
IPv6 vulnerable to fragmentation attacks that threaten core internet routers

Net boffins float RFC to fix the protocol before things turn nasty

Fragmentation's troubled history

Gont says he's been looking at atomic fragments since presenting an IPv6 hacking course in 2010, when he and an attendee decided to come up with “an IPv6-version of IPv4's idle/dumb scan” attack.

“We verified that it was possible to trigger the generation of atomic fragments with ICMPv6 PTB packets, and that many implementations were not performing any kind of checks on the received ICMPv6 packets” (such as to ensure the received packets corresponded to an outgoing TCP connection).

Gont conducted more research, and in 2013, found that “such dropping was quite widespread” in the public Internet.

The result was, he found, “with a single packet you could DoS communications between two systems for about 10 minutes. For obvious reasons, if successfully exploited against BGP routers, the impact could be severe.”
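As an added illustration of the receiver-side checks that close this vector (not code from Gont, SI6 Networks or The Register), the following Python validates an ICMPv6 Packet Too Big message against a table of live TCP connections, the check Gont says many stacks skipped, and ignores any MTU below 1280, the RFC 8021 behaviour that stops atomic fragments being generated at all. The addresses, ports and the PTB fixture are constructed, and the parser assumes no extension headers sit between the embedded IPv6 and TCP headers.

```python
import socket
import struct

IPV6_MIN_MTU = 1280   # minimum IPv6 link MTU (RFC 8200)
PTB_TYPE, TCP = 2, 6  # ICMPv6 Packet Too Big; TCP next-header value

def build_ptb(mtu, src, dst, sport, dport):
    """Constructed fixture: an ICMPv6 PTB whose embedded packet is an IPv6/TCP
    header 'we' sent earlier. Checksum is left at 0; this never hits the wire."""
    ip6 = struct.pack("!IHBB", 0x60000000, 20, TCP, 64)
    ip6 += socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst)
    tcp = struct.pack("!HHII", sport, dport, 1, 0)  # ports, seq, ack
    return struct.pack("!BBHI", PTB_TYPE, 0, 0, mtu) + ip6 + tcp

def parse_ptb(msg):
    """Return (mtu, src, sport, dst, dport) from the embedded TCP segment.
    Assumes no extension headers between the embedded IPv6 and TCP headers."""
    if len(msg) < 8 + 40 + 4:
        raise ValueError("truncated ICMPv6 message")
    icmp_type, code, _csum, mtu = struct.unpack("!BBHI", msg[:8])
    if icmp_type != PTB_TYPE or code != 0:
        raise ValueError("not a Packet Too Big message")
    inner = msg[8:]
    if inner[6] != TCP:
        raise ValueError("embedded packet is not TCP")
    src = socket.inet_ntop(socket.AF_INET6, inner[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, inner[24:40])
    sport, dport = struct.unpack("!HH", inner[40:44])
    return mtu, src, sport, dst, dport

def classify_ptb(msg, connections):
    """Decide what a receiving stack should do with a PTB. `connections` holds
    (local_addr, local_port, remote_addr, remote_port) tuples of live TCP sessions."""
    try:
        mtu, src, sport, dst, dport = parse_ptb(msg)
    except ValueError as e:
        return f"drop: {e}"
    if (src, sport, dst, dport) not in connections:  # the check many stacks skipped
        return "drop: embedded packet matches no established TCP connection"
    if mtu < IPV6_MIN_MTU:  # RFC 8021 behaviour: never generate atomic fragments
        return "ignore: MTU below 1280 would only produce atomic fragments"
    return "accept"

if __name__ == "__main__":
    me, peer = "2001:db8::1", "2001:db8::2"   # constructed addresses, BGP on port 179
    live = {(me, 179, peer, 40000)}
    for mtu, dport in ((1400, 40000), (1279, 40000), (1400, 40001)):
        print(mtu, dport, classify_ptb(build_ptb(mtu, me, peer, 179, dport), live))
```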

Furthermore, Gont told The Register, it's not easy to protect systems with packet filters, because of another IPv6 feature, extension headers.

Extension headers make IPv6 more extensible than IPv4, but because they can be daisy-chained together they also get in the way of filtering: “IPv6 Extension Headers make packet filtering difficult since the filtering device would need to process/follow the list of extension headers in order to get to the actual payload (the ICMPv6 packet, in this case)”, Gont told us.

Filtering devices between two systems are, in fact, a condition for the vulnerability to be exploitable. “Some filtering device between the two communicating systems (or one of the two communicating systems themselves) must be configured to drop IPv6 fragments,” Gont told The Register's networking desk.

“Based on research published in RFC7872 (which I co-authored), it's clear that that's the case for many Internet servers. On the other hand, when it comes to BGP routers, it depends on whether one of the two BGP peers implements a filtering policy that drops IPv6 fragments directed to the BGP router.”

Some systems are not vulnerable, he noted.

“A few implementations (e.g. NetBSD and some versions of FreeBSD) were not implementing this feature,” Gont told us.

“Other implementations (e.g. Linux and OpenBSD) were quick in responding to this issue, and patched their stacks before RFC8021 was published.

“However, some popular server and router implementations still implement this functionality, and hence this attack vector is still exploitable … besides, some deployed systems run older versions of the patched systems, so e.g., you might be able to exploit this attack against a Linux server that is not using the patched kernel.”

Gont says SI6 Networks is preparing a blog post explaining how to reproduce the issue using its open source IPv6 toolkit. The post will appear here. ®
