IPv6 Intrusion Detection Research Project



Similar documents
IPv6 Security Assessment and Benchmarking Abstract Test Suite

Security of IPv6 and DNSSEC for penetration testers

testing your IPv6-firewall with ft6

Testing IPv6 Firewalls with ft6

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna Marc Heuse

IPv6 Security Analysis

ip6tables testing ip6tables Oliver Eggert (Universität Potsdam) ft6: firewall tester for IPv6 Folie 1 von 12

IP(v6) security. Matěj Grégr. Brno University of Technology, Faculty of Information Technology. Slides adapted from Ing.

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

IPv6 Security Nalini Elkins, CEO Inside Products, Inc.

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

IPv6 Hardening Guide for Windows Servers

Introduction to IP v6

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Firewalls und IPv6 worauf Sie achten müssen!

ICSA Labs Network Protection Devices Test Specification Version 1.3

Tomás P. de Miguel DIT-UPM. dit UPM

IPv6 Fundamentals: A Straightforward Approach

Firewalls and Intrusion Detection

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

A Sampling of Internetwork Security Issues Involving IPv6

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

IPv6 First Hop Security Protecting Your IPv6 Access Network

Practical Security Assessment of IPv6 Networks and Devices. Fernando Gont

IPv6 Security ::/0. Poland MUM Warsaw March, 2012 Eng. Wardner Maia Brazil

Security Assessment of Neighbor Discovery for IPv6

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Vulnerabili3es and A7acks

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

IPv6 Security from point of view firewalls

C)PTC Certified Penetration Testing Consultant

Advanced Honeypot Architecture for Network Threats Quantification

IPV6 FRAGMENTATION. The Case For Deprecation. Ron Bonica NANOG58

IPv6 Associated Protocols

Dedication Preface 1. The Age of IPv6 1.1 INTRODUCTION 1.2 PROTOCOL STACK 1.3 CONCLUSIONS 2. Protocol Architecture 2.1 INTRODUCTION 2.

Security Advisory. Some IPS systems can be easily fingerprinted using simple techniques.

IPv6 Security. Scott Hogg. Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610

Intrusion Detection Systems

Packet filtering and other firewall functions

Overview. Lecture 16: IP variations: IPv6, multicast, anycast. I think we have a problem. IPv6. IPv6 Key Features

ITL BULLETIN FOR JANUARY 2011

Traffic Monitoring : Experience

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Recent Advances in IPv6 Security. Fernando Gont

Moonv6 Test Suite. IPv6 Firewall Functionality and Interoperablility Test Suite. Technical Document. Revision 0.6

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

SEcure Neighbour Discovery: A Report

Distributed Denial of Service (DDoS)

IPv6 Fundamentals Ch t ap 1 er I : ntroducti ti t on I o P IPv6 Copyright Cisco Academy Yannis Xydas

VoIP Fraud and Misuse

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec. Leonardo Serodio May 2013

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Telematics. 9th Tutorial - IP Model, IPv6, Routing

Certified Penetration Testing Consultant

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

CS5008: Internet Computing

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Personal Firewall Default Rules and Components

Chapter 9. IP Secure

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Firewall Firewall August, 2003

Beginner s Guide to Securing IPv6

IPv6 Infrastructure Security

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

Honeyd Detection via Packet Fragmentation

HONEYD (OPEN SOURCE HONEYPOT SOFTWARE)

Security with IPv6 Explored. U.S. IPv6 Summit Renée e Esposito Booz Allen Hamilton Richard Graveman RFG Security

8.2 The Internet Protocol

Network Defense Tools

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewall Design Principles Firewall Characteristics Types of Firewalls

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Firewalls. Mahalingam Ramkumar

Securing the system using honeypot in cloud computing environment

Mobility on IPv6 Networks

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Internet Protocol Version 6 (IPv6)

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls Netasq. Security Management by NETASQ

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Content Distribution Networks (CDN)

IDS / IPS. James E. Thiel S.W.A.T.

Network/Internet Forensic and Intrusion Log Analysis

Covert Channels. Some instances of use: Hotels that block specific ports Countries that block some access

Transcription:

IPv6 Intrusion Detection Research Project Carsten Rossenhövel, EANTC AG Sven Schindler, Universität Potsdam Co-Financed By:

Project Goals Independently assess the true, current risks of IPv6 attacks Develop intrusion detection tools for IPv6 Assess the readiness of commercial firewalls to cope with intrusion attempts Jointly conducted by Beuth University of Applied Sciences, Berlin; University of Potsdam; Strato AG and EANTC AG. Co-funded by German Federal Ministry of Education and Research Testing and Consultancy services for the service provider network life cycle Network design consultancy and proof of concept testing RfP support, acceptance testing and network audits Vendor neutral technology seminars

Project Steps 2011-2013 Analyze IPv6 Security Threats Develop and Test Intrusion Detection Tool Install Darknet To Monitor Activity Install Honeynet To Attract Attacks

IPv6 Darknet Live since February 2012, 99.90 % availability Set up two directly attached darknets, one via tunnel broker Completely passive no routes announced; darknet did not respond in any case Should receive only backscatter traffic or attacks Collector EANTC /48 Collector UniP /64 Collector Beuth /64 Deutsche Telekom CompanyConnect 6in4 DFN German Research Network Hurricane Electric

IPv6 Darknet Results Received only 1,145 packets in five months! Mostly TCP backscatter (SYN/ACK-bits set) No ICMP or DNS requests Example: 186 backscatter packets arrived from one IRC server in Cape Town probably a victim of a DDOS attack

IPv6 Darknet Results (2) How to crawl address spaces in IPv6? Incremental address search infeasible in IPv6 Possible solution: Distribute new prefix for IPv6 address autoconfiguration, triggering Duplicate Address Detection responses Possible solution: Send ICMPv6-echo request to the AllNodes multicast group No attacker used smart methods like the above; Result matched expectations With advertised routes, things change: Sandia.gov received 70 packets/s on a /12 darknet in 2012 http://www.caida.org/workshops/dust/1205/slides/dust1205_cdeccio.pdf

IPv6 Honeynet (honeydv6) Project team extended low-interaction open source honeyd to support IPv6 (original author: Niels Provos) What is standard honeyd? Emulates a complete network Uses nmap fingerprints to mimic a range of operating systems Captures packets via pcap library We: Added IPv6 extension header, fragmentation, ICMPv6 support

Honeyd Administration Interface

Honeyd Test with OpenVAS We validated the implementation with OpenVAS (free vulnerability assessment tool) Honeydv6 detects all newly introduced attacks Next: Install honeyd at large-scale data center site of the associated project partner (www.strato.de)

Development of New/Extended IPv6 Attacks Scapy Toolkit Snort V6 Plugin Open source flexible packet generation toolkit for IPv4/IPv6 packets with arbitrary headers Project created GUI to simplify Scapy use without programming knowledge Open source intrusion detection tool Project extended it for special IPv6 attacks detection beyond trivial basics

The Hacker s Choice (THC) IPv6 Attack Toolkit Project based IPv6 attacks on THC s tool Tools/Attacks/Test Suite initiated by van Hauser Parasite6: icmp neighbor solicitation/advertisement spoofer Fake_router6: Announce yourself as a router with the highest priority dos-new-ipv6: Detect new IPv6 devices and tell them that their chosen IP collides on the network Flood-router6: Flood a target with random router advertisements http://thc.org/thc-ipv6/

IPv6 Extension Headers IPv6 extension headers are a source of potential attacks Variety and complexity challenging for any implementation Some headers are to be inspected on each hop, some only at destination +---------------+----------------+-----------------+----------------- IPv6 header Routing header Fragment header fragment of TCP header + data Next Header = Next Header = Next Header = Routing Fragment TCP +---------------+----------------+-----------------+-----------------

Hop-by-Hop and Destination Options Router Alert RFC 2711 Padding Pad1, PadN IPv6 Jumbograms RFC 2675 Tunnel Encapsulation Limit RFC 2473 IP Mobility Home Address RFC 6275 Action to take when option is not recognized is encoded in the option type.

Detection of Attacks With Snort Free lightweight network intrusion detection system Open source; rulesets maintained by Sourcefire IPv6 extensions available at http://www.idsv6.de

Attacks Included in Test Plan 1. ICMPv6 Filtering 2. Type 0 Routing Header 3. IPv6 Header Chain Inspection 4. Overlapping IPv6 Fragments 5. Tiny IPv6 Fragments 6. Excessive Hop-by-Hop Option 7. PadN Covert Channel 8. Address Scopes 9. Spoofed Neighbor Discovery 10. Duplicate Address Detection 11. Spoofed Redirect Message 12. Spoofed Zero-Lifetime Router Advertisement Message 13. Router Advertisements Flooding 14. Neighbor Advertisements Flooding

Outlook Project nears completion Honeydv6 evaluation pending Project partners in the process of publishing tools (under GPL) to ease attack testing for SPs and enterprises EANTC is going to publish an open source IPv6 firewall test plan with functional attacks and performance test cases EANTC may publish firewall test results in the future

Thank You For Your Interest! For further information, please contact us: EANTC AG Salzufer 14 D-10587 Berlin Germany Phone: +49.30.318 05 95-0 Fax: +49.30.318 05 95-10 E-mail: info@eantc.de www.eantc.de

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information