IPv6 Flaw Could Greatly Amplify DDoS Attacks
tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"
was involved? If it weren't for those guys at sendmail, he'd be the number one source of Unix(tm) root exploits.
Please, if he were really that smart, he'd use an OLPC!
Clearly the problem here lies with Estonia, not IPv6.
That roughly translates to "It's so easy, an Estonian can do it".
Someone is gonna be buying them roast duck (with the mango salsa) soon.
You can hold down the "B" button for continuous firing.
Don't route stuff stupidly. Instead of banning RH0, make sure it doesn't do redundant routes.
Leave it in, but advise people to disable it for network security.
That already works for other problems, right?
Where can I get one of these $300 Estonian Linux machines? To heck with Dellbuntu.
hey! It's not nice to call people nerds.
Why you say?
:)
Because IPv6 will never be implemented widely anyway.
Why will it not you say?
Because too many people are happy with the current IPv4 + NAT insanity that is in place now. Never mind the fact that the insanely ridiculous kludge that is NAT and all of the insanely ridiculous mini-kludges (DynDNS, UDP connection "warming", etc.) that currently keep the internet glued together and working (sort of) like it is supposed to work probably cost as much or more time and energy than a multi-year dual-stack IPv4 to IPv6 transition would.
Ok, I'm done ranting.
Have a great weekend everyone!
As I understand it, it is not sufficient to simply ignore the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.
However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".
In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).
IIRC, the main reason the transitional scheme was dropped was because routers would need to track more states. Like they're not going to be tracking gigantic numbers of states in order to have a workable authenticated source-routing system.
However, there is one good thing about this. People might finally realize IPv6 is NOT an addressing scheme, it is a very powerful protocol. (Would you believe I had to correct a senior network engineer on that yesterday?)
http://www.potaroo.net/ispcol/2007-05/6pong.html
How is this different to source routing packets in IPv4? Surely people will just configure firewalls and hosts to drop these packets in exactly the same way as is done for IPv4 now.
I've been using IPv6 for nearly a decade, but most of the IPv6 traffic on my LAN is local to the LAN. There are very few interesting places on the Internet that have IPv6 addresses and fewer end users coming from IPv6 capable nodes.
What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.
There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.
People are actually starting to look at IPv6 security. The recent OpenBSD issues highlighted the problem. OpenBSD, FreeBSD and MidnightBSD should all be patched for this issue. OpenBSD chose to turn it off completely for now. There is some talk about adding support to PF for blocking specific traffic. FreeBSD and MidnightBSD both used a patch that adds a new sysctl to disable the feature by default, but still allow it. As I recall, the reason it's in the spec to begin with is for research purposes. I don't follow DragonFly or NetBSD enough to know if they've patched yet.
Some history and information:
The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.
The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8-bit unsigned integer (i.e. 255 times).
While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.
One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL, nor do I own any equity or options on equity in the company).
In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.
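The two points made in this thread (drop RH0 packets outright rather than ignoring the header, and the ping-pong amplification bounded by the Hop Limit and the number of addresses that fit in a packet) as an added defender-side example; this is not code from any of the posters or from the BSD patches they mention. It walks a raw IPv6 extension-header chain, flags the first Type 0 Routing Header, and computes the worst-case number of times one link can carry the same packet. The packet builder, the hop-by-hop header in the test and the 2001:db8::/32 documentation addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv6Address

# Next Header values of the extension headers a filter has to walk past (RFC 2460).
HOPBYHOP, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
WALKABLE = {HOPBYHOP, ROUTING, FRAGMENT, DSTOPTS}

def find_rh0(packet: bytes):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (segments_left, address_count) for the first Type 0 Routing Header
    found, or None if the packet carries no RH0.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    while next_hdr in WALKABLE:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nxt, ext_len = packet[offset], packet[offset + 1]
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets and each
            # listed address is 16 octets, so ext_len // 2 addresses are present.
            return packet[offset + 3], ext_len // 2
        if next_hdr == FRAGMENT:
            ext_len = 0  # the fragment header is a fixed 8 octets
        offset += (ext_len + 1) * 8
        next_hdr = nxt
    return None

def should_drop(packet: bytes) -> bool:
    """Filter policy: drop, rather than merely ignore, any packet carrying an RH0."""
    return find_rh0(packet) is not None

def max_link_traversals(mtu: int = 1500, hop_limit: int = 255) -> int:
    """Worst-case number of times one link carries the same packet when the RH0
    alternates between two routers: one traversal per listed address, bounded by
    how many 16-octet addresses fit after the 40-octet IPv6 header and the
    8-octet fixed part of the RH0, and by the 8-bit Hop Limit."""
    return min((mtu - 40 - 8) // 16, hop_limit)

def build_rh0_packet(addrs) -> bytes:
    """Constructed sample: IPv6 header followed by an RH0 listing addrs (no payload)."""
    rh0 = bytes([17, 2 * len(addrs), 0, len(addrs)]) + b"\x00" * 4  # UDP next, type 0
    rh0 += b"".join(IPv6Address(a).packed for a in addrs)
    hdr = struct.pack("!IHBB", 0x60000000, len(rh0), ROUTING, 64)
    hdr += IPv6Address("2001:db8::1").packed + IPv6Address("2001:db8::2").packed
    return hdr + rh0
```

With a 1500-octet MTU the bound comes out at 90 traversals of one link, in the same range as the "factor of at least 80" quoted in the summary.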
My mother speaks Estonian and can with some level of adaptation understand and express herself in a way that is understood by the Finnish, which I know for certain as my father is Finnish. Unfortunately, as I grew up in Sweden and was too much of an ungrateful kid to actually learn the languages of my parents, I can't directly comment on the similarity of the languages.
I second the opinion that the reference to an 'Estonian teenager' isn't very appropriate. It continues a strong, traditional and completely wrong tradition to separate 'us' and 'them'.
The patch was released on April 27. Now that's quick!
The OpenBSD project does a great job with security; other development teams could learn a lot from them.
The original reason I got an IPv6 connection was to see what it took to set up an IPv6 network, and I had this T1 to Sprint and Sprint offered free tunnels to the 6bone so, I figured, why not? I mean, IPv6 was the next big thing (or so they told me) in the late 90's, so I was trying to be ahead of the curve. Eventually, I set up tunnels between my ISP and what was then my day job and my house and I (briefly) enjoyed the benefits of being able to SSH directly from one workstation behind a NAT connection to another workstation behind a different NAT connection. Yahoo.
When my ISP went under, and the 6bone went away, I got a connection to one of the public tunnel brokers, and it worked for a while. Then I changed my feed to Time Warner and the first cablemodem filtered protocol 41, so the tunnel wouldn't work no matter what I did. After replacing the cablemodem for other reasons, (and waiting long enough for me to wonder if it would work with the new equipment) I was able to get a tunnel to a tunnel broker and I've had a block of addresses ever since. (2001:5c0:8305::/48, in case you're wondering.) Some people have a garden. I have a home network and I enjoy puttering about with it from time to time. (The rest of the time it's a freakin' nuisance.)
Neither does IPv4 - these things are separate from the spec and could be added on to IPv6 as well - although NAT is a kludge to get around running out of addresses, which you would not currently need for IPv6.
There are a lot of IPv6 firewalls out there, the traffic has to be routed to get to you and your firewall at the incoming connection can block everything other than the required ports so long as it can understand IPv6.
There are some good books out there on networking. I recommend the O'Reilly one with the crab on the cover to avoid further embarrassment. The old editions likely to be found in a library probably still cover IPv6 (too old and it will be describing this new NAT thing).
NAT is *not* a security mechanism.
Whether or not it was intended, NAT *is* a security mechanism. Obviously not the best or the prettiest, but to say it provides no additional security is just ignorant.
The "security" of NAT is a side effect of it BREAKING the peer-to-peer model of the internet.
Side effect or not, it provides additional security no matter how you look at it. From a purist's point of view, it certainly does break the peer to peer model of the internet. But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead simple to implement.
Excuse me, but I believe Russians are the DDoS attackers, especially lately, when they are bombing Estonian IT networks because of their stupid monument.
I live in Estonia, and no, I don't speak the Russian language.
Now, maybe a big part of the world doesn't even know where Estonia is, but we are quite an advanced IT country; here are some examples:
* We've got national ID cards - and loads of services that use them for identification
* We just launched a cellphone-based ID service that basically replaces the need for a smart card reader and allows identification from anywhere in Estonia.
* We have E-Government
* Our internet banks are surely in the top 3 world wide from feature perspective
* And last, but not least, there's Skype
The CanSecWest presentation that started all this is available here.