[LACNIC/Seguridad] TCP idle scans en IPv6

Iván Arce ivan.w.arce at gmail.com
Fri Oct 18 10:02:28 BRT 2013


Abstract of a talk to be presented at the Hack.lu computer security
conference next Thursday.

Let's hope the author has read

http://tools.ietf.org/id/draft-ietf-6man-predictable-fragment-id-00.txt


The most stealthy port scan technique in IPv4 is the TCP Idle Scan,
which hides the identity of the attacker. With this technique, the
attacker spoofs messages of a third computer, the so-called idle host,
and utilizes the identification value in the IPv4 header to see the
results of the scan.

With the slowly approaching upgrade of IPv4 with IPv6, one will not be
able anymore to conduct the TCP Idle Scan as previously, as the
identification value is not statically included in the IPv6 header. This
article shows that the TCP Idle Scan is also possible in IPv6, albeit in
a different way, namely by using the identification value in the IPv6
extension header for fragmentation.

It is described how the idle host can be forced to use the IPv6
extension header for fragmentation, which contains an identification
value, by using ICMPv6 Echo Request messages with large amounts of data
as well as ICMPv6 Packet Too Big messages specifying a Maximum
Transmission Unit (MTU) smaller than the IPv6 minimum MTU. The attack in
IPv6 is trickier than in IPv4, but has the advantage that we only
require the idle host not to create fragmented traffic, whereas in IPv4
the idle host is not allowed to create traffic at all.

After discovering how to conduct the TCP Idle Scan in IPv6, 21 different
operating systems and versions have been analyzed regarding their
properties as idle host. Among those, all nine tested Windows systems
could be used as idle host. This shows that the mistake of IPv4 to use
predictable identification fields is being repeated in IPv6. Compared to
IPv4, the idle host in IPv6 is also not expected to remain idle, but
only not to send fragmented packets. To defend against this bigger
threat, the article also introduces short-term defenses for
administrators as well as long-term defenses for vendors.

Ref:
http://2013.hack.lu/index.php/List#Mathias_Morbitzer_-_TCP_Idle_Scans_in_IPv6

-ivan


