Tips for an Information Security Analyst/Pentester career - Episode 16: IPv6 DoS attack
In this episode, we're going to look at a DoS attack on IPv6.
Windows systems enable IPv6 networking by default and, if you go to your network adapter settings, you'll normally find IPv6 enabled. Microsoft recommends leaving it enabled, as some network functionality might need it.
However, this implies a built-in vulnerability.
In fact, under these conditions IPv6 addresses may be handed out automatically on the basis of a Router Advertisement (RA), with no security checks applied.
A hacker leveraged this vulnerability by setting up an attack that works by sending Router Advertisement packets and forcing operating systems to create IPv6 addresses in response to every packet received. When the network is flooded with enough RAs, Windows machines consume more and more CPU time, until CPU utilization reaches 100%.
Prep
For the purposes of this demonstration, I used two virtual machines, both of them configured in VirtualBox as using an internal network adapter:
- Kali Linux 2017 v. 1 prebuilt image: Internal network adapter. Static IP address (10.10.10.1/24).
- Windows 10 64-bit: Internal network adapter. Static IP address (10.10.10.2/24).
Both virtual machines have been configured with an internal adapter, in order to prevent any potential damage to the physical OS.
We verify that our virtual machines can communicate by pinging each one from the other.
Attack
The attack is performed using flood_router6, a tool available here. Unlike what I read in other posts about the topic, it's not bundled in Kali. You'll have to compile it from source code (a pretty painful operation).
The syntax for the attack is flood_router6, followed by the name of the interface we want to use. In this case, we only have one network adapter, so we can use eth0.
I let the attack run for a few seconds and the CPU utilization on my Windows 10 virtual machine suddenly spiked to 100%, crashing the OS.
If we launch ipconfig /all, we notice a bunch of automatically assigned IPv6 addresses, which keep being assigned to the machine, essentially causing a denial of service.
Windows 10 handles this vulnerability better than Windows 7, but it can nonetheless be attacked.
In fact, Windows 7 becomes completely unusable after such an attack, while Windows 10 might simply go down for a while.
This is an example of a DoS attack, but the same technique could be used to implement DDoS attacks and cause major mayhem on corporate networks.
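From the monitoring side, a flood like the one above shows up as a burst of Router Advertisements in a short time. The following detection sketch is an added example, not code from the original post or from the tool's author: it parses the ICMPv6 RA message and alerts when too many distinct router/prefix pairs appear in a sliding window. It assumes each flood RA advertises a different prefix; the names, the 10-second window and the threshold of 8 are hypothetical, and the sample packets are constructed.

```python
import ipaddress
import struct
from collections import deque

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option

def ra_prefixes(icmp6: bytes):
    """Return prefixes advertised in one ICMPv6 RA message ([] if not an RA)."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return []
    prefixes, off = [], 16                 # options follow the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            break                          # malformed option: stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            prefixes.append(f"{addr}/{icmp6[off + 2]}")
        off += opt_len
    return prefixes

class RaFloodDetector:
    """Alert when distinct (router, prefix) pairs in the window exceed a threshold."""
    def __init__(self, window=10.0, max_distinct=8):   # hypothetical defaults
        self.window, self.max_distinct = window, max_distinct
        self.seen = deque()                # (timestamp, source address, prefix)

    def observe(self, ts, src, icmp6):
        for prefix in ra_prefixes(icmp6):
            self.seen.append((ts, src, prefix))
        while self.seen and ts - self.seen[0][0] > self.window:
            self.seen.popleft()            # drop entries older than the window
        return len({(s, p) for _, s, p in self.seen}) > self.max_distinct

def sample_ra(prefix):
    """Constructed RA bytes for the demo (checksum left at zero, not validated)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def demo():
    det = RaFloodDetector()
    # Normal traffic: one router re-advertising the same prefix every 10 seconds.
    normal = [det.observe(t, "fe80::1", sample_ra("2001:db8:1::")) for t in (0, 10, 20)]
    # Flood: 20 RAs from different sources with different prefixes within one second.
    flood = [det.observe(40 + i / 100, f"fe80::{i + 2:x}",
                         sample_ra(f"2001:db8:{i + 2:x}::")) for i in range(20)]
    return normal, flood
```

In the constructed run, the periodic advertisements never alert, and the burst alerts from its ninth RA onward.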
I was unable to install the latest Windows updates on this machine, due to lack of disk space, so I intend to test this vulnerability again on a fully patched system.
However, I've seen demos of this type of attack dating back to 2012 and, to the best of my knowledge, I don't think Microsoft has ever released a patch for this.
External sources:
- https://hotforsecurity.bitdefender.com/blog/denial-of-service-attack-through-ipv6-router-advertisement-vulnerability-4362.html
- https://www.darkreading.com/attacks-breaches/ipv6-and-the-growing-ddos-danger/a/d-id/1322942
- Marc Heuse's attack
- https://www.youtube.com/watch?v=Wc5GY6DT3SU