Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks
Navaneethan C. Arjuman (nava@nav6.usm.my)
National Advanced IPv6 Centre
January 2014
Introduction
- IPv6 was introduced to overcome the exhaustion of IPv4 addresses.
- IPv6 has many advantages compared to IPv4.
- IPv6 carries security threats similar to those of IPv4, as well as new ones.
- An IPv6 network ceases to function if ICMPv6 is blocked or dropped, in contrast with blocking or dropping ICMP packets in an IPv4 network.
- Internet Control Message Protocol for IPv6 (ICMPv6) based attacks are one of the key known security threats for both dual-stack and native IPv6 networks.
Problem Statement
- ICMPv6 has a bigger role in IPv6 networks than ICMPv4 has in IPv4 networks.
- The role of the ARP protocol in IPv4 has been absorbed into ICMPv6 in IPv6 networks.
- Like ICMPv4, ICMPv6 has weaknesses that attackers exploit to attack the network.
- Managing ICMPv6 issues in dual-stack and native IPv6 networks is more complex than in pure IPv4 networks.
Problem Statement
- The existing ICMPv4 solutions are no longer sufficient to detect ICMPv6 attacks.
- Modified and new approaches are required to address ICMPv6 exploitation.
Objectives
- To investigate and study the weaknesses of the ICMPv6 protocol
- To analyse ICMPv6 traffic under various attack scenarios
- To propose a new algorithm to detect ICMPv6 attacks
- To test and evaluate the proposed algorithm
Known ICMPv4 Attacks
Below are known ICMPv4 attacks that can also be present in ICMPv6:
- ICMP Sweep
- Inverse mapping
- Traceroute network mapping
- OS fingerprinting
- ICMP route redirect
- Ping of Death
- ICMP Smurf attack
- ICMP Nuke attack
- Attack using source quench
Key ICMPv4 types and codes that contribute to attacks in IPv4 networks

Attack on ICMP protocol        | Significant parameters
ICMP Sweep                     | Type=8 and code=0
Inverse mapping                | Type=0 without sending type=8
Traceroute network mapping     | TTL=0 and type=8
OS fingerprinting              | Type=8 and code other than 0
ICMP route redirect            | Type=5
Ping of death                  | Total size of IP packet >65535 bytes
ICMP Smurf attack              | Type=0 without sending type=8
ICMP Nuke attack               | Invalid packet
Attack using source quench     | Type=4 and code=0

Source: Atul Kant Kaushik and R C Joshi, International Journal of Computer Application (0975-8887), Volume 2 No., May 2010
Focusing on ICMPv6 Attacks
There are many ICMPv6 attacks; the common ones are:
- Man in the Middle (MITM)
- Denial of Service
Man in the Middle Attacks
Sniffing and session hijacking
- IPv4: ARP cache poisoning; DHCP spoofing
- IPv6: ARP is replaced by the ICMPv6 neighbor discovery process; DHCP may be replaced by the alternative process called stateless auto-configuration
Man in the Middle Attacks
MITM, some known techniques:
- Man in the middle with spoofed ICMPv6 neighbor advertisement
- Man in the middle with spoofed ICMPv6 router advertisement
- Man in the middle using ICMPv6 redirect or ICMPv6 packet too big to implant a route
- Man in the middle attacking mobile IPv6 (requires IPsec to be disabled)
- Man in the middle with a rogue DHCPv6 server
MITM With Spoofed ICMPv6 Neighbor Advertisement
ICMPv6 neighbor discovery requires two types of ICMPv6 message:
- ICMPv6 Neighbor Solicitation (ICMPv6 type 135)
- ICMPv6 Neighbor Advertisement (ICMPv6 type 136)
MITM With Spoofed ICMPv6 Neighbor Advertisement (diagram)
MITM With Spoofed ICMPv6 Router Advertisement (diagram)
Denial of Service
- Traffic flooding with ICMPv6 router advertisement, neighbor advertisement, neighbor solicitation, multicast listener discovery, or smurf attack
- Denial of Service which prevents new IPv6 attack on the network
- Denial of Service related to fragmentation
- Traffic flooding with ICMPv6 neighbor solicitation and a lot of crypto work to keep the target CPU busy
Smurf Attack (diagram)
Duplicate Address Detection (DAD) (diagram)
Methodology
Proposed: develop an ICMPv6 Based Vulnerability Attack Detection System with the following sub-approaches.
ICMPv6 Traffic Reduction Technique
- Collect only the ICMPv6 packets whose type and code contribute to known ICMPv6 attacks
Methodology
ICMPv6 Statistical Aggregation Technique
- Aggregate and classify the filtered ICMPv6 traffic based on significant parameters
Rule Based Severity Alert
- Correlate the aggregated traffic with particular ICMPv6 based attacks and indicate the severity level
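The three-stage pipeline described in the methodology slides, and the neighbor discovery types (135/136) from the spoofed neighbor advertisement slide, can be shown end to end on constructed traffic. The following Python is an added example, not code from the presentation or from the inetmon project: it parses raw ICMPv6 payloads (constructed in-line, checksum left at zero), keeps only the type/code pairs it watches (stage 1), aggregates per-source counts and the link-layer addresses claimed per advertised target (stage 2), and raises rule-based alerts with a severity level (stage 3). The watched set, the flood threshold and the severity labels are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# ICMPv6 message types for neighbor discovery (RFC 4861).
NS, NA, RA, REDIRECT = 135, 136, 134, 137

# Stage 1 filter: (type, code) pairs that feed the attacks in the slides
# (NS/NA spoofing and flooding, rogue RA, redirect-based route implants).
# Assumed set for this example; a deployment would tune it.
WATCHED = {(NS, 0), (NA, 0), (RA, 0), (REDIRECT, 0)}
FLOOD_THRESHOLD = 50  # assumed: messages per source per capture window


def parse_icmpv6(payload: bytes) -> dict:
    """Decode the ICMPv6 header; for a Neighbor Advertisement also pull out
    the target address and the target link-layer address option (type 2)."""
    if len(payload) < 4:
        raise ValueError("ICMPv6 header is at least 4 bytes")
    rec = {"type": payload[0], "code": payload[1]}
    if rec["type"] == NA and len(payload) >= 24:
        rec["override"] = bool(payload[4] & 0x20)  # R|S|O flags live in byte 4
        rec["target"] = str(ipaddress.IPv6Address(payload[8:24]))
        off = 24  # options are TLVs, length in units of 8 bytes
        while off + 2 <= len(payload):
            opt_type, opt_len = payload[off], payload[off + 1]
            if opt_len == 0:
                break  # malformed option; stop rather than loop forever
            if opt_type == 2 and opt_len == 1:
                rec["tll"] = ":".join(f"{b:02x}" for b in payload[off + 2:off + 8])
            off += opt_len * 8
    return rec


def build_na(target: str, tll: str, override: bool = True) -> bytes:
    """Construct a Neighbor Advertisement for the sample capture (checksum 0)."""
    hdr = bytes([NA, 0, 0, 0, 0x20 if override else 0, 0, 0, 0])
    opt = bytes([2, 1]) + bytes.fromhex(tll.replace(":", ""))
    return hdr + ipaddress.IPv6Address(target).packed + opt


def build_ns(target: str) -> bytes:
    """Construct a Neighbor Solicitation for the sample capture (checksum 0)."""
    return bytes([NS, 0, 0, 0]) + bytes(4) + ipaddress.IPv6Address(target).packed


def reduce_traffic(packets):
    """Stage 1: keep only records whose (type, code) is in WATCHED."""
    kept = []
    for src, raw in packets:
        rec = parse_icmpv6(raw)
        if (rec["type"], rec["code"]) in WATCHED:
            rec["src"] = src
            kept.append(rec)
    return kept


def aggregate(records):
    """Stage 2: per-(source, type) counts, link-layer addresses claimed per
    NA target, and the set of sources that sent router advertisements."""
    bindings = defaultdict(set)
    for r in records:
        if r["type"] == NA and "tll" in r:
            bindings[r["target"]].add(r["tll"])
    return {
        "per_src": Counter((r["src"], r["type"]) for r in records),
        "bindings": bindings,
        "ra_sources": {r["src"] for r in records if r["type"] == RA},
    }


def severity_alerts(agg):
    """Stage 3: correlate aggregates with known attacks; each alert is
    (rule, severity, detail)."""
    alerts = []
    for target, macs in agg["bindings"].items():
        if len(macs) > 1:  # one address claimed by several link-layer addresses
            alerts.append(("spoofed_na", "high",
                           f"{target} advertised with {len(macs)} link-layer addresses"))
    if len(agg["ra_sources"]) > 1:  # more than one router announcing itself
        alerts.append(("rogue_ra", "medium",
                       f"router advertisements from {sorted(agg['ra_sources'])}"))
    for (src, typ), n in agg["per_src"].items():
        if n >= FLOOD_THRESHOLD:
            alerts.append(("icmpv6_flood", "high", f"{src} sent {n} type-{typ} messages"))
    return alerts


def detect(packets):
    return severity_alerts(aggregate(reduce_traffic(packets)))


# Constructed sample capture: a legitimate NA, a conflicting NA for the same
# target from another source, an NS burst, and an echo request stage 1 drops.
SAMPLE = (
    [("fe80::1", build_na("fe80::1", "00:11:22:33:44:55"))]
    + [("fe80::bad", build_na("fe80::1", "de:ad:be:ef:00:01"))]
    + [("fe80::bad", build_ns(f"fe80::{i}")) for i in range(1, 61)]
    + [("fe80::cafe", bytes([128, 0, 0, 0]))]
)

if __name__ == "__main__":
    for rule, severity, detail in detect(SAMPLE):
        print(f"[{severity}] {rule}: {detail}")
```

The binding map in stage 2 is what turns a spoofed neighbor advertisement into something detectable: a legitimate host advertises one link-layer address for its target, so a second address for the same target is the signal, regardless of how the advertisement was crafted. The flood rule is intentionally per source and per type so that a neighbor solicitation burst and a router advertisement flood surface as separate alerts.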
Sample capture of the inetmon ICMP Fault Monitoring Module (screenshot)
Thank You