Page 1: Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Navaneethan C. Arjuman, [email protected] .my
National Advanced IPv6 Centre
January 2014

Copyright Nava 2012

Page 2: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Introduction

• IPv6 was introduced to overcome the exhaustion of IPv4 addresses.
• IPv6 has many advantages compared to IPv4.
• IPv6 carries security threats similar to those of IPv4, plus new ones of its own.
• An IPv6 network stops functioning if ICMPv6 is blocked or dropped wholesale, in contrast with IPv4, where ICMP can be blocked or dropped with little impact: Neighbor Discovery, address auto-configuration and Path MTU Discovery all run over ICMPv6, so ICMPv6 can only be filtered selectively (RFC 4890 gives the filtering recommendations).
• Internet Control Message Protocol for IPv6 (ICMPv6) based attacks are therefore one of the key known security threats for both dual-stack and native IPv6 networks.

Page 3: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Problem Statement

• ICMPv6 has a bigger role in IPv6 networks than ICMPv4 has in IPv4 networks.
  ◦ The role of ARP in IPv4 has been absorbed into ICMPv6 (Neighbor Discovery) in IPv6 networks.
• Like ICMPv4, ICMPv6 has weaknesses that attackers can exploit to attack the network.
• Managing ICMPv6 issues in dual-stack and native IPv6 networks is more complex than in pure IPv4 networks.

Page 4: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Problem Statement

• Existing ICMPv4 solutions are no longer sufficient to detect ICMPv6 attacks.
• Modified and new approaches are required to address ICMPv6 exploitation.

Page 5: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Objectives

• To investigate and study the weaknesses of the ICMPv6 protocol
• To analyse ICMPv6 traffic under various attack scenarios
• To propose a new algorithm to detect ICMPv6 attacks
• To test and evaluate the proposed algorithm

Page 6: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Known ICMPv4 Attacks

Below are known ICMPv4 attacks that can also be present in ICMPv6:

• ICMP Sweep
• Inverse mapping
• Traceroute network mapping
• OS fingerprinting
• ICMP route redirect
• Ping of Death
• ICMP Smurf attack
• ICMP Nuke attack
• Attack using source quench

Page 7: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Key ICMPv4 Types and Codes that contribute to attacks in IPv4 networks

Attack on ICMP protocol        Significant parameters
ICMP Sweep                     Type=8 and code=0
Inverse mapping                Type=0 without sending type=8
Traceroute network mapping     TTL=0 and type=8
OS fingerprinting              Type=8 and code other than 0
ICMP route redirect            Type=5
Ping of death                  Total size of IP packet > 65535 bytes
ICMP Smurf attack              Type=0 without sending type=8
ICMP Nuke attack               Invalid packet
Attack using source quench     Type=4 and code=0

Note that the ICMPv6 equivalents use different type numbers (Echo Request is type 128, Echo Reply type 129, Redirect type 137, and "Packet Too Big" type 2 replaces the IPv4 fragmentation-needed message), and ICMPv6 has no Source Quench message at all, so these ICMPv4 parameters cannot be reused as-is for IPv6 detection.

Source: Atul Kant Kaushik and R C Joshi, International Journal of Computer Applications (0975-8887), Volume 2, No. , May 2010

Page 8: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Focusing on ICMPv6 Attacks

There are many ICMPv6 attacks; the common ones are:

• Man in the Middle (MITM)
• Denial of Service

Page 9: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Man in the Middle Attacks

• Sniffing and session hijacking
• IPv4
  ◦ ARP cache poisoning
  ◦ DHCP spoofing
• IPv6
  ◦ ARP is replaced by the ICMPv6 Neighbor Discovery process
  ◦ DHCP may be replaced by the alternative process called stateless address auto-configuration (SLAAC), which is driven by ICMPv6 Router Advertisements

Page 10: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Man in the Middle Attacks

Some known MITM techniques:

• Man in the middle with spoofed ICMPv6 Neighbor Advertisement.
• Man in the middle with spoofed ICMPv6 Router Advertisement.
• Man in the middle using ICMPv6 Redirect or ICMPv6 Packet Too Big to implant a route.
• Man in the middle attacking Mobile IPv6, which requires IPsec to be disabled.
• Man in the middle with a rogue DHCPv6 server.


Page 12: Adopting Innovative Detection Technique To Detect ICMPv6 Based

MITM With Spoofed ICMPv6 Neighbor Advertisement

ICMPv6 Neighbor Discovery uses two ICMPv6 message types for address resolution:

• ICMPv6 Neighbor Solicitation (ICMPv6 type 135)
• ICMPv6 Neighbor Advertisement (ICMPv6 type 136)

An attacker who sends a Neighbor Advertisement for a victim's address with the Override flag set and its own link-layer address in the Target Link-Layer Address option can rewrite the neighbor caches of the other hosts on the link.
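To make the spoofed Neighbor Advertisement concrete, the following added example (not code from the slides or from the iNetmon module) parses a type 136 message from raw bytes, verifies the ICMPv6 checksum over the IPv6 pseudo-header, and keeps a passive neighbor cache that raises an alert when a later advertisement claims a different link-layer address for a target already learned. The two packets, the addresses and the "first mapping wins" cache policy are constructed assumptions for the demonstration.

```python
"""Parse ICMPv6 Neighbor Advertisements (type 136) from raw bytes, verify
the ICMPv6 checksum over the IPv6 pseudo-header, and flag advertisements
that change an IP -> link-layer mapping already learned for a target:
the spoofed-NA man-in-the-middle pattern. Added example; the packets are
constructed below, not captured traffic, and the cache policy is an assumption."""
import ipaddress
import struct

ND_NEIGHBOR_ADVERT = 136
OPT_TARGET_LLADDR = 2          # RFC 4861 option type for Target Link-Layer Address
IPPROTO_ICMPV6 = 58
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 0x80000000, 0x40000000, 0x20000000


def icmpv6_checksum(src: bytes, dst: bytes, body: bytes) -> int:
    """One's-complement checksum over the RFC 8200 pseudo-header plus the ICMPv6 body."""
    data = src + dst + struct.pack("!I", len(body)) + b"\x00\x00\x00" + bytes([IPPROTO_ICMPV6]) + body
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_na(src_ip: str, target_ip: str, lladdr: bytes, override: bool = True):
    """Construct an unsolicited NA to all-nodes (ff02::1); returns (src, dst, body) with a valid checksum."""
    src = ipaddress.IPv6Address(src_ip).packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    flags = FLAG_OVERRIDE if override else 0
    body = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, flags)
    body += ipaddress.IPv6Address(target_ip).packed
    body += bytes([OPT_TARGET_LLADDR, 1]) + lladdr          # option length is in units of 8 octets
    csum = icmpv6_checksum(src, dst, body)
    return src, dst, body[:2] + struct.pack("!H", csum) + body[4:]


def parse_na(src: bytes, dst: bytes, body: bytes) -> dict:
    """Return the NA fields; raise ValueError on a malformed message or a bad checksum."""
    if len(body) < 24:
        raise ValueError("truncated Neighbor Advertisement")
    typ, code, csum, flags = struct.unpack("!BBHI", body[:8])
    if typ != ND_NEIGHBOR_ADVERT or code != 0:
        raise ValueError("not a Neighbor Advertisement")
    if icmpv6_checksum(src, dst, body[:2] + b"\x00\x00" + body[4:]) != csum:
        raise ValueError("bad ICMPv6 checksum")
    lladdr, off = None, 24
    while off + 2 <= len(body):                                # walk the TLV options
        opt_type, opt_len = body[off], body[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")        # RFC 4861: discard the packet
        if opt_type == OPT_TARGET_LLADDR and opt_len == 1 and off + 8 <= len(body):
            lladdr = body[off + 2:off + 8]
        off += opt_len * 8
    return {
        "target": str(ipaddress.IPv6Address(body[8:24])),
        "router": bool(flags & FLAG_ROUTER),
        "solicited": bool(flags & FLAG_SOLICITED),
        "override": bool(flags & FLAG_OVERRIDE),
        "lladdr": lladdr,
    }


class NeighborCacheWatch:
    """Passive monitor: remember the first link-layer address advertised for each
    target and alert when a later NA advertises a different one."""

    def __init__(self):
        self.cache = {}       # target IPv6 -> link-layer address (6 bytes)
        self.alerts = []

    def observe(self, src: bytes, dst: bytes, body: bytes) -> dict:
        na = parse_na(src, dst, body)
        if na["lladdr"] is not None:
            known = self.cache.setdefault(na["target"], na["lladdr"])
            if known != na["lladdr"]:
                self.alerts.append(
                    f"possible NA spoofing: {na['target']} advertised as {na['lladdr'].hex(':')} "
                    f"but first seen as {known.hex(':')} (override={na['override']})")
        return na


def demo():
    """Constructed traffic: the real host announces itself, then an attacker claims its address."""
    watch = NeighborCacheWatch()
    watch.observe(*build_na("fe80::1", "fe80::1", bytes.fromhex("001122334455")))
    watch.observe(*build_na("fe80::1", "fe80::1", bytes.fromhex("66778899aabb")))
    return watch.alerts


if __name__ == "__main__":
    print("\n".join(demo()))
```

The checksum check matters for a monitor: an NA that fails it would be discarded by every real host, so alerting on it would only produce noise. A production monitor would also age cache entries and treat a legitimate NIC replacement as a lower-severity event, which the first-mapping-wins policy above does not do.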

Page 13: Adopting Innovative Detection Technique To Detect ICMPv6 Based

MITM With Spoofed ICMPv6 Neighbor Advertisement


Page 14: Adopting Innovative Detection Technique To Detect ICMPv6 Based

MITM With Spoofed ICMPv6 Router Advertisement


Page 15: Adopting Innovative Detection Technique To Detect ICMPv6 Based

MITM With Spoofed ICMPv6 Router Advertisement


Page 16: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Denial of Service

• Traffic flooding with ICMPv6 Router Advertisement, Neighbor Advertisement, Neighbor Solicitation or Multicast Listener Discovery messages, or a smurf attack.
• Denial of Service that prevents new IPv6 hosts from joining the network: the attacker answers every Duplicate Address Detection probe, so each tentative address is reported as already in use.
• Denial of Service related to fragmentation.
• Traffic flooding with ICMPv6 Neighbor Solicitations that carry cryptographic options (as in Secure Neighbor Discovery), so that the target's CPU is kept busy verifying them.

Page 17: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Smurf Attack


Page 18: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Duplicate Address Detection (DAD)


Page 19: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Duplicate Address Detection (DAD)


Page 20: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Methodology

The proposal is to develop an ICMPv6 Based Vulnerability Attack Detection System with the following sub-approaches:

• ICMPv6 Traffic Reduction Technique
  ◦ Collect only the ICMPv6 packets whose specific type and code contribute to known ICMPv6 attacks, so that later stages work on a much smaller stream.

Page 21: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Methodology

• ICMPv6 Statistical Aggregation Technique
  ◦ Aggregate and classify the filtered ICMPv6 traffic based on its significant parameters (type, source, destination, rate per time window).
• Rule-Based Severity Alert
  ◦ Correlate the aggregated traffic with particular ICMPv6 based attacks and indicate a severity level for each alert.
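The three stages above, reduction, aggregation and rule-based severity, are shown end to end in the following added example. It is not the iNetmon module's code and does not reproduce the thesis's algorithm: the type list, the per-window thresholds, the known-router list and the packet records are constructed assumptions, chosen so that each attack named on the earlier slides (rogue Router Advertisement, Neighbor Advertisement flood, echo sweep, OS fingerprinting probe and smurf-style unsolicited replies) triggers exactly one alert while ordinary traffic and non-attack ICMPv6 types produce none.

```python
"""Three-stage ICMPv6 attack detector outlined on the methodology slides:
(1) traffic reduction by ICMPv6 type, (2) statistical aggregation per source,
type and time window, (3) rule-based severity alerts. Added example: the
thresholds, the known-router list and the packet records are constructed
assumptions, not the iNetmon module's own values."""
from collections import Counter, defaultdict
from dataclasses import dataclass

ICMPV6_TYPES = {
    2: "Packet Too Big", 128: "Echo Request", 129: "Echo Reply",
    130: "MLD Query", 131: "MLD Report", 133: "Router Solicitation",
    134: "Router Advertisement", 135: "Neighbor Solicitation",
    136: "Neighbor Advertisement", 137: "Redirect",
}
# Stage 1 keeps only the types the attack slides implicate; everything else is dropped early.
ATTACK_TYPES = set(ICMPV6_TYPES)
# Stage 3 thresholds: packets per source per one-second window (assumed tuning values).
FLOOD_THRESHOLDS = {134: 10, 135: 50, 136: 50, 130: 50}


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    src: str         # IPv6 source
    dst: str         # IPv6 destination
    icmp_type: int
    code: int = 0


def reduce_traffic(pkts):
    """Stage 1: drop every packet whose ICMPv6 type is not attack-relevant, keep time order."""
    return sorted((p for p in pkts if p.icmp_type in ATTACK_TYPES), key=lambda p: p.ts)


def aggregate(pkts, window=1.0):
    """Stage 2: derive the significant parameters from the filtered stream."""
    per_bucket = Counter()                # (window, src, type) -> packet count
    dsts_per_src = defaultdict(set)       # Echo Request source -> distinct targets
    expected_reply = set()                # (responder, requester) pairs a request was seen for
    unsolicited_replies = Counter()       # victim -> Echo Replies with no matching request
    odd_code_requests = Counter()         # src -> Echo Requests with code != 0
    for p in pkts:
        per_bucket[(int(p.ts // window), p.src, p.icmp_type)] += 1
        if p.icmp_type == 128:
            dsts_per_src[p.src].add(p.dst)
            expected_reply.add((p.dst, p.src))
            if p.code != 0:
                odd_code_requests[p.src] += 1
        elif p.icmp_type == 129 and (p.src, p.dst) not in expected_reply:
            unsolicited_replies[p.dst] += 1
    return per_bucket, dsts_per_src, unsolicited_replies, odd_code_requests


def severity_rules(agg, known_routers):
    """Stage 3: correlate the aggregates with known attacks and rank them."""
    per_bucket, dsts_per_src, unsolicited, odd_code = agg
    alerts, rogue = [], set()
    for (win, src, typ), n in sorted(per_bucket.items()):
        if n >= FLOOD_THRESHOLDS.get(typ, float("inf")):
            alerts.append(("HIGH", f"{ICMPV6_TYPES[typ]} flood", f"{src}: {n} pkts in window {win}"))
        if typ in (134, 137) and src not in known_routers:
            rogue.add((src, typ))
    for src, typ in sorted(rogue):   # RA / Redirect from a non-router: MITM precursor
        alerts.append(("HIGH", f"rogue {ICMPV6_TYPES[typ]}", f"{src} is not a known router"))
    for src, dsts in dsts_per_src.items():
        if len(dsts) >= 16:
            alerts.append(("LOW", "ICMPv6 echo sweep", f"{src} probed {len(dsts)} hosts"))
    for src, n in odd_code.items():
        alerts.append(("LOW", "OS fingerprinting probe", f"{src}: {n} Echo Requests with code != 0"))
    for victim, n in unsolicited.items():
        if n >= 5:
            alerts.append(("MEDIUM", "unsolicited Echo Reply (smurf / inverse mapping)",
                           f"{n} replies to {victim} without a request"))
    return alerts


def detect(pkts, known_routers, window=1.0):
    return severity_rules(aggregate(reduce_traffic(pkts), window), known_routers)


def sample_traffic():
    """Constructed packet records: a legitimate router, a rogue RA flood, an NA flood, an echo
    sweep, an odd-code probe, a smurf-style reply flood, and noise that stage 1 must drop."""
    pkts = [Pkt(0.0, "fe80::1", "ff02::1", 134), Pkt(200.0, "fe80::1", "ff02::1", 134)]
    pkts += [Pkt(10.0 + i / 100, "fe80::bad", "ff02::1", 134) for i in range(50)]
    pkts += [Pkt(20.0 + i / 200, "fe80::bad2", "ff02::1", 136) for i in range(100)]
    pkts += [Pkt(30.0 + i, "2001:db8::5ca", f"2001:db8::{i + 1:x}", 128) for i in range(30)]
    pkts += [Pkt(40.0 + i, f"2001:db8:1::{i + 1:x}", "2001:db8::10", 129) for i in range(10)]
    pkts += [Pkt(50.0, "2001:db8::10", "2001:db8::1", 128), Pkt(50.1, "2001:db8::1", "2001:db8::10", 129)]
    pkts += [Pkt(60.0, "2001:db8::1", "2001:db8::10", 1, 3), Pkt(61.0, "2001:db8::1", "2001:db8::10", 4)]
    pkts += [Pkt(70.0, "2001:db8::f1", "2001:db8::10", 128, 9)]
    return pkts


if __name__ == "__main__":
    for sev, rule, detail in detect(sample_traffic(), known_routers={"fe80::1"}):
        print(f"[{sev}] {rule}: {detail}")
```

Two design points carry over to any real implementation: the "Echo Reply without a prior Echo Request" rule needs the request/reply pairing to survive across windows, so the aggregation state is kept for the whole stream rather than per bucket; and the rogue-RA rule depends on an allow-list of legitimate routers, which is the one piece of configuration the detector cannot infer from traffic alone.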

Page 22: Adopting Innovative Detection Technique To Detect ICMPv6 Based

Sample capture of the iNetmon ICMP Fault Monitoring Module (screenshot slide)

Page 23: Adopting Innovative Detection Technique To Detect ICMPv6 Based


Thank You
