Review of Security Vulnerabilities in the IPv6 Neighbor Discovery Protocol Mohammed Anbar, Rosni Abdullah, Redhwan M.A. Saad, Esraa Alomari and Samer Alsaleem

Abstract Internet Protocol version 6 (IPv6) contains a new protocol, the Neighbor Discovery Protocol (NDP), which replaces the Address Resolution Protocol (ARP) of Internet Protocol version 4 (IPv4) and also provides router discovery and redirect. Implemented without any security mechanism, NDP is vulnerable: using spoofed Media Access Control (MAC) addresses in NDP messages, a malicious host can launch Denial-of-Service (DoS) or Man-in-the-Middle (MiTM) attacks. IPv6 depends heavily on NDP, which appears on the network as ICMPv6 traffic; unlike IPv4, IPv6 stops working if ICMP is disabled or dropped from the network. The importance of NDP to IPv6 is exactly what draws attackers' attention to the NDP vulnerabilities they can exploit. This paper describes and reviews the fundamental attacks on NDP, prevention mechanisms, and current detection mechanisms for NDP-based attacks.

Keywords Internet Protocol version 6 (IPv6) · Neighbor Discovery Protocol (NDP) · Address Resolution Protocol (ARP) · Man-in-the-Middle (MiTM) · Denial-of-Service (DoS)

1 Introduction

The dramatic increase in the number of devices connected to the Internet has resulted in the allocation of many Internet Protocol version 4 (IPv4) addresses, and the available address space is rapidly diminishing. The 4.3 billion addresses provided by IPv4 are nearly exhausted [13]. The Internet Engineering Task Force (IETF) [8] has been working on IPv6 specifications to overcome these address limitations. IPv6 provides a much larger address space of 340 undecillion addresses to meet this demand [15]. IPv6 is an improved version of IPv4 designed to coexist with IPv4, while providing better internetworking capabilities than IPv4 and resolving unanticipated IPv4 design issues [4, 14]. IPv6 is currently being deployed worldwide, enabling end-to-end device addressability. IPv6 may well become an institutional imperative, but security considerations remain critically important [11]. IPv6 and IPv4 are both network-layer protocols and share many network-layer vulnerabilities. Protection is required for every device participating in networked communication, and IP security (IPsec) must be taken more seriously to provide the necessary authentication, integrity, and confidentiality services. Thus, native IPv6 connectivity is necessary [17]. In an IPv6 network, one function of the Neighbor Discovery Protocol (NDP) is to resolve the MAC address of a target host. NDP is stateless, and its messages are neither authenticated nor authorized, so many attacks, such as Man-in-the-Middle (MiTM) and Denial-of-Service (DoS), can be launched through this essential IPv6 protocol [17, 12]. IPv6 is slightly better than IPv4 in terms of security, but it is not necessarily more secure than IPv4 [19].

M. Anbar · R. Abdullah · R.M.A. Saad · E. Alomari · S. Alsaleem
National Advanced IPv6 Centre of Excellence, Universiti Sains Malaysia, George Town, Penang, Malaysia
e-mail: {anbar,rosni,redhwan,esraa,samer}@nav6.usm.my
© Springer Science+Business Media Singapore 2016
K.J. Kim and N. Joukov (eds.), Information Science and Applications (ICISA) 2016, Lecture Notes in Electrical Engineering 376, DOI: 10.1007/978-981-10-0557-2_59

2 NDP

NDP is a supporting protocol used with IPv6. Its messages are carried in ICMPv6, and it performs the link-layer functions of the Internet model (RFC 1122): address autoconfiguration of nodes, discovery of other nodes on the link, determining the link-layer addresses of other nodes, duplicate address detection, discovering available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about paths to active neighbor nodes (RFC 4861) [2, 6]. NDP defines five ICMPv6 message types: router solicitation (RS), router advertisement (RA), neighbor solicitation (NS), neighbor advertisement (NA), and redirect [3]. Table 1 lists the ICMPv6 messages defined for NDP. By default, every IPv6 host joins the all-nodes multicast group FF02::1 as well as other groups (see Figure 1). A node that needs the MAC address of a target host multicasts an ICMPv6 NS; RFC 4861 sends it to the target's solicited-node multicast address (FF02::1:FFxx:xxxx, formed from the low 24 bits of the target address), although the figures in this paper simplify this to the all-nodes group FF02::1, which reaches every active link-local address on the link (RFC 3513). Exchanging ICMPv6 messages on top of IPv6 is crucial for IPv6 communication. However, because none of these messages is authenticated, this exchange can be abused by sending carefully crafted fake responses for DoS, traffic re-routing, or other malicious purposes. Section 3 describes NDP-based attacks in detail.

Fig. 1 Joined multicast groups for an IPv6 address


Table 1 ICMPv6 messages defined for NDP

ICMPv6 packet type    Description
RS (Type 133)         Hosts send RS messages to locate routers on an attached link. Routers (nodes that forward packets not addressed to them) generate an RA immediately upon receipt of an RS, rather than at their next scheduled time.
RA (Type 134)         Routers advertise their presence together with various link and Internet parameters, either periodically or in response to an RS message.
NS (Type 135)         Nodes send NS messages to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.
NA (Type 136)         Nodes send NAs in response to an NS message (an NA may also be sent unsolicited, to announce a link-layer address change).
Redirect (Type 137)   Routers inform hosts of a better first-hop router for a destination.

3 NDP-Based Attacks

NDP-based attacks are categorized into two groups: (1) MiTM and (2) DoS. The ICMPv6 flooding attacks of Section 3.3 belong to the DoS group.

3.1 MiTM Attacks

MiTM is an attack in the access-gaining phase in which the attacker positions himself between two communicating parties. It is a stepping stone for further attacks, such as sniffing and session hijacking. In IPv4, MiTM can be performed in various ways, such as Address Resolution Protocol (ARP) cache poisoning or Dynamic Host Configuration Protocol (DHCP) spoofing. In IPv6, ARP is replaced by the ICMPv6 neighbor discovery process, and DHCP can be replaced by an alternative process, stateless address autoconfiguration [1]. The common MiTM attacks are as follows.

Spoofed ICMPv6 NA. On a link, two nodes normally resolve each other by exchanging two types of ICMPv6 messages, NS and NA, which bind an IPv6 address to a MAC address. Unfortunately, these exchanges are unauthenticated. Nothing prevents an attacker from generating an NA that advertises his own layer-two address as belonging to another host on the link. Figure 2 shows the normal process of looking up the MAC address for an IPv6 address on the network.


Fig. 2 Example of a normal process of looking up the MAC of the IPv6 address on the network

In Figure 2, Node A needs to communicate with Node B. Node A therefore sends an ICMPv6 NS carrying Node B's address as the target; RFC 4861 addresses it to the solicited-node multicast group derived from that target address (the figure shows the all-nodes group FF02::1). If Node B is present, it is listening to that group; on receiving the solicitation it replies to Node A with an NA that has the solicited (S) flag set. Node A receives the advertisement and learns that Node B's IPv6 address is reachable at Node B's MAC address. This process has vulnerabilities that can be used to perform MiTM attacks. Figure 3 shows an example of NA spoofing on an IPv6 network.

Fig. 3 Example of NA spoofing

When an attacker joins the IPv6 network, it automatically obtains an IPv6 address and listens to the FF02::1 multicast group. As shown in Figure 3, the attacker and Node A are on the same LAN. When Node A sends an ICMPv6 NS to FF02::1 asking for Node B, both Node B and the attacker receive it. Node B responds to Node A with an NA with the S flag set. The attacker then responds to Node A with an ICMPv6 NA with both the S and the override (O) flag set. Node A receives the advertisements from Node B and from the attacker; because the attacker's NA carries the O flag, it overwrites Node A's neighbor cache entry for Node B (RFC 4861 Section 7.2.5: an NA without the O flag cannot replace an existing link-layer address, while one with the O flag can, and an unsolicited NA with O set updates an existing entry just the same, so the attacker need not even wait for an NS). Node A is deceived into believing that Node B's IPv6 address maps to the attacker's MAC address, so all traffic from Node A to Node B goes through the attacker. A practical example of NA spoofing is listed in Table 2, which shows the MAC and IPv6 addresses of Nodes A and B and the attacker.


Table 2 MAC and IP addresses for Nodes A and B and the attacker

Node      IPv6 address   MAC address
A         fe80::3        aa:bb:cc:dd:ee:aa
B         fe80::4        aa:bb:cc:dd:ee:11
Attacker  fe80::5        aa:bb:cc:dd:ee:22

With a spoofed ICMPv6 NA on the network, the neighbor cache of Node A after a ping6 from Node A to Node B reads as follows:

fe80::5 link-layer address aa:bb:cc:dd:ee:22
fe80::4 link-layer address aa:bb:cc:dd:ee:22

Node B's address is now bound to the link-layer address of the attacker, so all traffic from Node A to Node B goes through the attacker. (On Linux the same table is printed by ip -6 neigh show; the indicator worth alerting on is a binding for Node B's address that changes to another node's MAC.)

Spoofed ICMPv6 RA. On an IPv6 link, a router announces its network prefix, lifetimes, and configuration type periodically (every 200 s by default on many routers) by sending an RA to the FF02::1 multicast group. All nodes on the link receive the RA, configure addresses from the advertised prefix, and install the sender as their default gateway. Figure 4 shows the default periodic interval for the RA message. A node can also prompt the routers to send an RA by sending an RS to the all-routers multicast group FF02::2; every router on the link receives the RS and responds with an RA to FF02::1, and all nodes receive it and update their routing tables.
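The NA exchange of Figures 2 and 3 and the Table 2 cache listing, as an added example that is not part of the original paper: it builds real ICMPv6 NA messages (type 136, with the RFC 8200 pseudo-header checksum and a Target Link-Layer Address option), applies the RFC 4861 override rule to a small neighbor-cache model, and runs a binding-change monitor over the two advertisements. The addresses and MACs are the constructed values from Table 2; the class and function names are this example's own, not an API of any NDP tool.

```python
"""Added example: build and parse ICMPv6 Neighbor Advertisements, apply the
RFC 4861 section 7.2.5 override rule to a neighbor cache, and flag the
binding change. Addresses are the constructed values from Table 2."""
import ipaddress
import struct

ICMPV6_NA = 136
OPT_TARGET_LL_ADDR = 2


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """Ones-complement checksum over the IPv6 pseudo-header plus the ICMPv6
    message (RFC 8200 section 8.1). Over a correctly checksummed message
    this returns 0, which is how a receiver validates it."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([58]))
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_na(src: str, dst: str, target: str, mac: str,
             solicited: bool, override: bool) -> bytes:
    """NA = type 136, code 0, checksum, R|S|O flags + 29 reserved bits,
    128-bit target, then a Target Link-Layer Address option (type 2, len 1)."""
    flags = (int(solicited) << 30) | (int(override) << 29)
    msg = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags)
    msg += ipaddress.IPv6Address(target).packed
    msg += bytes([OPT_TARGET_LL_ADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    csum = icmpv6_checksum(src, dst, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_na(msg: bytes) -> dict:
    """Decode flags, target and the target link-layer address option."""
    typ, _code, _csum, flags = struct.unpack("!BBHI", msg[:8])
    if typ != ICMPV6_NA:
        raise ValueError("not a Neighbor Advertisement")
    na = {"target": str(ipaddress.IPv6Address(msg[8:24])),
          "solicited": bool(flags & (1 << 30)),
          "override": bool(flags & (1 << 29)), "mac": None}
    off = 24
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:  # RFC 4861 section 4.6: zero-length option, discard
            raise ValueError("malformed option")
        if otype == OPT_TARGET_LL_ADDR:
            na["mac"] = ":".join("%02x" % b for b in msg[off + 2:off + 8])
        off += olen * 8
    return na


class NeighborCache:
    """IPv6 -> MAC bindings; None marks an INCOMPLETE entry created by
    sending an NS. An NA for an unknown target is discarded, an NA without
    the O flag cannot replace an existing binding, an NA with O=1 can."""

    def __init__(self):
        self.entries = {}

    def resolve(self, target: str) -> None:
        self.entries.setdefault(target, None)

    def receive_na(self, na: dict) -> bool:
        cur = self.entries.get(na["target"], "absent")
        if cur == "absent":
            return False
        if cur is None or na["override"] or cur == na["mac"]:
            self.entries[na["target"]] = na["mac"]
            return True
        return False


class BindingMonitor:
    """Passive check: alert when an NA binds an address to a MAC other than
    the one first seen for it (what arpwatch does for ARP)."""

    def __init__(self):
        self.first_seen = {}

    def check(self, na: dict):
        first = self.first_seen.setdefault(na["target"], na["mac"])
        if first == na["mac"]:
            return None
        return "%s moved from %s to %s (override=%s)" % (
            na["target"], first, na["mac"], na["override"])


def table2_scenario():
    """Node A (fe80::3) resolves Node B (fe80::4); B answers, then the
    attacker (fe80::5) answers for B's address with the O flag set."""
    cache, monitor = NeighborCache(), BindingMonitor()
    cache.resolve("fe80::4")
    legit = build_na("fe80::4", "fe80::3", "fe80::4", "aa:bb:cc:dd:ee:11", True, False)
    spoof = build_na("fe80::5", "fe80::3", "fe80::4", "aa:bb:cc:dd:ee:22", True, True)
    alerts = []
    for pkt in (legit, spoof):
        na = parse_na(pkt)
        cache.receive_na(na)
        alert = monitor.check(na)
        if alert:
            alerts.append(alert)
    return cache.entries["fe80::4"], alerts


if __name__ == "__main__":
    print(table2_scenario())
```

Running it ends with fe80::4 bound to aa:bb:cc:dd:ee:22 and one alert. The practitioner's caveat sits in receive_na: once the legitimate binding exists, a spoofed NA without the O flag is ignored, which is why attack tools set O; and since an unsolicited NA with O updates an existing entry too, the monitor keys on the target address rather than on whether an NS preceded the NA.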

Fig. 4 Default periodic time for an RA message

However, anyone can claim to be a router and send periodic RAs onto the link, so anyone can become the default gateway of every node, unless the switch filters RAs arriving on host ports (RA Guard, RFC 6105). Figure 5 shows the spoofed ICMPv6 RA process. In Figure 5, the attacker sends a rogue RA to all nodes on the link with the router preference set to high. Node A receives the rogue RA and sets the attacker as the default gateway in its routing table, so all traffic from Node A goes through the attacker.


Fig. 5 Spoofed ICMPv6 RA process
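Parsing an RA and applying an RA Guard-style acceptance policy to the rogue-RA scenario of Figure 5, as an added example that is not from the original paper: it decodes the RA header (including the RFC 4191 preference bits), the Source Link-Layer Address and Prefix Information options, and rejects an RA whose sender MAC or prefix is not on the allowlist or whose preference is High. The trusted router MAC 00:00:5e:00:53:01 (from the RFC 7042 documentation range), the attacker MAC from Table 2, and the 2001:db8::/32 documentation prefixes are constructed sample values; the checksum field is left zero because nothing is sent, and the function names are this example's own.

```python
"""Added example: decode an ICMPv6 Router Advertisement (RFC 4861 section
4.2, preference bits from RFC 4191) and apply an RA Guard-style policy.
Router MAC, attacker MAC (Table 2) and prefixes are constructed samples."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SOURCE_LL_ADDR = 1
OPT_PREFIX_INFO = 3
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low"}  # 0b10 is reserved


def build_ra(src_mac: str, prf: int, router_lifetime: int, prefixes) -> bytes:
    """RA header: type, code, checksum, cur hop limit, flags (M O H Prf ..),
    router lifetime, reachable time, retrans timer; then options. The
    checksum stays 0 because this message never goes on the wire."""
    flags = (prf & 0b11) << 3
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    msg += bytes([OPT_SOURCE_LL_ADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    for prefix, plen in prefixes:
        # Prefix Information option: length 4 (32 bytes), L|A flags set,
        # valid lifetime 30 days and preferred 7 days (RFC 4861 defaults)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0,
                           2592000, 604800, 0)
        msg += ipaddress.IPv6Address(prefix).packed
    return msg


def parse_ra(msg: bytes) -> dict:
    typ, _code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", msg[:16])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40),
          "prf": PRF_NAMES.get((flags >> 3) & 0b11, "medium"),
          "router_lifetime": lifetime, "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:  # zero-length option: RFC 4861 says discard the packet
            raise ValueError("malformed option")
        if otype == OPT_SOURCE_LL_ADDR:
            ra["src_mac"] = ":".join("%02x" % b for b in msg[off + 2:off + 8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen = msg[off + 2]
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append("%s/%d" % (prefix, plen))
        off += olen * 8
    return ra


def ra_guard(ra: dict, trusted_macs, allowed_prefixes) -> list:
    """Policy in the spirit of RFC 6105 RA Guard: accept RAs only from known
    router MACs advertising known prefixes, and treat a High preference from
    anyone as suspicious. Returns the reasons to drop (empty = accept)."""
    reasons = []
    if ra["src_mac"] not in trusted_macs:
        reasons.append("untrusted source %s" % ra["src_mac"])
    for p in ra["prefixes"]:
        if p not in allowed_prefixes:
            reasons.append("unexpected prefix %s" % p)
    if ra["prf"] == "high":
        reasons.append("high router preference")
    return reasons


TRUSTED = {"00:00:5e:00:53:01"}
ALLOWED = {"2001:db8:1::/64"}
LEGIT_RA = build_ra("00:00:5e:00:53:01", 0b00, 1800, [("2001:db8:1::", 64)])
ROGUE_RA = build_ra("aa:bb:cc:dd:ee:22", 0b01, 1800, [("2001:db8:bad::", 64)])


def evaluate(msg: bytes) -> list:
    return ra_guard(parse_ra(msg), TRUSTED, ALLOWED)


if __name__ == "__main__":
    for name, msg in (("legitimate", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, parse_ra(msg)["prf"], evaluate(msg) or "accepted")
```

The allowlist check is the part that matters: a rogue RA can copy the legitimate router's preference and lifetimes, but on a wired segment it cannot easily arrive from the legitimate router's switch port, which is why RA Guard is enforced on the switch rather than on the hosts.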

Replay Attack. A replay attack resends a previously captured neighbor or router discovery message, for example to obtain network access [20]. The attacker captures an NDP message and sends it again later, possibly after modifying its content. More generally, a replay attack occurs when a third party captures a command in transit and replays it at a later time. By capturing the right messages, an intruder may gain access to a secure computer or execute commands that are normally encrypted and unreadable; deciphering the command is often unnecessary, and capturing it is easy, since any user on the network can run a sniffer and record every packet that travels over it. The sender intended the communication to be secure, which requires three properties: secrecy, integrity, and authentication. Plain NDP provides none of them; SEND (RFC 3971) adds Timestamp and Nonce options precisely so that replayed solicitations and advertisements can be rejected.

3.2 DoS Attacks

In a DoS attack, the attacker makes an organization's network services or resources unavailable to legitimate users. A DoS attack on an IPv6 network can be launched by exploiting vulnerabilities in IPv6 itself. Any deliberate effort to cut off a web site or network from its intended users qualifies as a DoS attack. Such attacks have been mounted successfully against major online businesses, including Visa, MasterCard, Twitter, and WordPress, taking the services offline and causing lost business and negative publicity [9]. The common DoS attacks that exploit NDP vulnerabilities are as follows.

Duplicate Address Detection (DAD). To generate an interface address, a node first sends an RS to the all-routers multicast address (FF02::2) to find a router and obtain the network prefix. Once a tentative address has been generated, the node uses DAD to check that the address is unique: it sends an NS with the unspecified source address (::) and the tentative address as target, addressed to the solicited-node multicast address of that tentative address (FF02::1:FFxx:xxxx, RFC 4862). The packet's purpose is to elicit a response from any node that already holds the newly generated address. If no reply to the NS arrives, the node that generated the address assumes it is unique and uses it [7].


An attacker on the local link waits until a node sends a DAD NS to the solicited-node multicast group and falsely responds with an NA informing the new node that the address is already in use. On receiving the NA, the new node generates another address and repeats the DAD procedure; the attacker again responds with a false NA. Eventually the new node gives up without initializing its interface (RFC 4862 says that when DAD fails on a link-local address derived from the hardware address, IPv6 operation on that interface should be disabled).

Smurf Attack. A Smurf attack floods the target machine with a large amount of traffic so that it stays busy responding to incoming requests [10]. In an IPv6 network, the attacker sends ICMPv6 echo request packets to the all-nodes multicast group (FF02::1) with the target machine's address as the spoofed source. Every node receives the packets and replies to the spoofed source. With enough machines on the link replying, the target is flooded with traffic and can be slowed to the point where it becomes impossible to work on.
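The DAD exchange and the DAD DoS described above, as an added example that is not part of the original paper: it derives the solicited-node multicast address a DAD probe is sent to, runs the probe loop against an honest link and against a link where the attacker answers every tentative address, and keeps a per-MAC count of defended DAD targets to raise an alert. The candidate addresses fe80::10 to fe80::12, the Table 2 MACs, the three-attempt limit and the alert threshold are constructed assumptions; the monitor is this example's own logic, not a feature of any named tool.

```python
"""Added example: the DAD exchange of RFC 4862 against a link where an
attacker answers every tentative address, plus a monitor that spots it.
Candidate addresses, MACs (Table 2) and thresholds are constructed."""
from collections import defaultdict
import ipaddress

UNSPECIFIED = "::"


def solicited_node_mcast(addr: str) -> str:
    """ff02::1:ffXX:XXXX built from the low 24 bits of the address (RFC 4291)."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def dad_ns(tentative: str) -> dict:
    """DAD probe: NS from the unspecified source to the solicited-node group
    of the tentative address, with the tentative address as target."""
    return {"type": "NS", "src": UNSPECIFIED,
            "dst": solicited_node_mcast(tentative), "target": tentative}


def run_dad(candidates, link, max_attempts=3):
    """Probe each candidate in turn; return the first one nobody defends,
    or None when the node gives up without an address."""
    for tentative in candidates[:max_attempts]:
        ns = dad_ns(tentative)
        replies = link(ns)
        if not any(r["type"] == "NA" and r["target"] == tentative for r in replies):
            return tentative
    return None


def honest_link(in_use: dict):
    """Only a node that really owns the probed address answers (in_use maps
    address -> owner MAC)."""
    def link(ns):
        owner = in_use.get(ns["target"])
        return [{"type": "NA", "target": ns["target"], "src_mac": owner}] if owner else []
    return link


def dad_dos_link(attacker_mac: str):
    """An attacker on the link claims every tentative address."""
    def link(ns):
        return [{"type": "NA", "target": ns["target"], "src_mac": attacker_mac}]
    return link


class DadDefenseMonitor:
    """Counts distinct DAD targets defended per MAC. A real host defends only
    the few addresses it owns; defending every probe is the attack."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.defended = defaultdict(set)

    def observe(self, ns: dict, replies) -> list:
        alerts = []
        if ns["src"] != UNSPECIFIED:
            return alerts  # only DAD probes are of interest here
        for r in replies:
            if r["type"] == "NA" and r["target"] == ns["target"]:
                self.defended[r["src_mac"]].add(ns["target"])
                if len(self.defended[r["src_mac"]]) == self.threshold:
                    alerts.append("%s defended %d DAD targets: DAD DoS suspected"
                                  % (r["src_mac"], self.threshold))
        return alerts


def monitored_dad(candidates, link, monitor):
    """Run DAD while the monitor sees every probe and its replies."""
    alerts = []

    def tapped(ns):
        replies = link(ns)
        alerts.extend(monitor.observe(ns, replies))
        return replies

    return run_dad(candidates, tapped), alerts


CANDIDATES = ["fe80::10", "fe80::11", "fe80::12"]

if __name__ == "__main__":
    # genuine duplicate of the first candidate: node moves on, no alert
    print(monitored_dad(CANDIDATES, honest_link({"fe80::10": "aa:bb:cc:dd:ee:11"}),
                        DadDefenseMonitor()))
    # attacker defends everything: node ends without an address, one alert
    print(monitored_dad(CANDIDATES, dad_dos_link("aa:bb:cc:dd:ee:22"),
                        DadDefenseMonitor()))
```

The threshold is what separates the attack from a host that legitimately owns an address a newcomer happened to pick: a genuine collision produces one defended target per owner, the attack produces one per probe.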

3.3 ICMPv6 Flooding Attack

ICMPv6 can be used to mount DoS attacks in a number of ways, including simply sending excessive numbers of ICMPv6 packets to destinations in the site, and sending error messages that disrupt established communications by causing sessions to be dropped. In addition, if spurious communication-establishment or maintenance messages can be injected onto a link, it might be possible to invalidate legitimate addresses or disable interfaces [16].

ICMPv6 Flooding Attacks (RA Flooding). Routers in IPv6 use NDP to discover each other's presence and to determine link-layer addresses and prefix information. The same mechanism lets a malicious node impersonate a network segment's default gateway. A receiving node does not validate router advertisements; any node that receives a fake RA blindly updates its communication parameters from it. A malicious node can propagate bogus prefix information to reroute legitimate traffic or to prevent the victim from reaching the desired network [18]. Flooding the local network with RAs that each announce a different prefix, host, and router makes every host update its network information for each announced prefix, consuming all available CPU and rendering the systems unusable and unresponsive. Because IPv6 and autoconfiguration are enabled by default in most operating systems, all are affected in their default configuration; on Windows, a personal firewall or similar security product does not protect against this attack. RAs are sent to the FF02::1 multicast group, so every host on the link receives the fake prefixes and configures addresses and a default gateway from them. IPv6 router advertisements carry a 2-bit default router preference field (RFC 4191). A legitimate router sends RAs with the preference set to Medium by default; the fake RAs set it to High, forcing hosts to prefer the attacker as their default gateway.


The attacker sends hundreds or thousands of RAs to all hosts on the link, with the result that the nodes' CPU and memory are consumed, because they keep generating a new IPv6 address for each announced prefix (stacks that cap the number of autoconfigured addresses per interface, such as Linux with its max_addresses sysctl, limit the damage).

ICMPv6 Flooding Attacks (Multicast Listener Discovery (MLD) Report Message Flooding). MLD is the IPv6 protocol a host uses to request multicast data for a particular group. Using the information obtained through MLD, the software maintains a list of multicast group or channel memberships on a per-interface basis (RFC 2710). The devices that receive MLD packets forward the multicast data they receive for requested groups or channels onto the network segments of the known receivers [6]. The essential operation of MLD is as follows:

– One router periodically multicasts MLD Query messages onto the link.
– Hosts respond to the query messages by sending MLD Report messages indicating their group memberships.
– All routers receive the report messages and note the membership of hosts on the link.
– If a router does not receive a report message for a specific group for a period of time, it assumes there are no more members of that group on the link.

MLD report message flooding targets a specific multicast group in order to overwhelm all listeners of that group. When the flood is aimed at FF02::2, every router on the link is listening to that group, so all routers are hit by the flooded traffic.

ICMPv6 Flooding Attacks (NS Flooding). Normally, any IPv6 node may send an NS at any time to request a target node's link-layer address, while also providing its own link-layer address to the target. When the sending node is performing address resolution, NS messages are multicast to the Solicited-Node Multicast Address (SNMA) of the target. An NS flooding attack aims to poison the neighbor cache of the victim, introducing a mapping from a victim IPv6 address to a multicast link-layer address. This degrades the performance of the network and of the attached nodes, and also lets an attacker capture ("sniff") traffic even on switched networks, because packets intended to travel from the target node to the victim IPv6 address are sent to a link-layer multicast address instead, so the attacker receives a copy of them [5]. In an NS flooding attack the victim is flooded with NS messages, each of which makes it create an entry (an IPv6 address to MAC address mapping) in its neighbor cache. If the victim does not limit the size of its neighbor cache, kernel memory can be exhausted. NS messages sent to the FF02::1 multicast group are received by every host on the link, and all of them update their neighbor caches accordingly.
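The cache-exhaustion effect of NS flooding and the mitigation of bounding the cache, as an added example that is not part of the original paper. Per RFC 4861 Section 7.2.3, an NS that carries a Source Link-Layer Address option makes the receiver create a STALE neighbor cache entry for the sender, so a flood of NSs from made-up source addresses fills the cache; the simulation compares an unbounded cache with one that evicts the oldest unconfirmed entry once a cap is reached, while keeping confirmed (REACHABLE) neighbors such as the default gateway. The flood, the 2001:db8:1::/64 link, the gateway entry and the cap of 1024 (the Linux default for net.ipv6.neighbor.default.gc_thresh3) are constructed for the simulation; the class is this example's own model, not any kernel's implementation.

```python
"""Added example: neighbor-cache exhaustion by NS flooding, unbounded versus
capped. An NS with a Source Link-Layer Address option creates a STALE
entry for its sender (RFC 4861 section 7.2.3). Addresses are constructed."""
from collections import OrderedDict
import ipaddress
import random

STALE, REACHABLE = "STALE", "REACHABLE"


class BoundedNeighborCache:
    """max_entries=None reproduces the unbounded behaviour the paper
    describes; with a cap, the oldest non-REACHABLE entry is evicted to make
    room, and a cache full of confirmed neighbours drops the newcomer."""

    def __init__(self, max_entries=None):
        self.max_entries = max_entries
        self.entries = OrderedDict()  # ip -> [mac, state], oldest first
        self.evictions = 0

    def confirm(self, ip: str, mac: str) -> None:
        """Upper-layer reachability confirmation for a known good neighbour."""
        self.entries[ip] = [mac, REACHABLE]
        self.entries.move_to_end(ip)

    def on_ns(self, src_ip: str, src_mac: str) -> None:
        if src_ip in self.entries:
            self.entries.move_to_end(src_ip)
            return
        if self.max_entries is not None and len(self.entries) >= self.max_entries:
            victim = next((ip for ip, (_mac, state) in self.entries.items()
                           if state != REACHABLE), None)
            if victim is None:
                return
            del self.entries[victim]
            self.evictions += 1
        self.entries[src_ip] = [src_mac, STALE]


def ns_flood(count: int, seed: int = 1):
    """Constructed flood: NS messages from random addresses inside the on-link
    2001:db8:1::/64, each with a random locally administered source MAC."""
    rng = random.Random(seed)
    base = int(ipaddress.IPv6Address("2001:db8:1::"))
    for _ in range(count):
        ip = str(ipaddress.IPv6Address(base | rng.getrandbits(64)))
        mac = "02:00:" + ":".join("%02x" % rng.getrandbits(8) for _ in range(4))
        yield ip, mac


def simulate(flood_size: int, cap=None) -> dict:
    """Victim with its default gateway confirmed, then flooded with NSs."""
    cache = BoundedNeighborCache(cap)
    cache.confirm("fe80::1", "00:00:5e:00:53:01")
    for ip, mac in ns_flood(flood_size):
        cache.on_ns(ip, mac)
    return {"size": len(cache.entries), "evictions": cache.evictions,
            "gateway_kept": cache.entries.get("fe80::1", [None, None])[1] == REACHABLE}


if __name__ == "__main__":
    print("unbounded:", simulate(5000))
    print("capped   :", simulate(5000, cap=1024))
```

The unbounded run grows by one entry per forged NS, which is the kernel-memory exhaustion the text describes; the capped run stays at the cap and keeps the gateway, at the cost of churn in the unconfirmed entries. Linux ships gc_thresh1/2/3 at 128/512/1024; RFC 6583 discusses raising them on routers that front large /64s together with filtering and rate-limiting neighbor discovery.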

4 Conclusion

IPv6 is slightly better than IPv4 in terms of security, but it is not necessarily more secure than IPv4 [19]. NDP is a key protocol of IPv6, and it has vulnerabilities that an attacker can exploit. This paper highlighted the common NDP-based attacks (NA spoofing, RA spoofing, DAD, Smurf, replay, and ICMPv6 flooding). These attacks succeed because NDP relies on ICMPv6 message exchanges that are completely unauthenticated, with no countermeasures in place to prevent them. The paper also highlighted the prevention mechanisms available for IPv6, namely IPsec and SEND; unfortunately, attackers still succeed in bypassing these techniques and gaining access to IPv6 networks. Finally, the paper addressed detection mechanisms for NDP-based attacks, which divide into two categories, passive and active [34] [35]. According to the literature, active mechanisms overcome the drawbacks of passive ones, such as lack of dynamism, poor scalability, false alarms, and protocol stack violations, and also outperform them in detection accuracy.

Acknowledgement The authors would like to thank the National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia for supporting this research.

References

1. Amante, S., Carpenter, B., Jiang, S., Rajahalme, J.: IPv6 flow label specification. IETF Request for Comments 6437 (2011)
2. Barbhuiya, F.A., Bansal, G., Kumar, N., Biswas, S., Nandi, S.: Detection of neighbor discovery protocol based attacks in IPv6 network. Networking Science 2(3–4), 91–113 (2013)
3. Barbhuiya, F.A., Biswas, S., Nandi, S.: Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol. In: Proceedings of the 4th International Conference on Security of Information and Networks, pp. 111–118. ACM (2011)
4. Batiha, K., Batiha, K., AbuAli, A.: The need for IPv6. International Journal of Academic Research 3(3) (2011)
5. Caicedo, C., Joshi, J., Tuladhar, S.: IPv6 security challenges. Computer 42(2), 36–42 (2009)
6. Conta, A., Gupta, M.: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) specification. RFC 1885 (1995); RFC 2463, DEC
7. Dart, E., Beebee, W., George, W., Asati, R., Pignataro, C., Singh, H.: Enhanced duplicate address detection (2012)
8. DiBona, C., Ockman, S.: Open Sources: Voices from the Open Source Revolution. O'Reilly Media, Inc. (1999)
9. Everett, C.: Cloud computing–a question of trust. Computer Fraud & Security 2009(6), 5–7 (2009)
10. Gont, F., et al.: Security implications of IPv6 options of type 10xxxxxx (2013)
11. Hamarsheh, A., Goossens, M., Al-Qerem, A.: Assuring interoperability between heterogeneous (IPv4/IPv6) networks without using protocol translation. IETE Technical Review 29(2), 114–132 (2012)
12. Hubballi, N., Biswas, S., Roopa, S., Ratti, R., Nandi, S.: LAN attack detection using discrete event systems. ISA Transactions 50(1), 119–130 (2011)
13. Korhonen, J., Savolainen, T., Soininen, J.: Introduction to IPv6. In: Deploying IPv6 in 3GPP Networks: Evolving Mobile Broadband from 2G to LTE and Beyond, pp. 79–162 (2013)
14. Minoli, D., Kouns, J.: Security in an IPv6 Environment. CRC Press (2008)
15. Sailan, M., Hassan, R., Patel, A.: A comparative review of IPv4 and IPv6 for research test bed. In: International Conference on Electrical Engineering and Informatics, ICEEI 2009, vol. 02, pp. 427–433, August 2009
16. Soryal, J., Saadawi, T.: IEEE 802.11 DoS attack detection and mitigation utilizing cross layer design. Ad Hoc Networks 14, 71–83 (2014)
17. Supriyanto, Hasbullah, I.H., Murugesan, R.K., Ramadass, S.: Survey of Internet Protocol version 6 link local communication security vulnerability and mitigation methods. IETE Technical Review 30(1), 64–71 (2013)
18. Yang, X., Ma, T., Shi, Y.: Typical DoS/DDoS threats under IPv6. In: International Multi-Conference on Computing in the Global Information Technology, ICCGI 2007, pp. 55–55, March 2007
19. Yoo, H.S., Cagalaban, G.A., Kim, S.H.: A study on the connectivity of IPv6 to IPv4 domains and its security issues. International Journal of Advanced Science and Technology 10, 1–10 (2009)
20. Yu Beng, L., Ramadass, S., Manickam, S., Soo Fun, T.: A survey of intrusion alert correlation and its design considerations. IETE Technical Review 31(3), 233–240 (2014)