ipv6 threat presentation

IPv6 Threats IPV6 THREATS TO GOVERNMENT NETWORKS [email protected]

Upload: johnmcclure00

Post on 13-Apr-2017


TRANSCRIPT

Page 1: IPv6 Threat Presentation

IPv6 Threats

IPV6 THREATS TO GOVERNMENT NETWORKS

[email protected]

Page 2: IPv6 Threat Presentation

Agenda
◦ Introduction
◦ IPv6 background
◦ How we got here
◦ Advantages of IPv6
◦ IPvX interesting facts
◦ IPv6 and the Federal Government
◦ How do IPv6 threats differ from IPv4 threats
◦ Specific IPv6 threats
◦ Are you ready to defend against IPv6 threats?
◦ IPv6 threat detection and mitigation
◦ Q&A

Page 3: IPv6 Threat Presentation

Introduction
◦ About me
◦ KimberSystems, LLC
◦ Supported multiple USG entities: USDA, GSA, DOC, FBI, DOD
◦ Background in security, networking, and data centers
◦ Focused on cybersecurity, cloud, and threat intelligence

Page 4: IPv6 Threat Presentation

IPv6 Background
◦ How we got here
  ◦ IPv4 is a REALLY old protocol (1980)
  ◦ We are running out of usable IPv4 addresses
◦ Advantages of IPv6
  ◦ Extremely large address space
  ◦ Autoconfiguration / network management
  ◦ Jumbograms
  ◦ No fragmentation
  ◦ Unique addressing
  ◦ Security: IPSec built-in

Page 5: IPv6 Threat Presentation

Just How Big is IPv6?
◦ IPv4 has 32 bits, allowing approximately 4.3 billion addresses. Not even enough to give a unique address to each human being on Earth.
◦ IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 (340 undecillion) unique addresses.
◦ 79,228,162,514,264,229,685,068,130,493 IPv4 Internets can fit into the IPv6 address space.
◦ IPv6 could provide each and every square micrometer of the earth's surface with 5,000 unique addresses. What's a micrometer? About one tenth the diameter of a droplet of fog!

Page 6: IPv6 Threat Presentation


Page 7: IPv6 Threat Presentation

IPvX Interesting Facts
◦ IPv4 depleted in early 2011
◦ IPv6 is still less than 1% of all Internet traffic
◦ Windows 7, Windows 8, OS X, and Linux can all suffer from IPv6 attacks that are invisible to IPv4
◦ Standard subnet size for IPv6 is a /64 (18,446,744,073,709,551,616 addresses)
◦ 6in4 traffic is identified as IP protocol 41

Page 8: IPv6 Threat Presentation

IPv6 and the Federal Government
◦ Required backbone move to IPv6 by 2008 (OMB memo 05-22)
◦ Required move as per OMB memo from Federal CIO dated September 2010
  ◦ Upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) to operationally use native IPv6 by the end of FY 2012
  ◦ Upgrade internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014
◦ 29% complete (September 2013)
◦ Why aren't we moving faster?
◦ Challenges

Page 9: IPv6 Threat Presentation

IPv6 and the Federal Government

Completed USG IPv6 Enabled Domains

1,318 domains tested on 4 September 2013

Page 10: IPv6 Threat Presentation

IPv6 CND Challenges
◦ It won't solve or mitigate current cyber threats (e.g. SQLi, buffer overflows, XSS, spear phishing, etc.)
◦ Shadow networks / latent threat
◦ NDP spoofing
◦ SLAAC attacks
◦ Privacy (no NAT)
◦ If using privacy IPv6 addresses, it may create challenges in attribution, incident response, forensic analysis, firewall policies, etc.

Page 11: IPv6 Threat Presentation

IPv6 CND Challenges
◦ New approaches to management, troubleshooting, administration, etc.
◦ Vulnerability scanning
◦ Deep packet inspection
◦ Don't know you're running it
◦ Threat detection models aren't current/configured for IPv6 threats
◦ Analysts may not understand the protocol

Page 12: IPv6 Threat Presentation

IPv6 Threats
◦ They are real and bad guys are leveraging IPv6
◦ Under the radar
  ◦ Tunneling (e.g. Teredo)
  ◦ Multiple addresses for a single host
  ◦ Detection infrastructure not ready to support it
  ◦ Rest of the threat community isn't focused on it
  ◦ You think it doesn't matter

Page 13: IPv6 Threat Presentation

IPv6 Threat Ready? NOPE!
◦ Tools aren't ready
◦ Analysts aren't ready
◦ Threat intelligence still focused on IPv4
  ◦ Blackholes
  ◦ IP reputation services

BYOD over IPv6 – the perfect storm!

Page 14: IPv6 Threat Presentation

Threats
Everything we see in IPv4 plus…
◦ NDP Spoofing
◦ SLAAC Attack
◦ Teredo Tunneling

Page 15: IPv6 Threat Presentation

NDP Spoofing
NDP (Neighbor Discovery Protocol) is the new ARP (in this example)
◦ An attacker can spoof an address by snooping a Neighbor Solicitation
◦ The attacker then conducts the attack via a Neighbor Advertisement
◦ Similar to ARP poisoning: the attacker advertises an L2 address for a target

Page 16: IPv6 Threat Presentation

Neighbor Discovery Protocol

Happy IPv6

Page 17: IPv6 Threat Presentation

NDP Neighbor Solicitation

Neighbor Solicitation

Page 18: IPv6 Threat Presentation

NDP Neighbor Advertisement

Neighbor Advertisement

Page 19: IPv6 Threat Presentation

Happy IPv6 Remix

Happy IPv6

Page 20: IPv6 Threat Presentation

Neighbor Discovery Protocol

Happy IPv6

Page 21: IPv6 Threat Presentation

NDP NA (bad guy)

Neighbor Advertisement

Page 22: IPv6 Threat Presentation

Unhappy IPv6 (bad guy wins)

Unhappy IPv6

Page 23: IPv6 Threat Presentation

SLAAC Attack
Rogue Router Advertisements (RA) announce the attacker's host as being able to route IPv6 traffic
◦ A host that is configured to use IPv6 (most current operating systems) will begin to route traffic to the RA host; there is no verification/authorization
◦ SuddenSix attack (SLAAC attack): https://github.com/Neohapsis/suddensix
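The two link-local attacks on the preceding slides share one defensive signal: the neighbor cache and the set of routers must not change silently. The following is an added example, not code from the presentation, of a minimal NDP monitor that flags a Neighbor Advertisement whose link-layer address differs from the one first learned for that target (NDP spoofing) and a Router Advertisement from a MAC that is not on a router allowlist (SLAAC attack). The event tuples and the allowlist are constructed; a real monitor would decode ICMPv6 from a capture.

```python
from ipaddress import IPv6Address

# Constructed allowlist of the link-layer (MAC) addresses of the legitimate
# routers on this segment; a real deployment would load it from inventory.
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:01"}

# Constructed NDP event stream, simplified to (message type, IPv6 address,
# link-layer address) tuples; a real monitor would decode ICMPv6 packets.
EVENTS = [
    ("NA", "fe80::1", "00:11:22:33:44:01"),       # router answers an NS
    ("NA", "2001:db8::10", "00:11:22:33:44:10"),  # host .10 answers an NS
    ("NA", "2001:db8::10", "de:ad:be:ef:00:01"),  # same target, new MAC
    ("RA", "fe80::1", "00:11:22:33:44:01"),       # RA from the real router
    ("RA", "fe80::bad", "de:ad:be:ef:00:01"),     # RA from an unknown MAC
]


def analyze(events, trusted_router_macs):
    """Return alert strings for NA target/MAC conflicts (NDP spoofing) and
    for RAs whose source MAC is not an allowlisted router (SLAAC attack).
    The cache remembers only the first MAC learned per address, so a
    legitimately replaced NIC also alerts: that is an 'investigate' signal,
    not a silent re-learn."""
    neighbors = {}  # IPv6 target -> first link-layer address seen
    alerts = []
    for kind, addr, lladdr in events:
        ip = IPv6Address(addr)  # validates and canonicalises the address
        if kind == "NA":
            known = neighbors.setdefault(ip, lladdr)
            if known != lladdr:
                alerts.append(f"NA conflict: {ip} learned as {known}, "
                              f"now advertised by {lladdr}")
        elif kind == "RA" and lladdr not in trusted_router_macs:
            alerts.append(f"Rogue RA: {ip} from {lladdr} is not an "
                          f"allowlisted router")
    return alerts


if __name__ == "__main__":
    for line in analyze(EVENTS, TRUSTED_ROUTER_MACS):
        print(line)
```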

Page 24: IPv6 Threat Presentation

Happy IPv4

Page 25: IPv6 Threat Presentation

Rogue Router

Page 26: IPv6 Threat Presentation

Rogue Router Advertisement

Page 27: IPv6 Threat Presentation

Teredo Tunneling
◦ Like most things, it wasn't designed to be bad
◦ Can be used for legitimate purposes
◦ Built into Microsoft products
◦ IPv6 tunneling across NAT boundaries
◦ Doesn't require the firewall to support IPv6 or 6to4
◦ IPv6 carried over UDP/IPv4

Page 28: IPv6 Threat Presentation

Teredo Tunneling

Page 29: IPv6 Threat Presentation

IPv6 Threat Detection
Similar to IPv4
◦ Smart analysts
◦ Know your traffic
◦ Know what you're looking for
  ◦ Protocol 41
  ◦ Tunneling?
◦ Upgrade/update your detection mechanisms
◦ Don't trust v4 rules to detect v6 traffic, regardless of what your vendors say
◦ Talk to your vendors

Page 30: IPv6 Threat Presentation

Things to Consider
◦ Do you know how many or which of your hosts are using IPv6?
◦ How many of your blackhole and block lists have IPv6 entries?
◦ Do all of your logging devices and infrastructure log IPv6 correctly (frequently truncated)?
◦ Hosts with multiple IPv6 addresses can send spam/badness from many addresses
◦ 2002::/16 is the 6to4 tunnel prefix
◦ Don't block ICMPv6; it is needed for MTU discovery
◦ You have to wrap addresses in brackets because of ":", e.g. scp file.txt [2001::1]:
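As an added example covering both the detection slide (protocol 41, tunneling) and the considerations above (the 2002::/16 6to4 prefix, truncated logging), and not code from the presentation: a flow-record classifier that tags 6in4/6to4 and Teredo traffic and decodes the IPv4 endpoint embedded in 6to4 and Teredo addresses, which is what attribution needs when the visible address is a tunnel address. The key=value records are constructed; the Teredo prefix 2001::/32 and UDP port 3544 come from RFC 4380, not from the slides.

```python
from ipaddress import ip_address, IPv6Address

TEREDO_UDP_PORT = 3544  # Teredo server/relay port (RFC 4380)

# Constructed flow records in a simplified key=value format (not a real
# export). The Teredo address encodes server 203.0.113.5 and client
# 198.51.100.7 on UDP port 4096; the last record carries a truncated address.
RECORDS = [
    "proto=41 src=198.51.100.7 dst=192.0.2.1",
    "proto=17 src=198.51.100.7 sport=4096 dst=203.0.113.5 dport=3544",
    "proto=6 src=2002:c633:6407::1 dst=2001:db8::80 dport=80",
    "proto=6 src=2001:0:cb00:7105:0:efff:39cc:9bf8 dst=2001:db8::80 dport=80",
    "proto=6 src=2001:db8:1:2:3:4:5 dst=2001:db8::80 dport=443",
]


def parse(record):
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in record.split())


def classify_address(text):
    """Return (kind, embedded IPv4 or None); kind is ipv4, native, 6to4,
    teredo or invalid. 6to4 (2002::/16) and Teredo (2001::/32) addresses
    embed the real IPv4 endpoint, so it is recovered here."""
    try:
        ip = ip_address(text)
    except ValueError:
        return ("invalid", None)  # e.g. an IPv6 address truncated by a logger
    if not isinstance(ip, IPv6Address):
        return ("ipv4", None)
    if ip.sixtofour is not None:
        return ("6to4", str(ip.sixtofour))
    if ip.teredo is not None:
        _server, client = ip.teredo  # client IPv4 is stored bit-inverted
        return ("teredo", str(client))
    return ("native", None)


def classify_flow(record):
    """Return the tunnel/transition indicators found in one flow record."""
    f = parse(record)
    tags = []
    if f.get("proto") == "41":
        tags.append("6in4/6to4 tunnel (IP protocol 41)")
    if f.get("proto") == "17" and str(TEREDO_UDP_PORT) in (f.get("sport"), f.get("dport")):
        tags.append("possible Teredo (UDP 3544)")
    for key in ("src", "dst"):
        kind, embedded = classify_address(f[key])
        if kind in ("6to4", "teredo"):
            tags.append(f"{key} is {kind}, embedded IPv4 {embedded}")
        elif kind == "invalid":
            tags.append(f"{key} does not parse as an address (truncated log?)")
    return tags
```

Running `classify_flow` over each entry in `RECORDS` tags the protocol-41 flow, the UDP/3544 flow, the two tunnel-sourced flows with their decoded IPv4 endpoints, and the truncated address that a v4-only logger would otherwise have silently mangled.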

Page 31: IPv6 Threat Presentation

Q&A
For more information:

John F. McClure
◦ [email protected]
◦ (202) 630-0726
◦ @johnmcclure00
◦ linkedin.com/in/johnmcclure

KimberSystems, LLC
◦ kimbersystems.com
◦ @KimberSystems
◦ linkedin.com/company/kimbersystems-llc
◦ facebook.com/KimberSystems