Adopting Innovative Detection Technique To Detect ICMPv6
Based Vulnerability Attacks
Navaneethan C. Arjuman [email protected] .my National Advanced IPv6 Centre January 2014
1 Copyright Nava 2012
Introduction
• IPv6 was introduced to overcome the exhaustion of IPv4 addresses
• IPv6 has many advantages compared to IPv4
• IPv6 is exposed to security threats similar to those of IPv4, and to new ones
• An IPv6 network stops working if ICMPv6 is blocked or dropped (Neighbor Discovery and Path MTU Discovery are carried by ICMPv6), in contrast to IPv4, where ICMP can be blocked or dropped without breaking the network
• Internet Control Message Protocol for IPv6 (ICMPv6) based attacks are therefore one of the key known security threats for both dual-stack and native IPv6 networks
Problem Statement
• ICMPv6 has a bigger role in IPv6 networks than ICMPv4 has in IPv4 networks
◦ The role of ARP in IPv4 has been absorbed into ICMPv6 (Neighbor Discovery) in IPv6 networks
• Like ICMPv4, ICMPv6 has weaknesses that attackers can exploit to attack the network
• Managing ICMPv6 issues in dual-stack and native IPv6 networks is more complex than in pure IPv4 networks
Problem Statement
• The existing ICMPv4 solutions are no longer sufficient to detect ICMPv6 attacks
• Modified and new approaches are required to address ICMPv6 exploitation
Objectives
• To investigate and study the weaknesses of the ICMPv6 protocol
• To analyse ICMPv6 traffic under various attack scenarios
• To propose a new algorithm to detect ICMPv6 attacks
• To test and evaluate the proposed algorithm
Known ICMPv4 Attacks
Below are known ICMPv4 attacks that can also be present in ICMPv6:
• ICMP sweep
• Inverse mapping
• Traceroute network mapping
• OS fingerprinting
• ICMP route redirect
• Ping of death
• ICMP smurf attack
• ICMP nuke attack
• Attack using source quench
Key ICMPv4 Types and Codes that contribute to attacks in IPv4 networks

Attack on ICMP protocol       | Significant parameters
------------------------------|----------------------------------------
ICMP sweep                    | Type=8 and Code=0
Inverse mapping               | Type=0 without having sent Type=8
Traceroute network mapping    | TTL=0 and Type=8
OS fingerprinting             | Type=8 and Code other than 0
ICMP route redirect           | Type=5
Ping of death                 | Total size of IP packet > 65535 bytes
ICMP smurf attack             | Type=0 without having sent Type=8
ICMP nuke attack              | Invalid packet
Attack using source quench    | Type=4 and Code=0

Source: Atul Kant Kaushik and R. C. Joshi, International Journal of Computer Applications (0975-8887), Volume 2, No. , May 2010
Focusing on ICMPv6 Attacks
There are many ICMPv6 attacks; the common ones are
• Man in the Middle (MITM)
• Denial of Service
Man in the Middle Attacks
• Sniffing and session hijacking
• IPv4
◦ ARP cache poisoning
◦ DHCP spoofing
• IPv6
◦ ARP is replaced by the ICMPv6 Neighbor Discovery process
◦ DHCP may be replaced by the alternative process called stateless address auto-configuration (SLAAC)
Man in the Middle Attacks
Some known MITM techniques:
• Man in the middle with spoofed ICMPv6 neighbor advertisement
• Man in the middle with spoofed ICMPv6 router advertisement
• Man in the middle using ICMPv6 redirect or ICMPv6 packet too big to implant a route
• Man in the middle attacking Mobile IPv6, which requires IPsec to be disabled
• Man in the middle with a rogue DHCPv6 server
MITM With Spoofed ICMPv6 Neighbor Advertisement
Address resolution in ICMPv6 Neighbor Discovery (the replacement for ARP) uses two ICMPv6 message types:
• ICMPv6 Neighbor Solicitation (ICMPv6 Type 135)
• ICMPv6 Neighbor Advertisement (ICMPv6 Type 136)
An attacker who answers a solicitation for the victim's address (or sends an unsolicited advertisement for it) with its own link-layer address poisons the neighbor cache of the requesting host, the IPv6 counterpart of ARP cache poisoning.
MITM With Spoofed ICMPv6 Router Advertisement
Denial of Service
• Traffic flooding with ICMPv6 router advertisements, neighbor advertisements, neighbor solicitations, Multicast Listener Discovery messages, or a smurf attack
• Denial of Service which prevents new IPv6 addresses from being configured on the network (every Duplicate Address Detection probe is answered as if the address were taken)
• Denial of Service related to fragmentation
• Traffic flooding with ICMPv6 neighbor solicitations carrying a lot of cryptographic material to keep the target's CPU busy
Smurf Attack
Duplicate Address Detection (DAD)
Methodology
Proposed: develop an ICMPv6 Based Vulnerability Attack Detection System with the following sub-approaches
• ICMPv6 Traffic Reduction Technique
◦ Collect only the ICMPv6 packets with the specific types and codes that contribute to known ICMPv6 attacks
• ICMPv6 Statistical Aggregation Technique
◦ Aggregate and classify the filtered ICMPv6 traffic based on its significant parameters
• Rule Based Severity Alert
◦ Correlate the aggregated traffic with particular ICMPv6 based attacks and indicate the severity level
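The three stages above, run over the spoofed neighbor advertisement, spoofed router advertisement, flooding and smurf cases from the earlier slides, as an added example. This is not the iNetmon code or the author's algorithm: the packet fields, the authorised-router MAC list, the 100 pkt/s flood threshold and the sample capture are all constructed assumptions, and the smurf rule is simply the ICMPv6 translation of the ICMPv4 table entry "Type=0 without having sent Type=8" (echo reply 129 without echo request 128).

```python
"""Three-stage ICMPv6 attack detector: reduce -> aggregate -> rule-based severity.
Constructed example; field names, thresholds and the sample traffic are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# ICMPv6 types that carry the known attacks discussed on the slides:
# 2 packet too big, 128/129 echo request/reply, 134 RA, 135 NS, 136 NA, 137 redirect.
SIGNIFICANT_TYPES = {2, 128, 129, 134, 135, 136, 137}
FLOOD_NAMES = {134: "router advertisement", 135: "neighbor solicitation",
               136: "neighbor advertisement"}


@dataclass(frozen=True)
class Icmp6Packet:
    ts: float                      # capture time in seconds
    src_ip: str
    dst_ip: str
    src_mac: str
    icmp_type: int
    code: int = 0
    target: Optional[str] = None   # NS/NA target address
    lladdr: Optional[str] = None   # target link-layer option (NA) / source link-layer option (RA)


def reduce_traffic(packets):
    """Stage 1 (traffic reduction): keep only the type/code combinations that
    contribute to known attacks; everything else is dropped before analysis."""
    return [p for p in packets if p.icmp_type in SIGNIFICANT_TYPES and p.code == 0]


def aggregate(packets):
    """Stage 2 (statistical aggregation): classify the reduced traffic by its
    significant parameters instead of keeping individual packets."""
    agg = {
        "count_by_type": Counter(p.icmp_type for p in packets),
        "na_macs_by_target": defaultdict(set),   # which MACs claim each target address
        "ra_sources": set(),                     # MACs that sent router advertisements
        "echo_request_senders": set(),           # hosts that sent type 128
        "echo_replies_to": Counter(),            # type 129 received per destination
        "duration": (max(p.ts for p in packets) - min(p.ts for p in packets)) if packets else 0.0,
    }
    for p in packets:
        if p.icmp_type == 136 and p.target and p.lladdr:
            agg["na_macs_by_target"][p.target].add(p.lladdr)
        elif p.icmp_type == 134:
            agg["ra_sources"].add(p.src_mac)
        elif p.icmp_type == 128:
            agg["echo_request_senders"].add(p.src_ip)
        elif p.icmp_type == 129:
            agg["echo_replies_to"][p.dst_ip] += 1
    return agg


def rule_based_alerts(agg, authorized_router_macs, flood_pps=100.0):
    """Stage 3 (rule-based severity): correlate the aggregates with the known
    ICMPv6 attacks and grade each finding. Returns (attack, severity, detail)."""
    alerts = []
    duration = max(agg["duration"], 1e-3)   # guard against a one-packet capture
    # MITM with spoofed NA: one target address advertised with conflicting MACs.
    for target, macs in agg["na_macs_by_target"].items():
        if len(macs) > 1:
            alerts.append(("spoofed neighbor advertisement (MITM)", "HIGH",
                           f"{target} claimed by {sorted(macs)}"))
    # MITM with spoofed RA: RA from a MAC that is not a known router (assumed list).
    for mac in sorted(agg["ra_sources"] - set(authorized_router_macs)):
        alerts.append(("spoofed router advertisement (MITM)", "HIGH", f"RA from {mac}"))
    # DoS by flooding RA/NS/NA; severity scales with the observed rate.
    for t, name in FLOOD_NAMES.items():
        rate = agg["count_by_type"][t] / duration
        if rate >= flood_pps:
            sev = "HIGH" if rate >= 10 * flood_pps else "MEDIUM"
            alerts.append((f"{name} flood (DoS)", sev, f"{rate:.0f} pkt/s"))
    # Smurf: echo replies arriving at a host that never sent an echo request.
    for dst, n in agg["echo_replies_to"].items():
        if dst not in agg["echo_request_senders"]:
            alerts.append(("smurf (echo replies without requests)", "MEDIUM",
                           f"{n} replies to {dst}"))
    return alerts


def detect(packets, authorized_router_macs):
    return rule_based_alerts(aggregate(reduce_traffic(packets)), authorized_router_macs)


def sample_capture():
    """Constructed traffic: one benign resolution, then the attacks listed above."""
    pk = [Icmp6Packet(0.00, "fe80::1", "ff02::1:ff00:2", "aa:aa:aa:aa:aa:01", 135, target="fe80::2"),
          Icmp6Packet(0.01, "fe80::2", "fe80::1", "aa:aa:aa:aa:aa:02", 136, target="fe80::2",
                      lladdr="aa:aa:aa:aa:aa:02"),
          # attacker claims fe80::2 with its own MAC -> spoofed NA
          Icmp6Packet(0.02, "fe80::2", "fe80::1", "de:ad:be:ef:00:01", 136, target="fe80::2",
                      lladdr="de:ad:be:ef:00:01"),
          # RA from a MAC that is not the real router -> spoofed RA
          Icmp6Packet(0.03, "fe80::bad", "ff02::1", "de:ad:be:ef:00:01", 134),
          # destination unreachable is not significant and must be filtered out
          Icmp6Packet(0.04, "fe80::3", "fe80::1", "aa:aa:aa:aa:aa:03", 1, code=3),
          # echo replies to a host that never sent requests -> smurf victim
          *[Icmp6Packet(0.05, f"fe80::{i}", "fe80::9", "aa:aa:aa:aa:aa:04", 129) for i in range(20)]]
    # 300 NS in 0.3 s from one MAC -> NS flood
    pk += [Icmp6Packet(0.3 + i / 1000, "::", "ff02::1:ff00:7", "de:ad:be:ef:00:02", 135,
                       target=f"2001:db8::{i}") for i in range(300)]
    pk.append(Icmp6Packet(1.0, "fe80::1", "fe80::2", "aa:aa:aa:aa:aa:01", 128))   # benign ping
    return pk


if __name__ == "__main__":
    for attack, sev, detail in detect(sample_capture(), {"aa:aa:aa:aa:aa:ff"}):
        print(f"[{sev}] {attack}: {detail}")
```

On the sample capture the pipeline raises four alerts: HIGH for the conflicting neighbor advertisement and the unknown router advertisement, MEDIUM for the neighbor solicitation rate (301 pkt/s over the 1 s window) and MEDIUM for the 20 unsolicited echo replies; the destination-unreachable packet never reaches the aggregation stage. The severity thresholds are placeholders to be tuned per network.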
Sample capture of iNetmon ICMP Fault Monitoring Module
Thank You