A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

Transcription

1 2015 IEEE 2015 International Conference on Computer, Communication, and Control Technology (I4CT 2015), April in Imperial Kuching Hotel, Kuching, Sarawak, Malaysia A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art Navaneethan C. Arjuman National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Penang, Malaysia nava@nav6.usm.my Abstract In IPv4, ICMP was used for error reporting and flow control management among others. Due to lack of security consideration in the design of ICMPv4 protocol leading to numerous vulnerabilities, this has led to exploitation and attacks on a particular network. IPv6 is a new protocol introduced to replace IPv4 in order to circumvent IP address depletion. ICMPv6 now has expanded role, so security measures introduced in ICMPv4 are no longer sufficient to address the security issues potentially inherent in ICMPv6. This paper will review the vulnerabilities and exploitation of ICMPv6. The existing mitigation techniques and approaches used to address these vulnerabilities will also be reviewed to an extent. Index Terms ICMPv6, Security, Mitigation, Review 1 INTRODUCTION The exponential growth of the Internet has led to the depletion of the current Internet addressing scheme, i.e. Internet Protocol version 4 (IPv4). In order to ensure the Internet growth is not stunted in anyway, a new protocol was introduced to replace IPv4. Internet Protocol version 6 (IPv6) provides a much bigger address space as compared to IPv4 and at the same time introduced new features and capabilities that were non-existent in IPv4 that will greatly improve transmission efficiency (Wu at el, 2009). IPv6 inherits some of the existing security issues inherent in IPv4. ICMPv6, a counterpart of ICMPv4, is also vulnerable to attacks. The complex design of ICMPv6 has also led to new security vulnerabilities that can be taken advantage off by attackers. In this paper, we will review the weaknesses that exist within the ICMPv4 and ICMPv6 protocols and how the attackers can exploit these weaknesses to carry out attacks. This paper also highlights existing mitigation techniques that can be used to identify these attacks based on certain classification art. 2 BACKGROUND This section will focus on common vulnerabilities between ICMPv4 and ICMPv ICMP Protocol Internet Control Message Protocol (ICMP) is an integral part of any IP implementation (Kaushik & Joshi, 2010). ICMP Selvakumar Manickam National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Penang, Malaysia selva@nav6.usm.my is designed to provide query and error messages for effective communication between host and gateways in the IP network ICMPv Type Code Checksum Unused Header & 64 bits from original datagram Figure 1- ICMPv4 Data Structure Figure 1 show the ICMPv4 data structure. Figure 1 has two key components i.e Type and Code. The devices in the network are programmed to react in certain manner upon receiving these parameters in the packets payload. The table below highlights subset of ICMPv4 Types and Codes and it s functionalities that relevant to the attacks that will be discussed in the later sections. Table 1 Subset of ICMPv4 Types and Codes Type Name Code 0 Echo Reply 0 No Code 3 Destination 0 Net 1 Host 2 Protocol 3 Port 4 Fragmentation Needed and Don't Fragment was Set 5 Source Route Failed 6 Destination Network Unknown 7 Destination Host Unknown 8 Source Host Isolated 9 Communication with Destination Network is Administratively 10 Communication with Destination Host is Administratively 11 Destination Network /15/$ IEEE 323

2 4 Source Quench for Type of Service 12 Destination Host for Type of Service 13 Communication Administratively 14 Host Precedence Violation 15 Precedence cutoff in effect 0 Node Code (Deprecated) 5 Redirect 0 Redirect Datagram for the Network (or subnet) 1 Redirect Datagram for the Host 2 Redirect Datagram for the Type of Service and Network 3 Redirect Datagram for the Type of Service and Host 8 Echo Request 0 No Code 9 Router 10 Router Selection ICMPv6 0 No Code 16 Does not route common traffic 0 No Code Type Code Checksum Message Body Figure 2- ICMPv6 Data Structure Similar to ICMPv4, the data structure of ICMPv6 also has two (2) key components i.e Type and Code. The data structure of ICMPv6 has been modified significantly compared to ICMPv4 to overcome the issues related to ICMPv4. Furthermore the ICMPv6 roles are also expanded compare to ICMPv4. For example the role ARP protocol in IPv4 has been absorbed under ICMPv6. The table below highlights subset of ICMPv6 Types and Codes that have direct impact to the attacks discussed in ICMPv4 and also might be presence in the IPv6 networks. Table 2 Subset of ICMPv6 Messages Message Description Type Code Destination Error Message no route to destination 1- communication Informational Message with destination administratively prohibited 2 beyond scope of source address 3 - address unreachable 4- Port 5- source address failed ingress/egress policy 6 - reject route to destination 7- Error in Source Routing Header Packet Too Big 2 0 Echo Request Echo Reply Router Solicitation Router Neighbour Solicitation Neighbour Redirect Message Similar to IPv4, the devices in the IPv6 network will route the IPv6 packets as per instruction of Type and Code of the ICMPv6 packets as in Table 2. But in ICMPv6, the Type and Code functionalities are different compare to ICMPv4. The Type and Codes of ICMPv6 are modified to meet the new challenges in the IPv6 network. 3 ICMP ATTACKS ICMP facilitates sending informational and error messages to the originating host by nearest gateway of destination host and informs the source host about the errors in the datagram processing (Kaushik & Joshi, 2010). The attackers will exploit the above mentioned information and launch appropriate attacks on the networks. The following sections discuss in details some of common ICMP based attacks that already exist in the IPv4 and possibly presence in IPv6 networks. 3.1 ICMP Attacks 324

3 This section discusses in details the following attacks that already exist in the IPv4 and possibly presence in IPv6 networks as well ICMP Sweep Under these attacks, the attackers will send range of echo request continuously and this will force the host to reply the echo requests continuously. This will keep the host busy replaying to the echo requests. This attack is known as ICMP Sweep attack. This scenario will lead into flooding unnecessary data in the network and degrade the performance of the network. The Figure 3 illustrated how these attacks take place in the network.. Figure 3- ICMP Sweep Attack Table 3 Comparison between presences of ICMPv4 and Type =8 Code = Inverse Mapping Type=128 and Code=0 The attacker will use Inverse Mapping technique to obtain the map the internal devices or host that are protected by filtering devices such as firewalls and gateways. Usually the attacker will send range of ICMP echo request messages to range of IP addresses behind filtering devices. If there are internal routers are available then the internal routers will response with ICMP reply Host for each request. With this information, the attacker able to build a network map of devices behind the filtering devices which later can be exploited using other relevant attacks. Table 4 Comparison between presences of ICMPv4 and Type=0, Code=0 without sending Type=8, Code= Operating System (OS) fingerprinting Type=129 Code =0 without sending Type =120 Code = 0 Knowing the detailed system profile would provide added advantage for attackers to attack a particular network efficiently. Under the usual scenario, the attackers would use port scanners to find out the services that are available in the systems. The attacker is able to identify the underlying Operating System (OS) in a network by exploiting the ICMP packets. Different OS manufactures has slightly different communications procedures. This variation allows the attackers able to profile remotely the underlying OS in the targeted system. This would provide added advantage for the attacker to attack particular system in a different manner. Table 5 Comparison between presences of ICMPv4 and ICMPv6 packets during the attacks. Type =8 and code other than ICMP Route Redirect Type = 128 and Code other than 0 One of the key functions of ICMP is to facilitate redirect routing in case failing of any one router or in efficient performance of the particular router in the network when ICMP message received from any host. Attacker would exploit the above mentioned weakness of by redirecting the routing to exploiter s router so that the attackers can again access all the information in the packets. This is the will allow the Man-In-Middle attacks take place. Figure 4- ICMP Route Redirect Attack (Christopher Low, 2011) In Figure 4, the attacker will able to intercept the communication between source and destination host via gateway G2 by taking control of the secondary gateway G1 means of sending ICMP route redirect message to the source host. So all traffic bound for destination host has to go through Gateway G1 which leads into Man-In-The-Middle (MITM) attack. Table 6 Comparison between presences of ICMPv4 and 325

4 Type =5 Type = 137 and Code= Ping of death During the ping death attacks, the attacker will sends oversized ICMP message to a target host. In IPv4 the TCP/IP specification allows for a maximum of octets in a single packet of information. If the packet size more than the above mentioned size the target host potentially crashed or rebooted. This issue due to some OS does not know how to handle the ICMP packets that are larger than stipulated in the RFC. Similar scenario exists in IPv6 networks as well. Table 7 Comparison between presences of ICMPv4 and Total size of IP packet > bytes ICMP Smurf attack Type=2 and Code =0 Attacker crafts Smurf attack to flood the network. The attackers will exploit weakness in the ICMP and IP protocols by duplicating the original source address of the packet. The nuke attack is a denial of service attack based on sending invalid packets to the target host. This attack can be achieved by modifying ping utilities and sends repeat corrupt data to target host and eventually slowing the host until the host computer complete stop working. Nukes send invalids packets of information to target OS until it is unable to handle and eventually crashed the system. Table 9 Comparison between presences of ICMPv4 and Invalid packets Invalid packets ICMP Router Discovery Message Attack When a host boots up, it will look out for the default router by issuing a router solicitation message. When the attacker listens in to this message, it will spoof a reply to the host. The default route of the host is now will be set to the attacker s IP address in its reply. Now the attacker can initiate attacks such as sniffing, man-in-the-middle attacks for all the traffic outbound traffic via the attacker s machine. At the time the denial of service attack is also can be initiated by not forwarding any packets onto the correct subnet as shown by Figure 6 as below. Figure 6 MITM Attack with spoofed ICMPv6 Router (Atik Pilihanto, 2011) Figure 5- ICMPv4 Smurf Attack (Christopher Low, 2011) In IPv4 network, the Smurf attack can be performed by sending spoofed ICMP echo requests to the broadcast address. The source address of the request is the target of the attacks. Whereas in IPv6 networks, IPv6 does not have a broadcast address but it has a multicast addresses to reach all nodes in the network. Table 8 Comparison between presences of ICMPv4 and Type =0, Code=0 without sending Type=8, code = ICMP nuke attack Type 128 Code 0 without Type 129 Code 0 Figure 6 - ICMP Router Discovery Message Attack (Atik Pilihanto,2011) Table 10 Comparison between presences of ICMPv4 and Type=9 and 10, Code =0 Type=133 and 134, Code=0 3.2 Unique ICMPv6 Attacks In IPv6 networks, there are attacks that are only specific to ICMPv6. The following section highlights the attacks that only unique to ICMPv6 only Man In The Middle Attack With Spoofed ICMPv6 Neighbour In IPv4, MITM carried out using ARP Cache Poising and DHCP spoofing. Since in IPv6, ARP is replaced by ICMPv6 326

5 neighbor discovery process, so this attacks only unique to IPv6 networks only. Figure 7 shows the process flow of how MITM attack take place in the IPv6 network. network. This will scenario will be known as Denial of Service where it prevents new IPv6 host on the network. Table 12 Comparison between presences of ICMPv4 and Not applicable Type = 135 and 136, Code=0 Figure 7 MITM Attack with spoofed ICMPv6 Neighbour (Atik Pilihanto,2011) In the above attacks both Node A and Node B can perform communication and data transfer normally, but all traffics from Node A to Node B goes through the attacker s node. The attacker also can use this opportunity to intercepting the traffic to steal secret or confidential information, filtering the traffic, hijacking the established TCP connection, etc. Table 11 Comparison between presences of ICMPv4 and ICMPv6 Significant Not applicable Type = 135 and 136, Code = Duplicate Address Detection (DAD) In order to detect whether an IPv6 address already exist in the network under the IPv6 stateless auto configuration, Duplicate Address Detection (DAD) protocol is used to detect the duplication. DAD only applicable for IPv6 networks only. DAD uses ICMPv6 neighbor solicitation by sending to all the nodes multicast addresses. If there are no IPv6 addresses exist on the network, no response will be sent back to the solicitation source host. Figure 8 shows the Duplicate Address Detection mechanism in the normal situation. Figure 8 Duplicate Address Detection (DAD) (Atik Pilihanto, 2011) Under these attacks, since everyone can reply to the ICMPv6 neighbor solicitation, every solicitation sent to detect possible duplication will be replied. Finally no one can join the 4 CLASSIFICATION Network security attacks threats are usually handled by firewalls and intrusion detection systems (Kaushik & Joshi, 2010). These are tools are designed to address prevention, detection, mitigation and response perspective to an attack. Besides firewalls and intrusion detection systems, there are already available tools with the existing mechanisms that collect the above mentioned ICMPv4 data and correlate them to relevant ICMPv4 based attacks. Similarly for ICMPv6 there is a great need of similar mechanism and tools to detect ICMPv6 based attacks. The Table 3 till 12 clear shows that ICMPv4 exploitation that exist in the IPv4 networks will be expected to be presence in IPv6 networks as well. At the same time, the tables clearly indicate that there is some exploitation only applicable for IPv4 or IPv6 only. The key variation of the classification would be the type and code would be different. 5 CONCLUSION The future work would be looking at proposing improved system effectively to collect ICMPv4 and ICMPv6 packets and classify packets. At same time provide alert system to highlight the network administrator the potential attacks in the network. REFERENCES [1] AK Kaushik and R.C Joshi, Network Forensic System for ICMP Attacks, International Journal of Computer Applications, 2010 [2] Liu Wu, DUAN Hai-xin, LIN tao, Li Xing, WU Jianping, H6Proxy:ICMPv6 Weakness Analysis Implementation of IPv6 Attacking Test Proxy, Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing, [3] Redhwan M. A. Saad, Sureswaran Ramadass and Selvakumar Manickam, A Study on Detecting ICMPv6 Flooding Attack based on IDS, Australian Journal of Basic and Applied Sciences, [4] Christopher Low, ICMP Attacks Illustrated, SANS Institute, [5] A. Conta,S. Deering and M. Gupta. Internet Control Message Protocol (ICMPv6) for Internet Protocol Version 6 (IPv6) Specification, RFC 4443, IETF, March 2006, [6] Atik Pilihanto, A Complete Guide on IPv6 Attack and Defense, SANS Institute,