Fwd: IPv6 DOS vulnerabilities
From: Marc Heuse <mh () mh-sec de>
Date: Wed, 10 Oct 2012 18:55:07 +0200
Alexander kicked me several times in the ass to finally forward this
email to oss-security as the embargo time is gone ... so here it is.
-------- Original Message --------
Subject: IPv6 DOS vulnerabilities
From: Marc Heuse <mh () mh-sec de>
To: Microsoft Security Response Center <secure () microsoft com>,
security-officer () FreeBSD org, product-security () apple com
CC: distros () vs openwall org
this is just a short, quick email about two unspectacular IPv6
implementation weaknesses that result in local network denial-of-service
issues in Windows, *BSD (Free and Net, Open not tested) and OS X.
distros@ is in cc: for information purposes; although it seems that
Linux is not affected, you might want to test, as I have only
tested this with a 2.6.x kernel.
Flooding the local target with ICMPv6 Neighbor Solicitation messages.
As this is handled by the kernel, it consumes all CPU power that is
there, leaving no or too little CPU for the user space.
All except OS X went to 100% CPU, OS X went to 60%+ on a QuadCore
Macbook Pro. But my test machine was not able to produce enough packets
to even closely get to the saturation point of the network, so the 100%
CPU might be reachable there too.
In short: a fast multicore CPU helps to negate the impact (unless you
are Windows, then this does not help).
Test tool: flood_solicate eth0 <IPv6-Linklocal-Address-of-Target>
(from the package at www.thc.org/thc-ipv6)
Flooding the local network with ICMPv6 Router Advertisement packets
containing multiple Routing entries results in either 100% CPU (all
Windows versions with IPv6 enabled) or some noticeable CPU impact; however,
IPv6 seems to break for *BSD and OS X. The BSD based systems do not reply
to any ICMPv6 Neighbor Solicitation requests anymore, and when trying to
send locally from the victim systems you get errors (e.g. "connect
failed" or "no multicast address on interface").
(yes, this is basically a similar issue to RA flooding with autoconfig
prefixes from two years ago)
I have an unreleased test tool for this attack, if necessary I can
package it and send it if needed.
(I am sitting on this for over a half year now, sorry for that)
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
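The two conditions the post describes (a burst of Neighbor Solicitations aimed at one host, and Router Advertisements carrying many route entries) are easy to spot on the wire. The following is an added, defender-side example, not code from the post's author or from the thc-ipv6 package: a rate-based detector that runs over constructed ICMPv6 packet summaries. The summary record layout, the per-second thresholds and the cap on Route Information options per RA are assumptions chosen for illustration; a real deployment would take the records from a packet capture and tune the thresholds to the segment's normal traffic.

```python
"""Rate-based detector for ICMPv6 NS floods and oversized RAs.

Illustrative defender-side code (not from the post or from thc-ipv6).
Input is a list of constructed packet summaries; in practice these
would be decoded from a capture on the segment being monitored.
"""
from collections import defaultdict
from dataclasses import dataclass

# ICMPv6 type values from RFC 4861
ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_NEIGHBOR_SOLICITATION = 135


@dataclass(frozen=True)
class Icmp6Summary:
    ts: float                  # seconds since capture start
    src: str                   # source link-local address (as seen on the wire)
    icmp_type: int             # ICMPv6 type field
    route_info_opts: int = 0   # RFC 4191 Route Information options in an RA


def detect_floods(pkts, window=1.0, ns_per_window=500,
                  ra_per_window=20, max_route_opts=4):
    """Return a list of (kind, key, value) alerts.

    kind is one of:
      "ns_flood"     - NS count in a window reached ns_per_window
      "ra_flood"     - RA count in a window reached ra_per_window
      "oversized_ra" - one RA carried more than max_route_opts route entries
    Thresholds are assumed values for the example, not published guidance.
    """
    counts = defaultdict(int)   # (icmp_type, window index) -> packet count
    alerts = []
    for p in pkts:
        if p.icmp_type in (ICMPV6_NEIGHBOR_SOLICITATION,
                           ICMPV6_ROUTER_ADVERTISEMENT):
            counts[(p.icmp_type, int(p.ts // window))] += 1
        # A single RA stuffed with route entries is suspicious on its own,
        # independent of the packet rate.
        if (p.icmp_type == ICMPV6_ROUTER_ADVERTISEMENT
                and p.route_info_opts > max_route_opts):
            alerts.append(("oversized_ra", p.src, p.route_info_opts))
    for (icmp_type, win), n in sorted(counts.items()):
        if icmp_type == ICMPV6_NEIGHBOR_SOLICITATION and n >= ns_per_window:
            alerts.append(("ns_flood", win, n))
        elif icmp_type == ICMPV6_ROUTER_ADVERTISEMENT and n >= ra_per_window:
            alerts.append(("ra_flood", win, n))
    return alerts


def build_sample():
    """Constructed traffic: a quiet baseline, then an NS burst, then one
    RA carrying many route entries. All addresses are made up."""
    pkts = [Icmp6Summary(0.0, "fe80::1", ICMPV6_ROUTER_ADVERTISEMENT,
                         route_info_opts=1)]
    for i in range(5):                       # normal address resolution
        pkts.append(Icmp6Summary(0.1 * i, f"fe80::{10 + i:x}",
                                 ICMPV6_NEIGHBOR_SOLICITATION))
    for i in range(600):                     # 600 NS inside second 2
        pkts.append(Icmp6Summary(2.0 + i / 600.0, f"fe80::dead:{i:x}",
                                 ICMPV6_NEIGHBOR_SOLICITATION))
    pkts.append(Icmp6Summary(3.5, "fe80::bad", ICMPV6_ROUTER_ADVERTISEMENT,
                             route_info_opts=16))
    return pkts


if __name__ == "__main__":
    for kind, key, value in detect_floods(build_sample()):
        print(f"{kind}: {key} -> {value}")
```

Running the script reports the NS burst in window 2 and the RA from `fe80::bad` with 16 route entries, while the baseline second produces nothing. Counting per window rather than per source matters for the NS case: the post's tool floods a single target, and a flood can rotate its apparent source, so a per-source threshold would miss it.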