SlideShare a Scribd company logo

slides-95-v6ops-0

Mark Smith
Mark Smith
1 of 12
Download to read offline
IETF95 Further Mitigating Router ND Cache Exhaustion DoS Attacks Using Solicited-Node Group Membership Mark Smith markzzzsmith@gmail.com
Problem Router neighbor cache state resource exhaustion denial-of- service attack. Remote attacker attempts to consume router ND cache resources by sending packets to non-existent destinations on the link. Described in RFC3756, further described RFC6583 with suggested mitigations.
Solicited Node Multicast Group Mitigation Proposal: Use nodes' Solicited Node Multicast Group membership to reduce and try to make harder to find a router's exploitable Neighbor Cache resources.
Solicited Node Multicast Group (SNMG) Membership Per RFC4291 and RFC6434, nodes are to join SNMGs for each of their addresses, using MLDv1 or MLDv2. Solicited Node Multicast Group: FF02:0:0:0:0:1:FF00::<lower 24 bits IPv6 address> where address is either unicast or anycast.
Absence of SNMG Absence of SNMG means no addresses on-link that map to it. No point performing ND NS for an address that would map to an absent SNMG.
Method 1) Router collects on-link present SNMGs using MLDv1 or MLDv2. 2) Packet with unresolved D.A. arrives, SNMG for unresolved address is calculated. 3) Calculated SNMG is compared with the list of on- link SNMGs. 4) Perform ND NS if SNMG is present. If not, drop ND trigger packet. ND Cache DoS furtheroS further mitigatedmitigated.
MLD reliablity? Two Modes: Strict Mitigation Mode – drop ND NS trigger packets for unknown SNMGs when MLD known to be reliable. e.g., enterprise, content provider networks. Relaxed Mitigation Mode – drop ND NS trigger packets for unknown SNMGs only when DoS looks to be happening. e.g., default for home gateways, public networks
Survey of MLD for SNMGs The following send MLDv1 or MLDv2 joins for SNMGs: ● Linux: Chromecast v1 & v2, Android 6, Chrome OS, Fedora 20 ● Windows: XP, Vista, 7, 8.1 ● Apple: Mac OS X, iPhone (thanks to Fred Baker and Mark Prior) “MLD Considered Harmful”, Antonios Atlasis et. al., presentation says MLD disabled for OpenBSD. (of course, I don't agree with the title :-) )
Limitations 2^40 addresses maps to each SNMG in a /64 prefix. Attacker guessing or discovering an on-link SNMG can consume ND cache resources because ND NSes will be sent. Privacy Addresses or Stable Opaque IIDs, both with random IIDs, mitigates guessing. Discovery only possible if attacker is not blind to the success of the DoS. A link with /104 or shorter prefix length will have 2^24/16 million possible SNMGs.
So certainly not perfect! Could be useful in addition to mitigations in RFC6583.
Next Steps Current thinking on an implementation: ● pim6sd or mrd6 to collect SNMGs via MLD ● Linux kernel ND code modified to use multicast route table for SNMG checks Suggestions appreciated (I'm certainly not an expert kernel hacker!) Not specifically seeking v6ops WG adoption, certainly fine with that if that happens.
Some other thoughts Hosts could implement this method if they were willing to participate in MLD as a “router”. ND cache attacker would be user on multi-user host – DoS is on other users of the host. As MLDv2 does not supress reports, LL source addresses could be used to enumerate all on-link nodes' LL addresses (except OpenBSD!). Address registation protocol by combining MLDv2 LL source collection with hosts supporting Node Information Queries or Inverse ND?

Recommended

AusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATAusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATMark Smith
 
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...Mark Smith
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecurityProgreso Training
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
aaa
aaaaaa
aaahungnhatban
 
Sectools
SectoolsSectools
Sectoolssecuredome
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issuesbathinin1
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 

Recommended

AusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATAusNOG 2016 - The Trouble with NAT
AusNOG 2016 - The Trouble with NATMark Smith
 
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...Mark Smith
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecurityProgreso Training
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
aaa
aaaaaa
aaahungnhatban
 
Sectools
SectoolsSectools
Sectoolssecuredome
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issuesbathinin1
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
100197
100197100197
100197Abhishek Malik
 
Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robotsJaime Martin Losa
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalMusa Stephen HONLUE
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
Acid
AcidAcid
AcidMichael Boman
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data DATA SECURITY SOLUTIONS
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 
10 fn s05
10 fn s0510 fn s05
10 fn s05Scott Foster
 
Transition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedTransition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedFred Bovy
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...IOSR Journals
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSJaime Martin Losa
 
Peer-to-peer Internet telephony
Peer-to-peer Internet telephonyPeer-to-peer Internet telephony
Peer-to-peer Internet telephonyKundan Singh
 
Snort
SnortSnort
SnortMichael Boman
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 
slides-85-v6ops-11
slides-85-v6ops-11slides-85-v6ops-11
slides-85-v6ops-11Mark Smith
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsMark Smith
 
AusNOG 2013 - IPv6 RAs Mostly Necessary
AusNOG 2013 - IPv6 RAs Mostly NecessaryAusNOG 2013 - IPv6 RAs Mostly Necessary
AusNOG 2013 - IPv6 RAs Mostly NecessaryMark Smith
 

More Related Content

What's hot

Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robotsJaime Martin Losa
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data DATA SECURITY SOLUTIONS
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 
Transition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedTransition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedFred Bovy
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...IOSR Journals
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSJaime Martin Losa
 
Peer-to-peer Internet telephony
Peer-to-peer Internet telephonyPeer-to-peer Internet telephony
Peer-to-peer Internet telephonyKundan Singh
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorPositive Hack Days
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS SecurityAaron Zauner
 

What's hot (19)

100197
100197100197
100197
 
Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robots
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration Networks
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
 
Acid
AcidAcid
Acid
 
Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data Botprobe - Reducing network threat intelligence big data
Botprobe - Reducing network threat intelligence big data
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)
 
10 fn s05
10 fn s0510 fn s05
10 fn s05
 
Transition to ipv6 cgv6-edited
Transition to ipv6 cgv6-editedTransition to ipv6 cgv6-edited
Transition to ipv6 cgv6-edited
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in general
 
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...
IPv6: Threats Posed By Multicast Packets, Extension Headers and Their Counter...
 
Fiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPSFiware - communicating with ROS robots using Fast RTPS
Fiware - communicating with ROS robots using Fast RTPS
 
Peer-to-peer Internet telephony
Peer-to-peer Internet telephonyPeer-to-peer Internet telephony
Peer-to-peer Internet telephony
 
Snort
SnortSnort
Snort
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
Introduction to and survey of TLS Security
Introduction to and survey of TLS SecurityIntroduction to and survey of TLS Security
Introduction to and survey of TLS Security
 

Viewers also liked

slides-85-v6ops-11
slides-85-v6ops-11slides-85-v6ops-11
slides-85-v6ops-11Mark Smith
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsMark Smith
 
AusNOG 2013 - IPv6 RAs Mostly Necessary
AusNOG 2013 - IPv6 RAs Mostly NecessaryAusNOG 2013 - IPv6 RAs Mostly Necessary
AusNOG 2013 - IPv6 RAs Mostly NecessaryMark Smith
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?Mark Smith
 
AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...
AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...
AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...Mark Smith
 
AusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topics
AusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topicsAusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topics
AusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topicsMark Smith
 

Viewers also liked (6)

slides-85-v6ops-11
slides-85-v6ops-11slides-85-v6ops-11
slides-85-v6ops-11
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
 
AusNOG 2013 - IPv6 RAs Mostly Necessary
AusNOG 2013 - IPv6 RAs Mostly NecessaryAusNOG 2013 - IPv6 RAs Mostly Necessary
AusNOG 2013 - IPv6 RAs Mostly Necessary
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
 
AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...
AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...
AusNOG 2013 - The Rapid Rise of the Mobile Multihomed Host, and What it Might...
 
AusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topics
AusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topicsAusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topics
AusNOG 2015 - Some fairly recent IPv6 IETF RFCs, discussions and topics
 

Similar to slides-95-v6ops-0

Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Introduction to IPv6-UoN
Introduction to IPv6-UoNIntroduction to IPv6-UoN
Introduction to IPv6-UoNMwendwa Kivuva
 
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018Roger Zhou 周志强
 
Deconstructing Apache Cassandra
Deconstructing Apache CassandraDeconstructing Apache Cassandra
Deconstructing Apache CassandraAlex Thompson
 
Faster Content Distribution with Content Addressable NDN Repository
Faster Content Distribution with Content Addressable NDN RepositoryFaster Content Distribution with Content Addressable NDN Repository
Faster Content Distribution with Content Addressable NDN RepositoryShi Junxiao
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC
 
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estadoNAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estadoCarlos Martinez Cagnazzo
 
SUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-Device
SUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-DeviceSUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-Device
SUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-DeviceSUSE
 
What CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBDWhat CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBDShapeBlue
 
IPv6 The Big Move
IPv6 The Big MoveIPv6 The Big Move
IPv6 The Big Movefrenildand
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerDavid Sweigert
 
Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1Nguyen Thanh
 

Similar to slides-95-v6ops-0 (20)

Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Tech f42
Tech f42Tech f42
Tech f42
 
Introduction to IPv6-UoN
Introduction to IPv6-UoNIntroduction to IPv6-UoN
Introduction to IPv6-UoN
 
IPv6 Overview
IPv6 OverviewIPv6 Overview
IPv6 Overview
 
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
延伸Linux关键业务到双活高速NVMe-oF存储-OpenInfraDays-China2018
 
Deconstructing Apache Cassandra
Deconstructing Apache CassandraDeconstructing Apache Cassandra
Deconstructing Apache Cassandra
 
IPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideIPv6_Quick_Start_Guide
IPv6_Quick_Start_Guide
 
Lecture-07 .pdf
Lecture-07 .pdfLecture-07 .pdf
Lecture-07 .pdf
 
IPv6
IPv6IPv6
IPv6
 
Faster Content Distribution with Content Addressable NDN Repository
Faster Content Distribution with Content Addressable NDN RepositoryFaster Content Distribution with Content Addressable NDN Repository
Faster Content Distribution with Content Addressable NDN Repository
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
 
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsAPNIC Hackathon IPv4 & IPv6 security & threat comparisons
APNIC Hackathon IPv4 & IPv6 security & threat comparisons
 
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estadoNAT64 en LACNIC 18: Experimentos con NAT64 sin estado
NAT64 en LACNIC 18: Experimentos con NAT64 sin estado
 
SUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-Device
SUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-DeviceSUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-Device
SUSE Expert Days Paris 2018 - SUSE HA Cluster Multi-Device
 
What CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBDWhat CloudStackers Need To Know About LINSTOR/DRBD
What CloudStackers Need To Know About LINSTOR/DRBD
 
IPv6
IPv6IPv6
IPv6
 
IPv6 The Big Move
IPv6 The Big MoveIPv6 The Big Move
IPv6 The Big Move
 
CEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical HackerCEH v9 cheat sheet notes Certified Ethical Hacker
CEH v9 cheat sheet notes Certified Ethical Hacker
 
Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1
 

More from Mark Smith

NZNOG 2020 - IETF Highlights for Operators
NZNOG 2020 - IETF Highlights for OperatorsNZNOG 2020 - IETF Highlights for Operators
NZNOG 2020 - IETF Highlights for OperatorsMark Smith
 
NZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightNZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightMark Smith
 
NZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NATNZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NATMark Smith
 
IETF 106 - Pikachu Birds of a Feather (BoF)
IETF 106 - Pikachu Birds of a Feather (BoF)IETF 106 - Pikachu Birds of a Feather (BoF)
IETF 106 - Pikachu Birds of a Feather (BoF)Mark Smith
 
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast AddressesIETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast AddressesMark Smith
 
IETF 106 - Default IPv6 Local Only Addressing for Non-Internet Devices
IETF 106 - Default IPv6 Local Only Addressing for Non-Internet DevicesIETF 106 - Default IPv6 Local Only Addressing for Non-Internet Devices
IETF 106 - Default IPv6 Local Only Addressing for Non-Internet DevicesMark Smith
 
IETF 106 - In-flight IPv6 Extension Header Insertion Considered Harmful
IETF 106 - In-flight IPv6 Extension Header Insertion Considered HarmfulIETF 106 - In-flight IPv6 Extension Header Insertion Considered Harmful
IETF 106 - In-flight IPv6 Extension Header Insertion Considered HarmfulMark Smith
 
AusNOG 2019 - Lightning talk - A bit of UX for NEs
AusNOG 2019 - Lightning talk - A bit of UX for NEsAusNOG 2019 - Lightning talk - A bit of UX for NEs
AusNOG 2019 - Lightning talk - A bit of UX for NEsMark Smith
 
AusNOG 2019 - Getting IPv6 Private Addressing Right
AusNOG 2019 - Getting IPv6 Private Addressing RightAusNOG 2019 - Getting IPv6 Private Addressing Right
AusNOG 2019 - Getting IPv6 Private Addressing RightMark Smith
 
AusNOG 2018 - The Robots are Coming!
AusNOG 2018 - The Robots are Coming!AusNOG 2018 - The Robots are Coming!
AusNOG 2018 - The Robots are Coming!Mark Smith
 
AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.
AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.
AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.Mark Smith
 
I Live Dangerously
I Live DangerouslyI Live Dangerously
I Live DangerouslyMark Smith
 

More from Mark Smith (12)

NZNOG 2020 - IETF Highlights for Operators
NZNOG 2020 - IETF Highlights for OperatorsNZNOG 2020 - IETF Highlights for Operators
NZNOG 2020 - IETF Highlights for Operators
 
NZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightNZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing Right
 
NZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NATNZNOG 2020 - The Trouble With NAT
NZNOG 2020 - The Trouble With NAT
 
IETF 106 - Pikachu Birds of a Feather (BoF)
IETF 106 - Pikachu Birds of a Feather (BoF)IETF 106 - Pikachu Birds of a Feather (BoF)
IETF 106 - Pikachu Birds of a Feather (BoF)
 
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast AddressesIETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
 
IETF 106 - Default IPv6 Local Only Addressing for Non-Internet Devices
IETF 106 - Default IPv6 Local Only Addressing for Non-Internet DevicesIETF 106 - Default IPv6 Local Only Addressing for Non-Internet Devices
IETF 106 - Default IPv6 Local Only Addressing for Non-Internet Devices
 
IETF 106 - In-flight IPv6 Extension Header Insertion Considered Harmful
IETF 106 - In-flight IPv6 Extension Header Insertion Considered HarmfulIETF 106 - In-flight IPv6 Extension Header Insertion Considered Harmful
IETF 106 - In-flight IPv6 Extension Header Insertion Considered Harmful
 
AusNOG 2019 - Lightning talk - A bit of UX for NEs
AusNOG 2019 - Lightning talk - A bit of UX for NEsAusNOG 2019 - Lightning talk - A bit of UX for NEs
AusNOG 2019 - Lightning talk - A bit of UX for NEs
 
AusNOG 2019 - Getting IPv6 Private Addressing Right
AusNOG 2019 - Getting IPv6 Private Addressing RightAusNOG 2019 - Getting IPv6 Private Addressing Right
AusNOG 2019 - Getting IPv6 Private Addressing Right
 
AusNOG 2018 - The Robots are Coming!
AusNOG 2018 - The Robots are Coming!AusNOG 2018 - The Robots are Coming!
AusNOG 2018 - The Robots are Coming!
 
AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.
AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.
AusNOG 2018 - A dirty trick to save a couple of IPv4 addresses on a LAN link.
 
I Live Dangerously
I Live DangerouslyI Live Dangerously
I Live Dangerously
 

slides-95-v6ops-0

  • 1. IETF95 Further Mitigating Router ND Cache Exhaustion DoS Attacks Using Solicited-Node Group Membership Mark Smith markzzzsmith@gmail.com
  • 2. Problem Router neighbor cache state resource exhaustion denial-of- service attack. Remote attacker attempts to consume router ND cache resources by sending packets to non-existent destinations on the link. Described in RFC3756, further described RFC6583 with suggested mitigations.
  • 3. Solicited Node Multicast Group Mitigation Proposal: Use nodes' Solicited Node Multicast Group membership to reduce and try to make harder to find a router's exploitable Neighbor Cache resources.
  • 4. Solicited Node Multicast Group (SNMG) Membership Per RFC4291 and RFC6434, nodes are to join SNMGs for each of their addresses, using MLDv1 or MLDv2. Solicited Node Multicast Group: FF02:0:0:0:0:1:FF00::<lower 24 bits IPv6 address> where address is either unicast or anycast.
  • 5. Absence of SNMG Absence of SNMG means no addresses on-link that map to it. No point performing ND NS for an address that would map to an absent SNMG.
  • 6. Method 1) Router collects on-link present SNMGs using MLDv1 or MLDv2. 2) Packet with unresolved D.A. arrives, SNMG for unresolved address is calculated. 3) Calculated SNMG is compared with the list of on- link SNMGs. 4) Perform ND NS if SNMG is present. If not, drop ND trigger packet. ND Cache DoS furtheroS further mitigatedmitigated.
  • 7. MLD reliablity? Two Modes: Strict Mitigation Mode – drop ND NS trigger packets for unknown SNMGs when MLD known to be reliable. e.g., enterprise, content provider networks. Relaxed Mitigation Mode – drop ND NS trigger packets for unknown SNMGs only when DoS looks to be happening. e.g., default for home gateways, public networks
  • 8. Survey of MLD for SNMGs The following send MLDv1 or MLDv2 joins for SNMGs: ● Linux: Chromecast v1 & v2, Android 6, Chrome OS, Fedora 20 ● Windows: XP, Vista, 7, 8.1 ● Apple: Mac OS X, iPhone (thanks to Fred Baker and Mark Prior) “MLD Considered Harmful”, Antonios Atlasis et. al., presentation says MLD disabled for OpenBSD. (of course, I don't agree with the title :-) )
  • 9. Limitations 2^40 addresses maps to each SNMG in a /64 prefix. Attacker guessing or discovering an on-link SNMG can consume ND cache resources because ND NSes will be sent. Privacy Addresses or Stable Opaque IIDs, both with random IIDs, mitigates guessing. Discovery only possible if attacker is not blind to the success of the DoS. A link with /104 or shorter prefix length will have 2^24/16 million possible SNMGs.
  • 10. So certainly not perfect! Could be useful in addition to mitigations in RFC6583.
  • 11. Next Steps Current thinking on an implementation: ● pim6sd or mrd6 to collect SNMGs via MLD ● Linux kernel ND code modified to use multicast route table for SNMG checks Suggestions appreciated (I'm certainly not an expert kernel hacker!) Not specifically seeking v6ops WG adoption, certainly fine with that if that happens.
  • 12. Some other thoughts Hosts could implement this method if they were willing to participate in MLD as a “router”. ND cache attacker would be user on multi-user host – DoS is on other users of the host. As MLDv2 does not supress reports, LL source addresses could be used to enumerate all on-link nodes' LL addresses (except OpenBSD!). Address registation protocol by combining MLDv2 LL source collection with hosts supporting Node Information Queries or Inverse ND?