SlideShare une entreprise Scribd logo

Attacking IPv6 Implementation Using Fragmentation

M
michelemanzotti

This document provides an overview of attacking IPv6 implementations using fragmentation. It begins with background on fragmentation in IPv4 and IPv6. The presenter then examines fragmentation issues in popular OS implementations through examples. Target OSes include Ubuntu, FreeBSD, OpenBSD and Windows. Small fragments and overlapping fragments are demonstrated. The document discusses the security implications of these attacks, such as firewall evasion. It also covers different reassembly policies using the Paxson/Shankar model of fragmentation. The overall summary is that fragmentation can be used to bypass security controls by manipulating the packet payload across fragments.

Technologie
1  sur  82
Télécharger pour lire hors ligne
ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science
Bio • Independent IT Security analyst and researcher. • Over 20 years of diverse Information Technology experience. • Instructor and software developer, etc. • Hobbies: bug-finding. • Recently joined the Centre for Strategic Cyberspace + Security Science non-profit organisation. • E-mail: antonios.atlasis@cscss.org
Presentation Outline • Some background regarding fragmentation in IPv4 and its consequences. • Fragmentation in IPv6. • Examination of fragmentation issues in IPv6 implementation against some of the most popular OS – Examples. • Conclusions
Some Background
IP Fragmentation • Usually a normal event. • Required when the size of the IP datagram is bigger than the Maximum Transmission Unit (MTU) of the route that the datagram has to traverse (e.g. Ethernet MTU=1500 bytes). • Packets reassembled by the receiver.
Fragmentation in IPv4 • Share a common fragment identification number (which is the IP identification number of the original datagram). • Define its offset from the beginning of the corresponding unfragmented datagram, the length of its payload and a flag that specifies whether another fragment follows, or not. • In IPv4, this information is contained in the IPv4 header.
IPv4 Header RFC 791 0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1 0 0 0 Verson IHL Type of Service Total Length Identification x D M Fragment Offset TTL Protocol Header Checksum Source Address Destination Address IP Options (optional) Don't Fragment Don't Fragment More Fragments to Follow
IPv4 Fragmentation e.g. MTU: 1500 bytes (Ethernet) Unfragmented packet IPv4 Embedded protocol plus payload header (e.g.3200 bytes) IPv4 Fragment 1 header MF=1, MF=0 IPv4 Fragment 2 Offset=2960 offset =0 header length=1480 Length=240 MF=1, Offset=1480, IPv4 Fragment 3 length=1480 header
(some of the) Consequences of malformed fragmentation
When it all started • “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, by Thomas H. Ptacek, Timothy N. Newsham, , Secure Networks, Inc. , January, 1998. • Three classes of attacks were defined against IDS/IPS: – insertion, – evasion and – Denial of Service attacks.
Insertion • When an IDS accepts a packet that the end- system rejects. • An attacker can use this type of attacks to defeat signature analysis and to pass undetected through an IDS.
Insertion Target Ouch! IDS E X P LO R I T E X P L OX I T R The target rejects character “R”, which IDS accepts; this breaks the IDS signature. Signature content: EXPLOIT
Evasion • When an end-system accepts a packet that an IDS rejects. • Such attacks are exploited even more easily that insertion attacks.
Evasion Target Ouch! IDS X E X P LO IT E XPL OIT The target accepts character “O”, which IDS rejects; this breaks the IDS signature. Signature content: EXPLOIT
Fragmentation Attacks • Disordered arrival of fragments. • IDS flooding by partial fragmented datagrams. • Selective dropping of old and incomplete fragmented datagram. • Overlapping fragments. • IP Options in Fragment Streams.
What Changes in IPv6 (regarding fragmentation)
In IPv6 • Fragmentation fields (offset, D and M bits) have been totally removed. • IPv6 header length is limited to 40 bytes, BUT the use of Extension Headers has been introduced. • These IPv6 Extension Headers add additional functionality.
IPv6 Extension Headers • IPv6 header • Hop-by-Hop Options header • Destination Options header • Routing header • Fragment header • Authentication header • Encapsulating Security Payload header • Destination Options header (processed only by the receiver). This is the recommended order • Upper-layer header by RFC2460
IPv6 Fragment Header • 0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1 0 0 0 • Next Header Reserved Fragment Offset Res M Identification • M: More Fragment bit. • Fragment offset: Offset in 8-octet units. • The is no DF (Don't Fragment) bit, because in IPv6 the fragmentation is performed only by the source nodes and not by the routers along a packet's delivery path. Each fragment, except possibly the last one, is an integer multiple of 8 octets long.
IPv6 Fragmentation Unfragmented packet Unfragmentable Fragmentable part part IPv6 header + some of the extension headers Unfragmentable Fragment Fragment 1 part Header Unfragmentable Fragment Fragment 2 part Header Unfragmentable Fragment Fragment 3 part Header
Recommended Handling of IPv6 Fragmentation • IPv6 attempts to minimise the use of fragmentation by: – Minimising the supported MTU size to 1280 octets or greater. If required, link-specific fragmentation and reassembly must be provided at a layer below IPv6. – Allowing only the hosts to fragment datagrams.
Recommended Handling of IPv6 Fragmentation • RFC5722 recommends that overlapping fragments should be totally disallowed: – when reassembling an IPv6 datagram, if one or more of its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments, including those not yet received) must be silently discarded.
Let's play a bit!
Our Targets Ubuntu 10.04.3 LTS FreeBSD 8.2-p3 OpenBSD 5.0 Windows 7 2.6.32-38 i386 i386 i386 i386 IPv6: fec0::2/64 IPv6: fec0::4/64 IPv6: fec0::5/64 IPv6: fec0::6/64 Ubuntu 11.10 FreeBSD 9 3.0.0-15 i386 amd64 IPv6: fec0::3/64 IPv6: fec0::7/64
Our Attacking Tool • Scapy – A powerful interactive packet manipulation program. – http://www.secdev.org/projects/scapy/
The Used Protocol for our Testing Purposes • As an upper-layer protocol, the ICMPv6 was used (Echo Request type): – It is the simplest protocol that can invoke a response. – It also echoes back the payload of the Echo Request packet • Hence, using unique payload per packet, the fragmentation reassembly policy of the target can be easily identified.
Using Tiny Fragmentation (without overlapping)
Using of Small Fragments 8 bytes time 8 bytes Payload of fragment 2 = payload of ICMPv6 Payload of fragment 1 = ICMPv6 Header IPv6 net packet payload per fragment
The Code #!/usr/bin/python IPv6 header payload: 16 bytes from scapy.all import * 8 bytes fragment header + 8 bytes #IPv6 parameters embedded protocol sip="fec0::1" dip="fec0::2" conf.route6.add("fec0::/64",gw="fec0::1") Offset: 1 octet payload1="AAAAAAAA" no overlapping ipv6_1=IPv6(src=sip, dst=dip, plen=16) icmpv6=ICMPv6EchoRequest(cksum=0x7d2b) #Fragment frag1=IPv6ExtHdrFragment(offset=0, m=1, id=502, nh=58) frag2=IPv6ExtHdrFragment(offset=1, m=0, id=502, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload1 send(packet1) send(packet2)
Demo: tiny fragmentation
Results • All of the tested OS sent an echo reply to the sender. • Hence, all major OS accept fragments as small as 56 bytes (including IPv6 header = 40 bytes IPv6 Header + 8 bytes Fragment Header + 8 bytes of ICMPv6 Header).
So, what's the big deal?
Tiny Fragmentation Consequences • In IPv4, the embedded protocol's header, e.g. st TCP (or at least a part of it) has to be in the 1 fragment. • Firewall evasions could occur if a subsequent fragment would overwrite the TCP header (e.g. the destination port, the SYN/ACK flags, etc.) • To this end, RFC 1858 defined that: IF FO=1 and PROTOCOL=TCP then DROP PACKET.
Tiny Fragmentation Consequences in IPv6 • At least one extension header can follow the Fragment Header: The Destination header. • But, the total length of the Destination Options header can reach 264 bytes (RFC 2462). • Hence, using 8-bytes fragments, we can split the Destination Option headers to 33 fragments!
What does this mean? • The layer-4 protocol header will start at the 34th fragment! • And unless Deep Packet Inspection (= complete IP datagram reassembly before forwarding it), this can lead to firewall evasion, without having to overlap any fragments (as it was the case in IPv4)!
What does this mean? • This number can increase if we increase the number of the used extension headers that follow the fragment extension header (although not recommended by RFC 2460, but, who cares?).
Creating a very simple fragmentation overlapping
Testing Fragmentation Overlapping 12 overlapping Payload of fragment 2 time 10 8 6 Payload of fragment 1 Column 1 Column 2 Column 3 4 IPv6 net packet payload per fragment 2 0 Row 1 Row 2 Row 3 Row 4
(part of) the code payload1 = '' for i in range(1272): payload1 = payload1 + 'A' 8 bytes fragment header + payload2 = '' 1280 bytes of payload = 160 octets of payload for i in range(1280): payload2 = payload2 + "B" ipv6_1=IPv6(src=sip, dst=dip, plen=1288) icmpv6=ICMPv6EchoRequest(cksum=0x5610, data=payload1) #Fragment frag1=IPv6ExtHdrFragment(offset=0, m=1, id=511, nh=58) frag2=IPv6ExtHdrFragment(offset=1, m=0, id=511, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload2 Correct offset = 160 send(packet1) send(packet2)
Demo: Simple fragmentation overlapping
Results • FreeBSD, Ubuntu 11.10 and Windows 7 were immune to this attack. • Ubuntu 10.04 and OpenBSD were susceptible to these attacks. – These two OS accept the fragmentation overlapping with the first fragment overwriting the second one.
and so? • Acceptance of fragmentation by two of our 12 targets implies that this attack can be used: 10 – For OS fingerprinting purposes 8 – For IDS Insertion / Evasion purposes (depending Column 1 6 for example on whether Ubuntu 10.04 is used as Column 2 Column 3 4 the host OS of the IDS or as a guest OS). • The fact that the 1st fragment overlaps the 2 0 second, seems that on its own cannot be exploited for firewall evasion purposes. Row 1 Row 2 Row 3 Row 4
The Paxson/Shankar Model
The Paxson/Shankar Model • At least one fragment that is wholly overlapped by a subsequent fragment with an identical offset and length. • At least one fragment that is partially overlapped by a subsequent fragment with an offset greater than the original. • At least one fragment this is partially overlapped by a subsequent fragment with an offset less than the original.
The Paxson/Shankar Model
Fragment Reassembly Methods • BSD favors an original fragment EXCEPT when the subsequent segment begins before the original segment. • BSD-right favors the subsequent segment EXCEPT when the original segment ends after the subsequent segment, or begins before the original segment and ends the same or after the original segment. • Linux favors the subsequent segment EXCEPT when the original segment begins before, or the original segment begins the same and ends after the subsequent segment. • First favors the original fragment. • Last favors the subsequent fragment.
The Paxson/Shankar Model • BSD policy: 111442333666 • BSD-right policy: 144422555666 • Linux policy: 111442555666 • First policy: 111422333666 • Last policy: 144442555666
(part of) the Code payload1 = "AABBCCDD" payload2 = "BBAACCDD" ... payload6 = "AADDBBCC" ... #Fragments icmpv6=ICMPv6EchoRequest(cksum=csum, data=payload1+payload1) frag1=IPv6ExtHdrFragment(offset=0, m=1, id=myid, nh=58) frag2=IPv6ExtHdrFragment(offset=4, m=1, id=myid, nh=58) frag3=IPv6ExtHdrFragment(offset=6, m=1, id=myid, nh=58) frag4=IPv6ExtHdrFragment(offset=1, m=1, id=myid, nh=58) frag5=IPv6ExtHdrFragment(offset=6, m=1, id=myid, nh=58) frag6=IPv6ExtHdrFragment(offset=9, m=0, id=myid, nh=58) ipv6_1=IPv6(src=sip, dst=dip, plen=2*8+8+8) ipv6_1=IPv6(src=sip, dst=dip, plen=2*8+8) packet2=ipv6_1/frag2/(payload2+payload2) ipv6_1=IPv6(src=sip, dst=dip, plen=3*8+8) packet3=ipv6_1/frag3/(payload3+payload3+payload3) ipv6_1=IPv6(src=sip, dst=dip, plen=4*8+8) packet4=ipv6_1/frag4/(payload4+payload4+payload4+payload4) ipv6_1=IPv6(src=sip, dst=dip, plen=3*8+8) packet5=ipv6_1/frag5/(payload5+payload5+payload5) ipv6_1=IPv6(src=sip, dst=dip, plen=3*8+8) packet6=ipv6_1/frag6/(payload6+payload6+payload6)
Demo: The Paxson/Shankar Model
Received ICMPv6 Responses • Ubuntu 10.04 • OpenBSD 5
Results • FreeBSD, Windows 7 and Ubuntu 11.10 are immune to these attacks. • Ubuntu 10.04 and OpenBSD are susceptible to these attacks. – OpenBSD: BSD reassembly policy – Ubuntu 10.04: Linux reassembly policy
So, up to now it seems that linux kernel 2.6.40, FreeBSD 8.2/9 and Windows 7 are immune to fragmentation overlapping attacks, right?
A simple 3-packet model where the parameters of the one fragment are varied.
A simple 3-packet model
Brief summary of Ubuntu 10.04 responses • The non-favoured packets are not discarded completely but they trimmed. • The Linux reassembly policy was confirmed nd with one exception (when the 2 fragment has a 0 offset and M=1). • Three notable behaviours are when atomic fragments overlap with other. In these cases we have two separate responses from the target.
Sample of Ubuntu 10.04 Responses
Sample of Ubuntu 10.04 Responses
Sample of Ubuntu 10.04 Responses Atomic fragments
Demo: Two responses from Ubuntu 10.04 in case of atomic fragments overlapping with others
Brief summary of OpenBSD 5 responses • Follows the BSD policy. • The non-favoured packets are not discarded completely but they trimmed. • No exceptions (e.g. in case of atomic fragments).
Sample of FreeBSD Responses
Brief summary of FreeBSD responses • It discards the overlapping fragment (as it should), but it doesn't discard the previous and the subsequent ones (as it also should, according to RFC5722). • This is the reason why in almost all the cases, fragments 1 and 3 are accepted (which do not overlap).
Ubuntu 11.10 Responses • Two responses when the one is an atomic fragment (offset = M = 0). • Should be discarded silently, according to the RFC 5722.
Windows 7 Responses • Responses when M=1 and the second fragment overlaps only with the first one, partially or completely, but without exceeding the last byte of the first offset. • It seems that they complies with RFC 5722 EXCEPT when only the 1st fragment is overlapped.
Windows 7 Responses • It seems that Windows 7 comply with RFC 5722 (discarding all the fragments, when overlapping occurs), unless only the 1st fragment is overlapped.
Demo: Ubuntu 11.10 and Windows 7 testing
Reversing the sending order of the fragments
Ubuntu 11.10 responses for reverse sending order • More responses are received than when the normal sending order is used. – When atomic fragments overlap with non-atomic ones. – In most of the other cases, only the overlapping fragment is discarded.
Sample of Ubuntu 11.10 Responses when reversing the order
Windows 7 Responses when reversing the order • Responses when fragments 2 and 3 completely and exactly overlap, in which case Windows 7 considering them probably as repeated packets.
Some final tests
Fragmentation Overlapping Sending Double Packets 1280 bytes Payload of fragment 1 1280 bytes time 8-octets bytes offset Payload of fragment 2 1280 bytes Payload of fragment 2 1280 bytes Payload of fragment 1 IPv6 net packet payload per fragment
(part of) the code ipv6_1=IPv6(src=sip, dst=dip, plen=1288) icmpv6=ICMPv6EchoRequest(cksum=0xb47b, data=payload1)#fec0::3 #Fragment frag1=IPv6ExtHdrFragment(offset=0, m=1, id=712, nh=58) frag2=IPv6ExtHdrFragment(offset=8, m=0, id=712, nh=58) frag3=IPv6ExtHdrFragment(offset=160, m=0, id=712, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload2 packet3=ipv6_1/frag3/payload2 send(packet1) send(packet2) send(packet3) send(packet1)
Results • Ubuntu 10.04 and OpenBSD 5 send two responses back. • The two FreeBSDs send back a response even if the packet numbered 4 is not sent, showing again that they just discard the overlapping fragment. • Ubuntu 11.10 and Windows 7 do send a response only if all the four packets are sent (including the last one, with the 0 offset). • If the packet numbered 1 is not sent, none of the three sends back a response.
Demo: Sending double overlapping packets
Conclusions
Conclusions (1/5) • All the tested OS accepted really tiny fragments (e.g. two octets longs) which, under specific circumstances (i.e. when deep- packet inspection is not performed) and especially when combined with the use of other IPv6 extension headers, can lead to firewall evasion. • None of the tested OS is RFC 5722 compliant.
Conclusions (2/5) • Ubuntu 10.04 LTS (using linux kernel 2.6.32) and OpenBSD 5 were proven the most susceptible to fragmentation overlapping attacks among the tested OS, each one following the corresponding well-known reassembly policies (Linux and BSD respectively).
Conclusions (3/5) • FreeBSD 8.2/9 discards any overlapping fragments appearing to have the most consistent behaviour. • Although this is a very good practice, it does not fully comply with RFC 5722 which suggest the rejection of any constituent fragments too (including the ones not yet received).
Conclusions (4/5) • The two Ubuntu send two responses back when atomic fragments overlap with non- atomic ones. • The behaviour of Ubuntu 11.10 seems to deteriorate significantly when the sending order of the fragments is reversed. • Windows 7, although seem to have the fewer issues, there are cases that they also accept overlapping fragments.
Conclusions (5/5) • The impact of these issues, since it varies between the tested OS, starts from OS fingerprinting and can be extended, if used properly, to IDS insertion / evasion and in some cases, even to firewall evasions. • OS vendors need to create fully RFC compliant products.
Please complete the speakers' feedback survey forms. Thank you! antonios.atlasis@cscss.org

Recommandé

Living things and non living things
Living things and non living thingsLiving things and non living things
Living things and non living thingsMaría José Mora
 
A&M Records Inc v Napster
A&M Records Inc v NapsterA&M Records Inc v Napster
A&M Records Inc v NapsterBhaumik Oza
 
Paper review
Paper reviewPaper review
Paper reviewNadia Nahar
 
Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Jimmy Shah
 
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiStonesoft
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 

Recommandé

Living things and non living things
Living things and non living thingsLiving things and non living things
Living things and non living thingsMaría José Mora
 
A&M Records Inc v Napster
A&M Records Inc v NapsterA&M Records Inc v Napster
A&M Records Inc v NapsterBhaumik Oza
 
Paper review
Paper reviewPaper review
Paper reviewNadia Nahar
 
Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Jimmy Shah
 
Radware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware DefensePipe: Cloud-Based Attack Mitigation Solution
Radware DefensePipe: Cloud-Based Attack Mitigation SolutionRadware
 
Anti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiAnti evasion and evader - klaus majewski
Anti evasion and evader - klaus majewskiStonesoft
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
THE VEIL FRAMEWORK
THE VEIL FRAMEWORKTHE VEIL FRAMEWORK
THE VEIL FRAMEWORKSukesh Shetty
 
Veil Evasion and Client Side Attacks
Veil Evasion and Client Side AttacksVeil Evasion and Client Side Attacks
Veil Evasion and Client Side Attacksn|u - The Open Security Community
 
Polygon filling
Polygon fillingPolygon filling
Polygon fillingMohanlal Sukhadia University (MLSU)
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxingNick Straughan
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate TrainingNCS Computech Ltd.
 
FortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZFortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZIPMAX s.r.l.
 
Change Management PPT Slides
Change Management PPT SlidesChange Management PPT Slides
Change Management PPT SlidesYodhia Antariksa
 
Internet protocol
Internet protocolInternet protocol
Internet protocolOnline
 
IPv6 The Big Move
IPv6 The Big MoveIPv6 The Big Move
IPv6 The Big Movefrenildand
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewEric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewIPv6 Conference
 
3.Network
3.Network3.Network
3.Networkphanleson
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
IPv6
IPv6IPv6
IPv6Ahmad Haghighi
 
10 coms 525 tcpip - internet protocol - ip
10 coms 525 tcpip - internet protocol - ip10 coms 525 tcpip - internet protocol - ip
10 coms 525 tcpip - internet protocol - ipPalanivel Kuppusamy
 
Tech f42
Tech f42Tech f42
Tech f42SelectedPresentations
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseThierry Zoller
 

Contenu connexe

En vedette

2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuceDb Cooper
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
FortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZFortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZIPMAX s.r.l.
 
Change Management PPT Slides
Change Management PPT SlidesChange Management PPT Slides
Change Management PPT SlidesYodhia Antariksa
 

En vedette (10)

THE VEIL FRAMEWORK
THE VEIL FRAMEWORKTHE VEIL FRAMEWORK
THE VEIL FRAMEWORK
 
Veil Evasion and Client Side Attacks
Veil Evasion and Client Side AttacksVeil Evasion and Client Side Attacks
Veil Evasion and Client Side Attacks
 
Polygon filling
Polygon fillingPolygon filling
Polygon filling
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
FortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZFortiGate Firewall HOW-TO - DMZ
FortiGate Firewall HOW-TO - DMZ
 
Change Management PPT Slides
Change Management PPT SlidesChange Management PPT Slides
Change Management PPT Slides
 

Similaire à Attacking IPv6 Implementation Using Fragmentation

Internet protocol
Internet protocolInternet protocol
Internet protocolOnline
 
IPv6 The Big Move
IPv6 The Big MoveIPv6 The Big Move
IPv6 The Big Movefrenildand
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewEric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewIPv6 Conference
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
10 coms 525 tcpip - internet protocol - ip
10 coms 525 tcpip - internet protocol - ip10 coms 525 tcpip - internet protocol - ip
10 coms 525 tcpip - internet protocol - ipPalanivel Kuppusamy
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseThierry Zoller
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).pptDeep Rajan
 
Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Rimba Ari
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data DATA SECURITY SOLUTIONS
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityBrent Salisbury
 

Similaire à Attacking IPv6 Implementation Using Fragmentation (20)

Internet protocol
Internet protocolInternet protocol
Internet protocol
 
IPv6 The Big Move
IPv6 The Big MoveIPv6 The Big Move
IPv6 The Big Move
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
 
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewEric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of View
 
3.Network
3.Network3.Network
3.Network
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
IPv6
IPv6IPv6
IPv6
 
10 coms 525 tcpip - internet protocol - ip
10 coms 525 tcpip - internet protocol - ip10 coms 525 tcpip - internet protocol - ip
10 coms 525 tcpip - internet protocol - ip
 
Tech f42
Tech f42Tech f42
Tech f42
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash Course
 
Internetworking - IP
Internetworking - IPInternetworking - IP
Internetworking - IP
 
Network Layer And I Pv6
Network Layer And I Pv6Network Layer And I Pv6
Network Layer And I Pv6
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).ppt
 
IPv6 Security und Hacking
IPv6 Security und HackingIPv6 Security und Hacking
IPv6 Security und Hacking
 
6lowpan introduction
6lowpan introduction6lowpan introduction
6lowpan introduction
 
Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01Ipv6 1-091110143246-phpapp01
Ipv6 1-091110143246-phpapp01
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 
The Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on SecurityThe Potential Impact of Software Defined Networking SDN on Security
The Potential Impact of Software Defined Networking SDN on Security
 

Plus de michelemanzotti

All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...michelemanzotti
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun michelemanzotti
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controllermichelemanzotti
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controllermichelemanzotti
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?michelemanzotti
 
Federate Identity and Access Management
Federate Identity and Access ManagementFederate Identity and Access Management
Federate Identity and Access Managementmichelemanzotti
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocolmichelemanzotti
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazionemichelemanzotti
 
L'impatto dei Servizi Applicativi
L'impatto dei Servizi ApplicativiL'impatto dei Servizi Applicativi
L'impatto dei Servizi Applicativimichelemanzotti
 

Plus de michelemanzotti (11)

Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Cryp...
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun GDI Font Fuzzing in Windows Kernel For Fun
GDI Font Fuzzing in Windows Kernel For Fun
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Lotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the ControllerLotus Domino: Penetration Through the Controller
Lotus Domino: Penetration Through the Controller
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
Federate Identity and Access Management
Federate Identity and Access ManagementFederate Identity and Access Management
Federate Identity and Access Management
 
Simple Network Management Protocol
Simple Network Management ProtocolSimple Network Management Protocol
Simple Network Management Protocol
 
Sistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di AutenticazioneSistema Federato Interregionale di Autenticazione
Sistema Federato Interregionale di Autenticazione
 
L'impatto dei Servizi Applicativi
L'impatto dei Servizi ApplicativiL'impatto dei Servizi Applicativi
L'impatto dei Servizi Applicativi
 

Dernier

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Dernier (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Attacking IPv6 Implementation Using Fragmentation

  • 1. ATTACKING IPV6 IMPLEMENTATION USING FRAGMENTATION Antonios Atlasis, antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science
  • 2. Bio • Independent IT Security analyst and researcher. • Over 20 years of diverse Information Technology experience. • Instructor and software developer, etc. • Hobbies: bug-finding. • Recently joined the Centre for Strategic Cyberspace + Security Science non-profit organisation. • E-mail: antonios.atlasis@cscss.org
  • 3. Presentation Outline • Some background regarding fragmentation in IPv4 and its consequences. • Fragmentation in IPv6. • Examination of fragmentation issues in IPv6 implementation against some of the most popular OS – Examples. • Conclusions
  • 5. IP Fragmentation • Usually a normal event. • Required when the size of the IP datagram is bigger than the Maximum Transmission Unit (MTU) of the route that the datagram has to traverse (e.g. Ethernet MTU=1500 bytes). • Packets reassembled by the receiver.
  • 6. Fragmentation in IPv4 • Share a common fragment identification number (which is the IP identification number of the original datagram). • Define its offset from the beginning of the corresponding unfragmented datagram, the length of its payload and a flag that specifies whether another fragment follows, or not. • In IPv4, this information is contained in the IPv4 header.
  • 7. IPv4 Header RFC 791 0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1 0 0 0 Verson IHL Type of Service Total Length Identification x D M Fragment Offset TTL Protocol Header Checksum Source Address Destination Address IP Options (optional) Don't Fragment Don't Fragment More Fragments to Follow
  • 8. IPv4 Fragmentation e.g. MTU: 1500 bytes (Ethernet) Unfragmented packet IPv4 Embedded protocol plus payload header (e.g.3200 bytes) IPv4 Fragment 1 header MF=1, MF=0 IPv4 Fragment 2 Offset=2960 offset =0 header length=1480 Length=240 MF=1, Offset=1480, IPv4 Fragment 3 length=1480 header
  • 9. (some of the) Consequences of malformed fragmentation
  • 10. When it all started • “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, by Thomas H. Ptacek, Timothy N. Newsham, , Secure Networks, Inc. , January, 1998. • Three classes of attacks were defined against IDS/IPS: – insertion, – evasion and – Denial of Service attacks.
  • 11. Insertion • When an IDS accepts a packet that the end- system rejects. • An attacker can use this type of attacks to defeat signature analysis and to pass undetected through an IDS.
  • 12. Insertion Target Ouch! IDS E X P LO R I T E X P L OX I T R The target rejects character “R”, which IDS accepts; this breaks the IDS signature. Signature content: EXPLOIT
  • 13. Evasion • When an end-system accepts a packet that an IDS rejects. • Such attacks are exploited even more easily that insertion attacks.
  • 14. Evasion Target Ouch! IDS X E X P LO IT E XPL OIT The target accepts character “O”, which IDS rejects; this breaks the IDS signature. Signature content: EXPLOIT
  • 15. Fragmentation Attacks • Disordered arrival of fragments. • IDS flooding by partial fragmented datagrams. • Selective dropping of old and incomplete fragmented datagram. • Overlapping fragments. • IP Options in Fragment Streams.
  • 16. What Changes in IPv6 (regarding fragmentation)
  • 17. In IPv6 • Fragmentation fields (offset, D and M bits) have been totally removed. • IPv6 header length is limited to 40 bytes, BUT the use of Extension Headers has been introduced. • These IPv6 Extension Headers add additional functionality.
  • 18. IPv6 Extension Headers • IPv6 header • Hop-by-Hop Options header • Destination Options header • Routing header • Fragment header • Authentication header • Encapsulating Security Payload header • Destination Options header (processed only by the receiver). This is the recommended order • Upper-layer header by RFC2460
  • 19. IPv6 Fragment Header • 0 1 2 3 4 5 6 7 8 9 1 1 2 3 4 5 6 7 8 9 2 1 2 3 4 5 6 7 8 9 3 1 0 0 0 • Next Header Reserved Fragment Offset Res M Identification • M: More Fragment bit. • Fragment offset: Offset in 8-octet units. • The is no DF (Don't Fragment) bit, because in IPv6 the fragmentation is performed only by the source nodes and not by the routers along a packet's delivery path. Each fragment, except possibly the last one, is an integer multiple of 8 octets long.
  • 20. IPv6 Fragmentation Unfragmented packet Unfragmentable Fragmentable part part IPv6 header + some of the extension headers Unfragmentable Fragment Fragment 1 part Header Unfragmentable Fragment Fragment 2 part Header Unfragmentable Fragment Fragment 3 part Header
  • 21. Recommended Handling of IPv6 Fragmentation • IPv6 attempts to minimise the use of fragmentation by: – Minimising the supported MTU size to 1280 octets or greater. If required, link-specific fragmentation and reassembly must be provided at a layer below IPv6. – Allowing only the hosts to fragment datagrams.
  • 22. Recommended Handling of IPv6 Fragmentation • RFC5722 recommends that overlapping fragments should be totally disallowed: – when reassembling an IPv6 datagram, if one or more of its constituent fragments is determined to be an overlapping fragment, the entire datagram (and any constituent fragments, including those not yet received) must be silently discarded.
  • 23. Let's play a bit!
  • 24. Our Targets Ubuntu 10.04.3 LTS FreeBSD 8.2-p3 OpenBSD 5.0 Windows 7 2.6.32-38 i386 i386 i386 i386 IPv6: fec0::2/64 IPv6: fec0::4/64 IPv6: fec0::5/64 IPv6: fec0::6/64 Ubuntu 11.10 FreeBSD 9 3.0.0-15 i386 amd64 IPv6: fec0::3/64 IPv6: fec0::7/64
  • 25. Our Attacking Tool • Scapy – A powerful interactive packet manipulation program. – http://www.secdev.org/projects/scapy/
  • 26. The Used Protocol for our Testing Purposes • As an upper-layer protocol, the ICMPv6 was used (Echo Request type): – It is the simplest protocol that can invoke a response. – It also echoes back the payload of the Echo Request packet • Hence, using unique payload per packet, the fragmentation reassembly policy of the target can be easily identified.
  • 27. Using Tiny Fragmentation (without overlapping)
  • 28. Using of Small Fragments 8 bytes time 8 bytes Payload of fragment 2 = payload of ICMPv6 Payload of fragment 1 = ICMPv6 Header IPv6 net packet payload per fragment
  • 29. The Code #!/usr/bin/python IPv6 header payload: 16 bytes from scapy.all import * 8 bytes fragment header + 8 bytes #IPv6 parameters embedded protocol sip="fec0::1" dip="fec0::2" conf.route6.add("fec0::/64",gw="fec0::1") Offset: 1 octet payload1="AAAAAAAA" no overlapping ipv6_1=IPv6(src=sip, dst=dip, plen=16) icmpv6=ICMPv6EchoRequest(cksum=0x7d2b) #Fragment frag1=IPv6ExtHdrFragment(offset=0, m=1, id=502, nh=58) frag2=IPv6ExtHdrFragment(offset=1, m=0, id=502, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload1 send(packet1) send(packet2)
  • 31. Results • All of the tested OS sent an echo reply to the sender. • Hence, all major OS accept fragments as small as 56 bytes (including IPv6 header = 40 bytes IPv6 Header + 8 bytes Fragment Header + 8 bytes of ICMPv6 Header).
  • 32. So, what's the big deal?
  • 33. Tiny Fragmentation Consequences • In IPv4, the embedded protocol's header, e.g. st TCP (or at least a part of it) has to be in the 1 fragment. • Firewall evasions could occur if a subsequent fragment would overwrite the TCP header (e.g. the destination port, the SYN/ACK flags, etc.) • To this end, RFC 1858 defined that: IF FO=1 and PROTOCOL=TCP then DROP PACKET.
  • 34. Tiny Fragmentation Consequences in IPv6 • At least one extension header can follow the Fragment Header: The Destination header. • But, the total length of the Destination Options header can reach 264 bytes (RFC 2462). • Hence, using 8-bytes fragments, we can split the Destination Option headers to 33 fragments!
  • 35. What does this mean? • The layer-4 protocol header will start at the 34th fragment! • And unless Deep Packet Inspection (= complete IP datagram reassembly before forwarding it), this can lead to firewall evasion, without having to overlap any fragments (as it was the case in IPv4)!
  • 36. What does this mean? • This number can increase if we increase the number of the used extension headers that follow the fragment extension header (although not recommended by RFC 2460, but, who cares?).
  • 37. Creating a very simple fragmentation overlapping
  • 38. Testing Fragmentation Overlapping 12 overlapping Payload of fragment 2 time 10 8 6 Payload of fragment 1 Column 1 Column 2 Column 3 4 IPv6 net packet payload per fragment 2 0 Row 1 Row 2 Row 3 Row 4
  • 39. (part of) the code payload1 = '' for i in range(1272): payload1 = payload1 + 'A' 8 bytes fragment header + payload2 = '' 1280 bytes of payload = 160 octets of payload for i in range(1280): payload2 = payload2 + "B" ipv6_1=IPv6(src=sip, dst=dip, plen=1288) icmpv6=ICMPv6EchoRequest(cksum=0x5610, data=payload1) #Fragment frag1=IPv6ExtHdrFragment(offset=0, m=1, id=511, nh=58) frag2=IPv6ExtHdrFragment(offset=1, m=0, id=511, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload2 Correct offset = 160 send(packet1) send(packet2)
  • 41. Results • FreeBSD, Ubuntu 11.10 and Windows 7 were immune to this attack. • Ubuntu 10.04 and OpenBSD were susceptible to these attacks. – These two OS accept the fragmentation overlapping with the first fragment overwriting the second one.
  • 42. and so? • Acceptance of fragmentation by two of our 12 targets implies that this attack can be used: 10 – For OS fingerprinting purposes 8 – For IDS Insertion / Evasion purposes (depending Column 1 6 for example on whether Ubuntu 10.04 is used as Column 2 Column 3 4 the host OS of the IDS or as a guest OS). • The fact that the 1st fragment overlaps the 2 0 second, seems that on its own cannot be exploited for firewall evasion purposes. Row 1 Row 2 Row 3 Row 4
  • 44. The Paxson/Shankar Model • At least one fragment that is wholly overlapped by a subsequent fragment with an identical offset and length. • At least one fragment that is partially overlapped by a subsequent fragment with an offset greater than the original. • At least one fragment this is partially overlapped by a subsequent fragment with an offset less than the original.
  • 46. Fragment Reassembly Methods • BSD favors an original fragment EXCEPT when the subsequent segment begins before the original segment. • BSD-right favors the subsequent segment EXCEPT when the original segment ends after the subsequent segment, or begins before the original segment and ends the same or after the original segment. • Linux favors the subsequent segment EXCEPT when the original segment begins before, or the original segment begins the same and ends after the subsequent segment. • First favors the original fragment. • Last favors the subsequent fragment.
  • 47. The Paxson/Shankar Model • BSD policy: 111442333666 • BSD-right policy: 144422555666 • Linux policy: 111442555666 • First policy: 111422333666 • Last policy: 144442555666
  • 48. (part of) the Code payload1 = "AABBCCDD" payload2 = "BBAACCDD" ... payload6 = "AADDBBCC" ... #Fragments icmpv6=ICMPv6EchoRequest(cksum=csum, data=payload1+payload1) frag1=IPv6ExtHdrFragment(offset=0, m=1, id=myid, nh=58) frag2=IPv6ExtHdrFragment(offset=4, m=1, id=myid, nh=58) frag3=IPv6ExtHdrFragment(offset=6, m=1, id=myid, nh=58) frag4=IPv6ExtHdrFragment(offset=1, m=1, id=myid, nh=58) frag5=IPv6ExtHdrFragment(offset=6, m=1, id=myid, nh=58) frag6=IPv6ExtHdrFragment(offset=9, m=0, id=myid, nh=58) ipv6_1=IPv6(src=sip, dst=dip, plen=2*8+8+8) ipv6_1=IPv6(src=sip, dst=dip, plen=2*8+8) packet2=ipv6_1/frag2/(payload2+payload2) ipv6_1=IPv6(src=sip, dst=dip, plen=3*8+8) packet3=ipv6_1/frag3/(payload3+payload3+payload3) ipv6_1=IPv6(src=sip, dst=dip, plen=4*8+8) packet4=ipv6_1/frag4/(payload4+payload4+payload4+payload4) ipv6_1=IPv6(src=sip, dst=dip, plen=3*8+8) packet5=ipv6_1/frag5/(payload5+payload5+payload5) ipv6_1=IPv6(src=sip, dst=dip, plen=3*8+8) packet6=ipv6_1/frag6/(payload6+payload6+payload6)
  • 50. Received ICMPv6 Responses • Ubuntu 10.04 • OpenBSD 5
  • 51. Results • FreeBSD, Windows 7 and Ubuntu 11.10 are immune to these attacks. • Ubuntu 10.04 and OpenBSD are susceptible to these attacks. – OpenBSD: BSD reassembly policy – Ubuntu 10.04: Linux reassembly policy
  • 52. So, up to now it seems that linux kernel 2.6.40, FreeBSD 8.2/9 and Windows 7 are immune to fragmentation overlapping attacks, right?
  • 53. A simple 3-packet model where the parameters of the one fragment are varied.
  • 55. Brief summary of Ubuntu 10.04 responses • The non-favoured packets are not discarded completely but they trimmed. • The Linux reassembly policy was confirmed nd with one exception (when the 2 fragment has a 0 offset and M=1). • Three notable behaviours are when atomic fragments overlap with other. In these cases we have two separate responses from the target.
  • 56. Sample of Ubuntu 10.04 Responses
  • 57. Sample of Ubuntu 10.04 Responses
  • 58. Sample of Ubuntu 10.04 Responses Atomic fragments
  • 59. Demo: Two responses from Ubuntu 10.04 in case of atomic fragments overlapping with others
  • 60. Brief summary of OpenBSD 5 responses • Follows the BSD policy. • The non-favoured packets are not discarded completely but they trimmed. • No exceptions (e.g. in case of atomic fragments).
  • 61. Sample of FreeBSD Responses
  • 62. Brief summary of FreeBSD responses • It discards the overlapping fragment (as it should), but it doesn't discard the previous and the subsequent ones (as it also should, according to RFC5722). • This is the reason why in almost all the cases, fragments 1 and 3 are accepted (which do not overlap).
  • 63. Ubuntu 11.10 Responses • Two responses when the one is an atomic fragment (offset = M = 0). • Should be discarded silently, according to the RFC 5722.
  • 64. Windows 7 Responses • Responses when M=1 and the second fragment overlaps only with the first one, partially or completely, but without exceeding the last byte of the first offset. • It seems that they complies with RFC 5722 EXCEPT when only the 1st fragment is overlapped.
  • 65. Windows 7 Responses • It seems that Windows 7 comply with RFC 5722 (discarding all the fragments, when overlapping occurs), unless only the 1st fragment is overlapped.
  • 66. Demo: Ubuntu 11.10 and Windows 7 testing
  • 67. Reversing the sending order of the fragments
  • 68. Ubuntu 11.10 responses for reverse sending order • More responses are received than when the normal sending order is used. – When atomic fragments overlap with non-atomic ones. – In most of the other cases, only the overlapping fragment is discarded.
  • 69. Sample of Ubuntu 11.10 Responses when reversing the order
  • 70. Windows 7 Responses when reversing the order • Responses when fragments 2 and 3 completely and exactly overlap, in which case Windows 7 considering them probably as repeated packets.
  • 72. Fragmentation Overlapping Sending Double Packets 1280 bytes Payload of fragment 1 1280 bytes time 8-octets bytes offset Payload of fragment 2 1280 bytes Payload of fragment 2 1280 bytes Payload of fragment 1 IPv6 net packet payload per fragment
  • 73. (part of) the code ipv6_1=IPv6(src=sip, dst=dip, plen=1288) icmpv6=ICMPv6EchoRequest(cksum=0xb47b, data=payload1)#fec0::3 #Fragment frag1=IPv6ExtHdrFragment(offset=0, m=1, id=712, nh=58) frag2=IPv6ExtHdrFragment(offset=8, m=0, id=712, nh=58) frag3=IPv6ExtHdrFragment(offset=160, m=0, id=712, nh=58) packet1=ipv6_1/frag1/icmpv6 packet2=ipv6_1/frag2/payload2 packet3=ipv6_1/frag3/payload2 send(packet1) send(packet2) send(packet3) send(packet1)
  • 74. Results • Ubuntu 10.04 and OpenBSD 5 send two responses back. • The two FreeBSDs send back a response even if the packet numbered 4 is not sent, showing again that they just discard the overlapping fragment. • Ubuntu 11.10 and Windows 7 do send a response only if all the four packets are sent (including the last one, with the 0 offset). • If the packet numbered 1 is not sent, none of the three sends back a response.
  • 77. Conclusions (1/5) • All the tested OS accepted really tiny fragments (e.g. two octets longs) which, under specific circumstances (i.e. when deep- packet inspection is not performed) and especially when combined with the use of other IPv6 extension headers, can lead to firewall evasion. • None of the tested OS is RFC 5722 compliant.
  • 78. Conclusions (2/5) • Ubuntu 10.04 LTS (using linux kernel 2.6.32) and OpenBSD 5 were proven the most susceptible to fragmentation overlapping attacks among the tested OS, each one following the corresponding well-known reassembly policies (Linux and BSD respectively).
  • 79. Conclusions (3/5) • FreeBSD 8.2/9 discards any overlapping fragments appearing to have the most consistent behaviour. • Although this is a very good practice, it does not fully comply with RFC 5722 which suggest the rejection of any constituent fragments too (including the ones not yet received).
  • 80. Conclusions (4/5) • The two Ubuntu send two responses back when atomic fragments overlap with non- atomic ones. • The behaviour of Ubuntu 11.10 seems to deteriorate significantly when the sending order of the fragments is reversed. • Windows 7, although seem to have the fewer issues, there are cases that they also accept overlapping fragments.
  • 81. Conclusions (5/5) • The impact of these issues, since it varies between the tested OS, starts from OS fingerprinting and can be extended, if used properly, to IDS insertion / evasion and in some cases, even to firewall evasions. • OS vendors need to create fully RFC compliant products.
  • 82. Please complete the speakers' feedback survey forms. Thank you! antonios.atlasis@cscss.org