Slide 1: IPv6 Threats
IPv6 Threats to Government Networks
JOHN@KIMBERSYSTEMS.COM
Slide 2: Agenda
- Introduction
- IPv6 background
  - How we got here
  - Advantages of IPv6
- IPvX interesting facts
- IPv6 and the Federal Government
- How do IPv6 threats differ from IPv4 threats?
- Specific IPv6 threats
- Are you ready to defend against IPv6 threats?
- IPv6 threat detection and mitigation
- Q&A
Slide 3: Introduction
- About me
  - KimberSystems, LLC
  - Supported multiple USG entities: USDA, GSA, DOC, FBI, DOD
  - Background in security, networking, and data centers
  - Focused on cybersecurity, cloud, and threat intelligence
Slide 4: IPv6 Background
- How we got here
  - IPv4 is a REALLY old protocol (1980)
  - We are running out of usable IPv4 addresses
- Advantages of IPv6
  - Extremely large address space
  - Autoconfiguration / network management
  - Jumbograms
  - No fragmentation
  - Unique addressing
  - Security: IPsec built in
Slide 5: Just How Big is IPv6?
- IPv4 has 32 bits, allowing approximately 4.3 billion addresses. Not even enough to give a unique address to each human being on Earth.
- IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 (340 undecillion) unique addresses.
- 79,228,162,514,264,229,685,068,130,493 IPv4 Internets can fit into the IPv6 address space.
- IPv6 could provide each and every square micrometer of the Earth's surface with 5,000 unique addresses. What's a micrometer? About one tenth the diameter of a droplet of fog!
Slide 6: [image-only slide; the only text recovered by extraction is "252"]
Slide 7: IPvX Interesting Facts
- IPv4 depleted in early 2011
- IPv6 is still less than 1% of all Internet traffic
- Windows 7, Windows 8, OS X, and Linux can all suffer from IPv6 attacks that are invisible to IPv4-only tooling
- Standard subnet size for IPv6 is a /64 (18,446,744,073,709,551,616 addresses)
- 6in4 traffic is identified as IP protocol 41
Slide 8: IPv6 and the Federal Government
- Required backbone move to IPv6 by 2008 (OMB memo 05-22)
- Required move as per the OMB memo from the Federal CIO dated September 2010:
  - Upgrade public/external-facing servers and services (e.g. web, email, DNS, ISP services, etc.) to operationally use native IPv6 by the end of FY 2012
  - Upgrade internal client applications that communicate with public Internet servers, and the supporting enterprise networks, to operationally use native IPv6 by the end of FY 2014
- 29% complete (September 2013)
- Why aren't we moving faster? Challenges
Slide 9: IPv6 and the Federal Government
Completed USG IPv6-Enabled Domains [chart]
1,318 domains tested on 4 September 2013
Slide 10: IPv6 CND Challenges
- It won't solve or mitigate current cyber threats (e.g. SQLi, buffer overflows, XSS, spear phishing, etc.)
- Shadow networks / latent threat
- NDP spoofing
- SLAAC attacks
- Privacy (no NAT)
- If IPv6 privacy addresses are in use, they may create challenges in attribution, incident response, forensic analysis, firewall policies, etc.
Slide 11: IPv6 CND Challenges
- New approaches to management, troubleshooting, administration, etc.
- Vulnerability scanning
- Deep packet inspection
- Don't know you're running it
- Threat detection models aren't current/configured for IPv6 threats
- Analysts may not understand the protocol
Slide 12: IPv6 Threats
- They are real, and bad guys are leveraging IPv6
- Under the radar
  - Tunneling (e.g. Teredo)
  - Multiple addresses for a single host
  - Detection infrastructure not ready to support it
  - Rest of the threat community isn't focused on it
  - You think it doesn't matter
Slide 13: IPv6 Threat Ready?
NOPE!
- Tools aren't ready
- Analysts aren't ready
- Threat intelligence still focused on IPv4
  - Blackholes
  - IP reputation services
BYOD over IPv6: the perfect storm!
Slide 14: Threats
Everything we see in IPv4, plus:
- NDP spoofing
- SLAAC attack
- Teredo tunneling
Slide 15: NDP Spoofing
NDP (Neighbor Discovery Protocol) is the new ARP (in this example)
- An attacker can spoof an address by snooping a Neighbor Solicitation
- The attacker then conducts the attack via a Neighbor Advertisement
- Similar to ARP poisoning: the attacker advertises its own L2 address for the target
Slide 16: Neighbor Discovery Protocol [diagram: Happy IPv6]
Slide 17: NDP Neighbor Solicitation [diagram: Neighbor Solicitation]
Slide 18: NDP Neighbor Advertisement [diagram: Neighbor Advertisement]
Slide 19: Happy IPv6 Remix [diagram: Happy IPv6]
Slide 20: Neighbor Discovery Protocol [diagram: Happy IPv6]
Slide 21: NDP NA (bad guy) [diagram: Neighbor Advertisement]
Slide 22: Unhappy IPv6 (bad guy wins) [diagram: Unhappy IPv6]
Slide 23: SLAAC Attack
- Rogue Router Advertisements (RA): the rogue host announces itself as being able to route IPv6 traffic
- A host that is configured to use IPv6 (most current operating systems) will begin to route traffic to the RA host; no verification/authorization
- SuddenSix attack (SLAAC attack): https://github.com/Neohapsis/suddensix
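The two link-local attacks above (NDP spoofing on slide 15 and the rogue RA on slide 23) leave signatures a defender can watch for passively: a Neighbor Advertisement that rebinds an already-known address to a different link-layer address, and a Router Advertisement whose source link-layer address is not one of the known routers. The Python below is an added example, not part of the deck or of the SuddenSix project: a monitor that parses ICMPv6 NA and RA messages out of raw IPv6 packets and reports both conditions. The trusted router MAC, the host addresses and the sample packets are constructed for the example (ICMPv6 checksums are left zero). Switch features such as RA Guard (RFC 6105) enforce the same idea in-line; this code only shows the detection logic.

```python
import ipaddress
import struct

ICMPV6 = 58
ICMPV6_RA, ICMPV6_NA = 134, 136          # Router Advertisement, Neighbor Advertisement
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2    # Source / Target Link-Layer Address options

def parse_ipv6(packet):
    """Split a raw IPv6 packet into (src, dst, next_header, payload)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    src, dst = ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40])
    return src, dst, next_header, packet[40:40 + payload_len]

def parse_ndp_options(data):
    """Walk the TLV options that follow an NDP message body (length unit is 8 bytes)."""
    opts, off = {}, 0
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length NDP option; RFC 4861 says discard the packet")
        end = off + olen * 8
        if end > len(data):
            raise ValueError("truncated NDP option")
        opts[otype] = data[off + 2:end]
        off = end
    return opts

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw[:6])

class NdpMonitor:
    """Passive watcher: learns target->MAC from NAs and flags a binding that changes;
    flags RAs whose source link-layer address is not a known router."""

    def __init__(self, trusted_router_macs):
        self.trusted = {m.lower() for m in trusted_router_macs}
        self.bindings = {}  # IPv6 address -> MAC seen in a Neighbor Advertisement

    def feed(self, packet):
        """Return an alert string for a suspicious NA/RA, else None."""
        src, _dst, next_header, payload = parse_ipv6(packet)
        if next_header != ICMPV6 or len(payload) < 4:
            return None
        handler = {ICMPV6_NA: self._neighbor_adv, ICMPV6_RA: self._router_adv}.get(payload[0])
        return handler(src, payload) if handler else None

    def _neighbor_adv(self, src, payload):
        # NA: type, code, checksum, 4 flag bytes, 16-byte target address, then options
        if len(payload) < 24:
            raise ValueError("short Neighbor Advertisement")
        target = ipaddress.IPv6Address(payload[8:24])
        opts = parse_ndp_options(payload[24:])
        if OPT_TGT_LLADDR not in opts:
            return None
        mac = mac_str(opts[OPT_TGT_LLADDR])
        known = self.bindings.setdefault(target, mac)
        if known == mac:
            return None
        return f"NA binding change for {target}: {known} -> {mac} (sent by {src})"

    def _router_adv(self, src, payload):
        # RA: type, code, checksum, hop limit, flags, lifetime, reachable, retrans (16 bytes)
        if len(payload) < 16:
            raise ValueError("short Router Advertisement")
        opts = parse_ndp_options(payload[16:])
        mac = mac_str(opts[OPT_SRC_LLADDR]) if OPT_SRC_LLADDR in opts else None
        if mac in self.trusted:
            return None
        return f"RA from untrusted router {src} ({mac or 'no link-layer option'})"

# Constructed sample traffic. ICMPv6 checksums are left at zero; the monitor never checks them.
def build_ipv6(src, dst, icmp):
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

def lladdr_option(opt_type, mac):
    return bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", ""))

def build_na(target, mac):
    # flags 0x60000000 = Solicited + Override, the shape of a reply to a Neighbor Solicitation
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, 0x60000000) + ipaddress.IPv6Address(target).packed
    return body + lladdr_option(OPT_TGT_LLADDR, mac)

def build_ra(mac):
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)  # router lifetime 1800 s
    return body + lladdr_option(OPT_SRC_LLADDR, mac)

def demo():
    mon = NdpMonitor(["00:11:22:33:44:01"])
    host, peer, nodes = "2001:db8::10", "2001:db8::20", "ff02::1"
    return [mon.feed(p) for p in (
        build_ipv6(host, peer, build_na(host, "aa:bb:cc:00:00:10")),   # first answer: learned, quiet
        build_ipv6(host, peer, build_na(host, "aa:bb:cc:00:00:10")),   # same binding again: quiet
        build_ipv6(host, nodes, build_na(host, "de:ad:be:ef:00:01")),  # binding flips: alert
        build_ipv6("fe80::1", nodes, build_ra("00:11:22:33:44:01")),   # known router: quiet
        build_ipv6("fe80::2", nodes, build_ra("de:ad:be:ef:00:01")),   # unknown router: alert
    )]

if __name__ == "__main__":
    print(*filter(None, demo()), sep="\n")
```

In a real deployment the first binding seen is not necessarily the honest one, so a binding table should be seeded from DHCPv6 or switch inventory rather than learned blindly, and RA sources should be compared against the routers' actual link-local addresses as well as their MACs.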
Slide 24: Happy IPv4 [diagram]
Slide 25: Rogue Router [diagram]
Slide 26: Rogue Router Advertisement [diagram]
Slide 27: Teredo Tunneling
- Like most things, it wasn't designed to be bad
- Can be used for legitimate purposes
- Built into Microsoft products
- IPv6 tunneling across NAT boundaries
- Doesn't require the firewall to support IPv6 or 6to4: IPv6 is carried in UDP over IPv4
Slide 28: Teredo Tunneling [diagram]
Slide 29: IPv6 Threat Detection
Similar to IPv4:
- Smart analysts
  - Know your traffic
  - Know what you're looking for
  - Protocol 41 = tunneling?
- Upgrade/update your detection mechanisms
  - Don't trust v4 rules to detect v6 traffic, regardless of what your vendors say
  - Talk to your vendors
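"Protocol 41 = tunneling?" is a question a flow record can answer. As an added example (not from the deck), the Python below classifies flow records against the tunnel indicators the slides mention: IP protocol 41 (6in4/6to4, slide 7), Teredo (slide 27) and the 6to4 prefix 2002::/16 (slide 30), and it recovers the IPv4 endpoint embedded in a 6to4 address so the tunnel's real IPv4 side can be checked against the IPv4 block lists an organisation already has. The Teredo UDP port 3544 and the Teredo prefix 2001::/32 come from RFC 4380, not from the slides; the flow records are constructed with documentation addresses.

```python
import ipaddress

PROTO_IPV6_ENCAP = 41       # 6in4 / 6to4: IPv6 carried directly inside IPv4 (slides 7 and 29)
TEREDO_UDP_PORT = 3544      # Teredo server/relay port from RFC 4380 (not on the slides)
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")   # 6to4 prefix (slide 30)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # Teredo prefix from RFC 4380 (not on the slides)

# Constructed flow records: src,dst,proto,sport,dport (documentation addresses only).
SAMPLE_FLOWS = """\
192.0.2.10,198.51.100.7,41,0,0
192.0.2.11,203.0.113.5,17,51234,3544
2002:c000:20a::1,2001:db8::5,6,40000,443
2001:0:4136:e378:8000:63bf:3fff:fdd2,2001:db8::5,6,40003,443
2001:db8::9,2001:db8::5,6,40001,443
192.0.2.12,198.51.100.8,6,40002,80
"""

def parse_flows(text):
    """Yield one dict per non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport = line.split(",")
        yield {"src": src, "dst": dst, "proto": int(proto), "sport": int(sport), "dport": int(dport)}

def embedded_v4(addr):
    """For a 6to4 address 2002:WWXX:YYZZ::/48, recover the IPv4 endpoint WW.XX.YY.ZZ."""
    if addr not in SIXTO4_PREFIX:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address(addr.packed[2:6])

def classify_flow(rec):
    """Return the list of tunnel indicators a defender would want to see for one flow."""
    tags = []
    if rec["proto"] == PROTO_IPV6_ENCAP:
        tags.append("6in4/6to4 (IP protocol 41)")
    if rec["proto"] == 17 and TEREDO_UDP_PORT in (rec["sport"], rec["dport"]):
        tags.append("teredo (UDP/3544)")
    for addr in (ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])):
        if addr.version != 6:
            continue
        if addr in SIXTO4_PREFIX:
            tags.append(f"6to4 address {addr} (embedded IPv4 {embedded_v4(addr)})")
        elif addr in TEREDO_PREFIX:
            tags.append(f"teredo address {addr}")
    return tags

def scan(text):
    return [(rec["src"], rec["dst"], classify_flow(rec)) for rec in parse_flows(text)]

if __name__ == "__main__":
    for src, dst, tags in scan(SAMPLE_FLOWS):
        print(f"{src:>38} -> {dst:<16} {', '.join(tags) or '-'}")
```

Protocol 41 and UDP/3544 are only the outer envelope; a sensor that stops there has not seen the IPv6 packet inside, which is exactly the "invisible to IPv4-only tooling" problem from slide 7. Decapsulating and feeding the inner packet to the IPv6 rule set is the next step this example does not take.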
Slide 30: Things to Consider
- Do you know how many, or which, of your hosts are using IPv6?
- How many of your blackhole and block lists have IPv6 entries?
- Do all of your logging devices and infrastructure log IPv6 correctly (frequently truncated)?
- Hosts with multiple IPv6 addresses can send spam/badness from many addresses
- 2002::/16 is the 6to4 tunnel prefix
- Don't block ICMPv6; it's needed for path MTU discovery
- You have to wrap addresses in brackets because of the colons, e.g. scp file.txt [2001::1]: (the trailing colon marks the bracketed host as the remote target)
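Several questions on this slide (truncated IPv6 in logs, block lists without IPv6 entries, hosts with many addresses) and the bracket rule come down to handling IPv6 address text carefully. The Python below is an added example, not from the deck: it pulls IPv6-looking tokens out of constructed log lines, flags tokens that do not parse (usually a field truncated by a fixed-width logger), canonicalizes the rest so that the long and the compressed spelling of one address hit the same block list entry, matches against a block list kept at /64 granularity (the standard subnet size from slide 7, so a host cycling through privacy addresses in its /64 is still caught), counts addresses per /64, and brackets a literal for host:port use. The log lines, the block list entry and the regex heuristic are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed log lines (documentation prefix 2001:db8::/32). The third line shows an
# address cut off by a fixed-width field, the "frequently truncated" case from the slide.
SAMPLE_LOGS = [
    "Sep 04 10:01:02 mail postfix/smtpd[123]: connect from unknown[2001:0db8:0000:0000:0000:0000:0000:0001]",
    'Sep 04 10:01:05 web nginx: 2001:db8:1:2:a1b2:c3d4:e5f6:7788 - - "GET / HTTP/1.1" 200',
    'Sep 04 10:01:07 web nginx: 2001:db8:1:2:a1b2:c3 - - "GET /x HTTP/1.1" 403',
    "Sep 04 10:01:09 fw kernel: DROP SRC=2001:db8:1:2:dead:beef:0:1 DST=2001:db8::53 PROTO=UDP DPT=53",
]

# Constructed block list. A whole /64 is listed because one host can use many addresses
# in its subnet (privacy addresses), so /128 entries are easy to sidestep.
BLOCKLIST = [ipaddress.ip_network("2001:db8:1:2::/64")]

# Candidate tokens: hex groups joined by colons. Timestamps like 10:01:02 also match,
# so require at least three colons before trying to parse.
ADDR_RE = re.compile(r"\b[0-9a-fA-F]{1,4}(?::[0-9a-fA-F]{0,4}){2,7}\b")

def extract_candidates(line):
    return [tok for tok in ADDR_RE.findall(line) if tok.count(":") >= 3]

def analyze_line(line):
    """Return [(token, status, canonical, blocked)] for every IPv6-looking token on the line."""
    results = []
    for tok in extract_candidates(line):
        try:
            addr = ipaddress.IPv6Address(tok)
        except ipaddress.AddressValueError:
            # A token that looks like IPv6 but does not parse is usually a truncated field.
            results.append((tok, "invalid (truncated?)", None, False))
            continue
        # Canonical (RFC 5952 compressed) form so "2001:0db8:...:0001" and "2001:db8::1"
        # hit the same block list entry.
        canonical = addr.compressed
        blocked = any(addr in net for net in BLOCKLIST)
        results.append((tok, "ok", canonical, blocked))
    return results

def scan_logs(lines):
    return [analyze_line(line) for line in lines]

def group_by_64(lines):
    """Count valid addresses per /64, the unit at which a multi-address host shows up."""
    counts = Counter()
    for line in lines:
        for _tok, status, canonical, _blocked in analyze_line(line):
            if status == "ok":
                counts[str(ipaddress.IPv6Network((canonical, 64), strict=False))] += 1
    return counts

def host_port(addr, port):
    """Bracket IPv6 literals so the port separator is unambiguous (scp, URLs, logs)."""
    parsed = ipaddress.ip_address(addr)
    return f"[{parsed.compressed}]:{port}" if parsed.version == 6 else f"{parsed}:{port}"

if __name__ == "__main__":
    for findings in scan_logs(SAMPLE_LOGS):
        for tok, status, canonical, blocked in findings:
            print(f"{tok:<40} {status:<22} {canonical or '-':<28} blocked={blocked}")
    print(dict(group_by_64(SAMPLE_LOGS)))
    print(host_port("2001:db8::1", 22))
```

The "invalid (truncated?)" status is the actionable one for the logging question: an address that cannot be parsed cannot be matched against any list, so a log source that produces such tokens needs its field width fixed before the detection rules built on it can be trusted.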
Slide 31: Q&A
For more information:
John F. McClure
- john@kimbersystems.com
- (202) 630-0726
- @johnmcclure00
- linkedin.com/in/johnmcclure
KimberSystems, LLC
- kimbersystems.com
- @KimberSystems
- linkedin.com/company/kimbersystems-llc
- facebook.com/KimberSystems
