Slashdot Mirror

← Back to Stories (view on slashdot.org)

IPv6 Flaw Could Greatly Amplify DDoS Attacks

Posted by Zonk on from the please-avoid-the-obvious-holes dept.

tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"

36 of 258 comments (clear)

  1. s anybody surprised that Paul Vixie by Anonymous Coward · · Score: 5, Funny

    was involved? If it weren't for those guys at sendmail, he'd be the number one source of Unix(tm) root exploits.

    1. Re:s anybody surprised that Paul Vixie by MROD · · Score: 4, Interesting

      Sendmail was the right tool for its time.

      This was a time when there were huge numbers of different network address formats which had to have mail routed to/from/between. That's why it's all about rewriting addresses and not about processing the message. It is also why it's so complex as it had to be flexible enough to handle IP, Usenet (i.e. bang paths), reversed domain-type addressing so you needed a complex language to deal with it.)

      Remember also, this was an age before the virus and when the most malicious thing was the war dialler or phone phreaker with his trusty 300baud accoustic coupler modem. Built in security and thinking about buffer overflows weren't really even in the background of the programmers minds back then.

      Times have changed, hence Sendmail just isn't an appropriate tool anymore, just like the stage coach. It doesn't mean that it's bad software.

      --

      Agrajag: "Oh no, not again!"
  2. Re:Greedy Estonian teenage overlords! by HomelessInLaJolla · · Score: 4, Funny

    I for one welcome our greedy teenage northern European Baltic overlords!

    They make awesome glaag.

    --
    the NPG electrode was replaced with carbon blac
  3. $300 Linux box... as if by Ice+Wewe · · Score: 5, Funny

    Please, if he were really that smart, he'd use an OLPC!

  4. Estonia? by Anonymous Coward · · Score: 5, Funny

    Clearly the problem here lies with Estonia, not IPv6.

  5. NOT COOL. by game+kid · · Score: 5, Funny

    Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'

    That roughly translates to "It's so easy, an Estonian can do it".

    Someone is gonna be buying them roast duck (with the mango salsa) soon.

    --
    You can hold down the "B" button for continuous firing.
    1. Re:NOT COOL. by Professor_UNIX · · Score: 5, Funny

      Seriously though, estonia? Raise your hand if you know where that is.
      Maybe he meant to say Elbonia.
    2. Re:NOT COOL. by ObjetDart · · Score: 3, Insightful
      I'm an American.

      I know where Estonia is.

      I, like a significant percentage of my fellow citizens, do not support Bush, his administration, nor the neo-con obsession with war-as-a-solution-to-everything.

      You sound like a bigot and I resent your smug stereotyping of Americans.

      --
      I read Usenet for the articles.
    3. Re:NOT COOL. by dch24 · · Score: 5, Funny

      I'm an American.

      I know where Estonia is. You insensitive clod.
      There. Fixed that for ya.
    4. Re:NOT COOL. by QuickFox · · Score: 3, Insightful

      You're right. I'm sorry. Sometimes frustration makes me overreact. My reaction was stupid. It's not the American people I'm frustrated with, it's the Bush administration. It does irk me that the American people re-elected such a destructive administration, but they were swayed by very skillful propaganda. It's no excuse for my stupidly generalizing outburst.

      You're right. I'm sorry.

      --
      Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
    5. Re:NOT COOL. by hardburn · · Score: 4, Insightful

      Quick! Find Liechtenstein on a map. How about San Marino? No cheating with Google Maps.

      There are a lot of countries and even more cultures within countries. Nobody can be expected to know all of them. While many Americans should be ashamed of not being able to find Iraq on a map, plenty of other countries play a much smaller role in world politics and nobody should blame anyone for not knowing about them.

      --
      Not a typewriter
    6. Re:NOT COOL. by Echnin · · Score: 4, Informative

      I was there for a couple of days in June last year. I was surprised to see that Linux is actually quite popular; they were selling Linux machines in the mall. The people were also very nice, and I enjoyed myself there. A half-litre of Staropramen was about an euro fifty, which added to the enjoyment. We were staying in a school there, and they had a very well-maintained computer lab (the machines weren't the fastest in the world admittedly, but more than adequate) which dual-booted XP and... I think Fedora or something. Now, Estonia is geographically a Baltic state, but culturally and linguistically they are very close to Finland, a Nordic state which as I expect most of you would know is the home of Linus Torvalds. Perhaps they feel a connection to Linus? Any Estonians here who want to shed some light on this?

      --
      Lalala
    7. Re:NOT COOL. by ivothamdrup · · Score: 5, Informative

      He may have chosen Estonia in particular because there's recently (in the last week) been DDoS attacks targeting Estonia's government websites.

      Those attacks were (still are, actually) carried out not by local "greedy teenagers", but top-level Russian authorities. The large-scale attacks were traced to IP addresses in Moscow owned by the Russian presidential administration and government.

  6. Better idea by Watson+Ladd · · Score: 4, Interesting

    Don't route stuff stupidly. Instead of banning RH0, make sure it doesn't do redundant routes.

    --
    Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    1. Re:Better idea by Tuoqui · · Score: 4, Informative

      I think the idea of RH0 is the fact that you can specify an exceptionally long route rather than using the shortest possible route to your path.

      Imagine a network of 9 computers in a mesh topology. Now imagine instead of taking at most 4 hops to get to your destination you can specify it to go through every single computer on the network for a maximum of 9-10 hops. Because all of this traffic passes through each computer in the network you have amplified the power of your DoS attack by a factor of 2-3x because you are increasing the network congestion as well as potential collisions and everything else.

      Now imagine the internet. I can believe it would amplify the power of DoS attacks by 80x or more if this were permitted. The fact remains is that a good network administrator will let the routers know the best routes. Why specify the route with RH0 when the routers are already built to know the best possible route (through protocols like OSPF and BGP you can even have the routers let each other know about potential problems in the network).

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
    2. Re:Better idea by Breakfast+Pants · · Score: 4, Informative

      From TFS, Originally envisioned as a way to let mobile users to retain a single IP for their devices...

      --

      --

      WHO ATE MY BREAKFAST PANTS?
  7. A better idea. by mustafap · · Score: 4, Funny

    Leave it in, but advise people to disable it for network security.

    That already works for other problems, right?

    --
    Open Source Drum Kit, LPLC deve board - mjhdesigns.com
    1. Re:A better idea. by Anonymous Coward · · Score: 3, Interesting

      The problem is that it's a mandatory part of the spec. BTW, Microsoft is not affected: The Windows IPv6 stack doesn't implement that feature. (It is the equivalent to source routing in IPv4, which is not allowed anywhere.)

  8. Insensitive Clod by Anonymous Coward · · Score: 5, Funny

    Where can I get one of these $300 Estonian Linux machines? To heck with Dellbuntu.

  9. Re:Just what we need! by McGiraf · · Score: 3, Funny

    hey! It's not nice to call people nerds.

  10. Who gives a $%##? by toadlife · · Score: 3, Insightful

    Why you say?

    Because IPv6 will never be implemented widely anyway.

    Why will it not you say?

    Because too many people are happy with the current IPv4 + NAT insanity that is in place now. Nevermind the fact that the insanely ridiculous kludge that is NAT and all of the insanely ridiculous mini-kludges (DynDNS, UDP Connection "Warming", etc.) that currently keep the internet glued together and working (sort of) like it is supposed to work probably cost as much or more time and energy that a multi-year dual-stack IPv4 to IPv6 transition would.

    Ok, I'm done ranting.

    Have a great weekend everyone! :)

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    1. Re:Who gives a $%##? by kestasjk · · Score: 3, Insightful

      I predict mobile carriers and devices will use it for VoIP, where it's a necessity, everyone else will follow.

      --
      // MD_Update(&m,buf,j);
    2. Re:Who gives a $%##? by Organic+Brain+Damage · · Score: 5, Interesting

      Nevermind the fact that the insanely ridiculous kludge...

      Check our DNA. We are, essentially, insanely ridiculous kludges. Nothing but organically accreted fixes to a long series of problems. Why should anyone be surprised that our technology mirrors this fundamental aspect of our selves?
    3. Re:Who gives a $%##? by toadlife · · Score: 3, Insightful

      NAT is *not* a security mechanism.

      Th "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  11. The IETF screwed the pooch on this one by possible · · Score: 4, Insightful

    As I understand it, it is not sufficient to simply ignoring the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.

    However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".

    In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).

    1. Re:The IETF screwed the pooch on this one by Trepalium · · Score: 4, Insightful

      Standards bodies attract certain types of people, and it's no real surprise that the IETF is infested with them now. Read an ITU standard some day if you want to know how bad it can be. There's a reason why we use TCP/IP instead of the OSI protocol, why we use SMTP instead of X.400, LDAP instead of X.500, etc. For a rather depressing story about standards bodies, read the Wikipedia article about ATM about the choice of 48-byte payloads. I seriously doubt the IETF will ever be able to exercise these people from it's midst. Many of them were placed there to represent the interests of a particular corporation. Even if you replace the IETF with another standards organization, these same people would simply be moved into that organization.

      --
      I used up all my sick days, so I'm calling in dead.
  12. An article that discusses the actual vulnerability by slashdotmsiriv · · Score: 4, Informative

    http://www.potaroo.net/ispcol/2007-05/6pong.html

  13. Nothing New by jjeffrey · · Score: 4, Interesting

    How is this different to source routing packets in IPv4? Surely people will just configure firewalls and hosts to drop these packets in exactly the same way as is done for IPv4 now.

  14. Re:How many people use IPv6 by jguthrie · · Score: 3, Insightful

    I've been using IPv6 for nearly a decade, but most of the IPv6 traffic on my LAN is local to the LAN. There are very few interesting places on the Internet that have IPv6 addresses and fewer end users coming from IPv6 capable nodes.

  15. The Japanese? by jd · · Score: 4, Insightful
    They already deploy IPv6 nationally. Just because the US domestic market is more sluggish than a salted slug, it would be wrong to assume everyone else is as bad.

    What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.

    • IPSec
    • Anycasting
    • Multicasting the ISPs can't turn off
    • Mobile IP
    • Mobile Networks
    • Extensible Headers
    • Router Discovery
    • Automatic Configuration
    • Per-destination MTU optimization

    There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  16. Re:What's with all the anti-IPv6 stuff lately? by laffer1 · · Score: 3, Informative

    People are actually starting to look at IPv6 security. The recent OpenBSD issues highlighted the problem. OpenBSD, FreeBSD and MidnightBSD should all be patched for this issue. OpenBSD chose to turn it off completely for now. There is some talk about adding support to PF for blocking specific traffic. FreeBSD and MidnightBSD both used a patch that adds a new sysctl to disable the feature by default, but still allow it. As I recall, the reason its in the spec to begin with is for research purposes. I don't follow DragonFly or NetBSD enough to know if they've patched yet.

    --
    MidnightBSD: The BSD for Everyone
  17. Early IPv6 drafts had limited the Type 0 route len by Jim+Logajan · · Score: 5, Informative

    Some history and information:

    The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.

    The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8 but unsigned integer (i.e. 255 times).

    While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.

    One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL or own any equity or options on equity in the company).

  18. Don't confuse Estonians with Russians by Goonie · · Score: 4, Informative
    Estonians don't like Russians very much. They got squished between Hitler and Stalin during WWII, and ended up part of the Soviet Union for 50 years, during which their language was suppressed, hundreds of thousands of Russians were brought in, and ran the place with their typical environmental consciousness and regard for the local ways (none at all, in other words). So mistaking Estonians for Russians isn't likely to be particularly popular with Estonians.

    In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.

    --

    Any sufficiently advanced technology is indistinguishable from a rigged demo
    --Andy Finkel (J. Klass?)
    1. Re:Don't confuse Estonians with Russians by teh+kurisu · · Score: 3, Funny

      ...when Soviet Russia occupied their country (and probably still do, but now via cable legally).

      Now that's the way to occupy a country!

  19. Estonian is like Finnish indeed - Not Russian by Siker · · Score: 3, Interesting

    My mother speaks Estonian and can with some level of adaptation understand and express herself in a way that is understood by the Finnish, which I know for certain as my father is Finnish. Unfortunately, as I grew up in Sweden and was too much of an ungrateful kid to actually learn the languages of my parents, I can't directly comment on the similarity of the languages.

    I second the opinion that the reference to an 'Estonian teenager' isn't very appropriate. It continues a strong, traditional and completely wrong tradition to separate 'us' and 'them'.

  20. Original CanSecWest presentation by mrogers · · Score: 3, Informative

    The CanSecWest presentation that started all this is available here.