
Command Information © 2010. All rights reserved. 2610:f8:ffff:2010:05:27:85:1

IPv6 Cyber Security Briefing

May 27, 2010

Ron Hulen

VP and CTO Cyber Security Solutions

Command Information, Inc.


Attack Surfaces

IPv4 Native

IPv4 + Tunnels

IPv6 Native

IPv6 + Tunnels

Dual-Stack

Dual-Stack + Tunnels

Protocol Translator

Tunnels (encapsulation and/or encryption)


Known IPv6 Vulnerabilities


The IPv6 Header is completely different

Fewer fields (8 vs. 13 for IPv4)

No checksums

Streamlined, efficient

Options aligned on 64-bit boundaries

The Next Header field indicates what type of header follows the IPv6 base header

All extension header information is within the payload, not in the IPv6 base header


IPv6 Extension Headers can be Indefinite

IPv6 Header (NH=TCP) -> TCP Header + DATA

IPv6 Header (NH=HbH) -> HbH Header (NH=TCP) -> TCP Header + DATA

IPv6 Header (NH=HbH) -> HbH Header (NH=RH) -> Routing Header (NH=TCP) -> TCP Header + DATA

IPv6 Header (NH=HbH) -> HbH Header (NH=RH) -> Routing Header (NH=FH) -> Fragment Header (NH=TCP) -> TCP Header + DATA

IPv6 Header (NH=HbH) -> HbH Header (NH=RH) -> Routing Header (NH=FH) -> Fragment Header (NH=HDR A) -> Ext Hdr A (NH=TCP) -> TCP Header + DATA

IPv6 Header (NH=HbH) -> HbH Header (NH=RH) -> Routing Header (NH=FH) -> Fragment Header (NH=HDR A) -> Ext Hdr A (NH=HDR B) -> Ext Hdr B (NH=TCP) -> TCP Header + DATA

IPv6 Header (NH=HbH) -> HbH Header (NH=RH) -> Routing Header (NH=FH) -> Fragment Header (NH=HDR A) -> Ext Hdr A (NH=HDR B) -> Ext Hdr B (NH=HDR C) -> Ext Hdr C (NH=TCP) -> TCP Header + DATA

How many combinations are there?
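The walk a filter or sensor has to perform over rows like these, as an added example (Python, not code from the original deck): it follows Next Header fields from the base header through Hop-by-Hop, Routing, Fragment, AH and Destination Options headers, stops at ESP (which hides what follows it), flags a type 0 Routing header with segments left (the RH0 case the next slides describe), notes a Hop-by-Hop header that is not first, and caps the walk at MAX_EXT_HEADERS. The cap is an assumed local policy, not something RFC 8200 or the slides specify, and all packet bytes are constructed here for the example.

```python
import struct

# IANA protocol numbers; the slide's NH abbreviations HbH, RH and FH are the first three.
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60)
NAMES = {HOP_BY_HOP: "HbH", TCP: "TCP", UDP: "UDP", ROUTING: "RH", FRAGMENT: "FH",
         ESP: "ESP", AH: "AH", ICMPV6: "ICMPv6", NO_NEXT: "NoNext", DEST_OPTS: "DstOpts"}
# Extension headers whose Next Header we can follow. ESP encrypts everything after it,
# so the walk ends there and reports ESP as the upper layer.
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_EXT_HEADERS = 8  # assumed local policy cap; RFC 8200 itself sets no limit


def ext_header_len(nh, pkt, off):
    """Byte length of the extension header of type nh starting at pkt[off]."""
    if nh == FRAGMENT:
        return 8                        # fixed size; byte 1 is reserved, not a length
    if nh == AH:
        return (pkt[off + 1] + 2) * 4   # AH Payload Len is in 32-bit words, minus 2
    return (pkt[off + 1] + 1) * 8       # HbH/RH/DstOpts: 8-octet units, excluding the first 8


def walk_ipv6(pkt):
    """Follow the Next Header chain; return the header names, the upper-layer protocol
    (None if the walk stopped early) and a list of findings a filter would act on."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return {"chain": [], "upper": None, "findings": ["not an IPv6 packet"]}
    payload_len, nh = struct.unpack_from("!HB", pkt, 4)
    end = min(len(pkt), 40 + payload_len)
    chain, findings, off = [], [], 40

    def stop(reason):
        findings.append(reason)
        return {"chain": chain, "upper": None, "findings": findings}

    while nh in WALKABLE:
        if len(chain) >= MAX_EXT_HEADERS:
            return stop("extension header chain exceeds %d headers" % MAX_EXT_HEADERS)
        if off + 8 > end:
            return stop("truncated extension header")
        hlen = ext_header_len(nh, pkt, off)
        if off + hlen > end:
            return stop("extension header runs past the payload")
        if nh == HOP_BY_HOP and chain:
            findings.append("Hop-by-Hop header not first (RFC 8200 section 4.1)")
        chain.append(NAMES[nh])
        if nh == ROUTING:
            rtype, seg_left = pkt[off + 2], pkt[off + 3]
            if rtype == 0 and seg_left > 0:
                findings.append("RH0 with %d segment(s) left (deprecated by RFC 5095)" % seg_left)
        if nh == FRAGMENT:
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_off != 0:
                return stop("non-first fragment: upper-layer header is not in this packet")
        nh, off = pkt[off], off + hlen
    return {"chain": chain, "upper": NAMES.get(nh, str(nh)), "findings": findings}


def build_sample():
    """Constructed packet for the slide's fourth row: IPv6 | HbH | RH (type 0) | FH | TCP."""
    src, dst, via = (bytes.fromhex("20010db8") + bytes(11) + bytes([i]) for i in (1, 2, 3))
    hbh = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])               # NH=RH, one PadN option
    rh0 = bytes([FRAGMENT, 2, 0, 1]) + bytes(4) + via         # NH=FH, type 0, 1 segment left
    frag = bytes([TCP, 0]) + struct.pack("!HI", 0, 0x1234)    # NH=TCP, offset 0, M=0, id
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # SYN
    payload = hbh + rh0 + frag + tcp
    base = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return base + payload


def build_long_chain(n):
    """Constructed packet with n chained Destination Options headers before TCP."""
    hdrs = b"".join(bytes([DEST_OPTS if i < n - 1 else TCP, 0, 1, 4, 0, 0, 0, 0])
                    for i in range(n))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = hdrs + tcp
    base = struct.pack("!IHBB", 6 << 28, len(payload), DEST_OPTS, 64) + bytes(32)
    return base + payload


if __name__ == "__main__":
    for name, pkt in (("slide row 4", build_sample()), ("3 DstOpts", build_long_chain(3)),
                      ("9 DstOpts", build_long_chain(9))):
        print(name, walk_ipv6(pkt))
```

The point of the cap is the slide's question: without one, a filter that must reach the transport header before it can apply a port rule can be made to do unbounded work, or to give up and pass the packet. Whether to drop or just log a long chain is a local decision.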


RH0 Extension Header Attack

ICMPv6 probe to CI's router with source routing

Because CI's router was not online, unknown UDP data was sent (source port 80, destination port 36666)


If CI's router had been online…

ICMPv6 probe to CI's router with source routing

Malicious traffic from an authorized network (using CI as a friendly network to attack from)


IPv4 Security Must Account For IPv6!

Tunnels

Dual Stack


IPv6 Tunnels are a Transition Mechanism

Protocol 41 and 47 Tunnels

6in4

6to4

6RD

IPv6 in GRE

IPSec Tunnels

AH

ESP Null

UDP Based Tunnels

Teredo (Port 3544)

AYIYA (Port 5072)

Heartbeat (Port 3740)

TIC (Port 3874)

TSP (Port 3653)


Tunneled Packet Processing is Complex

Figure: header layouts for an IPv6 packet carried in IPv4, in IPv4-in-IPv4, and in GRE over IPv4. Each encapsulation adds another header that must be parsed before the inner IPv6 header is reached.

IPv6 header fields: V, TC, Flow Label, Payload Length, NH, HLim, Src Address, Dest Address, Payload

IPv4 header fields: V, HL, ToS, Total Length, Identifier, Flg, Offset, TTL, Prot, Hdr Checksum, Src Address, Dest Address, (Options + Padding)

GRE header fields: C, Res0, V, Protocol Type, Checksum, Res1, Payload

How many encapsulations are there?


Tunnels Need to be Protected

ACLs can protect against Protocol 41, Protocol 47, IPSec and port-specific UDP traffic

What if you don't know the port?

Miredo: Teredo can be configured to run on any port

GoGoNet6: TSP can listen on any UDP port (e.g. 53, 80, 443)
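The two slides above make one point: a filter has to peel every encapsulation to reach the IPv6 header, and it cannot rely on the UDP port number to know a tunnel is there. As an added example (Python, not code from the original deck or from any of the tunnel tools it names), the walker below peels IPv4-in-IPv4, protocol 41, GRE and UDP layers from the outside in and decides "IPv6 inside" by looking at the inner bytes rather than at the port. All packets are constructed inline, and MAX_LAYERS is an assumed local policy cap the slides do not specify.

```python
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_IPV6, IPPROTO_GRE = 4, 17, 41, 47
ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
MAX_LAYERS = 4  # assumed local policy cap on nesting depth


def looks_like_ipv6(buf):
    """Content-based check, independent of port: version nibble 6 and a payload length that fits."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return False
    payload_len = struct.unpack_from("!H", buf, 4)[0]
    return 40 + payload_len <= len(buf)


def peel(pkt):
    """Peel IPv4 encapsulation layers from the outside in and name each one.
    The last element says what was found inside ('ipv6', 'udp-payload', ...) or why we stopped."""
    layers, buf = [], pkt
    while True:
        if len(layers) >= MAX_LAYERS:
            layers.append("too-deep")
            return layers
        if len(buf) < 20 or buf[0] >> 4 != 4:
            layers.append("not-ipv4")
            return layers
        ihl, proto = (buf[0] & 0x0F) * 4, buf[9]
        if ihl < 20 or len(buf) < ihl:
            layers.append("bad-ipv4-header")
            return layers
        inner = buf[ihl:]
        if proto == IPPROTO_IPV6:                 # 6in4 / 6to4 / 6rd: IPv6 right after IPv4
            layers.append("ipv4/proto41")
            layers.append("ipv6" if looks_like_ipv6(inner) else "malformed-ipv6")
            return layers
        if proto == IPPROTO_IPIP:                 # IPv4 in IPv4: one more layer to peel
            layers.append("ipv4/proto4")
            buf = inner
            continue
        if proto == IPPROTO_GRE:                  # RFC 2784/2890: 4-byte header plus optional fields
            if len(inner) < 4:
                layers.append("truncated-gre")
                return layers
            flags, ptype = struct.unpack_from("!HH", inner, 0)
            hlen = 4 + (4 if flags & 0x8000 else 0)   # C bit: checksum + reserved1
            hlen += (4 if flags & 0x2000 else 0)      # K bit: key
            hlen += (4 if flags & 0x1000 else 0)      # S bit: sequence number
            layers.append("ipv4/gre")
            payload = inner[hlen:]
            if ptype == ETHERTYPE_IPV6:
                layers.append("ipv6" if looks_like_ipv6(payload) else "malformed-ipv6")
                return layers
            if ptype == ETHERTYPE_IPV4:
                buf = payload
                continue
            layers.append("gre-payload/0x%04x" % ptype)
            return layers
        if proto == IPPROTO_UDP:                  # Teredo, AYIYA, TSP: classify by content, not port
            if len(inner) < 8:
                layers.append("truncated-udp")
                return layers
            sport, dport = struct.unpack_from("!HH", inner, 0)
            layers.append("ipv4/udp %d->%d" % (sport, dport))
            layers.append("ipv6" if looks_like_ipv6(inner[8:]) else "udp-payload")
            return layers
        layers.append("ipv4/proto%d" % proto)
        return layers


def ipv4(proto, payload, src=bytes([192, 0, 2, 1]), dst=bytes([192, 0, 2, 2])):
    """Constructed minimal IPv4 header (header checksum left at 0; never sent on a wire)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


def ipv6_min():
    """Constructed 40-byte IPv6 header, NH=59 (No Next Header), empty payload."""
    addr = bytes.fromhex("20010db8") + bytes(12)
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + addr + addr


def udp(sport, dport, payload):
    """Constructed UDP header (checksum 0) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {  # constructed test input
    "6in4": ipv4(IPPROTO_IPV6, ipv6_min()),
    "ipv6 in udp on port 53": ipv4(IPPROTO_UDP, udp(40000, 53, ipv6_min())),
    "dns-like udp on port 53": ipv4(IPPROTO_UDP, udp(40000, 53, bytes([0x12, 0x34, 1, 0]) + bytes(8))),
    "ipv6 in gre": ipv4(IPPROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_IPV6) + ipv6_min()),
    "6in4 inside ipv4-in-ipv4": ipv4(IPPROTO_IPIP, ipv4(IPPROTO_IPV6, ipv6_min())),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-28s %s" % (name, " | ".join(peel(pkt))))
```

The two port 53 samples are the interesting pair: the same 5-tuple carries a DNS-sized datagram in one case and a complete IPv6 header in the other, and only the content check tells them apart. A version nibble alone is a weak signal (plenty of payloads start with 0x6), so the check also requires the IPv6 Payload Length to fit; a real sensor would go further and validate the inner Next Header chain.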


uTorrent – Teredo and IPv6-Capable

Uses ephemeral port for connections

User may randomly choose port

Port may be randomly chosen on restart

IPv6 support “on by default”


uTorrent – Teredo Peers

uTorrent runs well over Teredo

BitTorrent community is discovering IPv6


IPv4 “AAAA” DNS Queries Broadcast IPv6

Microsoft dual stack enabled on ALL Vista / Windows 7 systems

AAAA queries present on every network we monitored

Considered ‘harmless’ by security and network personnel

Must be disabled by DoD MO2 guidelines


IPv4 “AAAA” DNS – loaded gun

Remote hacker sees an organization sending 100,000+ AAAA queries a day

Hacker floods the organization's mail servers with SPAM

It only takes one user with elevated privileges to open one SPAM message to execute the encapsulated malware

Consider MS 10-009

Malware establishes an IPv6-in-UDP tunnel through the organization's firewall to the remote hacker on UDP port 53 (such as Miredo or GoGoNet6)

Remote hacker exfiltrates sensitive data from the organization's enterprise network


ICMPv6 is Required for IPv6

ARP replacement

Prefix advertisement

Router redirection

PING

MLD

Traceroute

Type  Description
1     Destination Unreachable
2     Packet Too Big
3     Time Exceeded
4     Parameter Problem
128   Echo Request
129   Echo Reply
130   Multicast Listener Query – sent to ff02::1 (all nodes)
131   Multicast Listener Report
132   Multicast Listener Done – sent to ff02::2 (all routers)
133   Router Solicitation (RS) – sent to ff01::2 (all routers)
134   Router Advertisement (RA) – sent to ff01::1 (all nodes)
135   Neighbor Solicitation (NS) – sent to ff02:0:0:0:0:1:ff00::/104
136   Neighbor Advertisement (NA)
137   Redirect message


Malevolent RAs: the threat inside

IPv6-enabled workstations (untouched Vista, 7, Linux, Mac, etc.) always listen for Router Advertisements

User A downloads that pesky malware

Sets up a tunnel like the non-standard UDP port example (or port 53)

Installs a basic router advertisement daemon and IPv6 forwarding

It sends RAs out to IPv6-enabled machines with User A as its default gateway

Now there is active IPv6 malware on the enterprise that can't be detected
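The detection the last two slides call for, as an added example (Python, not code from the original deck): parse ICMPv6 type 134 messages as laid out in RFC 4861, pull out the router lifetime and the Prefix Information options, and compare the advertising router's link-local source address and its prefixes against the set the network is known to use. Anything else is a candidate rogue RA, and a non-zero router lifetime from an unknown source is exactly the "User A as default gateway" case. The trusted router and prefix sets and the RA bytes are constructed for the example; the type table is the one from the slide above.

```python
import ipaddress
import struct

# ICMPv6 types from the slide's table (RFC 4443 / RFC 4861 numbering)
ICMPV6_NAMES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
                4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
                130: "Multicast Listener Query", 131: "Multicast Listener Report",
                132: "Multicast Listener Done", 133: "Router Solicitation",
                134: "Router Advertisement", 135: "Neighbor Solicitation",
                136: "Neighbor Advertisement", 137: "Redirect"}
ROUTER_ADVERTISEMENT, OPT_PREFIX_INFO = 134, 3


def parse_ra(msg):
    """Parse an ICMPv6 Router Advertisement (RFC 4861 sections 4.2 and 4.6.2).
    Returns None for any other ICMPv6 message."""
    if len(msg) < 16 or msg[0] != ROUTER_ADVERTISEMENT:
        return None
    hop_limit, flags, lifetime, reachable, retrans = struct.unpack_from("!BBHII", msg, 4)
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "malformed": False}
    off = 16
    while off + 2 <= len(msg):                  # options are TLVs; length is in 8-octet units
        otype, olen = msg[off], msg[off + 1] * 8
        if olen == 0 or off + olen > len(msg):  # zero length would loop forever; RFC 4861 says discard
            ra["malformed"] = True
            break
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefix_len = msg[off + 2]
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append("%s/%d" % (prefix, prefix_len))
        off += olen
    return ra


def check_ra(src, msg, trusted_routers, trusted_prefixes):
    """Return the findings for one RA seen from link-local source address src (a string)."""
    ra = parse_ra(msg)
    if ra is None:
        kind = ICMPV6_NAMES.get(msg[0], msg[0]) if msg else "empty"
        return ["not a Router Advertisement (type %s)" % kind]
    findings = []
    if src not in trusted_routers:
        text = "RA from unexpected router %s" % src
        if ra["router_lifetime"] > 0:           # lifetime > 0 means "use me as default gateway"
            text += " offering itself as default gateway for %ds" % ra["router_lifetime"]
        findings.append(text)
    for prefix in ra["prefixes"]:
        if prefix not in trusted_prefixes:
            findings.append("unexpected prefix %s" % prefix)
    if ra["malformed"]:
        findings.append("malformed option")
    return findings


def build_ra(prefix, router_lifetime=1800):
    """Constructed RA: 16-byte header plus one Prefix Information option (L and A flags set)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return header + pio


TRUSTED_ROUTERS = {"fe80::1"}           # constructed allowlist for the example
TRUSTED_PREFIXES = {"2001:db8:1::/64"}

if __name__ == "__main__":
    print(check_ra("fe80::1", build_ra("2001:db8:1::/64"), TRUSTED_ROUTERS, TRUSTED_PREFIXES))
    print(check_ra("fe80::dead:beef", build_ra("2001:db8:bad::/64"), TRUSTED_ROUTERS, TRUSTED_PREFIXES))
```

In practice the source address comes from the IPv6 header of the frame the RA arrived in, and the same check belongs on the switch side as RA Guard; the parser here is what a monitoring sensor would run on mirrored traffic to notice a new default router appearing on a segment that is supposed to have no IPv6 at all.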


Summary

IPv6 Threats are Real – both native and tunneled

Hackers are using IPv6 to tunnel into networks undetected by current security tools

Companies must develop a security policy to address IPv6.


IPv6 Cyber Security War Plan

Knowledge

Analysis

Planning

Securing

Monitoring

Lifecycle Management


Thank You

Ron Hulen

Command Information

ron.hulen@commandinformation.com

703-234-9363
