Denial of Service attacks in IPv6 networks and countermeasures
Master Thesis, 15 HP
HIGHLIGHTS
1. Introduction
2. Problem Statement
3. Related Work
4. Methodology and Experiments
5. Existing Solutions
6. Results
7. Conclusions
8. Future Work
Introduction
IPv6 packet fragmentation: the source node of an IPv6 network fragments the payload according to the minimum MTU of the path to the destination. The size of each packet must not exceed the minimum MTU of the path.
Fragment header:
Source: RFC 2460
Problem Statement
IPv6 extension headers:
An IPv6 packet may carry zero, one, or more extension headers.
Extension headers are not examined or processed by any node along a packet's delivery path until the packet reaches the destination node, except for the Hop-by-Hop Options header.
If, as a result of processing a header, a node is required to proceed to the next header but the Next Header value in the current header is unrecognized by the node, it should discard the packet.
IPv6 nodes must accept and attempt to process extension headers in any order and occurring any number of times in the same packet, except for the Hop-by-Hop Options header, which is restricted to appear immediately after the IPv6 header.
Each extension header should occur at most once, except for the Destination Options header, which should occur at most twice.
Source: RFC 2460
Problem Statement
Hop-by-Hop Options header and Routing header:
Only the Hop-by-Hop Options header and the Destination Options header can carry options encoded as Type-Length-Value (TLV).
Hdr Ext Len: an 8-bit unsigned integer giving the length of the options in 8-octet units.
Options: a variable-length field, of a length such that the complete Hop-by-Hop Options header is an integer multiple of 8 octets long; it contains one or more TLV-encoded options.
Routing header: the same format as the Hop-by-Hop Options header.
Source: RFC 2460
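To make the RFC 2460 rules on this and the previous slide concrete, the following is an added example written for this page in Python; it is not code from the thesis or from the thc-ipv6 tools used later. It walks the extension-header chain of a raw IPv6 packet and reports the conditions a defender would filter or rate-limit on: a Hop-by-Hop Options header that is not first, a header repeated beyond its allowed count, unknown TLV options, a Router Alert option (which makes every router on the path process the packet), a Routing header where no Mobile IPv6 is deployed, and an unrecognized Next Header value. The cap of eight extension headers, the allow-list of known option types, and the test packets produced by build_packet() are my assumptions, not values taken from the slides.

```python
"""Added example: validate an IPv6 extension-header chain against the
RFC 2460 rules quoted on the slides. Sample packets are constructed by
build_packet(); nothing here reads real traffic."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
NO_NEXT, ICMPV6, TCP, UDP = 59, 58, 6, 17
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
UPPER_LAYER = {NO_NEXT, ICMPV6, TCP, UDP}
ROUTER_ALERT = 5                      # option type from RFC 2711
KNOWN_OPTIONS = {0, 1, ROUTER_ALERT}  # Pad1, PadN, Router Alert (assumed allow-list)


def parse_options(body: bytes):
    """Decode the TLV options of a Hop-by-Hop or Destination Options header."""
    opts, i = [], 0
    while i < len(body):
        otype = body[i]
        if otype == 0:                # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 2 > len(body):
            raise ValueError("truncated option")
        olen = body[i + 1]
        if i + 2 + olen > len(body):
            raise ValueError("option length exceeds header")
        opts.append((otype, body[i + 2:i + 2 + olen]))
        i += 2 + olen
    return opts


def parse_chain(packet: bytes):
    """Walk the header chain; return ([(header type, body bytes)], upper-layer type)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = packet[6], 40, []
    while nh in EXTENSION_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hlen = 8                            # fixed size, no Hdr Ext Len field
        elif nh == AH:
            hlen = (packet[off + 1] + 2) * 4    # AH Payload Len is in 4-octet units
        else:
            hlen = (packet[off + 1] + 1) * 8    # Hdr Ext Len in 8-octet units, +1 for the first 8
        if off + hlen > len(packet):
            raise ValueError("extension header runs past packet end")
        chain.append((nh, packet[off + 2:off + hlen]))
        nh, off = packet[off], off + hlen
    return chain, nh


def check_packet(packet: bytes, max_ext_headers: int = 8, mobile_ipv6: bool = False):
    """Return a list of findings for one packet; an empty list means nothing suspicious."""
    try:
        chain, upper = parse_chain(packet)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings, counts = [], {}
    for index, (htype, body) in enumerate(chain):
        counts[htype] = counts.get(htype, 0) + 1
        if htype == HOP_BY_HOP and index != 0:
            findings.append("Hop-by-Hop Options not immediately after the IPv6 header")
        if htype in (HOP_BY_HOP, DEST_OPTS):
            try:
                opts = parse_options(body)
            except ValueError as exc:
                findings.append(f"malformed options: {exc}")
                continue
            unknown = [t for t, _ in opts if t not in KNOWN_OPTIONS]
            if unknown:
                findings.append(f"{len(unknown)} unknown option(s) in header {htype}")
            if htype == HOP_BY_HOP and any(t == ROUTER_ALERT for t, _ in opts):
                findings.append("Router Alert: every router on the path must process this packet")
    for htype, n in counts.items():
        limit = 2 if htype == DEST_OPTS else 1
        if n > limit:
            findings.append(f"extension header {htype} occurs {n} times (limit {limit})")
    if len(chain) > max_ext_headers:
        findings.append(f"{len(chain)} extension headers exceeds cap of {max_ext_headers}")
    if ROUTING in counts and not mobile_ipv6:
        findings.append("Routing Header present but no Mobile IPv6 nodes in the topology")
    if upper not in UPPER_LAYER:
        findings.append(f"unrecognized Next Header {upper}: discard")
    return findings


def build_packet(ext_headers, upper: int, payload: bytes = b"") -> bytes:
    """Constructed test packet (src 2001::1, dst 2001::2). ext_headers is a list of
    (header type, option bytes); each header is padded with Pad1 to a multiple of 8."""
    nh_values = [h[0] for h in ext_headers] + [upper]
    parts = []
    for (_, opts), nxt in zip(ext_headers, nh_values[1:]):
        body = opts + b"\x00" * ((-(len(opts) + 2)) % 8)
        parts.append(bytes([nxt, (len(body) + 2) // 8 - 1]) + body)
    ext = b"".join(parts)
    src = b"\x20\x01" + b"\x00" * 13 + b"\x01"
    dst = b"\x20\x01" + b"\x00" * 13 + b"\x02"
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), nh_values[0], 64)
    return fixed + src + dst + ext + payload
```

A plain ICMPv6 packet with no extension headers yields no findings; a packet whose chain is Destination Options followed by Hop-by-Hop yields the ordering finding; ten Destination Options headers in a row yield both the repetition finding and the cap finding, which is the shape of the "repeated headers" test cases in the Methodology section. Because parse_chain() checks every header length against the packet length before advancing, a truncated or oversized header is reported as malformed rather than read past the buffer.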
Problem Statement
Research questions:
1. What kind of impact can DoS attacks have on an IPv6 network?
2. How differently do network devices respond to this type of attack, locally or remotely, in terms of CPU utilization and bandwidth usage?
3. How can IPv6 networks be protected from DoS?
Prioritized target: remote area (somewhere on the Internet, in a different AS)
Related Work
1. IPv6 Security Analysis
A technical report by Jose Gonzalo Bejar (2014, Syracuse University). The IPv6 Security Analysis report explored MITM, DoS and reconnaissance attacks in purely IPv6-based networks.
Limitation: most of the attacks described in this report are only valid locally. Their method of launching DoS was based only on router advertisement messages, invalid gateways and ICMPv6 redirects.
Related Work
2. Handling of Overlapping IPv6 Fragments
Published by the Internet Engineering Task Force (IETF), written by Suresh Krishnan.
The IPv6 protocol allows overlapping fragments in the fragmentation process, and this raises security issues.
The fragmentation algorithm specified in the IPv6 protocol can cause security issues with firewalls, which fail to work properly on IPv6 for TCP packets:
A TCP packet with SYN=1 and ACK=1 is sent to the target behind the firewall.
The firewall assumes this packet is a response to a connection already requested by the target and allows it.
The attacker can then use the same fragment ID for the rest of their malicious traffic.
Methodology and Experiments
Tools: Wireshark; The Hacker's Choice (THC), open source.
Denial6 test cases:
1. Large Hop-by-Hop header with router alert
2. Large Destination Options header filled with unknown options
3. Hop-by-Hop header with router alert, 180 times repeated headers
4. Hop-by-Hop header with router alert option followed by a duplicated Destination Options header
5. IPv6 packets with AH header and ICMP protocol
6. First fragment packet, ICMP protocol, Hop-by-Hop header with router alert
7. Large Hop-by-Hop header filled with unknown options, without router alert
Methodology and Experiments
fragmentation6: selected 6 out of 36 combinations, those that were most effective on the remote routers.
11. Flooding the target node with only one fragment packet with ping request: 137 fragment headers in a complete fragment packet and a ping request as the data payload
12. Flooding the target node with only one fragment packet: 175 fragment headers in a complete fragment packet and a ping request as the data payload
35. Flooding the target node each time with 4 fragment packets, two-level multi-fragmentation:
1st fragment packet with 192 bytes of data
2nd fragment packet with 200 bytes of data, different ID and M flag reset
3rd fragment packet with offset 50 and 200 bytes of data, M flag set
4th fragment packet with offset 75 and 608 bytes of data, M flag set
Methodology and Experiments
fragmentation6:
36. Flooding the target node each time with 4 fragment packets, three-level multi-fragmentation:
1st fragment packet with 192 bytes of data, three fragment headers with ICMPv6 header
2nd fragment packet with 200 bytes of data, different ID and M flag reset
3rd fragment packet with offset 50 and 200 bytes of data, M flag reset
4th fragment packet with offset 75 and 608 bytes of data, M flag reset
26. Flooding the target node with just one fragment packet: one fragment packet with 1 byte of TCP data
25. Flooding the target node with just one fragment packet: one fragment packet with 0 bytes of TCP data
Test Bed
PC 1: Dell PC, Ubuntu
PC 2: Dell PC, Windows 7 Enterprise
PC 3: HP laptop, Linux 14.04.1 LTS
PC 4: Dell PC, Windows 7
ISP1: Cisco 2800 series, IOS Software, 2800, Version 12.4
ISP2: Cisco 2900 series, IOS Software, 2900, Version 15.2(4)
Existing Solutions
Proposed by some papers: implementation of IPsec to stop IPv6 spoofing.
IPsec itself can cause DoS due to its heavy processing overhead.
Therefore: NONE that we could find!
Results
Denial6: on remote target PC3
Limitation: we were unable to generate identical traffic speed from the attacker for these 7 test cases.
Results
Denial6: proposed solution, to STOP the malicious traffic
Denial6: proposed solution, to STOP the malicious traffic with an explicit ACL
Maximum speed generated by the attacker: 100 Mbps (1/10 of the ISP2 router's interface bandwidth)
Results
Fragmentation6
Areas of tests:
1. Fragmentation attack on the local area
2. Fragmentation on a remote router with two different traffic speeds
3. Proposed solution: fragmentation on a router acting as a firewall
Results
Fragmentation6: on the local area, 2001::2
Results
Fragmentation6: on the remote router
Maximum speed 100 Mbps, sorted by lowest impact on the local router
Results
Fragmentation6: on the remote router
Maximum speed 100 Mbps vs 10 Mbps (1/10 bandwidth), sorted from highest to lowest impact on the remote router
Results
Fragmentation6: proposed solution, to STOP the malicious traffic
Results
Fragmentation6: on the remote router with ACL on ISP2
Maximum speed 100 Mbps (1/10 of the ISP2 interface's bandwidth)
Results
Fragmentation6: on the remote router with ACL on ISP2
Maximum speed 100 Mbps (1/10 of the ISP2 interface's bandwidth)
Limitation: we were unable to generate identical traffic speed from the attacker for these 36 test cases.
Conclusions
1. Types of DoS attacks experimented with in this paper:
IPv6 extension header mechanism: Authentication Header; Hop-by-Hop option with and without router alert; Destination Options; large header size; many continuously repeated unknown headers within a packet
IPv6 fragmentation mechanism, with 36 different abnormal formats
2. Evaluation of ACLs
3. Tests for 'local area' and 'remote area'
Conclusions
4. Proposed solution, to lower the impact of such attacks:
Deny IPv6 fragments whose destination IPv6 address is a router, as close as possible to the attacker
Filter any IPv6 fragment packet with a data payload of less than 1280 bytes
Set a short deadline for the IPv6 fragments to arrive at the destination node
Deny any IPv6 packet with a Routing header if there is no Mobile IPv6 node in the topology
Use a more powerful CPU for routing nodes, or specify a fixed size for the IPv6 header in the IPv6 protocol
Define a fixed length for the Hop-by-Hop Options header
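The overlap rule from the IETF document cited on the Related Work slide (RFC 5722) and the deadline and minimum-size policies listed under item 4 above can be shown together in one reassembly queue. The Python below is an added example written for this page, not code from the thesis: on any overlap the entire datagram is discarded and later fragments carrying the same Identification are dropped as well; a non-last fragment shorter than the fragmentable part of a minimum-MTU packet (1232 bytes, i.e. 1280 minus the 40-byte fixed header and the 8-byte Fragment header, which is my reading of the slide's 1280-byte rule) or whose length is not a multiple of 8 octets discards the datagram; and a configurable deadline (5 seconds assumed) expires incomplete datagrams. The Fragment and Datagram classes, the log format, and every fragment in the usage are constructed for this example.

```python
"""Added example: an IPv6 reassembly queue that discards the whole datagram
on overlap (RFC 5722) and applies the deadline and minimum-size policies
proposed on the conclusions slide. All fragments are constructed inputs."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_MTU = 1280                                # IPv6 minimum link MTU
FRAGMENTABLE_ON_MIN_MTU = MIN_MTU - 40 - 8    # after fixed header and Fragment header


@dataclass
class Fragment:
    ident: int        # Identification field of the Fragment header
    offset: int       # Fragment Offset field, in 8-octet units
    more: bool        # M flag: True = more fragments follow
    data: bytes       # fragmentable part carried by this fragment


@dataclass
class Datagram:
    first_seen: float
    pieces: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (start, end, data)
    total: Optional[int] = None   # known once the M=0 fragment has arrived


class Reassembler:
    def __init__(self, deadline: float = 5.0,
                 min_nonlast_data: int = FRAGMENTABLE_ON_MIN_MTU):
        self.deadline = deadline
        self.min_nonlast_data = min_nonlast_data
        self.queue: Dict[int, Datagram] = {}
        self.poisoned: Dict[int, float] = {}   # ids whose later fragments are dropped too
        self.log: List[str] = []

    def expire(self, now: float) -> List[int]:
        """Drop datagrams (and poison marks) older than the deadline; return dropped ids."""
        stale = [k for k, d in self.queue.items() if now - d.first_seen > self.deadline]
        for k in stale:
            del self.queue[k]
            self.log.append(f"id {k}: reassembly deadline exceeded, datagram dropped")
        for k in [k for k, t in self.poisoned.items() if now - t > self.deadline]:
            del self.poisoned[k]
        return stale

    def add(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Feed one fragment; return the reassembled payload when the datagram is complete."""
        self.expire(now)
        key = frag.ident
        if key in self.poisoned:
            self.log.append(f"id {key}: fragment dropped, datagram already discarded")
            return None
        if frag.more and len(frag.data) < self.min_nonlast_data:
            self._discard(key, now, f"non-last fragment of {len(frag.data)} bytes is too small")
            return None
        if frag.more and len(frag.data) % 8:
            self._discard(key, now, "non-last fragment length is not a multiple of 8")
            return None
        d = self.queue.setdefault(key, Datagram(first_seen=now))
        start = frag.offset * 8
        end = start + len(frag.data)
        if any(start < e and s < end for s, e, _ in d.pieces):   # RFC 5722: any overlap at all
            self._discard(key, now, "overlapping fragment")
            return None
        d.pieces.append((start, end, frag.data))
        if not frag.more:
            if d.total is not None and d.total != end:
                self._discard(key, now, "conflicting last fragments")
                return None
            d.total = end
        # Disjoint pieces whose lengths sum to the total and end at the total cover [0, total).
        if d.total is not None and sum(e - s for s, e, _ in d.pieces) == d.total \
                and max(e for _, e, _ in d.pieces) == d.total:
            del self.queue[key]
            return b"".join(p[2] for p in sorted(d.pieces))
        return None

    def _discard(self, key: int, now: float, reason: str) -> None:
        self.queue.pop(key, None)
        self.poisoned[key] = now
        self.log.append(f"id {key}: {reason}, whole datagram discarded")
```

Two disjoint fragments (offset 0 with 1232 bytes, then offset 154 as the last piece) reassemble in either arrival order; a second fragment whose range overlaps the first poisons the Identification so that even a later, correct last fragment is dropped; an 8-byte non-last fragment is rejected outright; and a last fragment arriving after the deadline starts a new, incomplete datagram while the stale one is logged and freed. Keeping the poison mark until the deadline is what implements the RFC 5722 wording that fragments "not yet received" are discarded as well.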
Future Work
It might be a good idea to set a maximum length limit for extension headers, to avoid very long headers or many recursive illegitimate header options.
This requires changes to the IPv6 algorithms.
IPv6 ACLs cannot stop fragmented IPv6 packets.
THANK YOU
Methodology and Experiments
Denial6:
1. Large Hop-by-Hop header with router alert
2. Large Destination Options header filled with unknown options
Methodology and Experiments
3. Hop-by-Hop header with router alert option, with 180 times repeated headers
4. Hop-by-Hop header with router alert option followed by a duplicated Destination Options header
Methodology and Experiments
5. IPv6 packets with AH header and ICMP protocol
6. Just the first fragment packet of an ICMP packet, with a Hop-by-Hop header and router alert
Methodology and Experiments
7. Large Hop-by-Hop header filled with unknown options, without router alert
Methodology and Experiments
fragmentation6: selected 7 out of 36 combinations, those that were most effective on the remote routers.
11. Flooding the target node with only one fragment packet with ping request: 137 fragment headers in a complete fragment packet and a ping request as the data payload
Methodology and Experiments
fragmentation6:
35. Flooding the target node each time with 4 fragment packets, two-level multi-fragmentation:
1st fragment packet with 192 bytes of data, two fragment headers (the first fragment header points at the second packet, which has a different ID) with ICMPv6 header
2nd fragment packet with 200 bytes of data, different ID and M flag reset
3rd fragment packet with offset 50 and 200 bytes of data, M flag set
4th fragment packet with offset 75 and 608 bytes of data, M flag set
Methodology and Experiments
fragmentation6:
36. Flooding the target node each time with 4 fragment packets, three-level multi-fragmentation:
1st fragment packet with 192 bytes of data, three fragment headers with ICMPv6 header
2nd fragment packet with 200 bytes of data, different ID and M flag reset
3rd fragment packet with offset 50 and 200 bytes of data, M flag reset
4th fragment packet with offset 75 and 608 bytes of data, M flag reset
Methodology and Experiments
fragmentation6:
26. Flooding the target node with just one fragment packet: one fragment packet with 1 byte of TCP data
Methodology and Experiments
fragmentation6:
25. Flooding the target node with just one fragment packet, three-level multi-fragmentation: one fragment packet with 0 bytes of TCP data
Methodology and Experiments
fragmentation6:
27. Flooding the target node with 3 fragment packets:
First fragment
Second fragment
Third fragment packet with offset 0 and 0 bytes of data