IPv6 Threats
IPV6 THREATS TO GOVERNMENT NETWORKS
JOHN@KIMBERSYSTEMS.COM
Agenda
◦ Introduction
◦ IPv6 background
◦ How we got here
◦ Advantages of IPv6
◦ IPvX interesting facts
◦ IPv6 and the Federal Government
◦ How do IPv6 threats differ from IPv4 threats
◦ Specific IPv6 Threats
◦ Are you ready to defend IPv6 threats?
◦ IPv6 threat detection and mitigation
◦ Q&A
2
Introduction
◦ About me
◦ KimberSystems, LLC
◦ Supported multiple USG entities: USDA, GSA, DOC, FBI, DOD
◦ Background in security, networking, and data centers
◦ Focused on cybersecurity, cloud, and threat intelligence
3
IPv6 Background
◦ How we got here
◦ IPv4 is a REALLY old protocol (1980)
◦ We are running out of usable IPv4 addresses
◦ Advantages of IPv6
◦ Extremely large address space
◦ Autoconfiguration / network management
◦ Jumbograms
◦ No fragmentation
◦ Unique addressing
◦ Security: IPSec built-in
4
Just How Big is IPv6?
◦ IPv4 has 32 bits, allowing approximately 4.3 billion addresses. Not even enough to give a unique address to each human being on Earth.
◦ IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 (340 undecillion) unique addresses.
◦ 79,228,162,514,264,229,685,068,130,493 IPv4 Internets can fit into IPv6 address space.
◦ IPv6 could provide each and every square micrometer of the earth’s surface with 5,000 unique addresses. What’s a micrometer? About one tenth the diameter of a droplet of fog!
5
252
6
IPvX Interesting Facts
◦ IPv4 depleted in early 2011
◦ IPv6 is still less than 1% of all Internet traffic
◦ Windows 7, Windows 8, OS X, and Linux can all suffer from IPv6 attacks that are invisible to IPv4
◦ Standard subnet size for IPv6 is a /64 (18,446,744,073,709,551,616 addresses)
◦ 6in4 traffic is identified as IP protocol 41
7
IPv6 and the Federal Government
◦ Required backbone move to IPv6 by 2008 (OMB memo 05-22)
◦ Required move as per OMB memo from Federal CIO dated September 2010
◦ Upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) to operationally use native IPv6 by the end of FY 2012
◦ Upgrade internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014
◦ 29% complete (September 2013)
◦ Why aren’t we moving faster?
◦ Challenges
8
IPv6 and the Federal Government
Completed USG IPv6 Enabled Domains
1,318 Domains tested on 4 September 2013
9
IPv6 CND Challenges
◦ It won’t solve or mitigate current cyber threats (e.g. SQLi, buffer overflows, XSS, spear phishing, etc.)
◦ Shadow networks / latent threat
◦ NDP spoofing
◦ SLAAC attacks
◦ Privacy (no NAT)
◦ If using Privacy IPv6 addresses it may create challenges in attribution, incident response, forensic analysis, firewall policies, etc.
10
IPv6 CND Challenges
◦ New approaches to management, troubleshooting, administration, etc.
◦ Vulnerability scanning
◦ Deep packet inspection
◦ Don’t know you’re running it
◦ Threat detection models aren’t current/configured for IPv6 threats
◦ Analysts may not understand the protocol
11
IPv6 Threats
◦ They are real and bad guys are leveraging IPv6
◦ Under the radar
◦ Tunneling (e.g. Teredo)
◦ Multiple addresses for single host
◦ Detection infrastructure not ready to support
◦ Rest of the threat community isn’t focused on it
◦ You think it doesn’t matter
12
IPv6 Threat Ready?
NOPE!
◦ Tools aren’t ready
◦ Analysts aren’t ready
◦ Threat intelligence still focused on IPv4
◦ Blackholes
◦ IP reputation services
BYOD over IPv6 – the perfect storm!
13
Threats
Everything we see in IPv4 plus…
◦ NDP Spoofing
◦ SLAAC Attack
◦ Teredo Tunneling
14
NDP Spoofing
NDP (Neighbor Discovery Protocol) is the new ARP (in this example)
◦ An attacker can spoof an address by snooping a Neighbor Solicitation
◦ Attacker then conducts attack via Neighbor Advertisement
◦ Similar to ARP poisoning by advertising L2 address
15
Neighbor Discovery Protocol
Happy IPv6
16
NDP Neighbor Solicitation
Neighbor Solicitation
17
NDP Neighbor Advertisement
Neighbor Advertisement
18
Happy IPv6 Remix
Happy IPv6
19
Neighbor Discovery Protocol
Happy IPv6
20
NDP NA (bad guy)
Neighbor Advertisement
21
Unhappy IPv6 (bad guy wins)
Unhappy IPv6
22
SLAAC Attack
Rogue Router Advertisements (RA) announce the sender as being able to route IPv6 traffic
◦ Host that is configured to use IPv6 (most current operating systems) will begin to route traffic to the RA host; no verification/authorization
◦ SuddenSix attack (SLAAC attack): https://github.com/Neohapsis/suddensix
23
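The two layer-2 threats above (NDP spoofing via Neighbor Advertisements, and SLAAC attacks via rogue Router Advertisements) can be caught by the same kind of monitor that arpwatch provides for IPv4. The following is an added example, not part of the presentation: it audits a stream of already-decoded ND messages, alerting on any RA whose source is not on a router allow-list and on any NA that rebinds an IPv6 address to a different MAC. The allow-list, MACs and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NdMessage:
    """One decoded ICMPv6 Neighbor Discovery message (constructed input, not a packet parser)."""
    kind: str            # "RA" = Router Advertisement, "NA" = Neighbor Advertisement
    src: str             # IPv6 source address of the message
    lladdr: str          # link-layer (MAC) address option carried in the message
    target: str = ""     # NA only: the IPv6 address whose binding is being advertised


LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Hypothetical allow-list of legitimate routers on this segment: link-local -> MAC.
KNOWN_ROUTERS = {"fe80::1": "00:11:22:33:44:01"}


def norm(addr):
    """Canonical textual form so fe80:0::1 and fe80::1 compare equal."""
    return str(ipaddress.IPv6Address(addr))


def audit_nd(messages, known_routers=KNOWN_ROUTERS):
    """Return alert strings for rogue RAs (SLAAC attack) and NA rebinds (NDP spoofing).

    A monitor that sees every ND message on the segment (e.g. from a span port)
    remembers the first MAC advertised for each IPv6 target and alerts when a later
    Neighbor Advertisement claims the same address with a different MAC. Router
    Advertisements must come from a link-local source and match the allow-list.
    """
    routers = {norm(k): v.lower() for k, v in known_routers.items()}
    bindings = {}   # advertised IPv6 target -> MAC first seen
    alerts = []
    for m in messages:
        src, mac = norm(m.src), m.lladdr.lower()
        if m.kind == "RA":
            if ipaddress.IPv6Address(src) not in LINK_LOCAL:
                alerts.append(f"RA from non-link-local source {src}")
            elif routers.get(src) != mac:
                alerts.append(f"rogue RA from {src} ({mac})")
        elif m.kind == "NA":
            target = norm(m.target)
            first = bindings.setdefault(target, mac)
            if first != mac:
                alerts.append(f"NA rebinds {target}: {first} -> {mac}")
    return alerts


# Constructed sample: legitimate router RA, a normal NA, a second NA that rebinds
# the same address to another MAC, and an RA from a host not on the allow-list.
SAMPLE = [
    NdMessage("RA", "fe80::1", "00:11:22:33:44:01"),
    NdMessage("NA", "fe80::a", "00:11:22:33:44:0a", target="2001:db8::10"),
    NdMessage("NA", "fe80::b", "00:11:22:33:44:0b", target="2001:db8::10"),
    NdMessage("RA", "fe80::bad", "00:11:22:33:44:ee"),
]

if __name__ == "__main__":
    for alert in audit_nd(SAMPLE):
        print(alert)
```

On a real segment the allow-list should also be checked against RA Guard or DHCPv6/RA snooping on the switch, since the monitor only reports and cannot stop a host from accepting the rogue RA.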
Happy IPv4
24
Rogue Router
25
Rogue Router Advertisement
26
Teredo Tunneling
◦ Like most things, it wasn’t designed to be bad
◦ Can be used for legitimate purposes
◦ Built into Microsoft products
◦ IPv6 tunneling across NAT boundaries
◦ Doesn’t require firewall to support IPv6 or 6to4
◦ IPv4 over UDP
27
Teredo Tunneling
28
IPv6 Threat Detection
Similar to IPv4
◦ Smart analysts
◦ Know your traffic
◦ Know what you’re looking for
◦ Protocol 41
◦ Tunneling?
◦ Upgrade/update your detection mechanisms
◦ Don’t trust v4 rules to detect v6 traffic, regardless of what your vendors say
◦ Talk to your vendors
29
Things to Consider
◦ Do you know how many or which of your hosts are using IPv6?
◦ How many of your blackhole and block lists have IPv6 entries?
◦ Do all of your logging devices and infrastructure log IPv6 correctly (frequently truncated)?
◦ Hosts with multiple IPv6 addresses can send spam/badness from many addresses
◦ 2002::/16 6to4 tunnel prefix
◦ Don’t block ICMP; needed for MTU discovery
◦ You have to wrap addresses in brackets because of “:”, e.g. scp file.txt [2001::1]
30
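The detection and "things to consider" slides above boil down to a few checks an analyst can run over flow or log records: protocol 41 and Teredo's UDP port on the IPv4 side, the 2002::/16 6to4 and 2001::/32 Teredo prefixes on the IPv6 side (both carry the IPv4 endpoints inside the address, which Python's ipaddress module decodes), addresses the logger truncated, and a host's many privacy addresses collapsing onto one /64. This is an added example, not the presenter's code; the flow records and addresses are constructed from documentation ranges, and the record field names (src, dst, proto, sport, dport) are an assumption.

```python
import ipaddress
from collections import Counter

# Where the transition mechanisms named in the slides show up in flow and log data.
PROTO_6IN4 = 41                                      # 6in4 / 6to4: IPv6 directly inside IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544                                   # Teredo server port (RFC 4380)
PREFIX_6TO4 = ipaddress.ip_network("2002::/16")      # 6to4 prefix from the slides
PREFIX_TEREDO = ipaddress.ip_network("2001::/32")    # Teredo prefix (RFC 4380)


def classify_flow(rec):
    """Tag one flow record (dict with src, dst, proto and optional sport/dport).

    Tags name the tunnel transport seen on the IPv4 side (protocol 41, UDP/3544)
    and, for 6to4 and Teredo IPv6 addresses, the embedded IPv4 endpoints so the
    flow can be matched against IPv4 block lists. An address that fails to parse
    is flagged, which is what a logger that truncates IPv6 addresses produces.
    """
    tags = []
    if rec["proto"] == PROTO_6IN4:
        tags.append("6in4")
    if rec["proto"] == PROTO_UDP and TEREDO_PORT in (rec.get("sport"), rec.get("dport")):
        tags.append("teredo-udp")
    for key in ("src", "dst"):
        try:
            addr = ipaddress.ip_address(rec[key])
        except ValueError:
            tags.append(f"{key}:unparseable")
            continue
        if addr.version != 6:
            continue
        if addr in PREFIX_6TO4:
            tags.append(f"{key}:6to4 via {addr.sixtofour}")
        elif addr in PREFIX_TEREDO:
            server, client = addr.teredo   # client address is XOR-obfuscated; ipaddress undoes it
            tags.append(f"{key}:teredo client {client} via {server}")
    return tags


def count_by_subnet(addresses, prefixlen=64):
    """Count IPv6 addresses per /64. A host using privacy addresses sends from many
    addresses in its own subnet, so the /64 is the unit to score or block, not the /128."""
    counts = Counter()
    for a in addresses:
        counts[str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False))] += 1
    return counts


# Constructed sample records: a 6in4 flow, a Teredo UDP flow, a Teredo client
# talking to a native host, and a 6to4 source paired with a truncated destination.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.9", "proto": PROTO_6IN4},
    {"src": "198.51.100.7", "dst": "203.0.113.9", "proto": PROTO_UDP, "dport": TEREDO_PORT},
    {"src": "2001:0:4136:e378:8000:63bf:3fff:fdd2", "dst": "2001:db8::1", "proto": 6},
    {"src": "2002:c000:204::1", "dst": "2001:db8:", "proto": 6},
]

if __name__ == "__main__":
    for rec in SAMPLE_FLOWS:
        print(rec["src"], "->", rec["dst"], classify_flow(rec))
```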
Q&A
For more information:
John F. McClure
◦ john@kimbersystems.com
◦ (202) 630-0726
◦ @johnmcclure00
◦ linkedin.com/in/johnmcclure
KimberSystems, LLC
◦ kimbersystems.com
◦ @KimberSystems
◦ linkedin.com/company/kimbersystems-llc
◦ facebook.com/KimberSystems
31
