recycling ipv4 attacks in ipv6 recycling ipv4 attacks in
play

Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 - PowerPoint PPT Presentation

Jan 17, 2023 •656 likes •1.04k views

Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jess Monserrat Coll Francisco Jess Monserrat Coll RedIRIS / Red.es RedIRIS / Red.es Jornadas de Seguridad Jornadas de Seguridad Buenos Aires, 4 de Octubre de 2005

  1. Recycling IPv4 attacks in IPv6 Recycling IPv4 attacks in IPv6 Francisco Jesús Monserrat Coll Francisco Jesús Monserrat Coll RedIRIS / Red.es RedIRIS / Red.es Jornadas de Seguridad Jornadas de Seguridad Buenos Aires, 4 de Octubre de 2005 Buenos Aires, 4 de Octubre de 2005

  2. Index • Why we need to care about IPv6 ? • Brief introduction to IPv6 • IPv6, it’s more secure ? • Problems recycling . • Solutions and future

  3. About RedIRIS Since 1988 provides Internet connection to Academic and Research centres in Spain. Pioneers in the launch of Internet services in Spain, (DNS, news, CSIRT, ...). Based in point of presence (POA) in each region that interconnects all the centres 250 organizations connected Since January 2004 , RedIRIS is part of red.es , a government agency to promote Information society Same backbone for normal and experimental (internet2) connections,

  4. Using Internet2 in the backbone Use of the backbone for advanced applications: Opera Oberta: High quality Live Opera transmission at fast speed > 10 Mbs. Use of multicast to distribute the contents Since May 2005 , testing of multicast over IPv6 for the transmission of the videos. • Could this increase the use of Could this increase the use of IPv6 ? IPv6 ?

  5. Use of IPv6 Some of the Spanish Universities are starting to use IPv6: http://www.uv.es/siuv/cas/zxarxa/ipv6.wiki

  6. IPv6 Security ? We are NOT going to talk about:: IPSEC and all the cryptographic stuff .. Traffic labelling, IP headers, etc. Why IPv6 is more secure than IPv4? Etc, etc, etc. ... For this you can: Search in google CISCO: http://www.cisco.com/security_services/ciag/documents/v6-v4-threats.pdf Michael H. Warfield’s (ISS) presentation at FIRST Conference 2004, http://www.first.org

  7. IPv6 Security ? We are NOT going to talk about:: IPSEC and all the cryptographic stuff .. Traffic labelling, IP headers, etc. Why IPv6 is more secure than IPv4? Etc, etc, etc. ... We are talking about: What kind of attacks and intrusions can we expect in systems connected to a IPv6 network ?

  8. IPv6 Security ? We are NOT going to talk about:: IPSEC and all the cryptographic stuff .. Traffic labelling, IP headers, etc. Why IPv6 is more secure than IPv4? Etc, etc, etc. ... We are talking about: What kind of attacks and intrusions can we expect in systems connected to a IPv6 network ? • The same that are in IPv4 The same that are in IPv4

  9. Why we need IPv6 ? Lack of address in the current IPv4 protocol. 32 bits directions Lack of address in some geographic areas that connected late to Internet. • Asia Asia • Latin America Latin America Use of IP to interconnect devices: • Home automation Home automation • increase of the devices that increase of the devices that need to talk in the net need to talk in the net Simplification of the protocol

  10. IPv6 structure te Increase of the number of address 4 bytes 2^32 addresses in IPv4 16 bytes 2^128 addresses in IPv6 Usually a home user get /64 (2^64 addresses) , from some ISP ) to assign r for all the devices in his network Header simplification No framentation Use of optional header to specify data encryption, routing, etc . Device auto configuration

  11. Iit’s IPv6 more secure? : encryptation IPSEC is an integral part of IPv6: It’s quite easy to stablish point to point encrypted communications • No more password sniffing !!! No more password sniffing !!! but: What is the throughput of movil devices when encrypting the traffic ? You still need to stablish a complex certification structure, PKI, certificates, etc. Sometimes difficult to configure if you want to use IPSEC !! From the point of view of a network monitoring , How can determine if a traffic is correct ? • Can the intruder use IPSEC to hide their connections ? Can the intruder use IPSEC to hide their connections ?

  12. It’s IPv6 more secure ?: Tunnels IPv6 allow to stablish tunnels between different systems and networks With IPSEC allow mobility of the users • Same address, with independence of the physical location (mobile user) Same address, with independence of the physical location (mobile user) • Allow remote connections to our offices Allow remote connections to our offices But also: Allow to circumvent the security policy of the organization • What’s happening with worms and scan ? What’s happening with worms and scan ? • Users exposed to attacks from outsider ? Users exposed to attacks from outsider ? Tunnels can be used also from attackers: • Use of IPv6 tunnels to hide connection with botnets and compromised Use of IPv6 tunnels to hide connection with botnets and compromised systems systems Some operating systems configure IPv6 tunnels by default

  13. It’s IPv6 more secure ?: end of the scans IPv6 will be the end of the worms and scanning: End of the worms , Which worm is going to find an address to compromise if home users have more address than the current (IPv4) internet ? But: There are more methods to find system that scanning : • Use of web search system like google, to find machines to compromise Use of web search system like google, to find machines to compromise • Logs from emails, netnews, irc, etc. Logs from emails, netnews, irc, etc. • Modified P2P can be also used to look for IP address . Modified P2P can be also used to look for IP address . • Use DNS brute forcing and zone transfer Use DNS brute forcing and zone transfer • How are the users going to internally configure their network ? How are the users going to internally configure their network ? At the end a network administrator need some tools to manage his network, and the same techniques could be used from outsider to find system

  14. It’s IPv6 more secure ? Security elements Almost all the networking companies announce support for IPv6: • routers y firewall: Did they support IPv6 with the same quality that IPv4 ? • Sometimes the filtering is done at “Software level”, instead hardware. Sometimes the filtering is done at “Software level”, instead hardware. This generate a higher CPU load for the same amount of traffic. This generate a higher CPU load for the same amount of traffic. • Most of the time you need the last version of the Operating System, that Most of the time you need the last version of the Operating System, that requires a hardware upgrade . requires a hardware upgrade . As mention before, how the firewall will manage the tunnels ? • Network IDS IPv6 header has a variable size, and the data can be encrypted, so the IDS need more power to analyse the application level data • Operating System Are the IPv6 TCP/IP stack as optimized as IPv4 stacks ?

  15. It’s IPv6 more secure ?: Applications Most of the security problem are DO NOT DEPENT ON the network Buffer Overflows Brute force against weak password Bad programming practices in Web development IPv6 don’t provide any response for th6s problems Most of the attacks using IPv4 can be also be adapted to IPv6. cle Can this attacks be recycled ?

  16. Indice • Computer Recycling a practical example • Configuration of a IPv6 Network • Attack demonstration • Solutions and future ways

  17. Recycling Hardware (I) Vax 3100 server: It’s not intel x86 based, nor a Sun, it ‘s a VAX ;-) 24 Mb RAM 100Mb hardisk 16Mz u No monitor, keyboard or CD OpenVMS In brief: A thing to go directly to the trash;-(

  18. Recycling Hardware (II) You can upgrade the system, open it, place a Cd and: NetBSD ;-) Unix, as usual • No bash or graphical interface No bash or graphical interface • Light , can be used in this old Light , can be used in this old hardware hardware IPv6 support directly in the installation Example of how old problems can be recycled also

  19. Generic configuration of an IPv4 network Link Internet Servers Other system

  20. Generic IPv6 configuration (II) Protection our network Link Internet Servers Internal network Users equipment

  21. Generic configuration IPv6 (III) Same IPv6 network Link Internet Servers Internal network Users

  22. Generic configuration of IPv6 net (IV) IPv6 link Internet Servers Internal network Users

  23. Generic configuration of IPv6 network Internet 2 Link Internet Servers Internal link Users equipment

  24. IPv6 is here !!! Most of the equipment support IPv6 IPv6 is quite common in the base operating system Are correctly updated the corporate server ? • Delayed updated due to maintain windows Delayed updated due to maintain windows • Fake security: We have a firewall to protect the server Fake security: We have a firewall to protect the server • Who is going to use IPv6 to attack us ? Who is going to use IPv6 to attack us ? Automatic IPv6 configuration and tunnels can made the system administration more difficult.

  25. Configuration fault in IPv6 Sometimes the filtered are only applied in IPv4 , not IPv6: Software filtering in some router modules IPv6 is an experimental service , running by research department, not by the operational team • Lack of security contact for this systems Lack of security contact for this systems lack of security concern IPv6 filtering is supported in Linux , but most of the commercial system that are based in this operating system don’t support . In Brief: Most of the IPv6 networks are completely open, without filtering from outside.

Recommend

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool IPv4 with NAT/Tunnels But we can use IPv4 and NAT or Tunnels!!! Yeah, right IPv6 IPv6 Readiness Laptops, pads, mobile phones, dongles,

477 views • 19 slides
SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36, London, January 2017 Incremental IPv6 deployment in DC IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full

550 views • 15 slides
IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address IPv4 allowed for 4.3 billion possible addresses, IPv6 allows for 340 undecillion addresses 3.40E38, 7.9E28 more than IPv4 addresses, ~ 4.8x10

1.07k views • 28 slides
IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4

IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4

IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4 exhaustion (link to RIRs and highlight relevant trends for your region) Regional Internet Authorities are in various phases of IPv4 exhaustion

486 views • 13 slides
Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic

Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic

Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic ac7vity Geoff Huston APNIC February 2012 The IPv4 Table: 2004 - now The IPv6

770 views • 47 slides
Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com When will IPv6-only deployment happen? Hypothesis 1 1st node is All IPv4 nodes dual-stack speak also IPv6 IPv4-only IPv4 & IPv6 IPv6-only

675 views • 25 slides
IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There

IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There

IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There are 4,294,967,296 IPv4 addresses (32 bits long) but not all of them can be used Looks like a lot, right? But... World popula)on currently stands

501 views • 27 slides
Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4 addresses have 32 bits only not enough for 1 IP address per person dynamic IPs, NAT, Manual configuration time consuming (in larger

655 views • 16 slides
Post IPv4 completion Making IPv6 deployable incrementally by making it backward compatible

Post IPv4 completion Making IPv6 deployable incrementally by making it backward compatible

Post IPv4 completion Making IPv6 deployable incrementally by making it backward compatible with IPv4. Alain Durand The Internet must support continued, un-interrupted growth regardless of IPv4 address availability DISCLAIMER:

614 views • 17 slides
Tunnel Broker Using IPv4 Anycast Xin LIU lx@ns.6test.edu.cn August 2003 Outline Transition

Tunnel Broker Using IPv4 Anycast Xin LIU lx@ns.6test.edu.cn August 2003 Outline Transition

Tunnel Broker Using IPv4 Anycast Xin LIU lx@ns.6test.edu.cn August 2003 Outline Transition from IPv4 to IPv6 Typical Tunnel Broker Tunnel Broker Utilizing IPv4 Anycast From IPv4 to IPv6 IPv6 = Internet Protocol Version 6

722 views • 14 slides
Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC

Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC

Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC meeting Dublin, Ireland Introduction World IPv6 Launch is today! When enabling IPv6 support in services, it is crucial to monitor with both IPv4

1.09k views • 27 slides
Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node

Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node

Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node as many as 20,000 IPv6/IPv4 The IP Centrex service, "IP Business Phone", Translator developed by FreeBit, has got a major contract with

752 views • 5 slides
IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net Australia's Academic and Research Network IPv6 policy Going forward, we seek to support IPv6 to the same extent as we support IPv4. Exceptions require

631 views • 52 slides
IPv4 Pricing and Transfer Update Sandra Brown IPv4 Market Group January 19, 2016 IPv4 Life

IPv4 Pricing and Transfer Update Sandra Brown IPv4 Market Group January 19, 2016 IPv4 Life

IPv4 Pricing and Transfer Update Sandra Brown IPv4 Market Group January 19, 2016 IPv4 Life Cycle Events ARIN Runout RIPE Inter-RIR Transfers /8s come to market IPv6 Adoption 2 Factors Affecting Pricing # OF IP TRANSFERS

223 views • 8 slides
From IPv4 to IPv6 From IPv4 to IPv6 T.R. Dua, Deputy Director General, COAI July 21, 2009

From IPv4 to IPv6 From IPv4 to IPv6 T.R. Dua, Deputy Director General, COAI July 21, 2009

From IPv4 to IPv6 From IPv4 to IPv6 T.R. Dua, Deputy Director General, COAI July 21, 2009 @ New Delhi

312 views • 27 slides
Some Sample LFBs: Netdevice, IPV4, and IPV6 Jamal Hadi Salim <hadi@znyx.com> Sample LFB

Some Sample LFBs: Netdevice, IPV4, and IPV6 Jamal Hadi Salim <hadi@znyx.com> Sample LFB

Some Sample LFBs: Netdevice, IPV4, and IPV6 Jamal Hadi Salim <hadi@znyx.com> Sample LFB topology Local: ICMP, IPV4 FWD UDP TCP etc ARP MPLS IPV6 IPV4 Ingress Egress Netdevice Netdevice Goal to show A simple example topology -

438 views • 18 slides
1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion practice) 3. IPv6 advantages over IPv4 4. IPv4 address structure 5. IPv6 address structure IPv4 Address 32 bit address (computer stores information

655 views • 53 slides
Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA <keiichi@iijlab.net> IIJ Research Laboratory / WIDE project Contents IPv6 service in Japan How I live Example of IPv6 configuration Some news of IPv6

653 views • 16 slides
IPv4 address exhaustion and IPv6 Glen Turner 2008-11-21 AIS IT managers' meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-11-21 AIS IT managers' meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-11-21 AIS IT managers' meeting aar net Australia's Academic and Research Network IPv4 address format Internet protocol v4 addresses are 32 bits long They are divided into three parts

1.18k views • 69 slides
dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R.

dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R.

dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R. Asati, C. Xie, Q. Sun 2011-11-12 Introduction The dIVI-PD is an extension of stateless IPv4/IPv6 translation with address sharing RFC6052:

890 views • 15 slides
Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

Outline Outline IPv6: An Introduction IPv6: An Introduction Problems with IPv4 Problems with IPv4 Basic IPv6 Protocol Basic IPv6 Protocol IPv6 features IPv6 features Dheeraj Sanghi Dheeraj Sanghi Auto

512 views • 7 slides
Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin

Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin

Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin http://www.tlm.unavarra.es/ Soluciones Doble pila Dispositivos con IPv4 e IPv6 Tneles Comunicar IPv6 a travs de zonas IPv4 Traduccin

631 views • 24 slides
IPv4 REVIEW AND IPv6 ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 07 NOVEMBER 2016

IPv4 REVIEW AND IPv6 ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 07 NOVEMBER 2016

IPv4 REVIEW AND IPv6 ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 07 NOVEMBER 2016 TELECOMMUNICATION SYLLABUS Principles of Telecom (IP Telephony and IP TV) - Key Issues to remember 1. IPv4 Header and how it is used for routing packets 2.

703 views • 23 slides

More recommend