A Sampling of Internetwork Security Issues Involving IPv6




A Sampling of Internetwork Security Issues Involving IPv6
John Kristoff, jtk@cymru.com
FIRST 2013, John Kristoff, Team Cymru

Agenda
- diff -u ipv4 ipv6 | head
- What is the netsec community working on?
- How do the usual threats change, if they do?
- What new headaches arise with the transition glue?
- What are the miscreants doing?

IPv4 vs. IPv6 Header Formats

96 more bits, no magic?
- OS protocol stack software and APIs
- Address manipulation and storage
- Neighbor discovery
- Auto-configuration
- ICMPv6
- Fragmentation on an end-to-end basis only
- Network and security tools
- Transition technologies
- Note: IPsec support changed from MUST to SHOULD

Current IETF Work
- dhcpv6-shield (opsec)
- ipv6-host-scanning (opsec)
- lla-only (opsec)
- ipv6 (opsec)
- ipv6-implications-on-ipv4-nets (opsec)
- nd-security (opsec)
- nd-extension-headers (6man)
- predictable-fragment-id (6man)
- stable-privacy-addresses (6man)

Current IETF Work (continued)
- ipv6-smurf-amplifier (6man)
- mitigate-nd-cache-dos-slnd (6man)
- design-choices (v6ops)
- enterprise-incremental-ipv6 (v6ops)
- nat64-experience (v6ops)
- ra-guard-implementation (v6ops)
- ula-usage-recommendations (v6ops)
- fragdrop (v6ops)
- dc-ipv6 (v6ops)

Scanning
- Scans of the entire address space: impractical
- Intelligent address scanning: imperfect, but practical
  - DNS enumeration
  - Non-random addresses
  - SLAAC address space with known OUIs
  - Multicast discovery
  - Local neighbor discovery messages
- See IETF I-D draft-gont-opsec-ipv6-host-scanning
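The "non-random addresses" and "known OUIs" points above are easiest to appreciate by auditing your own inventory. The following is an added example (not from the talk or the draft it cites) that classifies each address by how guessable its interface identifier is; the inventory addresses are constructed under the 2001:db8::/32 documentation prefix.

```python
"""Audit which IPv6 addresses in an inventory have predictable interface IDs (constructed example)."""
import ipaddress
from collections import Counter


def interface_id(addr: str) -> bytes:
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def mac_from_eui64(addr: str):
    """Recover the MAC embedded in a modified EUI-64 interface ID, or None.

    Modified EUI-64 (RFC 4291) splices ff:fe into the middle of the 48-bit MAC
    and flips the universal/local bit (0x02) of the first octet. A random IID
    hits the ff:fe marker by chance only once in 65536, so this is a good heuristic.
    """
    iid = interface_id(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr: str) -> str:
    """Label an address by how guessable its interface ID is."""
    mac = mac_from_eui64(addr)
    if mac is not None:
        return "eui64:" + mac[:8]          # the first three octets are the vendor OUI
    if int.from_bytes(interface_id(addr), "big") < 0x10000:
        return "low-iid"                    # ::1, ::2, ... style manual addressing
    return "opaque"                         # privacy or stable-privacy style IID


SAMPLE_INVENTORY = [  # constructed addresses, not real hosts
    "2001:db8:1::224:d7ff:fe12:3456",
    "2001:db8:1::224:d7ff:fe12:3457",
    "2001:db8:1::1",
    "2001:db8:1::a1b2:c3d4:e5f6:789",
]


def summarize(addrs):
    """Count address classes so a defender sees how much of the estate is guessable."""
    return Counter(classify(a).split(":")[0] for a in addrs)


if __name__ == "__main__":
    for a in SAMPLE_INVENTORY:
        print(f"{a:36} {classify(a)}")
    print(dict(summarize(SAMPLE_INVENTORY)))
```

Hosts that land in the eui64 or low-iid classes are the ones the stable-privacy-addresses work is meant to help; the opaque class is what you want to see.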

Spam
- Surprise, spam travels over IPv6 transport
- Many DNSBLs have used rbldnsd
- When it comes to IPv6, rbldnsd just doesn't scale
- Some software and usage changes required
- This is true for any IP address reputation system
- First SMTP-over-IPv6 email to comcast.net was spam

Routing
- Fair amount of focus on extension header issues
- Neighbor cache maintenance issues, e.g. IETF RFC 6547 (using /127s for inter-router links, IRLs)
- Team Cymru IPv6 full bogons service
- IETF RFC 6666: A Discard Prefix for IPv6
- Additional consideration likely needed here:
  - Aggregation / disaggregation / hijack events
  - Control plane protection for IPv6 transport

Packet Flooding / DoS
- Some evidence of IPv6-specific DoS
- Single D: not seeing evidence of IPv6-specific DDoS
- Some unintentional use of IPv6 transport for DDoS
- Mostly IRC-based miscreants experimenting with it
- Traffic levels are relatively modest thus far

Local Network Threats
- Router advertisements (RAs) present a challenge
- As do many of the neighbor discovery mechanisms
- Who do you trust? How do you trust them?
- Similar to the known threats with ARP and DHCP
- SEcure Neighbor Discovery (SEND): IETF RFC 3971
- Also see IETF RFC 3756: IPv6 Neighbor Discovery Trust Models and Threats
- 6Guard: a honeypot-based IPv6 attack detector
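The RA trust problem above is, at its core, a "who is allowed to announce a router on this segment" question, and RFC 4861 already gives two cheap validity checks (link-local source, hop limit 255). This added example (not from the talk or 6Guard) parses raw IPv6 packets and flags RAs that fail those checks or come from an unexpected source; the trusted-router set and the packets are constructed assumptions.

```python
"""Flag suspicious ICMPv6 Router Advertisements in a packet trace (constructed example)."""
import ipaddress
import struct

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ALL_NODES = ipaddress.IPv6Address("ff02::1")
# Assumption: the segment's only legitimate router announces from this link-local address.
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def build_ra(src: str, hop_limit: int = 255) -> bytes:
    """Construct a minimal IPv6 packet carrying an RA (test data; checksum left zero)."""
    # ICMPv6 RA: type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer; no options appended.
    body = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    # IPv6 header: version/class/flow, payload length, next header, hop limit, src, dst.
    header = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ALL_NODES.packed + body


def check_ra(packet: bytes) -> list:
    """Return findings for one packet; empty when it is not an RA or looks legitimate."""
    if len(packet) < 41 or packet[0] >> 4 != 6:
        return []
    next_header, hop_limit = packet[6], packet[7]
    if next_header != ICMPV6 or packet[40] != ROUTER_ADVERTISEMENT:
        return []
    src = ipaddress.IPv6Address(packet[8:24])
    findings = []
    if src not in LINK_LOCAL:
        findings.append("ra-from-non-link-local-source")
    if hop_limit != 255:  # RFC 4861: a valid RA arrives with hop limit 255, i.e. unforwarded
        findings.append("ra-hop-limit-not-255")
    if src not in TRUSTED_ROUTERS:
        findings.append(f"ra-from-untrusted-router {src}")
    return findings


def audit(trace):
    """Map packet index to findings for every packet that raised any."""
    return {i: f for i, f in enumerate(map(check_ra, trace)) if f}


SAMPLE_TRACE = [  # constructed packets; 2001:db8::/32 is the documentation prefix
    build_ra("fe80::1"),                # the trusted router
    build_ra("fe80::dead:beef"),        # unknown device advertising itself
    build_ra("fe80::1", hop_limit=64),  # RA that crossed a hop, so not from on-link
    build_ra("2001:db8::1"),            # global source, never valid for an RA
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE_TRACE).items():
        print(idx, findings)
```

Hosts with RA Guard on the access switch should never see packets 1, 2 or 3; seeing them in a capture is the evidence that the guard is missing or bypassed.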

Transition Technologies
- 6in4/6to4/6rd/ISATAP/Teredo/tunnel brokers, OH MY!
- Are protections congruent?
- Can you monitor them? Mitigate problems over them?
- Whose relay? Do they monitor? Do you trust them?

%#@!#&$ NAT
- NAT just makes my life harder
- As pro-NAT a statement as I could make
- IETF RFC 5902: IAB Thoughts on IPv6 Network Address Translation
- Next slide PLEASE!

An IPv6 Business Case is Born
March 17, 2003:
<A> get an ipv6 host./packetpeople wont know what to do
<B> A we have ipv6
<C> most packet kiddies cant hit ipv6 yet
<D> Im testing a ipv6 scanner i just made
<E> i seen someone make a ddos for ipv6/ipv4
Later that same day, ipv6ddos.c released

IPv6 4SALE in the Underground
November 11, 2003:
<A> Got E-Gold Accounts, PayPaL Accounts, Vhosted Shells (ushells.net), Vhosts ( ipv4 - ipv6 ), Full Domin, Root, Root Scan, Root Nuke, Proxy Serv, Fresh CC's, Fresh Cvv2 I Verify 1st

Hiding behind the IPv6
More recently:
<A> ./gem -h 192.0.2.1 -T0 -t 15000
<B> that should do it
<A> i got 5000mbit hitting
<C> v6 is back up on X and Y just new ips
<C> D got our vps working as a tunnel broker now
<C> need a /64?
<A> already has native IPv6 on ciscos

udp6.pl, udp.pl w/ IPv6 transport
http://example.com/udp6.pl <-- working ipv6ddos

    flood.pl --port=dst-port --size=pkt-size --time=secs --bandwidth=kbps --delay=msec ip-address [-6]
    Defaults:
    * random destination UDP ports are used unless --port is specified
    * random-sized packets are sent unless --size or --bandwidth is specified
    * flood is continuous unless --time is specified
    * flood is sent at line speed unless --bandwidth or --delay is specified
    * IPv4 flood unless -6 is specified

IRC bot with TCP over v6 DDoS
elxbot bot ++ipv6_attacker addin wich actually worx!

    =~ /^ipv6flood\s+(.+)\s+(\d+)\s+(\d+)/
    [ ]
    sub tcp6 {
      [ ]
      my @SOCKET6;
      while($_[3] > (time - $s_time)) {
        for(my $i=0;$i<200;$i++) {
          socket6($socket6[$i], PF_INET6, SOCK_STREAM, getprotobyname('tcp'));
          [ ]

Dissent on DDoS Resilience
<A> no its nearly impossible to ddos an ipv6 connection
<B> average bitch ddos kiddies couldn't ddos ipv6
<C> i only know 2 people that know how to ddos ipv6
<D> and its impossible to ddos ipv6
<E> i can ddos ipv6 tunnel down

Who Took Down Their Routers?
- Very large hosting provider site in Chicago goes dark
- Carefully aimed DDoS at an infrastructure router
- Routing protocol packets being dropped
- Remedied with streamlined control plane filters
- Miscreant controlled it via IRC from an IPv6 bounce

PING Flood
- 1 Gb/s of ICMPv6 echo requests sent to an IRC server
- Random source addresses spoofed by a single source
- uRPF briefly enabled, but that feature melted the router
- Source ISP eventually fixed the host
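When uRPF on the router is not an option, as in the incident above, the flood still has a clear signature in flow data: one destination receiving echo requests from thousands of sources that each appear exactly once. This added example (not from the talk) applies that heuristic to constructed flow records shaped as (timestamp, src, dst, icmp_type, packets) tuples; the thresholds and the sample traffic are assumptions.

```python
"""Find spoofed-source ICMPv6 echo floods in flow records (constructed example)."""
from collections import defaultdict
import random

ECHO_REQUEST = 128  # ICMPv6 type for echo request


def find_spoofed_floods(flows, window=10, min_sources=1000, min_packets=50000):
    """Per destination and time window, count distinct sources and packets of
    echo-request flows. A single real sender spoofing random sources shows up as
    thousands of one-flow sources converging on one destination."""
    sources = defaultdict(set)
    packets = defaultdict(int)
    for ts, src, dst, icmp_type, pkts in flows:
        if icmp_type != ECHO_REQUEST:
            continue
        key = (dst, ts - ts % window)  # bucket by window start
        sources[key].add(src)
        packets[key] += pkts
    hits = [(dst, start, len(sources[(dst, start)]), packets[(dst, start)])
            for (dst, start) in sources
            if len(sources[(dst, start)]) >= min_sources
            and packets[(dst, start)] >= min_packets]
    return sorted(hits, key=lambda h: -h[3])


def constructed_flows(seed=1):
    """Build a sample: one spoofed flood at an IRC server plus benign monitoring pings."""
    rng = random.Random(seed)
    victim = "2001:db8:ffff::6667"
    flows = []
    for i in range(5000):  # each spoofed source appears once, 20 packets per flow
        src = "2001:db8:" + ":".join(f"{rng.randrange(1 << 16):x}" for _ in range(6))
        flows.append((i % 10, src, victim, ECHO_REQUEST, 20))
    for t in range(0, 60, 5):  # a monitoring host pinging three routers every 5 s
        for n in (1, 2, 3):
            flows.append((t, "2001:db8:100::53", f"2001:db8::{n}", ECHO_REQUEST, 1))
    return flows


if __name__ == "__main__":
    for dst, start, n_src, n_pkts in find_spoofed_floods(constructed_flows()):
        print(f"{dst}: {n_src} sources, {n_pkts} echo requests in window t={start}")
```

The same distinct-source count is what makes a destination-side ACL or rate limit the practical remedy here: there is no source prefix to block, only the destination and ICMPv6 type to police.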

What We (Don't) See Today
- IPv6 is widely used as a transport, but rarely as a platform
- IPv6 dark nets are dark
- Very little IPv6-specific malware
- Anecdotal evidence of malware using IPv6 as transport
- Some evidence of miscreants using IPv6 to hide origin
- Some evidence of using IPv6 to hide from monitoring
- Some evidence of using IPv6 to mitigate retribution
- Useful and necessary IPv6 threat research ongoing
- Relatively little IPv6 opsec measurement occurring

Resources and References
- http://www.gont.com.ar/
- https://www.ietf.org/mailman/listinfo/opsec
- https://www.ietf.org/mailman/listinfo/v6ops
- http://lists.si6networks.com/listinfo/ipv6hackers
- http://www.cymru.com/jtk/