Sunday, February 16, 2014

IPv6 DoS attack using router flooding


This is one of the simplest DoS attacks I have seen. It is very easy to carry out and its effects are devastating. It differs from a typical DoS attack in that even after the attacker stops, the victim machines' resources are not freed, which makes it particularly damaging. The other difference is that it only works from inside the LAN: Router Advertisements are link-local traffic that a router never forwards, so the attacker must be on the same link as the victims.

Before we get to the attack and its mitigations, we need to understand a little about IPv6 and how it configures addresses.

Stateless autoconfiguration in IPv6 and Router Advertisement packets

When a machine receives its address from a DHCP server, that is a stateful configuration: the server keeps track of which address it leased to whom (a statically assigned address is simply manual configuration). An IPv6 host additionally has the ability to build a globally routable address on its own, without ever talking to a DHCPv6 server. This is known as stateless address autoconfiguration (SLAAC, RFC 4862).

The host builds the address from network prefixes advertised in what are known as Router Advertisement packets (RA), ICMPv6 type 134. Each RA carries one Prefix Information option per prefix; the A (autonomous) flag on a prefix tells hosts that they may build an address from it themselves, while the M and O flags in the RA header tell them whether to also contact a DHCPv6 server. So the router, not the host, decides which prefixes are used for stateless addressing.

So whenever a host receives an RA carrying an autonomous prefix, it combines that prefix with an interface identifier (derived from its MAC address, or randomly generated) and assigns the resulting address to itself. RAs are sent to the all-nodes multicast address ff02::1, so every host on the link processes every RA.

By default, all modern OSes act on RA packets without verifying or authenticating the router; SEND (RFC 3971) exists for that purpose but is not deployed by default anywhere. Interestingly, OSes like Windows (7 and 8) and FreeBSD do not put an upper limit on the number of such stateless networks a machine can belong to (an IPv6 interface can legitimately hold addresses in many prefixes at once).

Moreover, creating and maintaining each new address is not free: every one needs duplicate address detection, a route for its prefix and neighbour cache state, which costs CPU and memory.

These are the key ingredients of the attack.

Suppose an attacker on the link rapidly sends bogus Router Advertisements, each carrying a different prefix. Every host on the link creates a new address and route for each one; on Windows and FreeBSD nothing caps this, so at some point memory and CPU usage climb until the machine is overwhelmed. In fact, a tool written to exploit this behaviour can bring down an entire network of IPv6 hosts within seconds.
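To make the mechanism concrete, here is an added example, not code from the post or from the THC-IPv6 toolkit. It builds and parses a constructed Router Advertisement (checksum left at zero, since a real one needs the IPv6 pseudo-header), derives the SLAAC address a host would form from a prefix and an assumed MAC (00:11:22:33:44:55), and then feeds a simulated host one RA per bogus prefix, the way a flood works. The host model is deliberately simple; the cap of 16 used for comparison is the default of Linux's net.ipv6.conf.<interface>.max_addresses sysctl, which the post does not discuss.

```python
import struct
import ipaddress

# ICMPv6 Neighbor Discovery constants (RFC 4861)
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
PREFIX_FLAG_ONLINK = 0x80      # "L" bit
PREFIX_FLAG_AUTONOMOUS = 0x40  # "A" bit: hosts may build a SLAAC address from this prefix


def build_router_advertisement(prefixes, router_lifetime=1800):
    """ICMPv6 payload of an RA carrying one Prefix Information option per prefix,
    all with L and A set. Checksum is zero: this is a constructed packet for parsing,
    not something that would be accepted on the wire."""
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,  # type, code, checksum
                         64, 0, router_lifetime,             # cur hop limit, M/O flags, lifetime
                         0, 0)                               # reachable time, retrans timer
    options = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        options += struct.pack("!BBBBIII",
                               OPT_PREFIX_INFORMATION, 4,   # type, length in 8-byte units
                               net.prefixlen, PREFIX_FLAG_ONLINK | PREFIX_FLAG_AUTONOMOUS,
                               2592000, 604800, 0)           # valid, preferred, reserved
        options += net.network_address.packed
    return header + options


def parse_router_advertisement(payload):
    """Return (prefix, prefix_len) for every Prefix Information option with the A flag,
    walking the option chain the way a host's ND code does. Raises on malformed input."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    if payload[0] != ICMPV6_ROUTER_ADVERTISEMENT or payload[1] != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 4.6: discard the packet
        option = payload[offset:offset + opt_len * 8]
        if len(option) < opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len, flags = option[2], option[3]
            prefix = str(ipaddress.IPv6Address(option[16:32]))
            if flags & PREFIX_FLAG_AUTONOMOUS and prefix_len == 64:
                prefixes.append((prefix, prefix_len))
        offset += opt_len * 8
    return prefixes


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 identifier, as SLAAC does (RFC 4862 5.5.3)."""
    net = ipaddress.IPv6Address(prefix).packed[:8]
    return str(ipaddress.IPv6Address(net + eui64_interface_id(mac)))


class SlaacHost:
    """Minimal model of a host reacting to RAs. max_addresses=None models the uncapped
    behaviour the post describes for Windows 7/8 and FreeBSD; 16 is Linux's default
    net.ipv6.conf.<if>.max_addresses (an assumption about the model, not measured data)."""
    def __init__(self, mac, max_addresses=None):
        self.mac = mac
        self.max_addresses = max_addresses
        self.addresses = set()

    def receive(self, ra_payload):
        for prefix, _plen in parse_router_advertisement(ra_payload):
            if self.max_addresses is not None and len(self.addresses) >= self.max_addresses:
                return  # capped host ignores further prefixes
            self.addresses.add(slaac_address(prefix, self.mac))


def simulate_flood(host, count):
    """Send `count` RAs, each with a fresh bogus prefix (what a router flood does),
    and return how many addresses the host ends up holding."""
    for i in range(count):
        bogus = "2001:db8:%x:%x::/64" % (i >> 16, i & 0xFFFF)  # documentation prefix, constructed
        host.receive(build_router_advertisement([bogus]))
    return len(host.addresses)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed victim MAC
    print("one RA ->", parse_router_advertisement(build_router_advertisement(["2001:db8:1::/64"])))
    print("SLAAC address:", slaac_address("2001:db8:1::", mac))
    print("uncapped host after 1000 RAs:", simulate_flood(SlaacHost(mac), 1000))
    print("host capped at 16 after 1000 RAs:", simulate_flood(SlaacHost(mac, 16), 1000))
```

The point of the two simulate_flood calls is the difference between them: the uncapped host gains one address (plus its route and neighbour state) for every packet it hears, so the attacker's packet rate translates directly into the victim's memory and CPU cost, whereas a host with a ceiling stops growing after the first few RAs.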

The IPv6 router flood attack


All you need is the flood_router6 tool from the THC-IPv6 toolkit, which ships with Kali Linux. Connect your machine to the LAN and simply run it. Because RAs go to the all-nodes multicast address, you cannot direct this attack at a particular host: it will bring down every IPv6 host on the link.

It is as easy as running:

flood_router6 [interface]

For demonstration I ran a Kali VM and connected my laptop with another. Both were running Windows 7. I ran this command and within seconds the CPU spiked to 100% utilisation. In fact, even after stopping the attack the machine remained unresponsive and I had to reboot the machine!

[Image: IPv6 addresses bound to the attacked machine]

[Image: Wireshark capture of the attack]

[Image: CPU utilisation half an hour after stopping the attack]

Solutions:


There are many ways to stop this attack.

1) Disabling router discovery

System administrators can disable router discovery on each host. The machine then discards every RA, bogus or genuine, so it will no longer learn a default router or SLAAC prefix from the real router either; this is acceptable only where IPv6 is unused on that host or its address and default route are configured by hand. (On Windows 8 and later the same setting is also exposed in PowerShell through the RouterDiscovery parameter of Set-NetIPInterface.)

netsh int ipv6 set int "[int number]" routerdiscovery=disabled

To find your interface number run the command

netsh interface ipv6 show interface

The same show interface command with the interface number appended lists that interface's settings, including the current Router Discovery value, so you can confirm the change took effect.

[Image: disabling router discovery]

[Image: the netsh show interface command]

2) RA Guard:

Managed switches from several vendors offer an RA Guard feature (RFC 6105) that drops Router Advertisements arriving on ports not designated as router-facing. Turning it on mitigates this attack at the switch, before the RAs reach any host, although the script has a few advanced options (fragmenting the RA, or hiding it behind extension headers) that can be used to defeat simpler implementations. More about this in a later post.


3) Using a firewall to block such packets. A host firewall can drop inbound ICMPv6 type 134 (Router Advertisement); Windows Firewall admits them through a predefined Core Networking inbound rule for Router Advertisements, and disabling that rule has the same effect. As with option 1, this also discards the genuine router's advertisements, so it is a per-host fix with the same trade-off.
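Where neither RA Guard nor a host-side block is in place, the flood is at least easy to spot in a capture. The following is an added example, not code from the post or from any switch vendor: it applies an RA Guard style policy offline to a one-line-per-RA export of a capture (the line format is constructed here; the timestamps, MACs and prefixes are invented for the example). It flags RAs from a source other than the known router, prefixes the known router should not be advertising, and any source exceeding a rate threshold, which is the signature of a router flood.

```python
import ipaddress
import re
from collections import Counter, defaultdict, deque

# Constructed sample: one line per Router Advertisement, the sort of export a field
# extraction from a capture would give. Values are invented for this example.
SAMPLE_LOG = """\
1392540000.100 src_mac=00:50:56:aa:bb:cc prefix=2001:db8:1::/64
1392540200.100 src_mac=00:50:56:aa:bb:cc prefix=2001:db8:1::/64
1392540400.100 src_mac=00:50:56:aa:bb:cc prefix=2001:db8:2::/64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) src_mac=(?P<mac>[0-9a-f:]{17}) prefix=(?P<prefix>[0-9a-f:]+/\d{1,3})$",
    re.IGNORECASE)


def constructed_flood_lines(attacker_mac, start_ts, count, interval=0.002):
    """What `count` RAs from a router flood look like in the same format: a new bogus
    prefix in every packet, a couple of milliseconds apart. Constructed test input."""
    return ["%.3f src_mac=%s prefix=2001:db8:bad:%x::/64" % (start_ts + i * interval, attacker_mac, i)
            for i in range(count)]


class RaPolicy:
    """Software equivalent of an RA Guard policy, applied offline to a capture:
    only listed routers may send RAs, only listed prefixes may be advertised,
    and no source may exceed a rate. A real RA Guard enforces this per switch port."""

    def __init__(self, trusted_routers, allowed_prefixes, max_per_window=5, window=1.0):
        self.trusted_routers = {m.lower() for m in trusted_routers}
        self.allowed_prefixes = {str(ipaddress.IPv6Network(p, strict=False)) for p in allowed_prefixes}
        self.max_per_window = max_per_window  # RAs per source per window before it is a flood
        self.window = window                  # seconds

    def detect(self, lines):
        alerts = []                  # (timestamp, reason, detail); one alert per distinct finding
        seen = set()
        recent = defaultdict(deque)  # source MAC -> timestamps inside the sliding window
        for line in lines:
            m = LINE_RE.match(line.strip())
            if not m:
                continue             # not an RA line
            ts = float(m["ts"])
            mac = m["mac"].lower()
            prefix = str(ipaddress.IPv6Network(m["prefix"], strict=False))

            if mac not in self.trusted_routers:
                finding = ("unauthorized-router", mac)
            elif prefix not in self.allowed_prefixes:
                finding = ("unknown-prefix", "%s advertised %s" % (mac, prefix))
            else:
                finding = None
            if finding and finding not in seen:
                seen.add(finding)
                alerts.append((ts,) + finding)

            q = recent[mac]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            flood_key = ("ra-flood", mac)
            if len(q) > self.max_per_window and flood_key not in seen:
                seen.add(flood_key)
                alerts.append((ts, "ra-flood", "%s sent %d RAs within %gs" % (mac, len(q), self.window)))
        return alerts


def summarize(alerts):
    """Count alerts by reason."""
    return dict(Counter(reason for _ts, reason, _detail in alerts))


def run_sample():
    """Legitimate router plus a 50-packet flood from an attacker MAC (constructed)."""
    policy = RaPolicy(trusted_routers=["00:50:56:aa:bb:cc"], allowed_prefixes=["2001:db8:1::/64"])
    lines = SAMPLE_LOG.splitlines() + constructed_flood_lines("08:00:27:13:37:42", 1392540500.0, 50)
    return policy.detect(lines)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
    print(summarize(run_sample()))
```

On the sample this yields three alerts: the legitimate router advertising a prefix it should not, the attacker MAC as an unauthorized router, and the rate alert the moment the attacker's sixth RA lands inside a one-second window. The rate rule matters because a flood of plain RAs is unmistakable, but it only sees what the capture decoder labelled as an RA; the fragmentation and extension-header tricks mentioned under RA Guard are aimed precisely at making the ICMPv6 type invisible to such inspection.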

Conclusion


This attack is very damaging since it renders the machine totally unusable, and only a reboot brings it back. Moreover, many current operating systems, including Windows 7, Windows 8, Surface and Android, are vulnerable. Since all modern OSes are IPv6 ready and listen for RA packets whether or not IPv6 is actually deployed on the network, this attack can create chaos in a network.

