[Bro-Dev] bro-2.1 IPv6, headers, evasion and other fun things

Aashish Sharma asharma at lbl.gov
Thu Feb 23 11:21:44 PST 2012

Hello brodevs:

Since effort to get bro IPv6 ready is ongoing, I thought there are some
IPv6 security issues to bring to attention. May be you already have
plans to  handle these or otherwise I think these are somethings to pay
attention to. Offcourse, I realize all this is easier said then done:

One thing I would really like is ability to log optional headers at
minimum. Here is some situations why it is important.

1) Evasion attack: Routing header can result in bro looking only
at the IP header and not the routing header which dictates where the
packet goes next. So IDS things that packet is going to host A but ends
up going to host B and then C which are included in the routing header.
So unless we parse these headers we shall not know what actually is the
ultimate destination of the packet. 

2) Evasion attack using Extension header size:  could be 128K per
header, and RFC doesn't dictate the sequence of the headers so these can
be out of order. Bro needs to address the problem of parsing and
processing these extension headers, taking in to account the full sized
extension headers, else miscreants might put malicious contents at the
end of these headers and evade the detection. 

Even tcpdump only looks at the next header only and not the routing
header unless  you specify protochain 6 in the filter. 

3) Mobility header issue: With this one can use your internal IP address
anywhere else in the world. RFC dictates to use IPSec but there is still
trust issues - check out RFC4487.  

An Application of such attack is subverting geoip blocking - example
youtube not allowing content viewing for IP's in Canada etc or avoid
roaming charges when using a mobile phone. 

4) IDS connection caching issue: Since IPv6 doesn't support
fragmentation, a Sender has to keep a copy of the packet in the IP stack
because  application doesn’t know if routers are going to fragment or
not and sender has to account for a possible ICMP error with frag bit
set. IDS has to be able to account for such situations and

5) Neighbor discovery attack: ICMP6 can broadcast address for someone
else. It assumes that network is secure.  Also given ICMP6 messages are
routable where as with  ARP this was not a problem because ARP is/was
local to a subnet only. 

6) Address Priority issues: It is possible that part of attack uses a
link local address and other part uses the site address. BRO needs to
maintain a  state which can account for all the IP's assigned and used
by the host to assemble a connection/attack etc. 

7) IPv6 allows multiple routers allocate multiple address - one from
each router. Can we flag on rogue router broadcasts or new address
allocation other then the ones which are predefined in the networks.cfg 

8) IPv4 and IPv6 co-existence issues: Its not only that hosts have
affinity to IPv6, but applications also do.  Crome prefers using v6
(it tries connecting on v6 for 300mS and then falls back to v4) while
safari prefers to pick up the IP from OS X stack. Depending on the latency
and/or other situation host and applications may be using different
addresses - Crome can use v6 while safari v4. How do we know both of
these connections are part of the same attack ? 

9) DNS resolution - Any IPv6 host takes upon itself to resolve DNS for
any query which it sees. So if an attacker chooses to use broadcast
address ff02::1 for DNS query resolution all hosts are going to resolve.

10) Collusion attack - because of the vastness of IPv6 address space, it
is possible for two hosts to use a new IP address for every packet to
communicate between them. 

11) IPv6 also brings isolation problem: Address scheme allows assigning a
Unicast local IP which doesn't have to be globally routable to a network
device such as printer. However when a work station gets both local and
global address, an external IP can bounce off this work station to
access the network device which has unicast local IP. Likewise the
network device can use a workstation (with dual address) as proxy to
communicate to the outside world.

12) Offcourse Teredo which encapsulates protocol and provides globally
reachable IPv6 address - enabled by win7 and win8.rc2 by default but
only works when ipv4 address is not available.


Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, Information Technology Division  
Lawrence Berkeley National Laboratory  
Office: (510)-495-2680  Cell: (510)-457-1525
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20120223/e5418dd5/attachment.bin 

More information about the bro-dev mailing list