IPv6 Flaw Could Greatly Amplify DDoS Attacks
tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"
I think the idea of RH0 is the fact that you can specify an exceptionally long route rather than using the shortest possible route to your path.
Imagine a network of 9 computers in a mesh topology. Now imagine instead of taking at most 4 hops to get to your destination you can specify it to go through every single computer on the network for a maximum of 9-10 hops. Because all of this traffic passes through each computer in the network you have amplified the power of your DoS attack by a factor of 2-3x because you are increasing the network congestion as well as potential collisions and everything else.
Now imagine the internet. I can believe it would amplify the power of DoS attacks by 80x or more if this were permitted. The fact remains that a good network administrator will let the routers know the best routes. Why specify the route with RH0 when the routers are already built to know the best possible route (through protocols like OSPF and BGP you can even have the routers let each other know about potential problems in the network)?
http://www.potaroo.net/ispcol/2007-05/6pong.html
From TFS, Originally envisioned as a way to let mobile users to retain a single IP for their devices...
I don't know, looks like it's getting used in the 2008 Olympics (via thenewsroom).
People are actually starting to look at IPv6 security. The recent OpenBSD issues highlighted the problem. OpenBSD, FreeBSD and MidnightBSD should all be patched for this issue. OpenBSD chose to turn it off completely for now. There is some talk about adding support to PF for blocking specific traffic. FreeBSD and MidnightBSD both used a patch that adds a new sysctl to disable the feature by default, but still allow it. As I recall, the reason it's in the spec to begin with is for research purposes. I don't follow DragonFly or NetBSD enough to know if they've patched yet.
I was there for a couple of days in June last year. I was surprised to see that Linux is actually quite popular; they were selling Linux machines in the mall. The people were also very nice, and I enjoyed myself there. A half-litre of Staropramen was about a euro fifty, which added to the enjoyment. We were staying in a school there, and they had a very well-maintained computer lab (the machines weren't the fastest in the world admittedly, but more than adequate) which dual-booted XP and... I think Fedora or something. Now, Estonia is geographically a Baltic state, but culturally and linguistically they are very close to Finland, a Nordic state which as I expect most of you would know is the home of Linus Torvalds. Perhaps they feel a connection to Linus? Any Estonians here who want to shed some light on this?
Some history and information:
The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.
The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8-bit unsigned integer (i.e. 255 times).
While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.
One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL, nor do I own any equity or options on equity in the company).
In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.
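The two posts above describe the mechanism (a sender lists intermediate addresses in a Type 0 Routing Header, and a list that alternates between two routers makes the packet bounce between them) and the limits that bound it (an 8-bit Hdr Ext Len, so at most 127 full addresses per RH0, and an 8-bit Hop Limit). The following Python is an added example, not code from the thread or from any of the projects mentioned: it constructs a test packet carrying an RH0, walks the extension-header chain the way a filter would, and reports the ping-pong pattern and the upper bound on the forwarding steps one packet can force. The addresses and payload are constructed test values.

```python
import ipaddress
import struct

# Next Header values (IANA protocol numbers) used below.
NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_UDP = 17
# Hdr Ext Len is an 8-bit count of 8-octet units (not counting the first 8), so a
# Type 0 routing header holds at most 255 // 2 = 127 full 16-octet addresses.
MAX_RH0_ADDRESSES = 127


def build_ipv6(src, dst, rh0_addrs=None, hop_limit=64, payload=b"probe"):
    """Construct a test IPv6 packet; when rh0_addrs is given, insert a Type 0
    Routing Header listing those addresses (constructed input, not a capture)."""
    if rh0_addrs is None:
        ext, next_hdr = b"", NH_UDP
    else:
        n = len(rh0_addrs)
        if n > MAX_RH0_ADDRESSES:
            raise ValueError("too many addresses for one RH0")
        # Next Header, Hdr Ext Len (2 units per address), Routing Type 0,
        # Segments Left, 4 reserved octets, then the address list.
        ext = struct.pack("!BBBB", NH_UDP, 2 * n, 0, n) + b"\x00" * 4
        ext += b"".join(ipaddress.IPv6Address(a).packed for a in rh0_addrs)
        next_hdr = NH_ROUTING
    # Version 6 with zero traffic class/flow label, Payload Length, Next Header, Hop Limit.
    base = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), next_hdr, hop_limit)
    base += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return base + ext + payload


def walk_extension_headers(pkt):
    """Return ([(type, raw_bytes), ...], upper_layer_protocol, payload_offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in (NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment headers are a fixed 8 octets; the others carry Hdr Ext Len.
        hlen = 8 if nh == NH_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append((nh, pkt[off:off + hlen]))
        nh, off = pkt[off], off + hlen
    return chain, nh, off


def analyze_rh0(pkt):
    """None if the packet carries no Type 0 routing header; otherwise a summary dict."""
    chain, _, _ = walk_extension_headers(pkt)
    routing = [raw for nh, raw in chain if nh == NH_ROUTING]
    for raw in routing:
        if raw[2] != 0:            # Routing Type; only type 0 is the problem here
            continue
        ext_len, seg_left = raw[1], raw[3]
        if ext_len % 2:            # RH0 requires an even Hdr Ext Len
            raise ValueError("malformed RH0: odd Hdr Ext Len")
        n = ext_len // 2
        addrs = [str(ipaddress.IPv6Address(raw[8 + 16 * i:24 + 16 * i])) for i in range(n)]
        return {
            "addresses": addrs,
            "segments_left": seg_left,
            "hop_limit": pkt[7],
            "distinct_hosts": len(set(addrs)),
            # Each remaining segment forces one more forwarding step, but the
            # 8-bit Hop Limit bounds how many steps the packet can actually take.
            "forced_hops": min(seg_left, pkt[7]),
            # A list that revisits the same few hosts is the ping-pong pattern.
            "ping_pong": len(addrs) > len(set(addrs)),
            "multiple_routing_headers": len(routing) > 1,
        }
    return None


if __name__ == "__main__":
    a, b = "2001:db8::1", "2001:db8::2"      # constructed router addresses
    print(analyze_rh0(build_ipv6("2001:db8::100", a, [a, b] * 10, hop_limit=255)))
```

A filter that wants the OpenBSD-style behaviour (drop RH0 outright) only needs `analyze_rh0(pkt) is not None`; the `ping_pong` and `forced_hops` fields are there for logging, so that a dropped packet's record shows how many extra traversals it would have caused.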
The patch was released on April 27. Now that's quick!
The OpenBSD project does a great job with security; other development teams could learn a lot from them.
it's h4x0rs using stupid routes to DDOS one or more machines on the route as well as whatever machine they're addressing.
/shrug
This bug sounds a lot like one that I got bitten with years ago - source routing.
RedHat 6.2 came with source routing turned on by default. Since I was using a RH 6.2 system as my router/firewall, this was particularly damning, and allowed them to compromise my X11 workstation more than once. I played cat and mouse with a hax0r who penetrated my otherwise very stiff firewall for over a month, before finding out that he/she/they were using source routing to bypass all my carefully crafted firewall rules.
It was only when I set up a "default deny/log" ruleset, enabling ONLY OUTBOUND WWW/SSH/POP/SMTP connections that I found the truth.
So, I've checked source routing on every load of RH Linux when used as a firewall ever since. It's been turned off by default with every release from 7.x on, including CentOS 4.x which I'm using today.
Source routing was a bad idea then, and is a bad idea now. It will be a bad idea 10 years from now, too. Why did ipv6 re-implement this bad idea?
PS: I still don't get why RH killed their "RedHat Linux" line. I mean, I manage about a dozen mini/embedded servers and was happy to give RedHat $5/month each for security updates - and then they had to go and shoot for the moon with their "Enterprise" line. Now they get nothing from me. I never even called them for support! Maybe my 12*5*12=$720 per year doesn't matter, but that's close to a grand every year that I was happy to pay.
Guess I should be happy to save the $720/year, but it still doesn't make sense to me.
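The post above is about checking, on every Linux box used as a firewall, whether IPv4 source routing is accepted. As an added example (not the poster's code), the Python below audits constructed `sysctl -a` output for the `net.ipv4.conf.*.accept_source_route` keys and prints the `sysctl -w` commands that turn it off. It relies on the Linux rule that a per-interface `accept_source_route` only takes effect when `net.ipv4.conf.all.accept_source_route` is also set; the interface names and values in the sample are made up.

```python
import re

# Constructed sample of `sysctl -a` output; not taken from a real host.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth1.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
"""

# Matches only the IPv4 accept_source_route keys; the IPv6 key of the same name has
# different value semantics on Linux and is deliberately not handled here.
KEY_RE = re.compile(r"^\s*net\.ipv4\.conf\.([^.\s]+)\.accept_source_route\s*=\s*(-?\d+)\s*$")


def parse_accept_source_route(text):
    """Map interface name ('all', 'default', 'eth0', ...) -> integer value."""
    values = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def interfaces_accepting_source_routes(text):
    """Interfaces on which IPv4 source-routed packets are actually accepted.

    Linux honours the per-interface setting only when the 'all' knob is also
    non-zero. 'all' and 'default' are control knobs, not interfaces."""
    values = parse_accept_source_route(text)
    if not values.get("all", 0):
        return []
    return sorted(i for i, v in values.items() if i not in ("all", "default") and v)


def remediation_commands(text):
    """sysctl commands that switch source routing off wherever it is on, global knob first."""
    values = parse_accept_source_route(text)
    cmds = []
    if values.get("all", 0):
        cmds.append("sysctl -w net.ipv4.conf.all.accept_source_route=0")
    for iface in sorted(values):
        if iface != "all" and values[iface]:
            cmds.append(f"sysctl -w net.ipv4.conf.{iface}.accept_source_route=0")
    return cmds


if __name__ == "__main__":
    print("accepting source routes on:", interfaces_accepting_source_routes(SAMPLE_SYSCTL))
    print("\n".join(remediation_commands(SAMPLE_SYSCTL)))
```

The `sysctl -w` commands only last until reboot; the same `key = 0` lines belong in `/etc/sysctl.conf` (or a file under `/etc/sysctl.d/`) so the setting survives the next kernel update, which is exactly the "check it on every load" habit the post describes.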
He may have chosen Estonia in particular because there's recently (in the last week) been DDoS attacks targeting Estonia's government websites.
Those attacks were (still are, actually) carried out not by local "greedy teenagers", but top-level Russian authorities. The large-scale attacks were traced to IP addresses in Moscow owned by the Russian presidential administration and government.
Neither does IPv4 - these things are separate from the spec and could be added on to IPv6 as well - although NAT is a kludge to get around running out of addresses, which you would not currently need for IPv6.
There are a lot of IPv6 firewalls out there, the traffic has to be routed to get to you and your firewall at the incoming connection can block everything other than the required ports so long as it can understand IPv6.
There are some good books out there on networking. I recommend the O'Reilly one with the crab on the cover to avoid further embarrassment. The old editions likely to be found in a library probably still cover IPv6 (too old and it will be describing this new NAT thing).
Excuse me, but I believe Russians are the DDOS attackers, especially lately, when they are bombing Estonian IT networks because of their stupid monument.
I live in Estonia, and no, I don't speak the Russian language.
Now, maybe a big part of the world doesn't even know where Estonia is, but we are quite an advanced IT country; here are some examples:
* We got National ID cards - and loads of services that use it as identification
* We just launched a cellphone based ID service, that basically replaces the need for a smart card reader and allows identification from anywhere in Estonia.
* We have E-Government
* Our internet banks are surely in the top 3 world wide from feature perspective
* And last, but not least, there's Skype
Because my device is mobile, and one week it's in Scotland, the next week Vancouver and some time after that somewhere in Brazil. That sort of hopping around breaks normal routing protocols.
The CanSecWest presentation that started all this is available here.