
International Journal of Research In Science & Engineering
Volume: 1 Special Issue: 2
e-ISSN: 2394-8299
p-ISSN: 2394-8280
A Review on Various Fragmentation Attacks due to Manipulating IPv6 Extension Headers
Deepthi M R (1), Mrs. Srividya B V (2)
(1) Department of Telecommunication, Dayananda Sagar College of Engineering, Bangalore
(2) Department of Telecommunication, Dayananda Sagar College of Engineering, Bangalore
ABSTRACT
The lack of address space in the IPv4 protocol has increased the usage of the IPv6 protocol. Along with an increased address space, IPv6 provides a simplified header, and additional functionality is added in the form of extension headers, which, if misused, are the main cause of certain threats in the network. Operating systems and network devices are not yet mature enough to handle attacks against the IPv6 protocol, because not all network devices and operating systems are RFC compliant and experience with the IPv6 protocol is limited. Hence, many unknown threats are possible. Most of the currently popular operating systems, such as Windows, Linux and OpenBSD, are susceptible to attacks, and it would be rather disastrous in the rise of the IPv6 era if significant security incidents took place due to its implementations. Various threats due to misuse of the IPv6 fragmentation and destination extension headers are addressed here.
Keywords - IPv6, Extension Header, Tiny fragments, overlapped fragments, flooding, Scapy, Wireshark.
1. INTRODUCTION
Internet Protocol version 6 (IPv6) is the most recent revision of the Internet Protocol (IP). It was developed by the Internet Engineering Task Force (IETF) [1]. IPv6 is not compatible with IPv4, which complicates the transition from IPv4 to IPv6. IPv6 is also prone to certain threats that are present in IPv4 networks, and certain new threats are feasible due to IPv6 features. The usage of the new IP version has allowed pen testers and attackers to potentially exploit the new fields, leading to many attacks. Here, a review of several fragmentation attacks is presented and their impact is examined. It will also be shown that most of the currently popular operating systems, such as Windows, Linux and OpenBSD, are prone to such attacks. Such attacks, under specific circumstances, can result in OS fingerprinting, firewall evasion and IDS insertion/evasion. These tests will also show which OS is most vulnerable to IPv6 fragmentation attacks [2].
As of the end of 2011, 2012 vulnerabilities related to IPv6 in various OS implementations have been recorded, one of which are related specifically to IPv6 fragmentation. One of the key issues that should be examined is the support of fragmentation: how it is handled and whether it can be exploited by attackers for purposes such as OS fingerprinting, IDS (Intrusion Detection System) insertion/evasion, or even remote code execution. This work investigates certain threats due to misuse of IPv6 extension headers such as the fragmentation and destination extension headers.
IPv6 Extension Headers:
In IPv6 packets, the control information is divided into a mandatory fixed header and optional extension headers. The first 40 octets (320 bits) belong to the IPv6 fixed header. IPv6 options are carried in separate extension headers that are located between the IPv6 header and the transport-layer header in a packet. RFC 2460 [3] specifies the extension headers and the order in which they should be chained in an IPv6 packet, which is as follows: IPv6 main header, Hop-by-Hop extension header, Destination Options header, Routing header, Fragment header, Authentication header, Encapsulating Security Payload header, Destination Options header, upper-layer header. The Hop-by-Hop extension header is the only extension header that should be fully processed by all network devices.
The Hop-by-Hop extension header and the Destination Options header have three fields: next header, header extension length and options. The options field has the form Type-Length-Value (TLV). The two highest-order bits of the TLV's option type specify the action that must be taken if the processing IPv6 node does not recognize the option type. The value "10" means: discard the packet and, regardless of whether or not the packet's destination address was a multicast address, send an ICMP
Parameter Problem, Code 2 [4], message to the packet's source address, pointing to the unrecognized option type.
The Fragment header consists of the next header, reserved, fragment offset, reserved, more-fragments bit and fragment identification fields. The Unfragmentable Part of the packet consists of the IPv6 header plus any extension headers that must be processed by nodes en route to the destination. The Fragmentable Part consists of any extension headers that need to be processed only by the final destination node, plus the upper-layer header and data. This paper reviews various threats due to misuse of certain fields of the destination options header and the fragmentation header.
2. LITERATURE REVIEW
Gont [5] has addressed the issue of tiny fragments in his ongoing work. Due to tiny fragments and an oversized IPv6 header chain, the first fragment of a packet may fail to include the entire IPv6 header chain. He has proposed dropping the packet if its first fragment does not contain the entire IPv6 header chain within the first 1280 bytes. He has proposed this solution as a working Internet draft. If approved, it updates RFC 2460.
Gont [6] has worked on the threat due to atomic fragments in his ongoing work. Some IPv6 implementations treat atomic fragments as normal fragments and try to perform fragment reassembly. This may lead to the packet being dropped if some fragment with the same ID from the same source is waiting for other fragments to arrive. This causes fragment overlapping, and if the IPv6 implementation is RFC 5722 compliant, the overlapping fragment will be dropped. He has proposed that atomic fragments should be reassembled from the contents of the sole fragment and should not be considered overlapping fragments in the case where their credentials match those of other fragments. He has proposed this solution as a working Internet draft. If approved, it updates RFC 2460.
Gont [7] has worked on the security implications of predictable Fragment Identification values. IPv6 specifies the Fragment Header, which is employed for the fragmentation and reassembly mechanisms. The Fragment Header contains an "Identification" field which, together with the IPv6 Source Address and the IPv6 Destination Address of the packet, identifies fragments that correspond to the same original datagram, such that they can be reassembled together at the receiving host. The only requirement for setting the "Identification" value is that it must be different from that of any other fragmented packet sent recently with the same Source Address and Destination Address. Some implementations simply use a global counter for setting the Fragment Identification field, thus leading to predictable values. Gont, in his paper, has analyzed the security implications of predictable Identification values, and updates RFC 2460 by specifying additional requirements for setting the Fragment Identification, such that the aforementioned security implications are mitigated.
Atlasis [8] has addressed the security impacts of misusing IPv6 extension headers. He has shown experimentally that security vulnerabilities due to abuse of extension headers can lead to significant security impacts. He has shown the behaviour of the most popular operating systems when handling various malformed IPv6 packets. He has shown that this vulnerability can result in evasion of IDS or creation of covert channels. He has also examined the effectiveness of two IDS, Snort and Suricata, against IPv6 threats and found that in certain cases Snort raises the alarm but Suricata doesn't raise a single alarm.
Atlasis [9] has shown in his research attacks due to misuse of the fragmentation header and highlighted fragmentation-related attacks in IPv6 networks. His paper shows the behaviour of some operating systems when the fragmentation header is misused and their potential compliance with the corresponding RFCs. The operating systems under study are Ubuntu 10.04.3, Ubuntu 11.10, Windows 7 i386, FreeBSD 8.2, FreeBSD 9 and OpenBSD 5.0. He found that none of the tested operating systems is fully RFC compliant. Windows 7 seems to have the fewest issues.
Ali et al. [10] have created an attack scenario test bed for attacks based on Bad ACK-Reset and fragmentation. They used Scapy for packet crafting, Dynamips for router emulation, Wireshark for capturing data and GNS3 for test bed simulation. Their proposed solution is modification of the IPv6 tables and Access Control List (ACL) of the host firewall. For the tested attack scenarios they proposed a prototype security policy model.
Manuel [11] has researched various IPv6 security risks. He addressed threats due to covert channel creation by manipulating parts of the IPv6 headers using PadN options, DoS attacks using the router alert option, the tiny fragment attack, the overlapping fragment attack, and router exhaustion due to a considerable number of error messages for unknown extension headers. He also demonstrated the use of Cisco's virtual fragment reassembly (VFR) available on Cisco routers
which, when enabled, performs fragment reassembly and inspection to find any problems. He suggested a set of best practices for IPv6 security that could be used by IT staff and network administrators.
Kim et al. [13] have proposed mitigation techniques against the vulnerabilities caused by the routing header and the fragmentation header. They suggested dropping packets with a routing header of type 0 to prevent attacks due to the routing header vulnerability. When an IPv6 packet with many extension headers is fragmented, the upper-layer header may not be present in the first fragment. This can be used to bypass a firewall rule based on the upper-layer protocol. They suggested limiting the number of fragments per packet and also limiting their arrival rate. They have shown in their experiment that if the segments left field of the routing header is above 1, an attacker is able to send an attack packet to a forbidden address through a publicly accessible address, bypassing firewall rules.
3. PROBLEM FORMULATION
A. Problem statement
IPv6 implementations are relatively new to the market and software created for these systems is not fully tested. For these reasons, it is important to raise awareness of security issues related to IPv6 and provide methods to secure the networks of organizations. Network devices are not always RFC compliant. In certain scenarios the RFCs [15] do not even give clear recommendations for operating systems and network devices, which can lead to ambiguities and create attack vectors. Here, threats due to the fragmentation header and the destination options header are addressed. Three types of threats are identified which arise from manipulating the extension headers previously mentioned. The attacks addressed are:
• Tiny Fragmentation Attack
• Overlapping Fragmentation Attack
• Flooding Attack due to unknown destination options
B. Addressed threats
This section describes in detail the various threats whose solution is proposed and implemented.
1. Tiny fragmentation attack:
When the IPv6 header chain is long and packets are fragmented, the first fragment of a packet may fail to include the entire IPv6 header chain. Because of this, an attacker can evade network security devices such as firewalls when the firewall makes its blocking or allowing decision based only on the first fragment and is not capable of fragment reassembly before applying rules. If the firewall makes a blocking decision, legitimate packets will be dropped, resulting in a denial of service attack. If it allows the packet, the attacker's malicious fragmented packets can enter the network.
Fig 1. Attack Scenario where TCP Header is not present in the first Fragment
As shown in figure 1, the second packet can carry a TCP connection request to a protected port/service. In IPv6 this is very likely to happen, as an IPv6 packet can contain a long chain of headers. Because of this, the upper-layer protocol header can end up in the subsequent fragments. An attacker can therefore send a packet with many extension headers, causing fragmentation to occur and pushing the upper-layer protocol header into some later fragment so that it can bypass the firewall without being detected. This attack in turn leads to the 'Tear drop attack', which results in rebooting or sometimes crashing of the OS. This attack is verified against Ubuntu 14.04 and results are present in the result section.
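The check a stateless filter needs here, and the drop rule Gont proposes in [5], can be sketched as follows. This is an added example, not code from the paper: the function and helper names are hypothetical, the sample packets are constructed byte strings, and AH, ESP and any unlisted protocol are assumed to count as the upper layer.

```python
import struct

HBH, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60   # extension headers walked here
UPPER_MIN = {6: 20, 17: 8, 58: 4}                 # TCP, UDP, ICMPv6 minimum sizes

def first_fragment_verdict(pkt: bytes) -> str:
    """Walk the header chain of one IPv6 packet as a stateless filter would."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "malformed"
    nxt, off, fragmented = pkt[6], 40, False
    while nxt in (HBH, ROUTING, FRAGMENT, DSTOPTS):
        if off + 8 > len(pkt):
            return "incomplete-chain"          # chain continues in a later fragment
        if nxt == FRAGMENT:
            offset_units = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if offset_units != 0:
                return "non-first-fragment"    # carries no chain; needs reassembly state
            fragmented, hdr_len = True, 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len counts 8-octet units
        nxt, off = pkt[off], off + hdr_len
    # Assumption: AH, ESP and unknown protocols are treated as upper layer, no minimum.
    if off + UPPER_MIN.get(nxt, 0) > len(pkt):
        return "incomplete-chain"              # no full upper-layer header to match on
    return "complete-chain" if fragmented else "not-fragmented"

# --- constructed sample packets (documentation-prefix addresses) ---
def ipv6(nxt: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + src + dst + payload

def frag_hdr(nxt: int, offset_units: int, more: int, ident: int) -> bytes:
    return struct.pack("!BBHI", nxt, 0, (offset_units << 3) | more, ident)

def dstopts(nxt: int) -> bytes:
    return bytes([nxt, 0, 1, 4, 0, 0, 0, 0])   # one PadN option fills the 8 octets

TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 8080, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
TINY = ipv6(FRAGMENT, frag_hdr(DSTOPTS, 0, 1, 0x1234) + dstopts(DSTOPTS) + dstopts(6))
FULL = ipv6(FRAGMENT, frag_hdr(DSTOPTS, 0, 1, 0x1234) + dstopts(6) + TCP_SYN)
LATER = ipv6(FRAGMENT, frag_hdr(DSTOPTS, 2, 0, 0x1234) + TCP_SYN)

if __name__ == "__main__":
    for name, pkt in (("TINY", TINY), ("FULL", FULL), ("LATER", LATER)):
        print(name, first_fragment_verdict(pkt))
```

A filter that drops every "incomplete-chain" first fragment never has to guess what a later fragment carries; "non-first-fragment" packets still need reassembly state or a matching first fragment before they are forwarded.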
2. Overlapping Fragmentation Attack:
An overlapping fragmentation attack occurs when two fragments contained within the same IP datagram have offsets that overlap each other in the datagram. For example, fragment 1 is completely or partially overwritten by fragment 2. Some operating systems do not properly handle overlapping fragments and behave in undesirable ways. As shown in figure 2, the first fragment contains a TCP header with SYN=0 and ACK=1. It passes through the firewall as a legitimate fragment. The second fragment contains an overlapped TCP header with SYN=1 and ACK=0. This second, overlapped fragment will pass through the firewall because the firewall makes its blocking decision based only on the first fragment, unless it is configured to perform deep packet inspection and fragment reassembly. The fragments are then reassembled according to the destination operating system's fragment reassembly policy. If the OS favors the second fragment, a TCP connection request is made and goes undetected.
Fig 2. Overlapping Fragmentation attack
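Why the reassembly policy matters, and what the RFC 5722 rule of discarding the whole datagram removes, is shown by this added example (not code from the paper). The function names, the policy labels "first", "last" and "rfc5722", and the two constructed fragments are assumptions of the sketch; offsets are byte offsets within the fragmentable part.

```python
import struct
from typing import List, Optional, Tuple

Fragment = Tuple[int, bytes]      # (byte offset in the fragmentable part, data)
TCP_FLAGS_AT = 13                 # index of the flags octet inside a TCP header

def find_overlap(frags: List[Fragment]) -> Optional[Tuple[int, int]]:
    """Return the first overlapping byte range (start, end), or None."""
    covered_end = 0
    for off, data in sorted(frags, key=lambda f: f[0]):
        if off < covered_end:
            return off, min(covered_end, off + len(data))
        covered_end = max(covered_end, off + len(data))
    return None

def reassemble(frags: List[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble in arrival order; policy is 'first', 'last' or 'rfc5722'."""
    if policy == "rfc5722" and find_overlap(frags):
        return None                           # whole datagram is discarded
    size = max(off + len(d) for off, d in frags)
    buf, written = bytearray(size), [False] * size
    for off, data in frags:
        for i, b in enumerate(data, start=off):
            if policy == "last" or not written[i]:
                buf[i] = b                    # 'first' keeps earlier bytes
            written[i] = True
    return bytes(buf)

def tcp(flags: int) -> bytes:
    """Constructed 20-byte TCP header plus 4 data bytes (24 = 3 x 8 octets)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 8080, 1, 1, 5 << 4, flags, 8192, 0, 0)
    return hdr + b"\x00" * 4

# Constructed pair matching figure 2: ACK header first, then bytes 8..23 of a
# SYN header sent again at offset 8, overlapping the flags octet.
FRAGS: List[Fragment] = [(0, tcp(0x10)), (8, tcp(0x02)[8:])]

if __name__ == "__main__":
    print("overlap:", find_overlap(FRAGS))
    for policy in ("first", "last", "rfc5722"):
        out = reassemble(FRAGS, policy)
        print(policy, None if out is None else hex(out[TCP_FLAGS_AT]))
```

The "first" and "last" results differ in the flags octet, which is exactly the disagreement between an inspecting device and the end host that the section describes; an IDS or firewall can alert on any non-None `find_overlap` result.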
Fig.3 Flooding Attack
3. Flooding Attack by creating spoofed packets with an unknown Destination Option Header:
An attacker can cause a flooding attack by creating many spoofed packets with a destination options header in which the two highest-order bits of the TLV field are "10". If the TLV field starts with a leading "10", it means: discard the packet and, regardless of whether or not the packet's destination address is a multicast address, send an ICMP Parameter
Problem, Code 2 message to the packet's Source Address, pointing to the unrecognized option type [3]. By sending many such packets with the source address spoofed to that of the victim node, an attacker can make any node send many ICMP messages to the victim, causing a flooding effect. In IPv6, certain ICMPv6 messages are an integral part of IPv6 operation, so these messages are generally not filtered by firewalls, unlike in IPv4.
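The option-type action bits described in the extension header overview and in this section can be checked on the defending side before a packet reaches a host that would answer it. The following is an added example, not code from the paper: the function names, the set of recognized options (only Pad1 and PadN) and the sample headers with option types 0x80, 0xC0 and 0x40 are constructed for the sketch.

```python
from typing import List, Optional, Tuple

ACTIONS = {
    0b00: "skip option",
    0b01: "discard silently",
    0b10: "discard, ICMP Parameter Problem code 2 (even if multicast)",
    0b11: "discard, ICMP Parameter Problem code 2 unless multicast",
}
PAD1, PADN = 0x00, 0x01

def parse_options(hdr: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a Destination Options header into (offset, type, value) TLVs."""
    total = (hdr[1] + 1) * 8                  # Hdr Ext Len counts 8-octet units
    if total > len(hdr):
        raise ValueError("header truncated")
    opts, i = [], 2
    while i < total:
        if hdr[i] == PAD1:                    # Pad1 is one octet with no length
            opts.append((i, PAD1, b""))
            i += 1
            continue
        if i + 2 > total or i + 2 + hdr[i + 1] > total:
            raise ValueError("option overruns header")
        opts.append((i, hdr[i], hdr[i + 2:i + 2 + hdr[i + 1]]))
        i += 2 + hdr[i + 1]
    return opts

def first_icmp_trigger(hdr: bytes, recognized=frozenset({PAD1, PADN}),
                       dst_multicast: bool = False) -> Optional[Tuple[int, int]]:
    """(offset, type) of the option that makes the receiver send ICMP, else None."""
    for off, typ, _ in parse_options(hdr):
        if typ in recognized:
            continue
        action = typ >> 6                     # two highest-order bits of the type
        if action == 0b00:
            continue                          # unrecognized but skipped
        if action == 0b10 or (action == 0b11 and not dst_multicast):
            return off, typ
        return None                           # packet discarded without ICMP
    return None

# Constructed headers: next header 59 (no next header), one 6-octet option each.
OPT_10 = bytes([59, 0, 0x80, 4, 0, 0, 0, 0])
OPT_11 = bytes([59, 0, 0xC0, 4, 0, 0, 0, 0])
OPT_01 = bytes([59, 0, 0x40, 4, 0, 0, 0, 0])
PAD_ONLY = bytes([59, 0, PADN, 4, 0, 0, 0, 0])

if __name__ == "__main__":
    for name, h in (("10", OPT_10), ("11", OPT_11), ("01", OPT_01)):
        hit = first_icmp_trigger(h)
        print(name, hit, ACTIONS[h[2] >> 6])
```

A border filter or IDS can count packets for which `first_icmp_trigger` returns a hit and rate-limit or drop them, so that internal hosts are not used to send Parameter Problem messages toward a spoofed source.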
4. CONCLUSION AND FUTURE WORK
IPv6 capable infrastructures are not fully RFC compliant, which leaves IPv6 networks prone to threats. New features introduced in the IPv6 specifications create new and/or unknown attack vectors, and networks become vulnerable to these new threats. IDS and firewalls are at an immature stage in handling IPv6-related threats. Even where devices are capable of handling IPv6 threats, network administrators lack the knowledge. This review paper addresses how misusing some of the fields of IPv6 extension headers affects the IPv6 protocol and creates new attack vectors. The goal of this review is to find the vulnerabilities due to manipulating and misusing IPv6 extension headers and to find a solution which can work in existing infrastructure. The extension headers under study are the Destination extension header and the fragmentation extension header. We can summarize the main contributions of this research as follows:
• To study various attacks due to manipulating IPv6 headers
• To test certain attacks in a real test network setup in future
Future work would be to devise detection logic for various attacks and also propose prevention logic for the addressed threats.
REFERENCES
[1] http://www.ietf.org
[2] http://www.secdev.org/projects/scapy
[3] http://www.ietf.org/rfc/rfc2460.txt
[4] http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xml
[5] F. Gont, "Security and Interoperability Implications of Oversized IPv6 Header Chains", draft-ietf-6man-oversized-header-chain-02, 2013, work in progress.
[6] F. Gont, "Processing of IPv6 "atomic" fragments", draft-ietf-6man-ipv6-atomic-fragments-04, 2013, work in progress.
[7] F. Gont, "Security Implications of Predictable Fragment Identification Values", draft-gont-6man-predictable-fragment-id-03, 2013, work in progress.
[8] Antonios Atlasis, "Security impacts of abusing ipv6 extension headers", Black Hat security conference, pages 110, 2012.
[9] Antonios Atlasis, "Attacking ipv6 implementation using fragmentation", Black Hat security conference, pages 110, 2012.
[10] W.N.A.W. Ali, A.H.M. Taib, N.M. Hussin, J. Othman, "IPv6 attack scenarios testbed", IEEE Symposium on Humanities, Science and Engineering Research, 2012, pp 927-932.
[11] Vitor Manuel Carujo Leitao, "Ipv6 a new security challenges", Department of Computer Science, University of Lisbon, 2011, pp 1-149.
[12] Youngseok Lee, Seongho Shin, Soonbyoung Choi, Hyeongu Son, "IPv6 Anomaly Traffic Monitoring with IPFIX", Second International Conference on Internet Monitoring and Protection, 2007, pp 1-10.
[13] Jeong-Wook Kim, Hyug-Hyun Cho, Gil-Jong Mun, JaeHyun Seo, Bong-Nam Noh, Yong-Min Kim, "Experiments and Countermeasures of Security Vulnerabilities on Next Generation Network", Future Generation Communication and Networking, 2007, pp 559-564.
[14] Haipeng Qu, China, Purui Su, Dengguo Feng, "A typical noisy covert channel in the IP protocol", International Carnahan Conference on security technology, 2004, pp 89-192.
[15] http://www.ietf.org/rfc/rfc5722.txt