attacking ipv6 implementation using fragmentation
play

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, - PowerPoint PPT Presentation

Aug 16, 2023 •276 likes •1.11k views

ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security analyst and researcher. Over 20 years of diverse Information

  1. ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science

  2. Bio • Independent IT Security analyst and researcher. • Over 20 years of diverse Information Technology experience. • Instructor and software developer, etc. • Hobbies: bug-finding. • Recently joined the Centre for Strategic Cyberspace + Security Science non-profit organisation. • E-mail: antonios.atlasis@cscss.org

  3. Presentation Outline • Some background regarding fragmentation in IPv4 and its consequences. • Fragmentation in IPv6. • Examination of fragmentation issues in IPv6 implementation against some of the most popular OS – Examples. • Conclusions

  4. Some Background

  5. IP Fragmentation • Usually a normal event. • Required when the size of the IP datagram is bigger than the Maximum Transmission Unit (MTU) of the route that the datagram has to traverse (e.g. Ethernet MTU=1500 bytes). • Packets reassembled by the receiver.

  6. Fragmentation in IPv4 • Share a common fragment identification number (which is the IP identification number of the original datagram). • Define its offset from the beginning of the corresponding unfragmented datagram, the length of its payload and a flag that specifies whether another fragment follows, or not. • In IPv4, this information is contained in the IPv4 header.

  7. IPv4 Header RFC 791 0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1 0 0 0 Verson IHL Type of Service Total Length Identification x D M Fragment Offset TTL Protocol Header Checksum Source Address Destination Address IP Options (optional) Don't Fragment More Fragments to Follow Don't Fragment

  8. IPv4 Fragmentation e.g. MTU: 1500 bytes (Ethernet) Unfragmented packet IPv4 Embedded protocol plus payload header (e.g.3200 bytes) IPv4 Fragment 1 header MF=0 MF=1, IPv4 Fragment 2 Offset=2960 offset =0 header Length=240 length=1480 MF=1, Offset=1480, IPv4 Fragment 3 length=1480 header

  9. (some of the) Consequences of malformed fragmentation

  10. When it all started • “ Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ”, by Thomas H. Ptacek, Timothy N. Newsham, , Secure Networks, Inc. , January, 1998. • Three classes of attacks were defined against IDS/IPS: – insertion, – evasion and – Denial of Service attacks.

  11. Insertion • When an IDS accepts a packet that the end- system rejects. • An attacker can use this type of attacks to defeat signature analysis and to pass undetected through an IDS.

  12. Insertion Target Ouch! IDS X EXP LOR I T E X P L O R I T The target rejects character “R”, which IDS accepts; this breaks the IDS signature. Signature content : EXPLOIT

  13. Evasion • When an end-system accepts a packet that an IDS rejects. • Such attacks are exploited even more easily that insertion attacks.

  14. Evasion Target Ouch! IDS X EXP LOIT E X P L O I T The target accepts character “O”, which IDS rejects; this breaks the IDS signature. Signature content : EXPLOIT

  15. Fragmentation Attacks • Disordered arrival of fragments. • IDS flooding by partial fragmented datagrams. • Selective dropping of old and incomplete fragmented datagram. • Overlapping fragments. • IP Options in Fragment Streams.

  16. What Changes in IPv6 (regarding fragmentation)

  17. In IPv6 • Fragmentation fields (offset, D and M bits) have been totally removed. • IPv6 header length is limited to 40 bytes, BUT the use of Extension Headers has been introduced. • These IPv6 Extension Headers add additional functionality.

  18. IPv6 Extension Headers • IPv6 header • Hop-by-Hop Options header • Destination Options header • Routing header • Fragment header • Authentication header • Encapsulating Security Payload header • Destination Options header (processed only by the receiver). This is the recommended order • Upper-layer header by RFC2460

  19. IPv6 Fragment Header • 0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1 0 0 0 • Next Header Reserved Fragment Offset Res M Identification • M : More Fragment bit. • Fragment offset : Offset in 8-octet units. • The is no DF ( Don't Fragment ) bit, because in IPv6 the fragmentation is performed only by the source nodes and not by the routers along a packet's delivery path. Each fragment, except possibly the last one, is an integer multiple of 8 octets long.

  20. IPv6 Fragmentation Unfragmented packet Unfragmentable Fragmentable part part IPv6 header + some of the extension headers Unfragmentable Fragment Fragment 1 part Header Unfragmentable Fragment Fragment 2 part Header Unfragmentable Fragment Fragment 3 part Header

  21. Recommended Handling of IPv6 Fragmentation • IPv6 attempts to minimise the use of fragmentation by: – Minimising the supported MTU size to 1280 octets or greater. If required, link-specific fragmentation and reassembly must be provided at a layer below IPv6. – Allowing only the hosts to fragment datagrams.

  22. Recommended Handling of IPv6 Fragmentation • RFC5722 recommends that overlapping fragments should be totally disallowed: – when reassembling an IPv6 datagram, if one or more of its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments, including those not yet received) must be silently discarded.

  23. Let's play a bit!

  24. Our Targets Windows 7 OpenBSD 5.0 Ubuntu 10.04.3 LTS FreeBSD 8.2-p3 i386 i386 2.6.32-38 i386 i386 IPv6: fec0::6/64 IPv6: fec0::5/64 IPv6: fec0::2/64 IPv6: fec0::4/64 FreeBSD 9 Ubuntu 11.10 amd64 3.0.0-15 i386 IPv6: fec0::7/64 IPv6: fec0::3/64

  25. Our Attacking Tool • Scapy – A powerful interactive packet manipulation program. – http://www.secdev.org/projects/scapy/

  26. The Used Protocol for our Testing Purposes • As an upper-layer protocol, the ICMPv6 was used (Echo Request type): – It is the simplest protocol that can invoke a response. – It also echoes back the payload of the Echo Request packet • Hence, using unique payload per packet, the fragmentation reassembly policy of the target can be easily identified.

  27. Using Tiny Fragmentation (without overlapping)

  28. Using of Small Fragments 8 bytes time Payload of fragment 2 8 bytes = payload of ICMPv6 Payload of fragment 1 = ICMPv6 Header IPv6 net packet payload per fragment

  29. The Code #!/usr/bin/python IPv6 header payload : 16 bytes from scapy.all import * 8 bytes fragment header + 8 bytes embedded protocol #IPv6 parameters sip="fec0::1" dip="fec0::2" conf.route6.add("fec0::/64",gw="fec0::1") Offset : 1 octet payload1="AAAAAAAA" no overlapping ipv6_1 =IPv6(src=sip, dst=dip, plen=16 ) icmpv6=ICMPv6EchoRequest(cksum=0x7d2b) #Fragment frag1=IPv6ExtHdrFragment( offset=0 , m=1, id=502, nh=58) frag2=IPv6ExtHdrFragment( offset=1 , m=0, id=502, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload1 send(packet1) send(packet2)

  30. Demo: tiny fragmentation

  31. Results • All of the tested OS sent an echo reply to the sender. • Hence, all major OS accept fragments as small as 56 bytes (including IPv6 header = 40 bytes IPv6 Header + 8 bytes Fragment Header + 8 bytes of ICMPv6 Header).

  32. So, what's the big deal?

  33. Tiny Fragmentation Consequences • In IPv4, the embedded protocol's header, e.g. st TCP (or at least a part of it) has to be in the 1 fragment. • Firewall evasions could occur if a subsequent fragment would overwrite the TCP header (e.g. the destination port, the SYN/ACK flags, etc.) • To this end, RFC 1858 defined that: IF FO=1 and PROTOCOL=TCP then DROP PACKET.

  34. Tiny Fragmentation Consequences in IPv6 • At least one extension header can follow the Fragment Header: The Destination header. • But, the total length of the Destination Options header can reach 264 bytes (RFC 2462). • Hence, using 8-bytes fragments, we can split the Destination Option headers to 33 fragments!

  35. What does this mean? • The layer-4 protocol header will start at the 34th fragment! • And unless Deep Packet Inspection (= complete IP datagram reassembly before forwarding it), this can lead to firewall evasion, without having to overlap any fragments (as it was the case in IPv4)!

  36. What does this mean? • This number can increase if we increase the number of the used extension headers that follow the fragment extension header (although not recommended by RFC 2460, but, who cares?).

  37. Creating a very simple fragmentation overlapping

  38. Testing Fragmentation Overlapping 12 overlapping Payload of fragment 2 time 10 8 Column 1 Payload of fragment 1 6 Column 2 Column 3 4 IPv6 net packet payload per fragment 2 0 Row 1 Row 2 Row 3 Row 4

  39. (part of) the code payload1 = '' for i in range(1272): 8 bytes fragment header + payload1 = payload1 + 'A' 1280 bytes of payload = 160 payload2 = '' octets of payload for i in range(1280): payload2 = payload2 + "B" ipv6_1=IPv6(src=sip, dst=dip, plen=1288) icmpv6=ICMPv6EchoRequest(cksum=0x5610, data=payload1) #Fragment frag1=IPv6ExtHdrFragment(offset=0, m=1, id=511, nh=58) frag2=IPv6ExtHdrFragment(offset=1, m=0, id=511, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload2 Correct offset = 160 send(packet1) send(packet2)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPv6 Addressing and IPv6 Addressing and Implementation Implementation Rodolfo Kohn Software

IPv6 Addressing and IPv6 Addressing and Implementation Implementation Rodolfo Kohn Software

IPv6 Addressing and IPv6 Addressing and Implementation Implementation Rodolfo Kohn Software Architect Intel Software de Argentina rodolfo.kohn@intel.com IPv6 - Agenda Why IPv6? No business case Different drivers IPv6 main

440 views • 28 slides
IPv Implementation - The Naked Truth By Dr. Omar Amer Abouabdalla IPv6 Global Sdn. Bhd.

IPv Implementation - The Naked Truth By Dr. Omar Amer Abouabdalla IPv6 Global Sdn. Bhd.

IPv Implementation - The Naked Truth By Dr. Omar Amer Abouabdalla IPv6 Global Sdn. Bhd. omar@ipv6global.my Things to Connect to Internet Why IPv6??? No more room in IPv4 Quite empty in IPv6 IPv6 Implementation to to Where to

274 views • 24 slides
IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie , Justin Rohrer Naval Postgraduate School CAIDA {wdbrinkm,rbeverly,jprohrer}@nps.edu mjl@caida.org February 6-8, 2013 ISMA 2013 AIMS-5 -

513 views • 24 slides
IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie

IPv6 Alias Resolution via Induced Fragmentation Billy Brinkmeyer, Robert Beverly, Matthew Luckie , Justin Rohrer Naval Postgraduate School CAIDA {wdbrinkm,rbeverly,jprohrer}@nps.edu mjl@caida.org March 18-19, 2013 PAM 2013 - 14th

718 views • 23 slides
To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

S C I E N C E P A S S I O N T E C H N O L O G Y To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures Peter Pessl 1 , Leon Groot Bruinderink 2 , Yuval Yarom 3 1 Graz University of

416 views • 27 slides
FOSDEM 2020 Bruxelles IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

FOSDEM 2020 Bruxelles IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

Scope & Objectives Scoped IPv6 Address Support Qualifying the DNS (stub) Resolver Case Studies & Outlook Backup Slides Literature FOSDEM 2020 Bruxelles IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

314 views • 20 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6 Global allocations by RIR APNIC 337 21% RIPENCC 737 45% ARIN 438 LACNIC AFRINIC 27% 87 37 5% 2% Unit: IPv6 pref i x 3 IPv6

603 views • 24 slides
IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6

IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6

IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6 Ready Logo Goal 2001-Present: Conformance and Interoperability test program intended to increase user confidence and promote IPv6 deployment.

403 views • 11 slides
Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN

Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN

Topic # 3 Fragmentation of Social Safety Nets: Institutional challenges Outline Why Fragmentation? Overview on the reasons and levels of SSN program fragmentation (Inas) Case studies of Pakistan (Shereen), Kenya (Stefanie), and

488 views • 18 slides
IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already Here Monash IPv6 Progress Addressing End Systems Monitoring Network Address Usage Traffic Monitoring Problems IPv6 is Coming

779 views • 41 slides
IPv6 Addressing Plan Webinar Learning & Development Why Create an Addressing Plan? Bene

IPv6 Addressing Plan Webinar Learning & Development Why Create an Addressing Plan? Bene

IPv6 Addressing Plan Webinar Learning & Development Why Create an Addressing Plan? Bene fi ts of an IPv6 addressing plan - Mental health during implementation (!) - Easier implementation of security policies - E ffi cient addressing

478 views • 29 slides
Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA <keiichi@iijlab.net> IIJ Research Laboratory / WIDE project Contents IPv6 service in Japan How I live Example of IPv6 configuration Some news of IPv6

653 views • 16 slides
Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6

Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6

Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A =

617 views • 20 slides
Networking CS 4410 Operating Systems [R. Agarwal, L. Alvisi, A. Bracy, M. George, F.B.

Networking CS 4410 Operating Systems [R. Agarwal, L. Alvisi, A. Bracy, M. George, F.B.

Networking CS 4410 Operating Systems [R. Agarwal, L. Alvisi, A. Bracy, M. George, F.B. Schneider, E.G. Sirer, R. Van Renesse] Outline Big overall picture Then bottom-up 2 Basic Network Abstraction A process can create

1.56k views • 118 slides
CS 457 Lecture 10 Internetworking and IP Fall 2011 The Network layer Transport layer:

CS 457 Lecture 10 Internetworking and IP Fall 2011 The Network layer Transport layer:

CS 457 Lecture 10 Internetworking and IP Fall 2011 The Network layer Transport layer: TCP, UDP IP protocol Routing protocols addressing conventions path selection datagram format RIP, OSPF, BGP Network

320 views • 18 slides
Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services

Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services

Ubiquitous and Secure Networks and Services: SunSpot Development Platform Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and Services Ubiquitous and Secure Networks and

489 views • 25 slides
Physical Input and Tangible Computing Bjrn Hartmann (bjoern@cs) 08 November 2006

Physical Input and Tangible Computing Bjrn Hartmann (bjoern@cs) 08 November 2006

stanford hci group / cs147 Physical Input and Tangible Computing Bjrn Hartmann (bjoern@cs) 08 November 2006 http://cs147.stanford.edu Learning Goals Be familiar with the space of input devices, their properties and tradeoffs Be able

716 views • 60 slides
CS 640: Introduction to Computer Networks Aditya Akella Lecture 9 - IP: Packets and Routers

CS 640: Introduction to Computer Networks Aditya Akella Lecture 9 - IP: Packets and Routers

CS 640: Introduction to Computer Networks Aditya Akella Lecture 9 - IP: Packets and Routers The Road Ahead Last lecture How does choice of address impact network architecture and scalability? What do IP addresses look like?

244 views • 12 slides
Internet Protocol (IP) Internet Protocol (IP) TCP versus UDP TCP versus UDP Low Low-

Internet Protocol (IP) Internet Protocol (IP) TCP versus UDP TCP versus UDP Low Low-

Special Course on Networked Virtual January 30, 2004 Environments Internet Protocol (IP) Internet Protocol (IP) TCP versus UDP TCP versus UDP Low Low- -level protocols used by hosts and routers level protocols used by hosts and routers

274 views • 5 slides
IETF Integrated Services Specification of Guaranteed Quality of Service (RFC 2212)

IETF Integrated Services Specification of Guaranteed Quality of Service (RFC 2212)

CPSC-663: Real-Time Systems IETF Integrated Services IETF Integrated Services Specification of Guaranteed Quality of Service (RFC 2212) Resource Reservation Protocol (RFC 2205) Example of a real-time connection establishment

419 views • 8 slides
Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer!

Transport Layer (TCP/UDP) Where we are in the Course Moving on up to the Transport Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Recall Transport layer provides end-to-end connectivity across

528 views • 31 slides

More recommend