment of multicast group memberships [9].

Information Messages

There are two types of information message:

The echo request or solicitation message contains the identifier and sequence number, and its type is 128.

The Reply or advertisement message also contains the identifier and sequence number, and type is

Error Messages

There are four types of ICMP error messages: [9]

The Destination Unreachable message is sent if an IP packet cannot be delivered. It uses the Code field of the ICMPv6 header to further specify the reason, such as No route to destination or Address unreachable, and is sent to the source address of the invoking packet. The possible codes are listed below in table (2.1).

Table (2.1): Error Message Code
Code 0: No route to destination
Code 1: Communication administratively prohibited
Code 3: Address unreachable
Code 4: Port unreachable

Another ICMPv6 error message is the Packet Too Big message. It is sent back to the source if the router cannot deliver the IP packet due to a smaller maximum transmission unit (MTU) value on the forwarding link. Therefore, the Packet Too Big message stores the MTU

of the next-hop link to inform the originating node to fragment its future packets with this size. This feature is used by Path MTU Discovery (RFC 1981), which identifies the smallest MTU along the path from the source to the destination node by simply sending packets to the destination node until a direct reply instead of a Message Too Big error message comes back.

Time Exceeded is another error message. It is sent back to the originating node if the Hop Limit value in the IPv6 header reaches its limit of 0. This could indicate either a routing loop or a Hop Limit value that was set too low by the source node. This error message is well known for its use with the traceroute utility, which is used to discover the path that a packet takes on its way through the destination network.

Table (2.2): Time Exceeded Code
Code 0: Hop limit exceeded
Code 1: Fragment reassembly time exceeded

Another ICMPv6 error message is the Parameter Problem message. It is sent if an IPv6 node cannot process an IPv6 packet due to an error in its header or any of the extension headers. All ICMPv6 error messages contain the original IPv6 header and as much data from the original IPv6 packet as possible, until the ICMPv6 message size is reached. This information reveals to which connection they belong and is used by stateful firewalls for their security decisions.

Table (2.3): ICMPv6 error message
Code 0: Erroneous header field
Code 1: Unrecognized next Header type
Code 2: Unrecognized IPv6 option

2.8. Neighbor Discovery

Neighbor Discovery is a family of different functions related to other IPv6 nodes on the same link, such as finding routers and other nodes, maintaining reachability information about active neighbors (Neighbor Unreachability Detection - NUD) or configuring their own unique IPv6 addresses via auto-configuration (Duplicate Address Detection - DAD). The five ICMPv6 messages that correspond to Neighbor Discovery are specified below: [10]

The Router Solicitation message

This is ICMPv6 informational message type 133. It is sent by a node in order to discover any routers on the link. It is therefore sent to the all-routers multicast address ff02::2. As an option, this message carries the link-layer address of the requesting node. This has the advantage that the responding router directly knows to which node the answering packet should be sent. If a router is present on the link, it answers immediately with a Router Advertisement [11].

The Router Advertisement message

It is ICMPv6 informational message type 134 and contains one or more prefixes; the prefixes have a lifetime and are used for stateless or stateful auto-configuration.

The Neighbor Solicitation message

It is ICMPv6 informational message type 135, and it is used by a node to get the link-layer address of a neighbor.

The Neighbor Advertisement message

It is ICMPv6 informational message type 136, and it is the message through which a Neighbor Solicitation is responded to.

2.8.5 The Neighbor Redirect Message

It is ICMPv6 informational message type 136. It is sent from a router to a node in order to indicate a more appropriate first-hop node along the path to the destination network. This can either be another router on the same link or a directly connected neighbor node, in the case that the originating node did not expect it on the same link due to other used IPv6 prefixes. A redirect message contains two addresses, namely the Target Address, which is the best next hop, and the Destination Address, which is the address of the destination of the original IPv6 packet. Table (2.4) below compares IPv6 Neighbor Discovery and IPv4 ARP.

Table (2.4): IPv4 ARP and IPv6 Neighbors Discovery
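Neighbor Advertisements carry the IPv6-address-to-link-layer binding that takes the place of an ARP reply, so a change in that binding is the trace a monitor looks for. As an added example (not code from the thesis), the Python below parses Neighbor Advertisement messages (type 136) and reports when an address already seen is claimed by a different link-layer address; the class and function names, the first-seen-wins policy and the sample messages are assumptions made for illustration, and the message layout follows RFC 4861.

```python
import ipaddress
import struct

NEIGHBOR_SOLICITATION = 135
NEIGHBOR_ADVERTISEMENT = 136
OPT_TARGET_LINK_LAYER = 2  # Target Link-Layer Address option


def parse_neighbor_advertisement(icmp):
    """Return the binding announced by one ICMPv6 message, or None if it
    is not a Neighbor Advertisement. Raises ValueError on bad options."""
    if len(icmp) < 24 or icmp[0] != NEIGHBOR_ADVERTISEMENT:
        return None
    flags = icmp[4]  # R, S and O flags are the top three bits
    target = ipaddress.IPv6Address(icmp[8:24])
    mac, offset = None, 24
    while offset + 2 <= len(icmp):
        opt_type, opt_len = icmp[offset], icmp[offset + 1]
        end = offset + opt_len * 8  # option length is in 8-octet units
        if opt_len == 0 or end > len(icmp):
            raise ValueError("malformed Neighbor Discovery option")
        if opt_type == OPT_TARGET_LINK_LAYER and opt_len == 1:
            mac = ":".join(f"{b:02x}" for b in icmp[offset + 2:offset + 8])
        offset = end
    return {"target": str(target), "mac": mac,
            "solicited": bool(flags & 0x40), "override": bool(flags & 0x20)}


class NeighborBindingMonitor:
    """Remembers the first link-layer address seen for each IPv6 address
    (an assumed policy) and reports later advertisements that disagree."""

    def __init__(self):
        self.bindings = {}

    def observe(self, icmp):
        na = parse_neighbor_advertisement(icmp)
        if na is None or na["mac"] is None:
            return None
        known = self.bindings.setdefault(na["target"], na["mac"])
        if known == na["mac"]:
            return None
        return {"target": na["target"], "known_mac": known,
                "claimed_mac": na["mac"], "solicited": na["solicited"],
                "override": na["override"]}


def scan(messages):
    """Run the monitor over ICMPv6 messages and collect the alerts."""
    monitor, alerts = NeighborBindingMonitor(), []
    for icmp in messages:
        try:
            alert = monitor.observe(icmp)
        except ValueError:
            continue  # malformed messages are skipped in this example
        if alert:
            alerts.append(alert)
    return alerts


def build_message(msg_type, flags, target, opt_type, mac):
    """Constructed ICMPv6 NS/NA bytes (checksum left at zero)."""
    head = struct.pack("!BBHB3x", msg_type, 0, 0, flags)
    option = bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", ""))
    return head + ipaddress.IPv6Address(target).packed + option


# Constructed capture: the server answers a solicitation, repeats itself,
# then an unsolicited advertisement with the Override flag claims the
# same address for another link-layer address.
SAMPLE_MESSAGES = [
    build_message(135, 0x00, "2001:db8::20", 1, "08:00:27:cc:cc:cc"),
    build_message(136, 0x60, "2001:db8::20", 2, "08:00:27:aa:aa:aa"),
    build_message(136, 0x60, "2001:db8::20", 2, "08:00:27:aa:aa:aa"),
    build_message(136, 0x20, "2001:db8::20", 2, "08:00:27:bb:bb:bb"),
    build_message(136, 0x60, "2001:db8::10", 2, "08:00:27:cc:cc:cc"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES):
        print(alert)
```

A legitimate change, such as a replaced network card or a failover pair, produces the same alert, so the result is a prompt for review and not a verdict.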

2.9. Previous work and literature review

At the start of internet services, the approved IPv4 protocol design emerged as the base of networks and the instrument for the internet protocol. It was mostly used for observation and development purposes. Security was not a major concern at that time. Because of that, Internet Protocol version 4 has fewer security options than the later Internet Protocol version 6, and security issues only later became the central concern for IP-based networks. Since Internet Protocol version 4 has its limits in security, upper-layer security protocols have been introduced: for example, digital signatures, methods for disguising or masking a message, authentication, access control, Internet Protocol Security, Secure Socket Layer (SSL), HTTPS, and so on. In spite of the upper-layer security architecture, the lower layers are still unprotected on the public network. Attackers or trespassers use this opportunity to gather information about Internet Protocol version 4 based systems and their communications. This flaw exposes networks based on Internet Protocol version six to DoS attacks, spoofing attacks, and network capture. Even with higher security concerns in the design of Internet Protocol version 4, it is still vulnerable to these kinds of attacks.

Study of IPv6 Security vulnerabilities [12]

This project studies and focuses on exploring Man-In-The-Middle (MITM), Denial of Service and reconnaissance attacks in solely IPv6-based networks. Scanners are the first tools used in a reconnaissance attack to explore the network and the open ports in the network. Because of the large size of IPv6 addresses, scanning with traditional scanning methods is very challenging; therefore in their project they instead crafted multicast addressing, which is more or less detrimental in respect of the time needed. The Denial of Service attacks were done in three different ways, but all of them locally, with ICMPv6 redirect messages and router advertisement messages. They tried to prove that Denial of Service attacks still have an impact in IPv6-based networks. Operating systems do not protect their routing tables from fake routes, which leads to Denial of Service attacks being injected on the hosts.

Denial of Service attack in IPv6 networks and counter measurements [13]

This project studies and describes the different IPv6-based cyber-attacks which could result in Denial of Service (DoS) on the IPv6 network. IPv6 is the next-generation internet protocol and the demand for its benefits is implacable. So it concentrated on investigating the strength of some possible methods of launching DoS on future solely IPv6 networks with open-source tools. Moreover, it aims to show how differently some network devices respond to this type of attack, either locally or remotely, in respect of the CPU utilization and the bandwidth usage. A packet analyzer is used to capture and analyze these attacks. The DoS attacks in this project include the protocols IPv6, ICMPv6 and TCP

with two different categories of methods and a variety of different IPv6 extension headers and packet formats. This project has different kinds of attacks that result in a low impact on local area devices like the default gateway and simultaneously a very high impact on target devices with another autonomous system number, on which an attacker would never have administrative privileges. The DoS attacks, flooding abrupt IPv6 network traffic from one attacker node, were performed with various test cases on different parts of the network. The monitoring and analysis were done on this traffic, captured by Wireshark, and on router status via the CLI, and then statistics were built for each method and its test cases. The test cases' packet structure was built according to the packets captured at the attacker's outbound interface and the source code of the tools. The DoS attacks experimented with in this thesis include the IPv6 extension header with the IPv6 fragmentation mechanism, with the result that the packets could not be forwarded out of the local area router. On the other hand, when the fragmentation mechanism was evaluated, abrupt traffic was originated with two different bandwidth limitations from the attacker node; it caused a maximal DoS attack on the routers, and the effects were high enough for the router to hang or halt. When an IPv6 access-list was implemented on a router as a counter measurement, in order to stop the abrupt traffic types based on the source and destination addresses, the router nodes were most impacted by the abrupt IPv6 traffic, and in some cases this caused a total halt in network functionality due to the maximum CPU utilization, and the

result of DoS on a router was extreme, and the access-list which was tested in the research was found not to be a solution for handling the attacks.

Vulnerabilities and Threats in IPv6 Environment [14]

This thesis reviews IPv6 security with a focus on Local Area Networks and IDS/IPS systems. It compares IPv4 and IPv6 threats and vulnerabilities and gives basic security recommendations. Selected IPv6 attacks and exploits are demonstrated in a simulated attacker/victim scenario on an IPv6 network. These experiments are then used to set up guidelines for evaluating the usability of IDS/IPS appliances against IPv6-specific threats. The goal of this work was to gather knowledge of IPv6 security and related threats, then look into this area from the perspective of current IDS/IPS solutions and afterwards transform the gained knowledge into practical guidelines on how to assess the usability of these systems. The first part of this work contains a comprehensive and up-to-date comparison of IPv4 and IPv6 related threats with references to the corresponding RFCs. This part may be useful as a reference for future work. However, any such potential work should take into account that IPv6 is a very dynamic and still developing technology. In fact, some of the information may become outdated in a couple of months. The second part focused on particular attacks and IDS/IPS appliance assessment. I see the main contribution of this work in the description of the selected attacks. Even though several ready-to-use tools for penetration testing exist, none of them comes with any kind of documentation. The original intention was to test a physical and a virtual

appliance with the same firmware and compare performance results. However, an issue in the VMware virtual infrastructure was found during the testing, so I decided, after consultation with the thesis supervisor, to scratch the results as untrustworthy. Testing of additional functionalities of the physical appliance was performed as a substitute. The overall results of the assessment are unsatisfactory. It is necessary to mention that the situation among the majority of other vendors is very similar. I strongly believe that such testing will help to improve IPv6 capabilities and hopefully even the protocol itself. There is a wide range of possibilities for future work as well as challenges in the area of IPv6 security. The most current one would be transition mechanisms from IPv4 to IPv6 and its coexistence. Further development of testing tools and test cases would be advisable as well. In conclusion, it cannot be decided whether IPv6 is by design more secure than IPv4. It is just different, maybe more different than many expected. Wider deployment or testing of IPv6 capable solutions in real-world scenarios

Mitigating IPv6 Vulnerabilities [15]

This paper reviews some of the improvements associated with the new Internet Protocol version 6, with an emphasis on its security-related functionality. It concludes by summarizing some of the most common security concerns the new suite of protocols creates.

Mitigating security issues in IPv6 is important from an economic standpoint as well. New companies who want to start their business will be handed out only IPv6 addresses, and if the other big organizations want to keep their business growing, they have to provide services to these new companies so as to generate more revenue. All the communication will happen over IPv6, and if security is weak, then the communication can be compromised. Since IPv6 is in an early stage, more testing needs to be done to find out all the loopholes and resolve them.

Vulnerabilities in IPv6 include the Transmission Control Protocol (TCP) SYN flood attack, the type-zero header attack, Domain Name System (DNS) attacks, tunneling issues, and fragmentation and extension header vulnerabilities. The scope of this research is limited to researching some of these known vulnerability issues and proposing solutions to mitigate some of the security attacks caused by such vulnerabilities, thereby making IPv6 more secure. The aim of this research is to lessen some of those security concerns and provide practical solutions to make IPv6 more secure and adaptable.

Sub-problems for the research question

In order to answer the following question:

- How can we mitigate the security issues caused due to the IPv6 protocol header, focusing on the issues which are specific to only IPv6?

- What different security risks are associated with RFC non-compliant network devices and what can be done in order to mitigate them?
- What are the threats associated with the dual stack architecture and what are the implementation and architecture considerations for the same?

Three sub-problems have been identified. They are as follows.

The first sub-problem deals with the issues that are specific only to IPv6. Unlike in IPv4, the Internet Control Message Protocol (ICMP) is a required component of IPv6, and hence the firewall policy needs to account for all the ICMPv6 message types (which is optional in IPv4). Neighbor discovery uses ICMPv6 messages to find out the link layer address for the connected interface, find the neighboring routers and perform various other functions, making the role of ICMPv6 in IPv6 quite broad. Hence, care must be taken that the policies which are set for the ICMPv6 protocol account for all these different message types. This problem of setting the ICMPv6 firewall policy is also an important one, since quite a large number of attacks can take the form of ICMPv6 messages. The scope of this research related to the first sub-problem is to test the different operating systems with respect to the Cisco ASA firewall and Juniper SRX firewalls and come up with a basic rule set which can be used by the vendors to ensure that the basic ICMPv6 related malicious packets are prevented from entering the internal network.

The second sub-problem is about the RFC non-compliant network devices. Not all IPv6 enabled devices support IPv6 completely, and different platforms have different performance characteristics with respect to IPv6 attacks. RFC 2460 states that the extension headers of a particular type should appear only once (except in the case of the destination options header). The optional information in IPv6 is encoded in the extension headers. Different end-user operating systems such as Red Hat, Ubuntu, and FreeBSD react differently to extension headers. Also, extension headers have caused some of the devices running these operating systems to completely ignore the layer 4 (OSI model transport layer) segment, and this vulnerability has been used to exploit the internal network. Some of the OS platforms do not comply with RFC 2460 and do allow more than one extension header of a particular type in a single packet. The scope of this research is to test the effect of sending malicious packets on different platforms in this case and to come up with a detailed analysis of the performance of various operating systems.

The third sub-problem is related to the threats associated with the dual stack nature of the network. All the organizations throughout the world cannot change their networks to IPv6 overnight, so the networks will remain dual stack for a significant period of time. IPv6 will be gradually deployed, as IPv4 will only be supported for legacy services and clients. Initially, there will be islands of IPv6 networks separated by IPv4 networks. There has to be a way in which IPv6 networks can communicate through IPv4 networks. This is accomplished with the help of tunneling. Teredo tunnels are essential for users behind NAT devices so that they can communicate with the external IPv6 networks. Teredo tunnels bypass the NAT devices, and it is difficult to investigate Teredo traffic since it works on random port numbers. Teredo tunnels can also bypass the firewalls, and the security controls need to be made intelligent with regard to Teredo tunnels. Hence, applying firewall policies becomes very difficult in the case of Teredo traffic. The solution should be presented in such a way that it supports end-to-end host security.

This third sub-problem deals with researching some of the potential threats due to Teredo tunnels which can be overlooked by most organizations and proposing a solution on how to tackle the same.
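The RFC 2460 extension-header rule cited in the second sub-problem above can be checked mechanically on a receiver or sensor. The following Python is an added example, not code from the reviewed paper or from this thesis: it walks the Next Header chain of a raw IPv6 packet and flags repeated extension headers. It goes slightly beyond the text by also applying RFC 2460's limit of two Destination Options headers and its requirement that Hop-by-Hop Options come first; `build_packet` and its 2001:db8:: addresses are constructed test input.

```python
import ipaddress
import struct
from collections import Counter

# IPv6 Next Header values of the extension headers defined alongside RFC 2460.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing",
             FRAGMENT: "Fragment", ESP: "ESP", AH: "Authentication",
             DEST_OPTS: "Destination Options"}


def walk_chain(packet):
    """Follow the Next Header fields; return (chain, upper_layer, problems)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, problems = [], []
    nxt, offset = packet[6], 40            # Next Header byte, end of fixed header
    while nxt in EXT_NAMES:
        current = nxt
        chain.append(current)
        if current == ESP:                 # everything after ESP is encrypted
            return chain, None, problems
        truncated = f"{EXT_NAMES[current]} header truncated at offset {offset}"
        if offset + 8 > len(packet):
            problems.append(truncated)
            return chain, None, problems
        if current == FRAGMENT:
            length = 8                                  # fixed size
        elif current == AH:
            length = (packet[offset + 1] + 2) * 4       # 4-octet units minus 2
        else:
            length = (packet[offset + 1] + 1) * 8       # 8-octet units minus 1
        if offset + length > len(packet):
            problems.append(truncated)
            return chain, None, problems
        nxt = packet[offset]
        if current == FRAGMENT:
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:                # non-first fragment: no headers follow
                return chain, None, problems
        offset += length
    return chain, nxt, problems


def check_packet(packet):
    """Apply the RFC 2460 occurrence rules to the parsed chain."""
    chain, upper, problems = walk_chain(packet)
    for hdr, count in Counter(chain).items():
        limit = 2 if hdr == DEST_OPTS else 1
        if count > limit:
            problems.append(f"{EXT_NAMES[hdr]} appears {count} times (limit {limit})")
    if HOP_BY_HOP in chain[1:]:
        problems.append("Hop-by-Hop Options is not the first extension header")
    return chain, upper, problems


def build_packet(ext_types, upper=6):
    """Constructed input: IPv6 packet with minimal 8-byte extension headers."""
    order = list(ext_types) + [upper]
    body = b""
    for current, following in zip(order, order[1:]):
        # PadN option fills option-carrying headers; others are zero-filled.
        filler = b"\x01\x04\x00\x00\x00\x00" if current in (HOP_BY_HOP, DEST_OPTS) else bytes(6)
        body += bytes([following, 0]) + filler
    fixed = struct.pack("!IHBB", 6 << 28, len(body), order[0], 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + src + dst + body


if __name__ == "__main__":
    for types in ([HOP_BY_HOP, DEST_OPTS, ROUTING, DEST_OPTS],
                  [DEST_OPTS, DEST_OPTS, DEST_OPTS],
                  [ROUTING, ROUTING]):
        print(types, check_packet(build_packet(types)))
```

A sensor that cannot reach the upper-layer header (the `None` result) should treat the packet as uninspected rather than as harmless, since the passage above notes that some stacks skip the layer 4 segment entirely in that situation.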

CHAPTER THREE

3. Results & Analysis

This chapter starts by briefly defining, in separate sections, the tools used in this research to implement the experiments, and describes the network environment and topology. It then defines the ARP poisoning attack, shows the normal operation of the IPv6 network before the attack, and implements the attack in three different scenarios. The results are observed and analyzed by tracking and comparing the messages exchanged between the machines over ICMPv6 via their link layer addresses, and the chapter describes how the attacker succeeds in impersonating the web server, which proves the Man-in-the-Middle position.

The chapter then gives a short overview of the Denial of Service attack and observes the IPv6 network before the attack. The attack is carried out in three different cases, and the results are observed and analyzed by tracking the advertisement messages sourced from the attacker machine to flood the network until the Denial of Service takes place. The last section of this chapter covers the mitigation of the Denial of Service attack with the Snort software acting as an IPS, and describes the settings used in Snort to block these attacks and the effect of using the IPS.

3.1 Tools

Virtual Box Application version

VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. It is a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use, and an extremely feature rich, high performance product for enterprise customers. It is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL) version 2 [16].

Wireshark

Wireshark is an IP based network protocol analyzer and sniffer. It reads packets from the network with the help of pcap, tcpdump, etc. and presents their details in an easily understandable way. It is an open source network analyzer founded in

It works in two different modes, promiscuous and non-promiscuous. The difference between them is that in promiscuous mode the node's NIC can sniff or read all the traffic packets on the channel, while in non-promiscuous mode it only reads the packets belonging to the hosting node. Wireshark supports a rich set of features to represent IP packet information. The following are a few of them [17]:

- Live capture and offline analysis.
- Deep inspection of hundreds of protocols, with more being added all the time.
- Standard three-pane packet browser. Its default fields include packet number, time, source address, destination address, name of the protocol, and information about the protocol.
- Live data can be read from Ethernet, IEEE , PPP/HDLC, ATM,
- Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.

3.1.3 The Hacker Choice (THC-IPv6)

THC-IPv6 is an open source toolkit maintained by Van Hauser. THC allows penetration testing of the IPv6 protocol to challenge the weaknesses of a node. This toolkit includes over 50 separate tools that allow performing such a task on IPv6 based protocols and headers. The THC tool is capable of IPv6 node discovery, IPv6 router impersonation, and initiating DoS attacks. THC is a hacker group assembled from around the world. It is an open source community that develops tools and exposes the security vulnerabilities of IP based networks. The aim of their project is to expose the security breaches of products. THC was founded in 1995, and it has published scientific theses and released security penetration tools [18]. Some of the tools that THC provides:

- parasite6: ICMPv6 Neighbor solicitation/advertisement spoofer that can be used to launch a Man-In-The-Middle attack.
- flood_router26: floods the target /64 network with router advertisement messages to create a bottleneck.
- fake_router6: advertises a node as the highest priority router on the network to redirect the traffic to the defined node.
- redir6: takes advantage of the ICMPv6 redirect spoofer to launch a Man-In-The-Middle attack.
- denial6: seven different methods of denial-of-service tests against a target that take advantage of the IPv6 extension header mechanism [19].

3.1.4 Snort [20]

Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS), created by Martin Roesch in

It works on different operating systems such as Linux and Windows. Snort can operate in three different modes, namely tap (passive), inline, and inline-test. Snort policies and rules can be configured in these three modes too. Snort uses a simple, lightweight rules description language that is flexible and quite powerful [21].

Network design and equipment

This section describes the hardware specifications and operating systems of the machines, including the applications and software installed and the main function of each machine.

Dell laptop

A Dell laptop with the Windows 7 64 bit operating system, running on an Intel Core i7 2.00GHz with 6 GB RAM, was used to install the Oracle VM VirtualBox Manager application and to create, using virtualization technology, the Ubuntu Linux server and the Kali Linux server. I also installed the Wireshark version application to capture packets between the mentioned servers, and the Snort version application as an Intrusion Prevention System.

Ubuntu Linux server version, used as the web server, with an Intel Core i7 2.00GHz and 6 GB RAM.

Kali Linux server version, used as the hacking machine with certain tools, served by an Intel Core i7 2.00GHz and 2 GB memory.

Network Topology

(Figure 3.1): Illustrated diagram for interfaces in the lab

The previous diagram shows the details of the network adapters targeted in this project, and the names of the machines including their operating systems [Figure 3.1].

Table (3.1): IPv6 and link layer addresses

Machine Name    IPv6 address      Link layer address
Webserver       2001:abcd:2/64    08:00:27:A:8C:B3
Client          2001:abcd:1/64    08:00:27:00:90:DA
Attacker        2001:abcd:4/64    08:00:27:80:A0:CA

Table (3.1) contains the IPv6 and link layer addresses for the attacker machine, the web server, and the client access & monitor terminal.

3.2 Experiments

The ARP poisoning Attack

ARP spoofing is the technique of forging fake ARP messages on a network. The attacker updates a host's ARP cache with false information via spoofed ARP replies. In this attack, an attacker places himself in the middle of two hosts that are communicating. The attacker makes sure that all traffic between the hosts passes through him and is able to see the entire traffic. In these experiments the attacker effectively used the Neighbor solicitation and Neighbor advertisement messages to perform a Man-in-the-Middle attack.

Normal operation of the IPv6 network

Qualification

- All devices are off.
- Client & capture monitor does not have any networking service such as DHCP or DNS.
- Client & capture monitor is ON and capturing network traffic on the Virtual Box Host-only Network.
- IP forwarding has been turned OFF on the Attacker machine.

Experiment

1. Turn on the Client & capture monitor computer and the Web Server.
2. Wait until the Client & capture monitor and the Web Server stabilize.
3. Client & capture monitor sends 10 pings to the Web Server.
4. From the client, open the web site [2001:abcd::2] in a browser.
5. Save the capture as normal-operation.

Observation

The traffic between the web server and the client before the attack appears to run normally and smoothly. This follows from the captured data in packets 15 up to 34 in Figure 3.2, and from accessing the web services from the access machine, as shown in Figure 3.3.

(Figure 3.2): Monitor of packets in normal operation

In Figure 3.2 above, the client sent its Neighbor solicitation for the web server from its link layer address over ICMPv6, and the web server replied with a Neighbor advertisement carrying its link layer address as well. When the client made an echo request (ping), the server replied with an echo reply normally, and the IPv6 addresses appeared as source and destination of the packets instead of the link layer addresses. The client then accessed the website on the web server via TCP and HTTP normally, without the need for more solicitation and advertisement messages.

(Figure 3.3): Accessing the website in normal operation

Analysis

In frame number 15 below, the server sent its neighbor solicitation for the client via its link layer address (8c:b3) over ICMPv6.

    15 fe80::a00:27ff:fea6:8cb3 2001:abcd::1 ICMPv6 86 Neighbor Solicitation for 2001:abcd::1 from 08:00:27:a6:8c:b3
    Frame 15: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

In frame number 16, the client replies to the web server from its link layer address (90:da) over ICMPv6 by sending a neighbor solicitation to an IPv6mcast address.

    16 fe80::d953:a236:d606:890c ff02::1:ffa6:8cb3 ICMPv6 86 Neighbor Solicitation for fe80::a00:27ff:fea6:8cb3 from 08:00:27:00:90:da
    Frame 16: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:a6:8c:b3 (33:33:ff:a6:8c:b3)
    Internet Protocol Version 6, Src: fe80::d953:a236:d606:890c, Dst: ff02::1:ffa6:8cb3
    Internet Control Message Protocol v6

In frame 17 the web server replies back to the client with a neighbor advertisement carrying its link layer address.

    17 fe80::a00:27ff:fea6:8cb3 fe80::d953:a236:d606:890c ICMPv6 86 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (sol, ovr) is at 08:00:27:a6:8c:b3
    Frame 17: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::d953:a236:d606:890c
    Internet Control Message Protocol v6

In frame 18 the client replies back to the web server with a neighbor advertisement carrying its link layer address.

    18 2001:abcd::1 fe80::a00:27ff:fea6:8cb3 ICMPv6 86 Neighbor Advertisement 2001:abcd::1 (sol, ovr) is at 08:00:27:00:90:da
    Frame 18: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: fe80::a00:27ff:fea6:8cb3
    Internet Control Message Protocol v6

In frame 19 the client makes an echo request (ping) via its IPv6 address (2001:abcd::1) over the Internet Control Message Protocol (ICMPv6).

    19 2001:abcd::1 2001:abcd::2 ICMPv6 94 Echo (ping) request id=0x0001, seq=21, hop limit=128 (reply in 20)
    Frame 19: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

In frame 20 the web server answers with an echo reply via its IPv6 address (2001:abcd::2) over ICMPv6, and the IPv6 addresses appear as source and destination of the packets instead of the link layer addresses.

    20 2001:abcd::2 2001:abcd::1 ICMPv6 94 Echo (ping) reply id=0x0001, seq=21, hop limit=64 (request in 19)
    Frame 20: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

In frame 29 below, when the client starts to browse the web site on the web server, the client sends [SYN] to the server over the Transmission Control Protocol (TCP) on port 80.

    29 2001:abcd::1 2001:abcd::2 TCP [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
    Frame 29: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: (49425), Dst Port: 80 (80), Seq: 0, Len: 0

In frame 30 the server replies to the client by sending [SYN, ACK].

    30 2001:abcd::2 2001:abcd::1 TCP [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1440 SACK_PERM=1 WS=128
    Frame 30: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Transmission Control Protocol, Src Port: 80 (80), Dst Port: (49425), Seq: 0, Ack: 1, Len: 0

The figure below describes the normal operation as an activity diagram.

(Figure 3.4): Activity diagram for normal operation

First ARP poisoning Attack

Qualification

- All devices are off.
- Client & capture monitor does not have any networking service such as DHCP or DNS.
- Client & capture monitor is ON and capturing network traffic on the Virtual Box Host-only Network.
- IP forwarding has been turned OFF on the Attacker machine.

Experiment

1. Turn on the Client & capture monitor computer and the Web Server.
2. Wait until the Client & capture monitor and the Web Server stabilize.
3. Client & capture monitor sends 10 pings to the Web Server.
4. From the client, open the web site [2001:abcd::2] in a browser.
5. Turn on the Attacker machine.
6. Launch the attack with the command #atk6-parasite6 eth0 2001:abcd::2 fake-mac.
7. Client & capture monitor sends 10 pings to the Web Server.
8. From the client, open the web site [2001:abcd::2] in a browser.
9. Save the capture as ARP-first-attack.

Observation

Before the attack started (step 6), the Client & capture monitor was able to ping the Web Server successfully, as shown below in Figure 3.5; the captured packets 1 up to 8 in Figure 3.5 prove that.

(Figure 3.5): Packets before the first ARP attack

It is clear in the figure above that the client sent its Neighbor solicitation for the web server from its link layer address over ICMPv6, and that the web server replied with a Neighbor advertisement carrying its link layer address as well. The ping echo request and reply are shown in Figure 3.6.

(Figure 3.6): Ping reply by the server

After the attack has started, the echo request results and their analysis are as follows:

The web server replies to the Neighbor Solicitation of the client computer with its own Neighbor Advertisement. Figure 3.7 below shows the captured packets 46 to 47 as output.

(Figure 3.7): Solicitation and advertisement messages before the first ARP attack

The client and the server use their link layer addresses for Neighbor solicitation and advertisement over ICMPv6. The attacker repeatedly sends spoofed Neighbor advertisement messages and overrides other entries. The Neighbor advertisements sent by both the attacker and the web server have the override flag set to 1. The attacker sends a Neighbor advertisement to the client computer saying that it has the IP address that belongs to the web server, as is clear in Figure 3.8.

(Figure 3.8): Monitor of packets in the first ARP attack

In the detailed packets in Figure 3.8, the attacker sends continuous advertisement messages with its own link layer address as the source address to the link layer address of the client access station, and uses the IPv6 address of the web server in its deceptive message. Now the ping request sent by the client computer to the web server is answered by the attacker, since the attacker is impersonating the web server. However, the attacker generates a Neighbor solicitation message to find the real destination of the packet. Then the attacker forwards the reply to the client computer, the ARP completes successfully, and the situation evolves into a Man-in-the-Middle attack. This appears in Figure 3.8 in the logged packets 127 to 129.

In this case, however, the web server became unreachable: the Man-in-the-Middle was unable to forward the messages on behalf of the web server and only compromised the client computer. Figure 3.8 proves this, because the client is unable to access the web server.

(Figure 3.9): How the attacker works

In the screen below, the ping echo request from the client did not reach the server and was answered by a time-out, but the attacker replied with a Neighbor advertisement carrying its own link layer address. The web server was no longer reachable via its link layer address, and the attacker could capture any data between the client and the server.

(Figure 3.10): Pinging in the first ARP attack

At the upper layer, specifically the application layer, it is observed that before the attack starts the client can access the web site [2001:abcd::2] on the web server, so the web application services are running fine on the server and network traffic is exchanged normally between the client and the web server. Figure 3.11 reflects that, and the detailed packets 29 up to 32 in Figure 3.11 confirm it.

(Figure 3.11): Packets for accessing the website before the first ARP attack

The packets are exchanged normally between the client and the web server over TCP, and the client can browse the website on the server (Figure 3.12).

(Figure 3.12): Accessing the website before the first ARP attack

After the attack started, when the client tried to access the web server, the attacker replied to its [SYN] flag with an [ACK] flag, and repeatedly sent [ACK] and [TCP Retransmission] instead of the web server, and the web site could no longer be accessed. Figure 3.13 details the packets 121 up to 124 and confirms that the web site is unreachable.

(Figure 3.13): In the first ARP attack the attacker replies instead of the server

The attacker received all the client's browsing requests instead of the web server and replied with an unreachable error. However, if any web site is running on the attacker machine, it can be reached from the client access machine instead of the web site on the server, provided the attacker has prepared the proper settings for a trap website.

(Figure 3.14): In the first ARP attack the web service is unavailable

The attacker launches a successful attack by repeatedly sending spoofed Neighbor advertisements in response to any Neighbor solicitation message generated on the network, as shown in the figure below.

(Figure 3.15): Attacker machine spoofing the client in the first ARP attack

Analysis

In frame 46, after the attack was launched, the client sent a solicitation message for the server's IPv6 address from its link layer address.

    46 2001:abcd::1 2001:abcd::2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame 46: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

In frame 47 the server replies to the client's solicitation message with an advertisement message.

    47 2001:abcd::2 2001:abcd::1 ICMPv6 78 Neighbor Advertisement 2001:abcd::2 (sol)
    Frame 47: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

In frames 121 up to 124 below, while the attack is running, the client keeps browsing and resends repeated [SYN] segments to the attacker machine at its link layer address (a0:ce).

    121 2001:abcd::1 2001:abcd::2 TCP 86 [TCP Retransmission] [SYN] Seq=1 Win=8192 Len=1 MSS=1441 WS=256 SACK_PERM=1
    Frame 121: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: (50021), Dst Port: 80 (80), Seq: 0, Len:

    122 2001:abcd::1 2001:abcd::2 TCP 86 [TCP Retransmission] [SYN] Seq=1 Win=8192 Len=1 MSS=1441 WS=256 SACK_PERM=1
    Frame 122: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: (50022), Dst Port: 80 (80), Seq: 0, Len:

    123 2001:abcd::1 2001:abcd::2 TCP 82 [TCP Retransmission] [SYN] Seq=1 Win=8192 Len=1 MSS=1441 SACK_PERM=1
    Frame 123: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: (50021), Dst Port: 80 (80), Seq: 0, Len:

    124 2001:abcd::1 2001:abcd::2 TCP 82 [TCP Retransmission] [SYN] Seq=1 Win=8192 Len=0 MSS=1440 SACK_PERM=1
    Frame 124: 82 bytes on wire (656 bits), 82 bytes captured (656 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: (50022), Dst Port: 80 (80), Seq: 0, Len: 0

In frame 127 the attacker machine sent an advertisement message for the server's IPv6 address 2001:abcd::2 with its own link layer address (a0:ce) to the client's IPv6 address.

    127 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce
    Frame 127: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

In frame 128 the attacker machine again sent an advertisement message for the server's IPv6 address 2001:abcd::2 with its own link layer address (a0:ce) to the client's IPv6 address.

    128 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (rtr, ovr) is at 08:00:27:80:a0:ce
    Frame 128: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

In frame 129 below the attacker machine continues to send the advertisement message for the server's IPv6 address 2001:abcd::2 with its own link layer address (a0:ce) to the client's IPv6 address. The client communicates with the attacker's link layer address because the attacker uses the server's IPv6 address. The attacker thus successfully takes the server's place under the server's IPv6 address and captures any data exchanged from the client to the server.

    129 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (rtr, ovr) is at 08:00:27:80:a0:ce
    Frame 129: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

Second ARP poisoning Attack

Qualification

- All devices are off.
- Client & capture monitor does not have any networking service such as DHCP or DNS.
- Client & capture monitor is ON and capturing network traffic on the Virtual Box Host-only Network.
- IP forwarding has been turned OFF on the Attacker machine.

Experiment

1. Turn on the Client & capture monitor computer and the Web Server.
2. Wait until the Client & capture monitor and the Web Server stabilize.
3. Turn on the Attacker machine and wait for it to stabilize.
4. Launch the attack with the command #atk6-parasite6 eth0 2001:abcd::2 fake-mac.
5. Client & capture monitor sends 10 pings to the Web Server.
6. From the client, open the web site [2001:abcd::2] in a browser.
7. Save the capture as ARP-Second-attack.

Observation

The attacker starts by sending multicast listener messages and router solicitation messages on the network to scan and discover the link layer addresses of its neighbors. The source of all these messages is the attacker's link layer address, as appears in Figure 3.16 in packets 3 up to 10, which were logged by the capture machine.

(Figure 3.16): Router solicitation message in the second ARP attack

When the client device starts sending pings to the web server while the attack is running, the first reply comes from the web server. This is shown below in Figure 3.17.

(Figure 3.17): Pinging after the second ARP attack

The attacker continues to send repeated Neighbor advertisements, which are captured in Figure 3.18 in the detailed packets 55 up to 59 below. The link layer address of the attacker appears as the packet source address, marked with red arrows.

(Figure 3.18): Continued advertisement messages in the second ARP attack

The attacker replies to the client device to serve the remaining requests as a Man-in-the-Middle. This is plain in packets 62 up to 66, and Figure 3.19 below proves it.

(Figure 3.19): Attacker succeeds in the second ARP attack

(Figure 3.20): Web services stopped in the second ARP attack

At the application level, when the client tries to browse the web site [2001:abcd::2] on the web server, it is unable to reach it and an error is generated, because all the client's requests to browse the website are answered from the attacker's link layer address instead of the web server's address, as in Figure 3.20 above. The captured packets 110 up to 117 in Figure 3.21 below show that the Man-in-the-Middle attack is successfully in place, because the attacker's address exchanges the messages with the client machine as if it were the web server.

(Figure 3.21): Man-in-the-Middle in the second ARP attack

Finally, changing the attack scenario did not produce any change in the result. The attacker still effectively used the Neighbor solicitation and Neighbor advertisement messages to perform the ARP poisoning attack, and a Man-in-the-Middle attack took place as in the previous scenario. This is shown in Figure 3.22 below, where the attacker acts in place of the web server, replies to the client, and gathers all the information needed for a successful attack.

(Figure 3.22): Attacker machine spoofing in the second ARP attack

Analysis

In frames 3 up to 7 below, the attacker starts sending multicast listener messages and router solicitation messages on the network to discover the link layer addresses of its neighbors. The source of all these messages is the attacker's link layer address (a0:ce).

    3 :: ff02::16 ICMPv6 110 Multicast Listener Report Message v2
    Frame 3: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16)
    Internet Protocol Version 6, Src: ::, Dst: ff02::16
    Internet Control Message Protocol v6

    4 :: ff02::1:ff00:4 ICMPv6 78 Neighbor Solicitation for 2001:abcd::4
    Frame 4: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_ff:00:00:04 (33:33:ff:00:00:04)
    Internet Protocol Version 6, Src: ::, Dst: ff02::1:ff00:4
    Internet Control Message Protocol v6

    5 :: ff02::1:ff80:a0ce ICMPv6 78 Neighbor Solicitation for fe80::a00:27ff:fe80:a0ce
    Frame 5: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_ff:80:a0:ce (33:33:ff:80:a0:ce)
    Internet Protocol Version 6, Src: ::, Dst: ff02::1:ff80:a0ce
    Internet Control Message Protocol v6

    6 :: ff02::16 ICMPv6 110 Multicast Listener Report Message v2
    Frame 6: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16)
    Internet Protocol Version 6, Src: ::, Dst: ff02::16
    Internet Control Message Protocol v6

    7 fe80::a00:27ff:fe80:a0ce ff02::16 ICMPv6 110 Multicast Listener Report Message v2
    Frame 7: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: IPv6mcast_16 (33:33:00:00:00:16)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fe80:a0ce, Dst: ff02::16
    Internet Control Message Protocol v6

In frame 59 below, the attacker sent an advertisement message from its link-layer address to the client's IPv6 address.

    59 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (rtr, sol, ovr) is at 08:00:27:80:a0:ce
    Frame 59: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

In frame 62, the attacker received the data sent from the client to the web server; the attacker's link address appears as the destination.

    62 2001:abcd::1 2001:abcd::2 ICMPv6 94 Echo (ping) request id=0x0001, seq=1081, hop limit=128 (no response found!)
    Frame 62: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

All the client's requests to browse the website ([SYN]) were received by the attacker machine, as is clear in frames 110 and 111.

    110 2001:abcd::1 2001:abcd::2 TCP 86 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
    Frame 110: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: 50288 (50288), Dst Port: 80 (80), Seq: 0, Len: 0

    111 2001:abcd::1 2001:abcd::2 TCP 86 [TCP Retransmission] [SYN] Seq=1 Win=8192 Len=1 MSS=1441 WS=256 SACK_PERM=1
    Frame 111: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: 50288 (50288), Dst Port: 80 (80), Seq: 0, Len: 0

In frame 112, the client sent a solicitation message from its IPv6 address to the attacker machine's link address.

    112 2001:abcd::1 2001:abcd::2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame 112: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

In frame 113 below, the attacker successfully sent an advertisement message to the client address in place of the web server, communicating with the client and receiving any data sent to the web server.

    113 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce
    Frame 113: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

Third ARP poisoning Attack

Qualification

All devices are off.
Client & capture monitor does not have any networking service such as DHCP or DNS.
Client & capture monitor is ON and capturing network traffic on VirtualBox Host-only Network.
IP forwarding has been turned OFF in Attacker machine.

Experiment

Turn on computer Client & capture monitor and Web Server.
Wait till Client & capture monitor and Web Server stabilize.
Ping web server from client computer continuously.
Turn on Attacker machine and wait for it to stabilize.
Launch attack by command #atk6-parasite6 eth0 2001:abcd::2 fake-mac.
Save Capture as ARP-Third-attack.

Observation

The attack was effective when it was performed while the client device was continuously pinging the web server. As soon as the attack started, an exchange of Neighbor solicitation and

Neighbor advertisement messages took place. As in the previous scenario, the attacker successfully established an ARP poisoning attack and the Man-in-the-Middle attack took place; Figure 3.23 shows how the poisoning expands across packets 17 through 19.

(Figure 3.23): advertisement and solicitation in third ARP

The attacker uses continuous Neighbor advertisement and solicitation messages to communicate with the link address of the web server over ICMPv6 via its link-layer address. Figure 3.24 below shows how the attacker gradually receives the packets from the server in place of the client machine, and how the Man-in-the-Middle attack takes place once the ARP poisoning attack has succeeded. This is clear in packets 528 through 532, where the source address of the packets is the web server and the destination is the attacker's link address.

(Figure 3.24): received packets in third ARP

Before the attack starts, there is no evidence of the Man-in-the-Middle attack. Once the attack is launched, the attacker performs a successful ARP poisoning attack and the Man-in-the-Middle takes place over the MAC address after continuous Neighbor advertisement and solicitation messages. The final result is identical to the previous scenarios; the difference is that the ARP poisoning attack starts while data is being exchanged between the client and the server. Figure 3.25 below shows the rapid attack and the spoofed packets passing directly between the attacker and the web server.

(Figure 3.25): attacker spoofed in third ARP

Analysis

From the frames below it is clear that the attacker starts sending neighbor solicitation and advertisement messages on the network to discover the link addresses of its neighbors; the source of all these messages is the attacker's link address (a0:ce), and it successfully impersonates the web server.

    17 fe80::a00:27ff:fea6:8cb3 fe80::d953:a236:d606:890c ICMPv6 86 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (rtr, sol, ovr) is at 08:00:27:80:a0:ce
    Frame 17: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::d953:a236:d606:890c
    Internet Control Message Protocol v6

    18 fe80::a00:27ff:fea6:8cb3 fe80::d953:a236:d606:890c ICMPv6 86 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (rtr, ovr) is at 08:00:27:80:a0:ce
    Frame 18: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::d953:a236:d606:890c
    Internet Control Message Protocol v6

    19 fe80::a00:27ff:fea6:8cb3 fe80::d953:a236:d606:890c ICMPv6 86 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (rtr, ovr) is at 08:00:27:80:a0:ce
    Frame 19: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::d953:a236:d606:890c
    Internet Control Message Protocol v6

    528 fe80::a00:27ff:fe80:a0ce fe80::a00:27ff:fea6:8cb3 ICMPv6 86 Neighbor Solicitation for fe80::a00:27ff:fea6:8cb3 from 08:00:27:80:a0:ce
    Frame 528: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fe80:a0ce, Dst: fe80::a00:27ff:fea6:8cb3
    Internet Control Message Protocol v6

    529 fe80::a00:27ff:fea6:8cb3 fe80::a00:27ff:fe80:a0ce ICMPv6 78 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (sol)
    Frame 529: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::a00:27ff:fe80:a0ce
    Internet Control Message Protocol v6

    530 fe80::a00:27ff:fea6:8cb3 fe80::a00:27ff:fe80:a0ce ICMPv6 86 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (rtr, sol, ovr) is at 08:00:27:80:a0:ce
    Frame 530: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::a00:27ff:fe80:a0ce
    Internet Control Message Protocol v6

    531 fe80::a00:27ff:fea6:8cb3 fe80::a00:27ff:fe80:a0ce ICMPv6 86 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (rtr, ovr) is at 08:00:27:80:a0:ce
    Frame 531: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_80:a0:ce (08:00:27:80:a0:ce), Dst: CadmusCo_80:a0:ce (08:00:27:80:a0:ce)
    Internet Protocol Version 6, Src: fe80::a00:27ff:fea6:8cb3, Dst: fe80::a00:27ff:fe80:a0ce
    Internet Control Message Protocol v6
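The spoofed advertisements in these captures can be picked out mechanically. The following Python sketch is an added example, not part of the thesis: it reads Wireshark one-line summaries in the format used in this chapter and flags Neighbor Advertisements that rebind a known address to a new link-layer address, or that contradict the MAC embedded in an EUI-64 link-local address. The function names and the ordering of the sample are assumptions; the sample lines are taken from the summary lines of frames 2, 113, 17 and 529 in this chapter's captures.

```python
import ipaddress
import re

# One-line Wireshark summary of a Neighbor Advertisement, as printed in this chapter:
#   <no> <src> <dst> ICMPv6 <len> Neighbor Advertisement <target> (<flags>) is at <mac>
NA_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ICMPv6\s+\d+\s+"
    r"Neighbor Advertisement\s+(?P<target>\S+)\s+\((?P<flags>[^)]*)\)"
    r"(?:\s+is at\s+(?P<mac>[0-9a-fA-F:]{17}))?"
)


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    Only addresses whose interface ID carries the ff:fe filler are decoded;
    manually assigned addresses such as 2001:abcd::2 return None.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)


def find_spoofed_advertisements(lines):
    """Return a list of (frame_no, target, advertised_mac, reason) alerts."""
    bindings = {}  # target IPv6 address -> first link-layer address seen for it
    alerts = []
    for line in lines:
        m = NA_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue  # not an NA, or an NA without a target link-layer option
        frame_no = int(m.group("no"))
        target = str(ipaddress.IPv6Address(m.group("target")))
        mac = m.group("mac").lower()
        flags = {f.strip() for f in m.group("flags").split(",")}

        # Check 1: an EUI-64 address advertised at a MAC it was not derived from.
        expected = eui64_mac(target)
        if expected and expected != mac:
            alerts.append((frame_no, target, mac, "eui64-mismatch"))

        # Check 2: an existing binding replaced. Only an NA with the Override
        # flag makes a receiver overwrite a cached entry (RFC 4861).
        known = bindings.setdefault(target, mac)
        if known != mac and "ovr" in flags:
            alerts.append((frame_no, target, mac, "binding-change"))
    return alerts


# Summary lines from this chapter's captures; combining them into one
# sequence is a construction for this example.
SAMPLE = [
    "2 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:a6:8c:b3",
    "113 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:80:a0:ce",
    "17 fe80::a00:27ff:fea6:8cb3 fe80::d953:a236:d606:890c ICMPv6 86 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (rtr, sol, ovr) is at 08:00:27:80:a0:ce",
    "529 fe80::a00:27ff:fea6:8cb3 fe80::a00:27ff:fe80:a0ce ICMPv6 78 Neighbor Advertisement fe80::a00:27ff:fea6:8cb3 (sol)",
]

if __name__ == "__main__":
    for alert in find_spoofed_advertisements(SAMPLE):
        print(alert)
```

The EUI-64 check needs no baseline of known-good bindings, which is why it fires on frame 17 even though no legitimate advertisement for that address precedes it in the sample.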

In Figure 3.26 below, the ARP spoofing attack is described in an activity diagram showing the flow of the attack and normal operations.

(Figure 3.26): Activity diagram for ARP spoofed attacks

The Denial of Service Attack

The goal of a denial of service attack is to deny legitimate users access to a particular resource or service. In this project the attacks were launched against host and network resources.

First Denial Of Service (DOS) Attack

Qualification

All devices are off.
Client & capture monitor does not have any networking service such as DHCP or DNS.
Client & capture monitor is ON and capturing network traffic on VirtualBox Host-only Network.
IP forwarding has been turned OFF in Attacker machine.

Experiment

Turn on computer Client & capture monitor and Web Server.
Wait till Client & capture monitor and Web Server stabilize.
Turn on Attacker machine and wait for it to stabilize.
Launch attack by command #atk6-flood_route26 eth0 2001:abcd::2
Client & capture monitor sends pings to Web Server.
From client, via browser, open web site [2001:abcd::2].
Save Capture as DOS-first-attack.

Observation

When the command was launched, the attacker started sending continuous router advertisements, flooding the network, as Figure 3.27 shows

below; simultaneously, the client sends repeated solicitation messages to the web server, as is clear in Figure 3.28.

(Figure 3.27): attacker advertisement in first DOS

The picture above shows the packets sent from the attacker machine to the destination target, the IPv6 address of the web server, as Neighbor advertisement messages, but with every packet sourced from a different link-layer address so as to flood the network routes. At the same time, the picture below shows the client sending its own Neighbor solicitation message for the web server's IPv6 address via its link-layer address.

(Figure 3.28): solicitation message in first DOS

When the client device tries to ping the web server while the attack is running, the result is host unreachable, and the Denial Of Service attack successfully utilizes the resources. At the application level, when the client tries to browse the web site [2001:abcd::2], it is unable to reach it and an error is generated, so the web server is no longer reachable for users and the attack succeeds.

Analysis

The frames below clearly show that the attacker sends continuous advertisement messages on the network to IPv6mcast from different link addresses, while at the same time the client sends solicitation messages to the

web server; together these messages flood the network and deny legitimate users the use of network services and resources.

    6 fe80::e4:f427:e5b7:4701 2001:abcd::2 ICMPv6 1486 Router Advertisement from 00:0c:27:e5:b7:47
    Frame 6: 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Internet Protocol Version 6, Src: fe80::e4:f427:e5b7:4701, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    7 fe80::e4:f45a:e5b7:4701 2001:abcd::2 ICMPv6 1486 Router Advertisement from 00:0c:5a:e5:b7:47
    Frame 7: 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Internet Protocol Version 6, Src: fe80::e4:f45a:e5b7:4701, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    8 fe80::e4:f48d:e5b7:4701 2001:abcd::2 ICMPv6 1486 Router Advertisement from 00:0c:8d:e5:b7:47
    Frame 8: 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Internet Protocol Version 6, Src: fe80::e4:f48d:e5b7:4701, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    9 fe80::e4:f4c0:e5b7:4701 2001:abcd::2 ICMPv6 1486 Router Advertisement from 00:0c:c0:e5:b7:47
    Frame 9: 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Internet Protocol Version 6, Src: fe80::e4:f4c0:e5b7:4701, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    51195 2001:abcd::1 ff02::1:ff00:2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame 51195: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:00:00:02 (33:33:ff:00:00:02)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: ff02::1:ff00:2
    Internet Control Message Protocol v6

    51196 fe80::e4:f4c3:badf:4701 2001:abcd::2 ICMPv6 1486 Router Advertisement from 00:0c:c3:ba:df:47
    Frame 51196: 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Internet Protocol Version 6, Src: fe80::e4:f4c3:badf:4701, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

Second Denial Of Service (DOS) Attack

Qualification

All devices are off.
Client & capture monitor does not have any networking service such as DHCP or DNS.
Client & capture monitor is ON and capturing network traffic on VirtualBox Host-only Network.
IP forwarding has been turned OFF in Attacker machine.

Experiment

Turn on computer Client & capture monitor and Web Server.
Wait till Client & capture monitor and Web Server stabilize.
Client & capture monitor sends pings to Web Server.
From client, via browser, open web site [2001:abcd::2].
Turn on Attacker machine and wait for it to stabilize.
Launch attack by command #atk6-flood_route26 eth0 2001:abcd::2
Save Capture as DOS-second-attack.

Observation

In Figure 3.29 below, packets 1 through 27 show that before the attack starts the client device can ping the web server and receive replies from it, and the client computer can access the web site on the server. From packet 28 on, after the attack, they fail to receive replies from the destination because the attacker sends its Neighbor advertisement messages targeting the server address, while at the same time

the client tries to reach the server by sending its Neighbor solicitation message over its link address.

(Figure 3.29): packets before second DOS

At the application level, the client can access the web site [2001:abcd::2] in its local browser before the attack starts, as in the normal situation. But after the attack starts and takes hold, the web site becomes unreachable and the attack completes successfully.

Swapping the experiment steps did not produce any changes. The attacker effectively used the router advertisement messages and Neighbor solicitation to perform a Denial Of Service attack as in the previous scenario, as appears in Figure 3.30.

(Figure 3.30): second DOS webserver not respond

Analysis

Before the attack was launched, the client sent a solicitation message to the web server and received its advertisement message; it also sent a ping echo from its IPv6 address 2001:abcd::1 and the web server replied with an echo from its IPv6 address 2001:abcd::2 normally. This is clear in the frames below.

    1 2001:abcd::1 ff02::1:ff00:2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame 1: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:00:00:02 (33:33:ff:00:00:02)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: ff02::1:ff00:2
    Internet Control Message Protocol v6

    2 2001:abcd::2 2001:abcd::1 ICMPv6 86 Neighbor Advertisement 2001:abcd::2 (sol, ovr) is at 08:00:27:a6:8c:b3
    Frame 2: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

    3 2001:abcd::1 2001:abcd::2 ICMPv6 94 Echo (ping) request id=0x0001, seq=626, hop limit=128 (reply in 4)
    Frame 3: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    4 2001:abcd::2 2001:abcd::1 ICMPv6 94 Echo (ping) reply id=0x0001, seq=626, hop limit=64 (request in 3)
    Frame 4: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

Before the attack was launched, the client also sent [SYN] from its IPv6 address 2001:abcd::1 and the web server replied [ACK] from its IPv6 address 2001:abcd::2 normally, and the client could access the web site. This is clear in the frames below.

    15 2001:abcd::1 2001:abcd::2 TCP 86 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
    Frame 15: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: 50379 (50379), Dst Port: 80 (80), Seq: 0, Len: 0

    16 2001:abcd::2 2001:abcd::1 TCP 86 [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1440 SACK_PERM=1 WS=128
    Frame 16: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Transmission Control Protocol, Src Port: 80 (80), Dst Port: 50379 (50379), Seq: 0, Ack: 1, Len: 0

In the frames below, after the attack was launched, the attacker sent continuous advertisement messages directly on the network to IPv6mcast from different link addresses and flooded the network with these messages, and the server became unreachable because the client started sending solicitation messages searching for the server.

    fe80::de:f7be:4207:2f01 2001:abcd::2 ICMPv6 1486 Router Advertisement from 00:0c:be:42:07:2f
    Frame : 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Internet Protocol Version 6, Src: fe80::de:f7be:4207:2f01, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    fe80::de:f7f1:4207:2f01 2001:abcd::2 ICMPv6 1486 Router Advertisement from 00:0c:f1:42:07:2f
    Frame : 1486 bytes on wire (11888 bits), 1486 bytes captured (11888 bits) on interface 0
    Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: IPv6mcast_01 (33:33:00:00:00:01)
    Internet Protocol Version 6, Src: fe80::de:f7f1:4207:2f01, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    2001:abcd::1 ff02::1:ff00:2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame : 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:00:00:02 (33:33:ff:00:00:02)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: ff02::1:ff00:2
    Internet Control Message Protocol v6

Third Denial Of Service (DOS) Attack

Qualification

All devices are off.
Client & capture monitor does not have any networking service such as DHCP or DNS.
Client & capture monitor is ON and capturing network traffic on VirtualBox Host-only Network.
IP forwarding has been turned OFF in Attacker machine.

Experiment

Turn on computer Client & capture monitor and Web Server.
Wait till Client & capture monitor and Web Server stabilize.
Client & capture monitor sends continuous pings to Web Server.
From client, via browser, open web site [2001:abcd::2].
Turn on Attacker machine and wait for it to stabilize.
Launch attack by command #atk6-flood_route26 eth0 2001:abcd::2
Save Capture as DOS-third-attack.

Observation

Before the attack started, the client device was continuously pinging the web server and receiving replies from it. After the attack started, the replies from the server arrived with delay, and the delays increased until they timed out and the server became unreachable. This is visible in Figure 3.31 below.

(Figure 3.31): pinging to webserver in third DOS

(Figure 3.32): normal operation before third DOS

As also appears in Figure 3.32 above, between frames 1 and 20, the sequence of continuous ping requests and the browsing of the web site [2001:abcd::2] from the client computer were not affected before the attack was performed. As soon as the attack started, random advertisement messages were generated by the attacker machine, along with Neighbor solicitation messages

from the client computer, similar to the previous case; the attacker successfully established a Denial Of Service attack. This is visible in Figure 3.33 below, in the different link-layer addresses generated by the attacker machine to achieve its goal.

(Figure 3.33): continue advertisement in third DOS

Before the attack starts, there is no evidence of denial of service. Once the attack is launched, the attacker performs a successful denial of service.

Analysis

In the frames below it is clear that, before the attack was launched, the client sent a ping echo from its IPv6 address 2001:abcd::1 and the web server replied with an echo from its IPv6 address 2001:abcd::2 normally.

    3 2001:abcd::1 2001:abcd::2 ICMPv6 94 Echo (ping) request id=0x0001, seq=641, hop limit=128 (reply in 4)
    Frame 3: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Internet Control Message Protocol v6

    4 2001:abcd::2 2001:abcd::1 ICMPv6 94 Echo (ping) reply id=0x0001, seq=641, hop limit=64 (request in 3)
    Frame 4: 94 bytes on wire (752 bits), 94 bytes captured (752 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Internet Control Message Protocol v6

    13 2001:abcd::1 2001:abcd::2 TCP 86 [SYN] Seq=0 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1
    Frame 13: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: 2001:abcd::2
    Transmission Control Protocol, Src Port: 50406 (50406), Dst Port: 80 (80), Seq: 0, Len: 0

    14 2001:abcd::2 2001:abcd::1 TCP 86 [SYN, ACK] Seq=0 Ack=1 Win=28800 Len=0 MSS=1440 SACK_PERM=1 WS=128
    Frame 14: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_a6:8c:b3 (08:00:27:a6:8c:b3), Dst: CadmusCo_00:90:da (08:00:27:00:90:da)
    Internet Protocol Version 6, Src: 2001:abcd::2, Dst: 2001:abcd::1
    Transmission Control Protocol, Src Port: 80 (80), Dst Port: 50406 (50406), Seq: 0, Ack: 1, Len: 0

After the attack was launched, while the client was exchanging data with the server, the attacker sent continuous advertisement messages on the network and flooded it with these messages, and the server became unreachable because the client started sending solicitation messages searching for the server. This is clear in the frames below.

    2001:abcd::1 ff02::1:ff00:2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame : 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:00:00:02 (33:33:ff:00:00:02)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: ff02::1:ff00:2
    Internet Control Message Protocol v6

    2001:abcd::1 ff02::1:ff00:2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame : 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:00:00:02 (33:33:ff:00:00:02)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: ff02::1:ff00:2
    Internet Control Message Protocol v6

    2001:abcd::1 ff02::1:ff00:2 ICMPv6 86 Neighbor Solicitation for 2001:abcd::2 from 08:00:27:00:90:da
    Frame : 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on interface 0
    Ethernet II, Src: CadmusCo_00:90:da (08:00:27:00:90:da), Dst: IPv6mcast_ff:00:00:02 (33:33:ff:00:00:02)
    Internet Protocol Version 6, Src: 2001:abcd::1, Dst: ff02::1:ff00:2
    Internet Control Message Protocol v6

The activity diagram below describes the Denial of Service attack; the dotted lines and shapes reflect the attack process.

(Figure 3.34): Activity diagram for DOS attacks

Mitigation of the (DOS) attack by Snort IPS

The previous section showed how a DOS attack can affect IPv6 networks. We used the open source Snort software to mitigate the vulnerability to the denial of service attack. We wrote a Snort rule which triggers an action (reject) and an alert if we detect a flooding of Neighbor Discovery packets, and we set the threshold to 1200 packets in one second. If this threshold is exceeded, it triggers an action (reject) and an alert:

    reject icmp any any -> 2001:abcd::2 any \
    (itype:6;detection_filter:track by_dst,count 1200,seconds 1; \
    msg:"icmpv6 flooding due to NeighborDiscovery Protocol- Possible attack";sid: ;rev:1;)

We also wrote a rate filter rule for the above rule, to take action every time the rule option matches:

    rate_filter \
    gen_id 134, sig_id , \
    track by_dst, \
    count 1, seconds 1, \
    new_action drop, timeout 0

After applying the above rules in Snort, running in Intrusion Prevention System (IPS) mode against the simulated attack, it blocked the flood packets that targeted the server interface in order to flood the network into a denial of service. The figure below shows Snort's dropped packets and alerts.

(Figure...3): Snort IPS blocking the DOS attack

The figure below illustrates the activity diagram for mitigating the Denial of Service attack.

(Figure...3): activity diagram for mitigate DOS attack
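As an added illustration (not the thesis's Snort configuration), this Python sketch applies the same threshold as the rule above, more than 1200 packets to one destination within one second, to a packet stream, and also counts distinct source link-layer addresses, the pattern seen in the flood frames. The sliding window, the function names and the generated sample traffic are assumptions of this example and do not reproduce Snort's internal algorithm.

```python
from collections import Counter, defaultdict, deque


def detect_flood(packets, count=1200, seconds=1.0):
    """Track ICMPv6 packets per destination over a sliding time window.

    packets: iterable of (timestamp, dst_ip, src_mac), sorted by timestamp
             and assumed to be pre-filtered to ICMPv6.
    Returns {dst_ip: {"first_exceeded": ts, "over_limit": n, "distinct_macs": k}}
    for every destination that received more than `count` packets in `seconds`.
    """
    windows = defaultdict(deque)    # dst -> (timestamp, mac) pairs inside the window
    mac_counts = defaultdict(Counter)  # dst -> how often each MAC is in the window
    report = {}
    for ts, dst, mac in packets:
        win, macs = windows[dst], mac_counts[dst]
        win.append((ts, mac))
        macs[mac] += 1
        # Expire everything older than the window.
        while win and ts - win[0][0] >= seconds:
            _, old_mac = win.popleft()
            macs[old_mac] -= 1
            if macs[old_mac] == 0:
                del macs[old_mac]
        if len(win) > count:
            entry = report.setdefault(
                dst, {"first_exceeded": ts, "over_limit": 0, "distinct_macs": 0}
            )
            entry["over_limit"] += 1  # packets an inline drop action would act on
            entry["distinct_macs"] = max(entry["distinct_macs"], len(macs))
    return report


def build_sample():
    """Constructed traffic: 5 s of 1 packet/s pings, then a 3000 packet/s flood."""
    pkts = []
    for i in range(5):
        # Client's real link-layer address, as seen in the captures.
        pkts.append((float(i), "2001:abcd::2", "08:00:27:00:90:da"))
    for i in range(3000):
        # Every flood packet carries a different, made-up source MAC.
        mac = f"00:0c:{i % 256:02x}:{i // 256:02x}:b7:47"
        pkts.append((5.0 + i / 3000.0, "2001:abcd::2", mac))
    return pkts


if __name__ == "__main__":
    for dst, info in detect_flood(build_sample()).items():
        print(dst, info)
```

A high `distinct_macs` value alongside the rate alarm separates a flood with randomized source addresses from a single busy but legitimate neighbor.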


More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of

More information

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016 IPv6 Security David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016 Outline MORE MATERIAL HERE THAN TIME TO PRESENT & DISCUSS (BUT SLIDES AVAILABLE FOR LATER REFERENCE) IPv6 security & threats

More information

ICS 451: Today's plan

ICS 451: Today's plan ICS 451: Today's plan ICMP ping traceroute ARP DHCP summary of IP processing ICMP Internet Control Message Protocol, 2 functions: error reporting (never sent in response to ICMP error packets) network

More information

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Designed to Prevent, Detect, and Block Malicious Attacks on Both IPv4 and IPv6 Networks TM Introduction With the exponential

More information

Lecture Computer Networks

Lecture Computer Networks Prof. Dr. Hans Peter Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau Sommersemester 2012 Institut für Organisation und Management von Informationssystemen Lecture Computer Networks Internet Protocol

More information

Insights on IPv6 Security

Insights on IPv6 Security Insights on IPv6 Security Bilal Al Sabbagh, MSc, CISSP, CCSP Senior Information & Network Security Consultant - NXme Information Security Researcher Stockholm University 10/9/10 NXme FZ-LLC 1 NIXU Middle

More information

Computer Networks Security: intro. CS Computer Systems Security

Computer Networks Security: intro. CS Computer Systems Security Computer Networks Security: intro CS 166 - Computer Systems Security A very easy network 3/14/16 Computer Networks: Intro 2 Two philosophers example Translator Language Translator Engineer Communication

More information

"Charting the Course... IPv6 Bootcamp Course. Course Summary

Charting the Course... IPv6 Bootcamp Course. Course Summary Course Summary Description This intermediate - advanced, hands-on course covers pertinent topics needed for IPv6 migration and deployment strategies. IPv6 novices can expect to gain a thorough understanding

More information

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition Chapter 2 Investigating Network Traffic Objectives After completing this chapter, you should be able to: Understand network

More information

Configuring IPv6 for Gigabit Ethernet Interfaces

Configuring IPv6 for Gigabit Ethernet Interfaces CHAPTER 46 IP version 6 (IPv6) provides extended addressing capability beyond those provided in IP version 4 (IPv4) in Cisco MDS SAN-OS. The architecture of IPv6 has been designed to allow existing IPv4

More information

CIT 380: Securing Computer Systems. Network Security Concepts

CIT 380: Securing Computer Systems. Network Security Concepts CIT 380: Securing Computer Systems Network Security Concepts Topics 1. Protocols and Layers 2. Layer 2 Network Concepts 3. MAC Spoofing 4. ARP 5. ARP Spoofing 6. Network Sniffing Protocols A protocol defines

More information

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

Implementing Cisco Network Security (IINS) 3.0

Implementing Cisco Network Security (IINS) 3.0 Implementing Cisco Network Security (IINS) 3.0 COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, ydlin@cs.nctu.edu.tw Chapter 1: Introduction 1. How does Internet scale to billions of hosts? (Describe what structure

More information

DELVING INTO SECURITY

DELVING INTO SECURITY DELVING INTO SECURITY Cynthia Omauzo DREU SUMMER 2015 ABSTRACT The goal of this research is to provide another option for securing Neighbor Discovery in IPv6. ARPsec, a security measure created for ARP

More information

PROTECTING INFORMATION ASSETS NETWORK SECURITY

PROTECTING INFORMATION ASSETS NETWORK SECURITY PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security

More information

Introduction to IPv6. IPv6 addresses

Introduction to IPv6. IPv6 addresses Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A = 1080::8:800:200C:417A

More information

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery The IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local

More information

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009 Packet Sniffers INFO 404 - Lecture 8 24/03/2009 nfoukia@infoscience.otago.ac.nz Definition Sniffer Capabilities How does it work? When does it work? Preventing Sniffing Detection of Sniffing References

More information

Chapter 5. Security Components and Considerations.

Chapter 5. Security Components and Considerations. Chapter 5. Security Components and Considerations. Technology Brief Virtualization and Cloud Security Virtualization concept is taking major portion in current Data Center environments in order to reduce

More information

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc. IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 Agenda IPv6 Primer IPv6 Protocol Security Dual stack approach

More information

MIGRATION OF INTERNET PROTOCOL V4 TO INTERNET PROTOCOL V6 USING DUAL-STACK TECHNIQUE

MIGRATION OF INTERNET PROTOCOL V4 TO INTERNET PROTOCOL V6 USING DUAL-STACK TECHNIQUE MIGRATION OF INTERNET PROTOCOL V4 TO INTERNET PROTOCOL V6 USING DUAL-STACK TECHNIQUE 1 SHEETAL BORSE, 2 MRUDUL DIXIT 1,2 Department of Electronics and Telecommunication, Cummins College of Engineering

More information

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work? Lab1 Definition of Sniffing: A program or device that captures vital information from the network traffic specific to a particular network. Passive Sniffing: It is called passive because it is difficult

More information

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet

More information

IPv6 Security Fundamentals

IPv6 Security Fundamentals IPv6 Security Fundamentals UK IPv6 Council January 2018 Dr David Holder CEng FIET MIEEE david.holder@erion.co.uk IPv6 Security Fundamentals Common Misconceptions about IPv6 Security IPv6 Threats and Vulnerabilities

More information

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011 IPv6 Associated Protocols Athanassios Liakopoulos (aliako@grnet.gr) 6DEPLOY IPv6 Training, Skopje, June 2011 Copy... Rights This slide set is the ownership of the 6DEPLOY project via its partners The Powerpoint

More information

Internet Control Message Protocol

Internet Control Message Protocol Internet Control Message Protocol The Internet Control Message Protocol is used by routers and hosts to exchange control information, and to inquire about the state and configuration of routers and hosts.

More information

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

Juniper Netscreen Security Device. How to Enable IPv6 Page-51 Juniper Netscreen Security Device Page-51 Netscreen Firewall - Interfaces Below is a screen shot for a Netscreen Firewall interface. All interfaces have an IPv6 address except ethernet0/0. We will step

More information

Network Interconnection

Network Interconnection Network Interconnection Covers different approaches for ensuring border or perimeter security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Lecture

More information

CSC 574 Computer and Network Security. TCP/IP Security

CSC 574 Computer and Network Security. TCP/IP Security CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network

More information

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The

More information

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land IPv6 1 IPv4 & IPv6 Header Comparison IPv4 Header IPv6 Header Ver IHL Type of Service Total Length Ver Traffic Class Flow Label Identification Flags Fragment Offset Payload Length Next Header Hop Limit

More information

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964 The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format

More information

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi

NETGEAR-FVX Relation. Fabrizio Celli;Fabio Papacchini;Andrea Gozzi NETGEAR-FVX538 Relation Fabrizio Celli;Fabio Papacchini;Andrea Gozzi -2008- Abstract Summary... 2 Chapter 1: Introduction... 4 Chapter 2: LAN... 6 2.1 LAN Configuration... 6 2.1.1 First experiment: DoS

More information

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:

More information

History Page. Barracuda NextGen Firewall F

History Page. Barracuda NextGen Firewall F The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic

More information

IPv6 Cyber Security Briefing May 27, Ron Hulen VP and CTO Cyber Security Solutions Command Information, Inc.

IPv6 Cyber Security Briefing May 27, Ron Hulen VP and CTO Cyber Security Solutions Command Information, Inc. IPv6 Cyber Security Briefing May 27, 2010 Ron Hulen VP and CTO Cyber Security Solutions Command Information, Inc. 2610:f8:ffff:2010:05:27:85:1 Attack Surfaces Protocol Translator IPv4 Native Dual-Stack

More information

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines Merike Kaeo merike@doubleshotsecurity.com Current IPv6 Deployments Don t break existing IPv4 network Securing IPv6 Can t secure something

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Chapter 2 Advanced TCP/IP

Chapter 2 Advanced TCP/IP Tactical Perimeter Defense 2-1 Chapter 2 Advanced TCP/IP At a Glance Instructor s Manual Table of Contents Overview Objectives Teaching Tips Quick Quizzes Class Discussion Topics Additional Projects Additional

More information

ELEC5616 COMPUTER & NETWORK SECURITY

ELEC5616 COMPUTER & NETWORK SECURITY ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses

More information

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering IPv6 Security Vendor Point of View Eric Vyncke, evyncke@cisco.com Distinguished Engineer Cisco, CTO/Consulting Engineering 1 ARP Spoofing is now NDP Spoofing: Threats ARP is replaced by Neighbor Discovery

More information

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs Session Overview! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs! RIP, IGRP, EIGRP and OSPF! Attacking tunnels! GRE intrusion

More information

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents Operation Manual IPv6 Table of Contents Table of Contents Chapter 1 IPv6 Basics Configuration... 1-1 1.1 IPv6 Overview... 1-1 1.1.1 IPv6 Features... 1-2 1.1.2 Introduction to IPv6 Address... 1-3 1.1.3

More information

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005 Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks

More information

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont DEEPSEC 2011 Conference Vienna, Austria, November 15-18, 2011 About... I have worked in security assessment of communication

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann SECURITY IN AN IPv6 WORLD MYTH & REALITY RIPE 68 Warsaw May 2014 Chris Grundemann WHO AM I? DO Director @ Internet Society CO ISOC Founding Chair RMv6TF Board NANOG PC NANOG-BCOP Chair IPv6 Author (Juniper

More information

IPv6 Security Issues and Challenges

IPv6 Security Issues and Challenges IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant IPv6 Global Sdn Bhd 7 November 2012 IPv6 TO MIGRATE OR NOT TO MIGRATE? It s not an option. Either

More information

Denial of Service and Distributed Denial of Service Attacks

Denial of Service and Distributed Denial of Service Attacks Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial

More information

Migration to IPv6 from IPv4. Is it necessary?

Migration to IPv6 from IPv4. Is it necessary? Introduction Today Internet plays a big role in every aspect of our lives and IP acted as an important pillar of Internet. Since its inception the Internet has reached almost all corners of globe and it

More information

Planning for Information Network

Planning for Information Network Planning for Information Network Lecture 7: Introduction to IPv6 Assistant Teacher Samraa Adnan Al-Asadi 1 IPv6 Features The ability to scale networks for future demands requires a limitless supply of

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Introduction to IPv6 - II

Introduction to IPv6 - II Introduction to IPv6 - II Building your IPv6 network Alvaro Vives 27 June 2017 Workshop on Open Source Solutions for the IoT Contents IPv6 Protocols and Autoconfiguration - ICMPv6 - Path MTU Discovery

More information

Campus Network Design

Campus Network Design Design Principles Campus Network Design 2003, Cisco Systems, Inc. All rights reserved. 2-1 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 2-2 Design Principles Task in Network Design Plan phase

More information

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery The IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the link-layer address of a neighbor on the same network (local

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1 Table of Contents 1 IPv6 Configuration 1-1 IPv6 Overview 1-1 IPv6 Features 1-1 Introduction to IPv6 Address 1-2 Introduction to IPv6 Neighbor Discovery Protocol 1-5 Introduction to ND Snooping 1-7 Introduction

More information

Foreword xxiii Preface xxvii IPv6 Rationale and Features

Foreword xxiii Preface xxvii IPv6 Rationale and Features Contents Foreword Preface xxiii xxvii 1 IPv6 Rationale and Features 1 1.1 Internet Growth 1 1.1.1 IPv4 Addressing 1 1.1.2 IPv4 Address Space Utilization 3 1.1.3 Network Address Translation 5 1.1.4 HTTP

More information

Configuring IPv4. Finding Feature Information. This chapter contains the following sections:

Configuring IPv4. Finding Feature Information. This chapter contains the following sections: This chapter contains the following sections: Finding Feature Information, page 1 Information About IPv4, page 2 Virtualization Support for IPv4, page 6 Licensing Requirements for IPv4, page 6 Prerequisites

More information

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery IPv6 Neighbor Discovery Last Updated: September 19, 2012 The IPv6 neighbor discovery process uses Internet Control Message Protocol (ICMP) messages and solicited-node multicast addresses to determine the

More information

SharkFest 17 Europe. #35 Sneaking in The Backdoor. Hacking the Non-Standard Layers. Phill Sherlock Shade. Merlion s Keep Consulting.

SharkFest 17 Europe. #35 Sneaking in The Backdoor. Hacking the Non-Standard Layers. Phill Sherlock Shade. Merlion s Keep Consulting. SharkFest 17 Europe #35 Sneaking in The Backdoor Hacking the Non-Standard Layers 10 November 2017 Phill Sherlock Shade Merlion s Keep Consulting #sf17eu Estoril, Portugal #sf17eu Estoril, Portugal Merlion

More information

Security in an IPv6 World Myth & Reality

Security in an IPv6 World Myth & Reality Security in an IPv6 World Myth & Reality DGI Washington D.C. August 2014 Chris Grundemann MYTH: IPv6 Has Security Designed In MYTH: IPv6 Has Security Designed In IPSEC IS NOT NEW IPsec exists for IPv4

More information

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Exam : Title : Security Solutions for Systems Engineers. Version : Demo Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized

More information

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery About, page 1 Prerequisites for, page 2 Guidelines for, page 2 Defaults for, page 4 Configure, page 5 View and Clear Dynamically Discovered Neighbors, page 10 History for, page 11 About The IPv6 neighbor

More information

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest

More information

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks A Security Whitepaper January, 2004 Photo courtesy of NASA Image exchange. Image use in no way implies endorsement by NASA of any of the

More information

Configuring IPv6 basics

Configuring IPv6 basics Contents Configuring IPv6 basics 1 IPv6 overview 1 IPv6 features 1 IPv6 addresses 2 IPv6 neighbor discovery protocol 5 IPv6 PMTU discovery 8 IPv6 transition technologies 8 Protocols and standards 9 IPv6

More information

Network Security. Network Vulnerabilities

Network Security. Network Vulnerabilities Network Security Network Vulnerabilities 1 Attacks and the OSI Stack Stack layer Services Protocols Application; Presentation; Session Transport DNS SMTP TCP Network Routers IP Logic Physical Switches

More information

ERNW WHITEPAPER 62 RA GUARD EVASION REVISITED

ERNW WHITEPAPER 62 RA GUARD EVASION REVISITED ERNW WHITEPAPER 62 RA GUARD EVASION REVISITED Version: 1.0 Date: 11.12.2017 Classification: Author(s): Public Omar Eissa;Christopher Werny TABLE OF CONTENT 1 MOTIVATION 3 2 PROBLEM STATEMENT 4 2.1 First

More information

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

Campus Network: IPv6 and Firewalling

Campus Network: IPv6 and Firewalling Campus Network: IPv6 and Firewalling Produced by the CSC/FUNET-led AccessFunet working group Authors: Kaisa Haapala (CSC/FUNET), Ville Mattila (CSC/ FUNET), Jani Myyry (CSC/FUNET), Tuukka Vainio (Univ

More information

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture #4 preview ICMP ARP DHCP NAT

More information

Fundamentals of Network Security v1.1 Scope and Sequence

Fundamentals of Network Security v1.1 Scope and Sequence Fundamentals of Network Security v1.1 Scope and Sequence Last Updated: September 9, 2003 This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document

More information

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6 5.1 Tunneling 5.1.1 Automatic Tunneling 5.1.2 Configured Tunneling 5.2 Dual Stack 5.3 Translation 5.4 Migration Strategies for Telcos and ISPs Introduction - Transition - the process or a period of changing

More information