[REVS] IPv6 Address Cookies
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 14 Jun 2006 12:22:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
IPv6 Address Cookies
------------------------------------------------------------------------
SUMMARY
It has long been known to researchers that address spoofing on the
Internet is a serious problem. While a great deal of effort has been put
into finding theoretical and practical solutions, spoofed attacks are
still globally endemic. They represent a simple nuisance to many, but a
business-halting bane to others. Enter IPv6. IPv6 is the next generation
of the Internet protocol designed to alleviate the existing global address
shortage and improve the scalability and extensibility of the aging IPv4
protocol. This new protocol provides an enormous 128-bit address space,
which should provide enough addresses for several decades, if not
centuries, of Internet expansion. In this paper, we propose methods which
utilize the large IPv6 address space to mitigate spoofed attacks.
DETAILS
Enter IPv6. IPv6 is the next generation of the Internet protocol designed
to alleviate the existing global address shortage and improve the
scalability and extensibility of the aging IPv4 protocol. This new
protocol provides a huge 128-bit address space which should provide enough
addresses for a great deal of Internet expansion. Individual Internet
users can easily obtain their own 80-bit block of addresses if they
currently have a single IPv4 address. This means it will be possible for
any user to effectively hide a system in such an address space without
ever being found. That is, if no DNS records point to them, and they don
t respond to broadcast requests, it would be effectively impossible to nd
a host through brute force probes.
To put this into perspective, let us suppose an attacker can scan
addresses of a network at 232 (more than four billion) packets/second
(which is probably a stretch for today s fastest routers [45]). It would
take on average, 247 seconds (or 4.5 million years) to nd a single live
address in a range of 280 addresses. For this reason, the only way to nd
systems that do not pick an obvious IPv6 address would be to query some
name resolution service (such as the DNS). In this paper, we propose
methods which utilize the large IPv6 address space to mitigate spoofed
attacks by forcing clients to always use the DNS prior to submitting
service requests.
The remainder of this chapter contains the problem statement and some
denitions of commonly used terms. Chapter 2 describes and classies the
popular types of attacks used on the current IPv4 Internet. Chapter 3
explores the impact IPv6 will have on scanning and spoong attacks. Chapter
4 gives an overview of the novel system proposed for combating spoofed
attacks in IPv6. Chapter 5 provides analysis of attacks against the
proposed system, as well as how it can be used to mitigate current
attacks. Chapter 6 proposes some solutions for the engineering challenges
faced with implementing the system and describes a prototype software
implementation used in testing. Chapter 7 describes experiments performed
with the prototype software implementation, and provides results of these
tests. Finally, chapter 8 offers some concluding remarks.
Problem Statment:
Spoofed denial of service attacks have plagued the Internet for a number
of years, and show no signs of abating. Research into mitigation
techniques has apparently not led to a nancially viable solution, and new
attacks have been discovered in the wild without being widely anticipated.
With the advent of a new Internet protocol, the world stands in a unique
position to get ahead of this criminal activity by fundamentally changing
the way the Internet works and being prepared for the attacks to come.
Whether by intention or chance, the vastly increased Internet address
space in IPv6 has done so. We seek to use this fundamental shift in
resource availability to develop a novel, lower cost solution to
mitigating spoofed attacks.
To read more please visit:
<http://www.sentinelchicken.com/research/tdm-ms-thesis/>
http://www.sentinelchicken.com/research/tdm-ms-thesis/
ADDITIONAL INFORMATION
The information has been provided by
<mailto:tim-security@xxxxxxxxxxxxxxxxxxx> Tim.
The original article can be found at:
<http://www.sentinelchicken.com/research/tdm-ms-thesis/>
http://www.sentinelchicken.com/research/tdm-ms-thesis/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Microsoft Exchange Server Outlook Web Access Script Injection (MS06-029)
- Next by Date: [UNIX] FreeType Integer Overflow Vulnerabilities
- Previous by thread: [NT] Microsoft Exchange Server Outlook Web Access Script Injection (MS06-029)
- Next by thread: [UNIX] FreeType Integer Overflow Vulnerabilities
- Index(es):
Relevant Pages
|
