Project 6 – IPv6 attack detector Report
1 Introduction
As the end of GSoC 2012 will come in the next few days, i am proud to announce IPv6-guard. IPv6-guard is an IPv6 attack detector tool including some defense mechanisms to protect against most of recent attacks on ipv6 protocol suite.
2 IPv6-Guard
2.1 How it works
At first, the tool will gather “genuine” informations of connected network. Those information includes IP and MAC address of neighbors and routers on the network.After first time run, IPv6-guard will save this information to use later, if anything has change,it will ask for confirmation ( User can edit “/data/genuine.info” to add more interface if need). If the network is under attack, some invalid information might be detected and it will ask you to verify what information is “genuine”. IPv6-Guard will use collected information and signatures against every received packet to detect and mitigate IPv6 attacks from the network.
Output:
<br />Trusted ? [Y/n] y Got fe80::9c4e:a8a4:c6b9:7e6c / 6c:62:6d:07:7e:8c <br />
2.2 Examples
• flood_advertise6
Output:
<br />[FLOOD PACKET] <br />Time : 2012-08-22 08:27:12 <br />From : 00:18:18:a5:65:5b (Cisco Systems) <br />To : 33:33:00:00:00:01 (Unknow) <br />Desc : flood_advertise6 <br />
This feature detect flood on a target with random neighbor advertisements. It is based on configured packet rate and a few heuristic algorithms.
• flood_solicitate6
Output:
<br />[FAKE NEIGHBOR SOLICITATION]<br />Time : 2012-08-22 08:22:14 <br />From : 90:84:0d:84:b7:b2 (Apple, Inc) <br />To : 33:33:ff:00:00:09 (Unknow) <br />Desc : parasite6<br />
• fake_router6 or flood_router6
Output:
<br />[FAKE ROUTER ADVERTISMENT] <br />Time : 2012-08-22 08:28:42 <br />From : 00:18:ab:36:4d:ac (BEIJING LHWT MICROELECTRONICS INC.) <br />To : 33:33:00:00:00:01 (Unknow) <br />Desc : fake_router6 <br />
This is an example to detect fake_router6 attack by announcing a host as a router on the network with the highest priority. To protect host against this attack, the tool will send a packet with routerlifetime=0 to reset that fake router and invalid route in routing table.
Also, when this attack is occured, the tool will also clean up host interface using “genuine” information collected earlier.
Before
<br />eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 <br />inet 192.168.56.1 netmask 255.255.255.0 broadcast 192.168.56.255 <br />inet6 2a01:9c11:db7e:d849:800:27ff:fe00:0 prefixlen 64 scopeid <br />inet6 2a01:99ac:6b62:841a:800:27ff:fe00:0 prefixlen 64 scopeid <br />inet6 2a01:b5ab:3408:9545:800:27ff:fe00:0 prefixlen 64 scopeid <br />inet6 2a01:43c1:e2c6:6d96:800:27ff:fe00:0 prefixlen 64 scopeid <br />inet6 fe80::800:27ff:fe00:0 prefixlen 64 scopeid 0x20<link>
Cleaning up
<br />Clean ip 2a01:9c81:e745:eef2:800:27ff:fe00:0<br />Mon Aug 20 21:16:44 2012<br />Delete an ipv6 address of interface eth0 from 2a01:9c81:e745:<br />eef2:800:27ff:fe00:0<br />
After
<br />eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 <br />inet 192.168.56.1 netmask 255.255.255.0 broadcast 192.168.56.255 <br />inet6 fe80::800:27ff:fe00:0 prefixlen 64 scopeid 0x20<link>ether 0a:00:27:00:00:00 txqueuelen 1000 (Ethernet)<br />
• smurf6
Output:
<br />[FLOOD NEIGHBOR SOLICITATION] <br />Time : 2012-08-22 08:28:42 <br />From : 00:18:ab:36:4d:ac (BEIJING LHWT MICROELECTRONICS INC.) <br />To : 33:33:00:00:00:01 (Unknow) <br />Desc : rsmurf6 | sendpees6 <br />
Detect smurf6 attack in which using our ip address with another MAC address.
2.3 Supported Attack Detections
Currently, this tool could detect various IPv6 attacks including:
• parasite6: icmp neighbor solitication/advertisement spoofer
• fake_router6: fake router address (mitm)
• flood_router6: flood router advertisement packet
• flood_advertise6: flood neighbor advertisement packet
• fake_advertiser6: fake neighbor ip (mitm)
• smurf6: flood icmp echo packet
• rsmurf6: remote smurfer
• fuzz_ip6: flood ipv6 packet
• fake_mld6: fake multicast group
• sendpees6: Generates a neighbor solicitation requests with a lot of CGAs.
For protection, some simple methods are being implemented such as
• Reset routerlifetime to delete fake route in routing table
• Clear all invalid entries on attacked interface
2.4 Synopsis
<br /># python2 6shield.py -i <interface> -c <config> <br />- interface interface to sniffing and detect attack<br />- config configuration file <br />ex:<br /># python2 6shield.py -i eth0 <br />
2.5 Configuration
This tool includes a configuration file to detect attacks from thc-ipv6 tool. If another tool using similar techniques with different packet rate, you could add a new section for it
<br />[generic] <br />manuFile=manuf ; mac/manufacturer file <br />; attack tool ( command line option)<br />[thc-ipv6] <br />routerLifetime=9999 ; router lifetime that attack using<br />naLimit=10 ; Neighbor Advertisement packet/second limitation<br />raLimit=10 ; Router Advertisement packet/second limitation<br />icmpLimit=10 ; ICMP Echo packet per second limitation<br />limitRate=20 ; IPv6 control packet per second limitation<br />
2.6 Future Works
• Improve detection method to lower false positive chance
• Improve protection method
3.Requirements:
-Python2
-scapy: www.secdev.org/projects/scapy/
-Check out at: http://code.google.com/p/ipv6-guard/
4. Final words
• Thanks Google for such a program for student
• Thanks Honeynet Project for this cool project
• Thanks Thanh Nguyen for help me finish this project
