2012 IEEE Symposium on Humanities, Science and Engineering Research

IPv6 Attack Scenarios Testbed


* Wan Nor Ashiqin Wan Ali, * Abidah Hj Mat Taib, * Naimah Mohd Hussin and * Jamal Othman
* Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA Perlis Branch, Malaysia
wannorashiqin@gmail.com, abidah@perlis.uitm.edu.my





Abstract: Deploying IPv6 in an enterprise network increases security issues because some IPv6 features introduce vulnerabilities, so mitigating them with an appropriate security policy is vital. Attack scenario testing exposes network administrators to potential IPv6 attacks. For example, the Bad ACK-Reset attack is used by an attacker to reset a new connection after exploiting the network. The Packet Fragmentation attack is capable of taking control of the packet fragmentation services and can cause problems in security measurement. Hence, this paper tests the Bad ACK-Reset and Packet Fragmentation attack scenarios for analysis. Scapy (2.0.1) was used to generate the packets for testing, and a testbed simulation was designed using Graphical Network Simulator 3 (GNS3). Several ip6tables rules and access control lists (ACLs) were implemented at the host and the router, respectively, to counter the Bad ACK-Reset and Packet Fragmentation attack scenarios. Information gained from the testing provides a clear understanding of IPv6 security issues and helps in designing a proper network security policy. The current results can be used for future research in generating security policies. Our further research will focus on modelling the created security policy for IPv6 deployment.

Keywords: IPv6 deployment; IPv6 attack scenarios; security policy; GNS3; ip6tables

I. INTRODUCTION
Handling the threats that arise from Internet Protocol version 6 (IPv6) deployment has become an important issue [1], [2], [3], [4]. Since enterprises need to deploy IPv6 sooner or later, they must also consider the security issues related to IPv6 deployment. Therefore, we need to test several attacks related to IPv6 deployment in order to create an appropriate set of security policies that can be implemented and enforced in the host firewall and in the perimeter firewall.

This paper focuses on an attack testing setup that uses the Graphical Network Simulator 3 (GNS3) simulation software [5]. GNS3 supports any testbed simulation using Cisco routers. The testbed simulation focuses on testing several attacks related to the Internet Control Message Protocol for IPv6 (ICMPv6) [6]. The attacks were conducted using the THC IPv6 Toolkit [7] and Scapy [8]. The documentation of ip6tables in RFC 4890 has been considered in our testing simulation. However, some attacks need to be filtered at the router, so some access control lists (ACLs) have been configured to counter the attacks before they arrive at the host.

The remainder of this paper is organized as follows: Section 2 discusses IPv6 attack scenarios, Section 3 describes a testbed simulation using the GNS3 application, Section 4 states the purpose of testing, Section 5 identifies the assessment criteria and Section 6 designs the framework of testing. The remaining sub-topics are the testbed, experimental tools, test procedure, findings and conclusion, and the last section closes the paper with some conclusions.
II. IPV6 ATTACK SCENARIOS
IPv6 attacks are becoming possible due to the wider use of IPv6 in present networks. Moreover, recent development has shown that computer devices and networks are IPv6-enabled. When enterprises start to deploy IPv6, they still need to maintain IPv4 concurrently. Hence, security issues have increased, since enterprises need to maintain the coexistence of IPv4 and IPv6 [4].

Researchers [9], [4], [10] found that the number of attacks has increased with IPv6 deployment, since attackers manipulate the vulnerabilities of IPv6. However, with knowledge and understanding of IPv6 attacks, an administrator is better equipped to counter IPv6 security issues. For instance, this paper demonstrates the Bad ACK-Reset and Packet Fragmentation attacks that can occur in an IPv6 deployment.

The Bad ACK-Reset attack [11] can be used to generate a connection after doing something bad to the victim host while still wanting to create an additional session without any acknowledgement to that victim. Thus, an attacker can inject malicious packets that harm the victim host again and again by resetting a new connection. The Bad ACK-Reset attack represents the IPv6 attacks that can occur when an attacker is able to reset a new connection with the victim host.

Meanwhile, the Packet Fragmentation attack is usually used to obscure the content of the transferred data so that it can pass through the firewall [12]. It can also be seriously misused by an attacker to inject various malicious packets by using packet fragmentation. The packet fragmentation attack can occur in both IPv4 and IPv6 networks. However, since our work focuses on IPv6 attacks, we have tested this kind of attack using IPv6 addresses. This attack is adopted from [12] and re-tested in our experimental testbed.

This work was supported in part by the Fundamental Research Scheme Grant (FRGS), code project: 600-RMI/SSP/FRGS 5/3/Fsp (54/2010) and Dana Kecemerlangan UiTM, code project: 600-RMI/ST/DANA 5/3/Dst (455/2011).

978-1-4673-1310-0/12/$31.00 2012 IEEE

III. TESTBED SIMULATION USING GNS3 APPLICATION
Graphical Network Simulator 3 (GNS3) allows researchers to emulate complex or simple networks. In addition, GNS3 can combine actual devices and virtual devices in one or more networks. The virtual devices can be virtual machines, routers and other virtual network devices.

GNS3 also supports Cisco IOS through Dynamips, which makes things easier since it provides a GUI. Users can run any command as long as the commands and parameters used are supported by Cisco IOS. Besides Cisco, GNS3 also supports Juniper routers and the PIX Firewall.

In addition, GNS3 is free, open-source software that can be installed and used on various operating systems such as Windows, MacOS, Linux and others. However, GNS3 does not replace the router, because it is used for education and lab testing purposes.

A. Purpose
The aim of the testing presented here is to point out that the Bad ACK-Reset and Packet Fragmentation attacks can occur in an IPv6 deployment. Indirectly, the testing also provides solutions that can be practiced to prevent the attacks from occurring.

B. Assessment Criteria
The attack scenarios have been tested and evaluated using Wireshark, an open-source packet analyzer [13]. Packets are observed according to each frame inside the packets. After the packets are observed, some prevention is applied to counter the attack scenarios. The testing is then repeated two times: the first test is without any filtering rule and the second is with appropriate filtering rules. The attack scenarios are tested several times with some filtering rules until we get the appropriate rules. Packets are captured and analyzed again to see whether the rules are able to counter those attacks.

C. Framework
This attack scenario testing is conducted as a preliminary study to show that enterprises need to manage their host firewall properly. Several studies have revealed the importance of firewall management and some security issues that arise when users start to deploy IPv6 [14], [15], [16], [9]. Enterprises must protect their own organization firewall in order to sustain their business activities, since they use many more network applications than an individual user.

With the existence of IPv6, enterprises cannot rely totally on the perimeter firewall, since IP Security (IPsec) is mandatory in an IPv6 installation [17]. The perimeter firewall cannot see the content of any packet if the attacker uses IPsec. If end-to-end IPsec is used, the transmitted data are encrypted and only the destination host can decrypt them. Therefore, host firewall implementation is crucial for enterprises to manage their organization security properly.

This testing was performed in a private network to isolate it from the running network. Hence, the testing did not create any conflict with the public network or the organization network, because it is hazardous to test attack scenarios on the organization network.

Figure 1 shows the basic organization network topology, which adopts the distributed firewall concept [18]. The distributed firewall concept points out that it is important to manage the host firewall besides the perimeter firewall [18], [19]. Thus, this testing provides appropriate mechanisms that can represent the host firewall, namely ip6tables rules and ACLs.

Figure 1. Organization Network Topology

D. Experimental Testbed Setup
The testbed simulation was designed using the GNS3 application. The existing firewall was tested to review whether it can support IPv6 traffic. Some of the attacks related to IPv6 deployment were tested and the traffic was captured for in-depth analysis.

The testing simulation was designed using one virtual router and two computers (Windows XP, Centos). A guest operating system (Virtual Ubuntu) was installed in the host operating system (Windows XP) to support this testing setup. All computers are connected through the virtual router, which has been configured using the GNS3 application.

Two nodes, Node A (Centos) and Node B (Virtual Ubuntu), have been configured with dual-stack addresses. The dual-stack addresses represent the coexistence of IPv4 and IPv6 addresses. Even though the experimental setup used dual-stack addresses, this testing focuses only on IPv6 attack scenarios. Figure 2(a) shows the testbed topology designed using the GNS3 application.

Figure 2(a). Testbed Topology Using GNS3 Application

R1#sh run
Building configuration...
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 192.168.32.2 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 2607:F0D0:1002:52::2/64
 ipv6 enable
!
interface FastEthernet0/1
 ip address 192.168.33.3 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 2607:F0D0:1002:53::3/64
 ipv6 enable
!
End

Figure 2(b). Router Configuration

The virtual routers [20] have been configured using the router emulator Dynamips. The router configuration for this testing is shown in Figure 2(b).

E. Test Procedure
First, we created a private network for our testing using GNS3. Then, we configured the router and computers to ensure that the connection was successful. Subsequently, we tested the network with the Bad ACK-Reset and Packet Fragmentation attacks using Scapy (2.0.1). The attacks were first tested without applying any rule, and the traffic was captured and analyzed using Wireshark. The testing was then repeated with some rules applied to counter the problem. From there, we could determine which rules are appropriate to prevent the attacks from occurring.

IV. FINDINGS DISCUSSION
A. Bad ACK-Reset Attack
The Bad ACK-Reset attack [21] can be used to generate a connection after doing something wrong to the victim host while still wanting to create an additional session without any acknowledgement. The Bad ACK-Reset attack has been tested in an IPv4 network, and some rules to counter the attack have been applied [11]. Hence, the same Bad ACK-Reset code has been adapted in this testing to test whether the attack can occur with IPv6 addresses. TABLE I shows the captured packets from the testing.

Based on TABLE I, Node B (2607:f0d0:1002:53:a00:27ff:fe96:b186) has been attacked with a sort of content rule for "BAD STUFF" by Node A (2607:f0d0:1002:52:230:18ff:fea3:7559). The content was separated into two parts to urge TCP reassembly, so the victim host was not aware of the content rule, as it came with a single segment. The attacker could send any SYN packet without the victim's acknowledgement, because the Bad ACK-Reset attack would reset the connection again.

The Bad ACK-Reset attack can be prevented by using the following ip6tables rules, which have been tested with the testbed simulation:

#ip6tables -A INPUT -s ipv6_address -j DROP
#ip6tables -A INPUT -s ipv6_network_prefix -d ipv6_network_prefix -j ACCEPT
#ip6tables -A OUTPUT -p tcp -s ipv6_address -d ipv6_network_prefix --tcp-flags RST RST --destination-port 80 -j DROP

The Bad ACK-Reset attack was tested again after the ip6tables rules were implemented. TABLE II shows that the attacker cannot reset the connection once again. Therefore, with those ip6tables rules the attacker is prevented from continuing the communication with the victim nodes.


TABLE I. CAPTURED PACKET OF BAD ACK-RESET ATTACK

| No. | Time | Source | Destination | Protocol | Info |
|---|---|---|---|---|---|
| 1 | 0.000000 | c4:01:0a:74:00:01 | c4:01:0a:74:00:01 | LOOP | Reply |
| 2 | 3.933787 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | TCP | 9415 > http [SYN] Seq=0 Win=8192 Len=0 |
| 3 | 3.933804 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | TCP | http > 9415 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0 |
| 4 | 4.135994 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | TCP | 9415 > http [ACK] Seq=1 Ack=3 Win=8192 Len=0 |
| 5 | 4.136011 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | TCP | http > 9415 [RST] Seq=3 Win=0 Len=0 |
| 6 | 4.209749 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | HTTP | Continuation or non-HTTP traffic |
| 7 | 4.209755 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | TCP | http > 9415 [RST] Seq=2 Win=0 Len=0 |

TABLE II. CAPTURED PACKET OF BAD ACK-RESET ATTACK USING IP6TABLES

| No. | Time | Source | Destination | Protocol | Info |
|---|---|---|---|---|---|
| 1 | 0.000000 | c4:01:0a:74:00:01 | c4:01:0a:74:00:01 | LOOP | Reply |
| 2 | 2.858057 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | TCP | 47916 > http [SYN] Seq=0 Win=8192 Len=0 |
| 3 | 7.870039 | fe80::c601:aff:fe74:1 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | ICMPv6 | Neighbor Solicitation for 2607:f0d0:1002:53:a00:27ff:fe96:b186 from c4:01:0a:74:00:01 |
| 4 | 7.870064 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | fe80::c601:aff:fe74:1 | ICMPv6 | Neighbor Advertisement 2607:f0d0:1002:53:a00:27ff:fe96:b186 (sol) |
| 5 | 10.007276 | c4:01:0a:74:00:01 | c4:01:0a:74:00:01 | LOOP | Reply |
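
The sequence in TABLE I, where Node A keeps sending segments after Node B has reset the connection, can be flagged in a capture with a small per-flow state tracker. The following Python code is an added example, not code from the paper or from [11]; the record layout and the name find_out_of_state are assumptions, and the flags of the HTTP frame, which TABLE I does not list, are assumed to be PSH, ACK.

```python
NODE_A = "2607:f0d0:1002:52:230:18ff:fea3:7559"
NODE_B = "2607:f0d0:1002:53:a00:27ff:fe96:b186"

# TCP frames of TABLE I as (time, src, sport, dst, dport, flags).
# The flags of the HTTP frame are not shown in the table and are assumed.
TABLE_I = [
    ("3.933787", NODE_A, 9415, NODE_B, 80, {"SYN"}),
    ("3.933804", NODE_B, 80, NODE_A, 9415, {"RST", "ACK"}),
    ("4.135994", NODE_A, 9415, NODE_B, 80, {"ACK"}),
    ("4.136011", NODE_B, 80, NODE_A, 9415, {"RST"}),
    ("4.209749", NODE_A, 9415, NODE_B, 80, {"PSH", "ACK"}),
    ("4.209755", NODE_B, 80, NODE_A, 9415, {"RST"}),
]

# Constructed comparison trace: a normal handshake followed by data.
NORMAL = [
    ("0.10", NODE_A, 40000, NODE_B, 80, {"SYN"}),
    ("0.11", NODE_B, 80, NODE_A, 40000, {"SYN", "ACK"}),
    ("0.12", NODE_A, 40000, NODE_B, 80, {"ACK"}),
    ("0.13", NODE_A, 40000, NODE_B, 80, {"PSH", "ACK"}),
    ("0.14", NODE_B, 80, NODE_A, 40000, {"ACK"}),
]


def find_out_of_state(frames):
    """Return the times of segments that belong to no open connection."""
    state = {}      # initiator's (src, sport, dst, dport) -> handshake state
    flagged = []
    for time, src, sport, dst, dport, flags in frames:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key = fwd if fwd in state else rev if rev in state else None
        if "RST" in flags:
            # A reset from either side closes the flow; it is not flagged.
            state.pop(key, None)
        elif flags == {"SYN"}:
            state[fwd] = "SYN_SENT"
        elif flags == {"SYN", "ACK"} and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RCVD"
        elif key is None or state[key] == "SYN_SENT":
            # No handshake in progress, or the SYN was never answered.
            flagged.append(time)
        elif state[key] == "SYN_RCVD" and key == fwd and "ACK" in flags:
            state[key] = "ESTABLISHED"
    return flagged


if __name__ == "__main__":
    print("TABLE I:", find_out_of_state(TABLE_I))
    print("normal :", find_out_of_state(NORMAL))
```

The two flagged frames are the ACK and the data segment that Node A sends after each reset; connection teardown with FIN is not modelled.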

B. Packet Fragmentation Attack


Fragmentation is the method of IP packet separation in which an IP packet is divided into smaller packets, so that the packet can be transmitted through a network that does not allow the transmission of huge packets [12]. However, fragmentation can be misused by an attacker to send a hidden attack inside the packet. Attackers can hide their attacks in countless small fragments so that they bypass network attack detection or network filtering. We injected a single Packet Fragmentation attack packet into the test. Figure 3 shows a snapshot of the testing: when we injected a Packet Fragmentation attack, we got a reply from the victim host.

Figure 3. Snapshot of Packet Fragmentation Attack

Based on TABLE III, Node A (2607:f0d0:1002:52:230:18ff:fea3:7559) sent the IPv6 packet fragment to Node B (2607:f0d0:1002:53:a00:27ff:fe96:b186). Node A then gets a Parameter Problem message from Node B, which means there is a parameter problem because of an invalid header. However, Node A can still keep on sending the fragmented packet to Node B. Thus, the network administrator can implement an access control list (ACL) to block the Packet Fragmentation attack. Some ACL rules are implemented at the router to counter the attack:
(config)#ipv6 access-list BLOCKFRAGMENTS
(config-ipv6-acl)#permit 88 any any
(config-ipv6-acl)#permit 103 any any
(config-ipv6-acl)#permit icmp any any router-advertisement
(config-ipv6-acl)#permit icmp any any router-solicitation
(config-ipv6-acl)#deny ipv6 any 2607:f0d0:1002:52::/64
(config-ipv6-acl)#interface FastEthernet 0/1
(config-if)#ipv6 traffic-filter BLOCKFRAGMENTS in

TABLE IV shows the captured packets of the Packet Fragmentation attack after filtering with the ACL rules. From TABLE IV, we can see that Node A (2607:f0d0:1002:52:230:18ff:fea3:7559) tries to send the IPv6 packet fragment again to Node B (2607:f0d0:1002:53:a00:27ff:fe96:b186). Node A then still gets a Parameter Problem message from Node B. However, Node A cannot keep on sending the fragmented packet to Node B, since the fragmented packet is blocked at the router.
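
A capture can be audited for fragments like the one in TABLE III by parsing the IPv6 Fragment header directly. The following Python code is an added example, not code from the paper: the function names are assumptions, the sample packets are constructed (only the addresses, off=800 and id=0x2 come from TABLE III), and the two length checks are the RFC 8200 section 4.5 conditions under which a receiver answers with Parameter Problem code 0. The paper does not say which field Node B rejected.

```python
import ipaddress
import struct

FRAGMENT = 44
SKIPPABLE = {0, 43, 60}   # hop-by-hop, routing, destination options


def parse_fragment(packet):
    """Return the Fragment header fields of a raw IPv6 packet, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    payload_len, nxt = struct.unpack_from("!HB", packet, 4)
    end = min(len(packet), 40 + payload_len)
    off = 40
    while nxt in SKIPPABLE and off + 8 <= end:
        nxt, ext_len = packet[off], packet[off + 1]
        off += 8 * (ext_len + 1)
    if nxt != FRAGMENT or off + 8 > end:
        return None
    inner, _, off_flags, ident = struct.unpack_from("!BBHI", packet, off)
    return {
        "flow": (packet[8:24], packet[24:40], ident),  # src, dst, id
        "next": inner,
        "offset": off_flags & 0xFFF8,   # 13-bit field is in 8-byte units
        "more": bool(off_flags & 1),
        "length": end - (off + 8),      # fragment data carried
    }


def audit(packets):
    """Return (packet number, reason) pairs for suspicious fragments."""
    frags = [(n, parse_fragment(p)) for n, p in enumerate(packets, 1)]
    frags = [(n, f) for n, f in frags if f]
    firsts = {f["flow"] for _, f in frags if f["offset"] == 0}
    findings = []
    for n, f in frags:
        if f["offset"] > 0 and f["flow"] not in firsts:
            findings.append((n, "no first fragment seen"))
        if f["more"] and f["length"] % 8:
            findings.append((n, "M=1 and length not a multiple of 8"))
        if f["offset"] + f["length"] > 65535:
            findings.append((n, "reassembled payload exceeds 65535"))
    return findings


def build(src, dst, offset, more, ident, data):
    """Constructed sample: IPv6 header + Fragment header (next=TCP) + data."""
    frag = struct.pack("!BBHI", 6, 0, offset | int(more), ident)
    hdr = struct.pack("!IHBB", 6 << 28, len(frag) + len(data), FRAGMENT, 64)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in (src, dst))
    return hdr + addrs + frag + data


NODE_A = "2607:f0d0:1002:52:230:18ff:fea3:7559"
NODE_B = "2607:f0d0:1002:53:a00:27ff:fe96:b186"
SAMPLES = [
    build(NODE_A, NODE_B, 800, False, 0x2, b"X" * 20),  # as in TABLE III
    build(NODE_A, NODE_B, 0, True, 0x3, b"Y" * 24),     # normal first part
    build(NODE_A, NODE_B, 24, False, 0x3, b"Z" * 10),   # normal last part
    build(NODE_A, NODE_B, 0, True, 0x4, b"W" * 13),     # M=1, odd length
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLES):
        print(number, reason)
```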


TABLE III. CAPTURED PACKET OF PACKET FRAGMENTATION ATTACK

| No. | Time | Source | Destination | Protocol | Info |
|---|---|---|---|---|---|
| 1 | 0.000000 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | IPv6 | IPv6 fragment (nxt=TCP (0x06) off=800 id=0x2) |
| 2 | 0.000029 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | ICMPv6 | Parameter Problem (erroneous header field encountered) |
| 3 | 2.559702 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | IPv6 | IPv6 fragment (nxt=TCP (0x06) off=800 id=0x2) |
| 4 | 2.559725 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | ICMPv6 | Parameter Problem (erroneous header field encountered) |
| 5 | 2.629553 | c4:02:05:08:00:01 | c4:02:05:08:00:01 | LOOP | Reply |

TABLE IV. CAPTURED PACKET OF PACKET FRAGMENTATION ATTACK USING ACL RULES

| No. | Time | Source | Destination | Protocol | Info |
|---|---|---|---|---|---|
| 1 | 0.000000 | c4:02:05:08:00:01 | c4:02:05:08:00:01 | LOOP | Reply |
| 2 | 1.606498 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | IPv6 | IPv6 fragment (nxt=TCP (0x06) off=800 id=0x2) |
| 3 | 1.606523 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | ICMPv6 | Parameter Problem (erroneous header field encountered) |
| 4 | 6.603758 | fe80::a00:27ff:fe96:b186 | fe80::c602:5ff:fe08:1 | ICMPv6 | Neighbor Solicitation for fe80::c602:5ff:fe08:1 from 08:00:27:96:b1:86 |
| 5 | 6.619023 | fe80::c602:5ff:fe08:1 | fe80::a00:27ff:fe96:b186 | ICMPv6 | Destination Unreachable (Administratively prohibited) |
| 6 | 6.621843 | fe80::c602:5ff:fe08:1 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | ICMPv6 | Neighbor Solicitation for 2607:f0d0:1002:53:a00:27ff:fe96:b186 from c4:02:05:08:00:01 |

V. CONCLUSION
The experiment presented in this paper supports the need for a more persistent and distributed security policy that focuses on managing the host firewall appropriately. This paper highlights the analysis of some IPv6 attack scenarios, using the GNS3 application to model the testing topology.

Currently, we are testing several IPv6 attack scenarios in order to study IPv6 deployment and its vulnerabilities in depth. From the testing results, we can define appropriate security policies for designing a security policy model for IPv6 deployment. As the outcome, there will be an implementation of a prototype security policy model based on the distributed firewall concept.

ACKNOWLEDGMENT
We would like to thank the reviewers, participants of the research project and other individuals who have indirectly contributed to this research.

REFERENCES
[1] D. Zagar and K. Grgic, "IPv6 Security Threats and Possible Solutions," in Automation Congress, 2006. WAC '06. World, 2006, pp. 1-7.
[2] Y. Xinyu, M. Ting and S. Yi, "Typical DoS/DDoS Threats under IPv6," in Computing in the Global Information Technology, 2007. ICCGI 2007. International Multi-Conference on, 2007, pp. 55-55.
[3] R. Radhakrishnan, M. Jamil, S. Mehfuz and Moinuddin, "Security issues in IPv6," in Networking and Services, 2007. ICNS. Third International Conference on, 2007, pp. 110-110.
[4] E. DurdagI and A. Buldu, "IPV4/IPV6 security and threat comparisons," Procedia - Social and Behavioral Sciences, vol. 2, pp. 5285-5291, 2010.
[5] GNS3. (2011, 9th May). GNS3 Graphical Network Simulator. Available: http://www.gns3.net/
[6] E. Davies and J. Mohacsi, "Recommendations for Filtering ICMPv6 Messages in Firewalls [RFC 4890]," 2007.
[7] v. Hauser. (2005, 20th May). Attacking the IPv6 Protocol Suite. Available: http://www.thc.org/thc-ipv6/
[8] J. Novak. (2011, 10th June). A Taste of Scapy. Available: http://www.sans.org/reading_room/whitepapers/testing/tastescapy_33249
[9] Y. Dequan, S. Xu, G. Qiao, "Security on IPv6," in Advanced Computer Control (ICACC), 2010 2nd International Conference on, 2010, pp. 323-326.
[10] W. Hui, Y. Sun, J. Liu and K. Lu, "DDoS/DoS Attacks and Safety Analysis of IPv6 Campus Network: Security Research under IPv6 Campus Network," in Internet Technology and Applications (iTAP), 2011 International Conference on, 2011, pp. 1-4.
[11] J. Novak, W. Josh, M. Tim, P. Mike. (2010, 10th August). Packetstan. Available: http://www.packetstan.com/2010/06/scapy-code-for-bad-ackreset.html
[12] S. Hogg and E. Vyncke, IPv6 Security vol. 1. Indianapolis: Cisco Press, 2008.
[13] Ulf Lamping, S. Richard and W. Ed, Wireshark User's Guide: for Wireshark 1.7: Free Software Foundation, 2004-2011.
[14] D. Barrera and P. C. van Oorschot, "Security visualization tools and IPv6 addresses," in Visualization for Cyber Security, 2009. VizSec 2009. 6th International Workshop on, 2009, pp. 21-26.
[15] F. Beck, O. Festor, I. Chrisment and R. Droms, "Automated and secure IPv6 configuration in enterprise networks," in Network and Service Management (CNSM), 2010 International Conference on, 2010, pp. 64-71.
[16] A. R. Choudhary and A. Sekelsky, "Securing IPv6 network infrastructure: A new security model," in Technologies for Homeland Security (HST), 2010 IEEE International Conference on, 2010, pp. 500-506.
[17] N. M. Ahmad and A. H. Yaacob, "End to End Ipsec Support across Ipv4/Ipv6 Translation Gateway," in Network Applications Protocols and Services (NETAPPS), 2010 Second International Conference on, 2010, pp. 222-227.
[18] S. Ioannidis, A.D. Keromytis, S.M. Bellovin and J.M. Smith, "Implementing a distributed firewall," presented at the Proceedings of the 7th ACM conference on Computer and communications security, Athens, Greece, 2000.
[19] Z.-g. Xiong and X.-m. Zhang, "Research and design on distributed firewall based on LAN," in Computer and Automation Engineering (ICCAE), 2010 The 2nd International Conference on, 2010, pp. 517-520.
[20] T. Li, W.E. Thain and T. Fallon, "On the use of virtualization for router network simulation," 2010.
[21] C. L. Schuba, I.V. Krsul, M.G. Kuhn, E.H. Spafford, A. Sundaram and D. Zamboni, "Analysis of a Denial of Service Attack on TCP," IEEE Symposium on Security and Privacy, pp. 208-223, 1997.