Project 9 - IPv6 attack detector (Xu)

Student: Xu Weilin
Primary mentor: Ryan Smith
Backup mentor: Thanh Nguyen, Jianwei Zhuge

Google Melange: http://www.google-melange.com/gsoc/project/google/gsoc2012/mzweilin/26002

Project Overview:
The ultimate goal of this project is to develop cross-platform software that detects the specific IPv6 attacks implemented in the THC-IPv6 toolkit and, for some types of attack, can also protect the IPv6 network against them.

Project Plan:

  • April 23 - May 20: Community Bonding Period
  • May 21: GSoC 2012 coding officially starts
  • May 21 - June 17: Design and implement a low-interaction IPv6 Honeypot.
  • June 18 - June 24: Analyse the existing approaches to detect local IPv6 attacks, then design a new one.
  • June 25 - July 8: Implement the first alpha version of IPv6 attack detection tool.
  • July 9 - July 13: Mid Term Assessments
  • July 9 - July 29: Improve the program, especially the detection engine and the fingerprints, then release beta versions.
  • July 30 - August 12: Implement the detection of IPv6 tunneling.
  • August 13: Suggested "pencils down" date, coding close to done
  • August 13 - August 19: Documentation.
  • August 20: Firm "pencils down" date, coding must be done
  • August 24 - August 27: Final Assessments
  • August 31 - Public code uploaded and available to Google

Project Deliverables:

  • A low-interaction IPv6 honeypot.
  • A host-level IPv6 attack detection tool.

Project Source Code Repository:
https://github.com/mzweilin/ipv6-attack-detector

Student Weekly Blog: https://www.honeynet.or/blog/346

Project Useful Links:
Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol: http://dl.acm.org/citation.cfm?id=2070444

Possible Attacks based on IPv6 Features and Its Detection: http://master.apan.net/meetings/xian2007/publication/031_lin.pdf

A Complete Guide on IPv6 Attack and Defense: http://www.sans.org/reading_room/whitepapers/detection/complete-guide-ipv6-attack-defense_33904

Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks: http://tools.ietf.org/id/draft-gont-opsec-ipv6-nd-shield-00.txt

Project Updates:

9th weekly report on 2012/8/20
Done last week:
* Improved the detection.
+ Added an extra decision condition to distinguish kill_router6 and SLAAC-based host discovery.
+ Fixed a false positive of THC-IPv6: rsmurf6 | sendpeesmp6.
+ Fixed a false negative of dos-new-ip6.
+ Made the pcap files readable in Wireshark.

* Improved the UI.
+ Added support for a configuration file in Globalpot.
+ Added support for saving the genuine Router Advertisement message in ./conf/.
+ Improved the configuration file generator.
+ Updated some attack messages and log messages.
+ Gave the user a hint if no configuration files are found.

* Improved the performance.
+ Added BPF filters, so that they can replace scapy's lfilter when applicable.
+ Removed the prefix of the filename in ./pcap/*, avoiding duplicated files.

* Removed some dead code.

* Updated README.md.

Planned for next week:
* Release the first version.
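
As an added example (not code from the project repository, which is built on scapy), the following pure-Python sketch shows the kind of check an RA guard performs: the saved genuine Router Advertisement is the reference, each RA seen on the link is parsed from its raw ICMPv6 bytes, and the three THC-IPv6 RA attacks named in these reports (fake_router6, kill_router6, flood_router6) are told apart by source, prefix set, router lifetime and rate. The decision conditions, the 20 RAs per second flood threshold and the build_ra/parse_ra/RAGuard names are this example's own assumptions, not the project's; the packets are constructed inline so it runs offline.

```python
"""RA-guard style check of ICMPv6 Router Advertisements (added example).

A saved "genuine" RA (router link-local address, link-layer address and
advertised prefixes) is the reference; every RA seen on the link is parsed
from raw ICMPv6 bytes and compared against it.  Packet bytes are built by
build_ra() so the example runs offline without scapy or a live interface.
"""
import ipaddress
import struct
from collections import deque

ICMPV6_RA = 134        # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SRC_LLADDR = 1     # ND option: Source Link-Layer Address
OPT_PREFIX_INFO = 3    # ND option: Prefix Information


def build_ra(router_lifetime, prefixes, src_mac, cur_hop_limit=64, flags=0):
    """Construct raw RA bytes in RFC 4861 layout for constructed test traffic.
    The checksum stays zero; it is computed by the kernel on real packets and
    this example does not verify it."""
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, cur_hop_limit, flags,
                      router_lifetime, 0, 0)
    pkt += struct.pack("!BB6s", OPT_SRC_LLADDR, 1,
                       bytes.fromhex(src_mac.replace(":", "")))
    for prefix, plen in prefixes:
        # flags 0xC0 = on-link (L) and autonomous (A); lifetimes 30 d / 7 d
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, plen, 0xC0,
                           2592000, 604800, 0,
                           ipaddress.IPv6Address(prefix).packed)
    return pkt


def parse_ra(payload):
    """Parse the RA header and walk its TLV options; rejects truncated or
    zero-length options instead of looping on them."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack(
        "!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "flags": flags, "lifetime": lifetime,
          "lladdr": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")      # RFC 4861 4.6
        end = off + olen * 8                                # length in 8-octet units
        if end > len(payload):
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["lladdr"] = ":".join("%02x" % b for b in payload[off + 2:off + 8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen = payload[off + 2]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append((str(prefix), plen))
        off = end
    return ra


class RAGuard:
    """Classify RAs against the saved genuine RA and a per-second rate limit."""

    def __init__(self, genuine_src, genuine_mac, genuine_prefixes, flood_per_sec=20):
        self.genuine_src = genuine_src
        self.genuine_mac = genuine_mac.lower()
        self.genuine_prefixes = set(genuine_prefixes)
        self.flood_per_sec = flood_per_sec      # assumed threshold, tune per link
        self.recent = deque()                   # timestamps of RAs in the last second

    def observe(self, ts, src_ip, src_mac, payload):
        """Return an alert string, or None when the RA matches the genuine one."""
        ra = parse_ra(payload)
        self.recent.append(ts)
        while ts - self.recent[0] >= 1.0:
            self.recent.popleft()
        if len(self.recent) > self.flood_per_sec:
            return "flood_router6: %d RAs within one second" % len(self.recent)
        from_genuine = (src_ip == self.genuine_src
                        and src_mac.lower() == self.genuine_mac
                        and ra["lladdr"] in (None, self.genuine_mac))
        if not from_genuine:
            return "fake_router6: rogue RA from %s (%s)" % (src_ip, src_mac)
        if not set(ra["prefixes"]) <= self.genuine_prefixes:
            return "fake_router6: genuine router address advertising foreign prefixes"
        if ra["lifetime"] == 0:
            # A genuine router that is really shutting down sends the same RA;
            # on a link where the router is not expected to go away this is
            # the kill_router6 signature.
            return "kill_router6: router lifetime 0 for the genuine router"
        return None
```

On a live interface the capture would additionally require the IPv6 header's Hop Limit to be 255 before an RA is parsed at all (RFC 4861, section 6.1.2), and the ICMPv6 checksum would be verified; both are skipped here because the example works on constructed ICMPv6 payloads only.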

8th weekly report on 2012/8/13
Done last week:
* Implemented the Globalpot module.
+ Improved the RAguard's implementation, and integrated it into Globalpot.
+ Added support for detecting fake_advertise6, flood_advertise6, flood_solicitate6, rsmurf6, sendpeesmp6 and flood_dhcpc6 in Globalpot.
+ Added support for detecting the three advanced host discovery methods used by Nmap or THC-IPv6 alive6 in Globalpot.

* Improved the Honeypot module.
+ Added support for detecting redir6, smurf6 and sendpees6.
+ Added support for generating honeypot configurations in batches.
+ Added some necessary timers.
+ Added support for reporting security-related events, including [DAD: address in use] and [Neighbor Advertisement].

* Implemented the event module.
+ Added support for detecting dos_new_ip6 and parasite6 by implementing the event module, which handles and analyzes the security events submitted by honeypots.

* Implemented the message module.
+ Added some necessary details in the message entity.
+ Added support for outputting the captured attack packets as a pcap file.
+ Avoided flooding the same message within a second.

* Improved the logger module.
+ Added support for logging attack alerts in a suitable format.

Planned for next week:
* Improving the detection.
* Improving the UI.
* Testing the whole system called '6guard'.
* Documentation.
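
As an added example (not the project's own event module), the following sketch shows how security events submitted by several low-interaction honeypots can be correlated into the dos-new-ip6 and parasite6 alerts this report mentions, with the same-message-within-a-second suppression applied to the output. The reasoning it relies on is that a honeypot's addresses are unused by construction, so any Neighbor Advertisement claiming one of them during DAD has no legitimate sender. Event field names, thresholds and the AlertSink/NDCorrelator names are this example's assumptions; the events used in testing are constructed.

```python
"""Correlate Neighbor Discovery events reported by low-interaction IPv6
honeypots into attack alerts (added example).

Honeypot addresses are unused by construction, so a Neighbor Advertisement
that claims one of them during Duplicate Address Detection, or that
contradicts a link-layer address the honeypots already know, has no
legitimate sender.  Events are plain dicts as a honeypot thread might
submit them; the field names are this example's own.
"""
from collections import defaultdict


class AlertSink:
    """Collect alerts and drop repeats of the same message within `window` seconds."""

    def __init__(self, window=1.0):
        self.window = window
        self.last_seen = {}   # message -> timestamp last emitted
        self.alerts = []      # (timestamp, message) actually emitted

    def emit(self, ts, msg):
        last = self.last_seen.get(msg)
        if last is not None and ts - last < self.window:
            return False      # flood of the same alert: suppressed
        self.last_seen[msg] = ts
        self.alerts.append((ts, msg))
        return True


class NDCorrelator:
    """Turn per-honeypot ND events into dos-new-ip6 / parasite6 alerts."""

    def __init__(self, sink, known_lladdr, dad_threshold=2, claim_threshold=3):
        self.sink = sink
        # target address -> link-layer address the honeypots know to be genuine
        # (their own addresses, the router taken from the saved RA)
        self.known = {a: m.lower() for a, m in known_lladdr.items()}
        self.dad_threshold = dad_threshold        # distinct honeypot addresses (assumed)
        self.claim_threshold = claim_threshold    # distinct targets per MAC (assumed)
        self.dad_answers = defaultdict(set)       # answering MAC -> honeypot addrs
        self.na_claims = defaultdict(set)         # advertising MAC -> targets

    def handle(self, ts, event):
        """Process one event; return True when a new alert was emitted."""
        kind = event["type"]
        if kind == "DAD: address in use":
            return self._dad(ts, event)
        if kind == "Neighbor Advertisement":
            return self._na(ts, event)
        return False

    def _dad(self, ts, ev):
        # dos-new-ip6 answers every DAD solicitation it sees, so one sender ends
        # up "owning" several honeypot addresses; a single hit is treated as a
        # possible genuine collision and not alerted on.
        mac = ev["src_mac"].lower()
        self.dad_answers[mac].add(ev["honeypot"])
        if len(self.dad_answers[mac]) >= self.dad_threshold:
            return self.sink.emit(
                ts, "dos-new-ip6: %s answers DAD for multiple honeypot addresses" % mac)
        return False

    def _na(self, ts, ev):
        target, claimed = ev["target"], ev["tgt_lladdr"].lower()
        legit = self.known.get(target)
        if legit is not None:
            if claimed != legit:
                return self.sink.emit(
                    ts, "NA spoofing (parasite6): %s advertised as %s, expected %s"
                    % (target, claimed, legit))
            return False                 # consistent with what we already know
        # parasite6 answers solicitations for any target with its own MAC
        self.na_claims[claimed].add(target)
        if len(self.na_claims[claimed]) >= self.claim_threshold:
            return self.sink.emit(
                ts, "parasite6: %s answers NS for many different targets" % claimed)
        return False
```

The suppression key is the whole alert text, so messages must stay stable across repeats (no counters or timestamps inside them) for the one-second window to have any effect; the thresholds exist only to keep a single genuine address collision or a multi-homed neighbor from raising an alert.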

7th weekly report on 2012/8/6
Done last week:
* Added support for multiple configuration files and multi-threaded honeypots.
* Defined an attack message format, and applied it to some types of attacks.
* Added support for some attack messages from honeypots.

Planned for next week:
* Implement the detection of other IPv6 attacks.
* Combine the honeypots and other detection methods.

6th weekly report on 2012/7/9
Done last week:
* Added some timers to improve the SLAAC implementation.
* Improved ipv6-ra-guard.py to detect different attack types from fake_router6, flood_router6 or kill_router6 of THC-IPv6.
* Improved the usability and robustness of the code.

Planned for next week:
* Implement the detection of NA/NS Spoofing.
* Implement the detection of other IPv6 attacks.
* Use honeypots to detect attacks.
* Combine the honeypots and other detection methods.

5th weekly report on 2012/7/2
Done last week:
* Implemented the detection of RA Spoofing.
* Implemented the log system.
* Implemented mac2vendor.
* Improved the existing code and fixed some bugs.

Planned for next week:
* Improve the existing code.
* Implement the detection of NA/NS Spoofing.
* Implement the detection of other IPv6 attacks.

4th weekly report on 2012/6/25
Done last week:
* Added support for the honeypot configuration file.
* Improved the honeypot code.

Planned for next week:
* Implement the detection of RA Spoofing.
* Implement the detection of NA/NS Spoofing.

3rd weekly report on 2012/6/18
Done last week:
* Added support for the StateLess Address AutoConfiguration (SLAAC) mechanism.
* Added support for host discovery with invalid extension headers.

Planned for next week:
* Add support for DHCPv6.
* Add support for the honeypot configuration file.
* Improve the honeypot framework.

2nd weekly report on 2012/6/11
Done last week:
* Submitted the first version code to Github.
* Implemented a rough low-interaction IPv6 honeypot. (NDP, Unicast Echo Ping, Multicast Echo Ping)
* Implemented the detection of spoofing packets.

Planned for next week:
* Add support for the StateLess Address AutoConfiguration (SLAAC) mechanism.
* Add support for DHCPv6.
* Add support for host discovery with invalid extension headers.
* Add support for the honeypot configuration file.
* Improve the honeypot framework.

1st weekly report on 2012/6/4
Done last week:
* Drew up the project plan with mentors.
* Started coding.

Planned for next week:
* Submit some code to Github.
* Record thoughts from coding and improve the plan.

Blocking issues
* Undergraduate graduation thesis on Stateful IPv6-to-IPv6 NAT. Fortunately this is the last week for it.