Preface

Recently, some customers have been transitioning from IPv4 to IPv6, starting the year before last. So far, most of the equipment runs dual stack, and some systems have not yet been updated for the transition. Since we were the client, the work progressed steadily. When it was handed over to us, we only needed to deliver the attack, defense and optimization solutions for IPv6.

The Beginning

When it comes to IPv6, many people may have some understanding of it. If you ping the target domain name right away, it will 100% resolve to an IPv4 address. As shown in the figure, because the target server's client has set up a ping ban on the firewall, we only look at the resolved address here. Obviously, this is an IPv4 address. So how do we make it resolve to an IPv6 address and use IPv6 traffic?

Under Linux:

(1) ping6 (domain name or IPv6 address)

However, if the requesting PC is configured incorrectly, the following may occur:

How do we resolve IPv6 on Windows, which supports it?

(2) ping -6 (IPv6 address)

Configuration

1. Windows

The DNS server is set to 240c::6666. The simple principle is: the smaller the hop number (the interface metric), the higher the network priority. The theoretical range of the hop number is 1 ~ 999, but if it is less than 10, some network access may fail.

2. Basic configuration:

(1) Attacker
(2) Server
Current status of IPv6

Although IPv6 has improved protocol security compared to IPv4, the basic mechanism of transmitting datagrams has not changed. Some attacks are the same as in IPv4, such as attacks on the application layer (HTTP) and the transport layer (TCP), and they pose just as great a threat to IPv6 networks. Although the IPv6 protocol was released long ago, as IPv6 adoption gradually expands, new attack methods have also emerged, such as attacks using IPv6 extension headers, the NDP protocol and ICMPv6, all of which target various defects in the IPv6 protocol. In addition, the long-term coexistence of IPv4 and IPv6 has created new security challenges, such as lax filtering under the dual-stack mechanism and the use of tunnel mechanisms to bypass security devices.

To summarize, the verification scheme is divided into three categories according to the direction of verification: security shared by IPv4 and IPv6, IPv6-specific security, and security of the long-term IPv4/IPv6 coexistence during the transition.

The first category mainly evaluates the protection effect of the customer's website security equipment against traditional network and application attacks carried over IPv6 traffic. Some typical attack methods, such as SQL injection, XSS and remote overflow, are selected for testing. The test case design is as follows:

The second category mainly evaluates the protection effect of the customer's external website security equipment against attacks exploiting IPv6 protocol vulnerabilities. Currently known IPv6 attack methods include NDP spoofing attacks, routing redirection attacks, ICMPv6 protocol attacks (Overlarge Ping, etc.), and IPv6-based SYN Flood attacks. Among them, NDP spoofing attacks and routing redirection attacks are LAN-based attacks and are not within the scope of this verification.
Therefore, ICMPv6 protocol attacks and IPv6-based SYN Flood attacks are selected for testing. The test case design is as follows:

Test No.: B-01
Test Item: IPv6 Protocol CVE Vulnerability Combination Test
Test Purpose: Verify the protection effect of firewalls and other security devices against known vulnerabilities (CVE vulnerabilities) in the IPv6 protocol.

The third category mainly evaluates the protection effect of the customer's external website security equipment against security issues that arise under the transition mechanism in a network environment supporting dual-stack protocols. The dual-stack mechanism means that devices along the access path support both IPv4 and IPv6 packets. If an attacker controls an IPv4 device, they can establish a tunnel with an IPv6 address and use the two protocols together, thereby bypassing firewalls or IDS devices. In this verification, it is assumed that the attacker has already controlled the server host and attempts to establish an IPv6 tunnel, in order to test the penetration effect against the IDS device. The test case design is as follows:

3. Test summary:

The customer purchased a large number of security devices, but IPv6 attack traffic was captured on only two of them. The security development of IPv6 in China still has a long way to go. After verification and testing, the following problems were found in IPv6 network security protection:

(1) Some security devices do not support IPv6 well enough. For example, some security devices cannot query IPv6 attack logs, and some even have problems with IPv6 network connectivity: when testing the IPv4 and IPv6 addresses of an external website through an IPS device, the IPv4 address was reachable but the IPv6 address was not.

(2) Security devices are not capable of detecting intranet penetration through IPv6over4 tunnels.
Such intranet penetrations usually occur inside the firewall and are difficult for firewalls to detect. By establishing IPv6over4 tunnels, attacks are concealed and can bypass security devices such as IPS.

Postscript

The trend of switching from IPv4 to IPv6 is irreplaceable, just like 5G. Although it is not progressing very fast for various reasons, this era will come one day, so brothers who are interested can start learning. When I was writing the plan, I consulted a lot of academic papers. There were many articles from the 2000s. I couldn't help but sigh at the passage of time and the foresight of my predecessors. Due to the involvement of sensitive information, some of the information is censored and the tools and scripts in the article are not yet public.
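The IPv6over4 finding in the test summary comes down to IPv4 packets whose protocol field is 41 (IPv6 carried directly inside IPv4), which the tested devices did not look into. As an added example that is not part of the original article or its unreleased tools, the following Python code builds constructed sample packets with documentation addresses and shows the check a detector needs: flag protocol 41, parse the inner IPv6 header, and report the inner addresses and next header (ICMPv6 here) that the outer IPv4 view hides. The helper names and sample addresses are assumptions.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41    # IPv4 protocol number for IPv6-in-IPv4 (6in4, 6to4, 6rd) encapsulation
IPPROTO_ICMPV6 = 58  # IPv6 next-header value for ICMPv6

def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (20 bytes, no options; checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src, dst, next_hdr, payload):
    """Constructed fixed 40-byte IPv6 header (version 6, traffic class and flow label 0)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def inspect_6in4(pkt):
    """Return a finding dict if pkt is IPv4 carrying protocol 41 (IPv6 inside), else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                                  # truncated, or not IPv4 at all
    if pkt[9] != IPPROTO_IPV6:
        return None                                  # ordinary IPv4 traffic: nothing tunnelled
    ihl = (pkt[0] & 0x0F) * 4                        # outer header length in bytes (options included)
    outer = (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])))
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        # Protocol 41 with no well-formed IPv6 header behind it: malformed, still worth logging
        return {"outer": outer, "inner": None, "next_header": None, "well_formed": False, "icmpv6": False}
    next_hdr = inner[6]                              # IPv6 next-header field
    inner_addrs = (str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40])))
    return {"outer": outer, "inner": inner_addrs, "next_header": next_hdr,
            "well_formed": True, "icmpv6": next_hdr == IPPROTO_ICMPV6}

def scan(packets):
    """Findings for every packet in an iterable of raw IPv4 packets (no link-layer header)."""
    return [f for f in (inspect_6in4(p) for p in packets) if f is not None]

# Constructed samples (RFC 5737 / RFC 3849 documentation addresses, not real hosts):
# a plain TCP-over-IPv4 packet and a 6in4 packet whose inner IPv6 payload is an ICMPv6 echo request
PLAIN = build_ipv4("192.0.2.10", "192.0.2.20", 6, b"\x00" * 20)
TUNNELLED = build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_IPV6,
                       build_ipv6("2001:db8::1", "2001:db8::2", IPPROTO_ICMPV6,
                                  b"\x80\x00\x00\x00\x00\x01\x00\x01"))

if __name__ == "__main__":
    for finding in scan([PLAIN, TUNNELLED]):
        print(finding)
```

On real traffic the same check is applied to each packet's raw IPv4 bytes after stripping the link-layer header; a device that only matches on outer IPv4 addresses never sees the inner 2001:db8:: endpoints.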