Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6...
Transcript of Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6...
![Page 1: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/1.jpg)
www.ernw.de
Evasion of High-End IDPS Devices at the IPv6 EraAntonios Atlasis
Enno Rey
ERNW [email protected]
Rafael Schaefer
ERNW [email protected]
![Page 2: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/2.jpg)
www.ernw.de
¬ Enno Rey Old school network security guy. Back
in 2001 founder of ERNW & still proudly running the team.
¬ Antonios Atlasis IT Security enthusiast.
Researching security issues for fun.
¬ Rafael Schaefer ERNW student
Young researcher
10/17/2014 #2
Who We Are
![Page 3: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/3.jpg)
www.ernw.de
¬ Introduction IPv6 is here
What IPv6 brings with it:The Extension Headers
¬ Problem Statement. Describe the Mess
¬ Tested IDPS devices: Suricata
Tipping Point
Sourcefire
Snort
¬ Mitigation & Conclusions10/17/2014 #3
Outline of the Presentation
![Page 4: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/4.jpg)
www.ernw.de
¬ The trend in other European countries is similar.
10/17/2014 #4
IPv6 is Real
![Page 5: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/5.jpg)
www.ernw.de
But I don’t Use it in my Environment
¬ 1) Default Behaviour of Windows 7 Service Pack 1
¬ 2) Without IPv6 Router in the environment
¬ 3) These are just a small portion :)
10/17/2014 #5
![Page 6: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/6.jpg)
www.ernw.de
Still, what is the big deal?
● Just an IPv4 replacement with huge address space, correct?
● Many things have changed, for good (??).
● IPv6 Extension Headers probably being the most devastating!
10/17/2014 #6
![Page 7: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/7.jpg)
www.ernw.de
What an IPv6 Datagrams Looks Like…
10/17/2014 #7
¬ This is the root of 3 significant problems…
![Page 8: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/8.jpg)
www.ernw.de
The IPv6 Extension Headers¬ Currently defined:
Hop-by-Hop Options [RFC2460] Routing [RFC2460] Fragment [RFC2460] Destination Options [RFC2460] Authentication [RFC4302] Encapsulating Security Payload [RFC4303] MIPv6, [RFC6275] (Mobility Support in IPv6) HIP, [RFC5201] (Host Identity Protocol) shim6, [RFC5533] (Level 3 Multihoming Shim Protocol for IPv6)
¬ There is a RECOMMENDED order.¬ All (but the Destination Options header) SHOULD occur at most once.¬ How a device should react if NOT ?
10/17/2014 #8
![Page 9: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/9.jpg)
www.ernw.de
Transmission & Processing of IPv6 Ext. Hdrs
¬ RFC 7045. Any forwarding node along an IPv6 packet’s path: should forward the packet regardless of any
extension headers that are present.
MUST recognize and deal appropriately with all standard IPv6 extension header types.
SHOULD NOT discard packets containing unrecognised extension headers.
10/17/2014 #9
![Page 10: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/10.jpg)
www.ernw.de
Problem 1: Too Many Things to Vary
¬ Variable types
¬ Variable sizes
¬ Variable order
¬ Variable number of occurrences of each one.
¬ Variable fields
10/17/2014 #10
IPv6 = f(v,w,x,y,z,)
![Page 11: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/11.jpg)
www.ernw.de10/17/2014 #11
¬ Both the Fragmentable and the Unfragmentable parts may contain any IPv6 Extension headers.
¬ Problem 1 becomes more complicated.
Problem 2: Fragmentation
![Page 12: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/12.jpg)
www.ernw.de
Problem 3: How IPv6 Extension Headers are Chained?
10/17/2014 #12
¬ Next header fields: Contained in IPv6 headers, identify the type of
header immediately following the current one.
They use the same values as the IPv4 Protocol field.
![Page 13: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/13.jpg)
www.ernw.de
Why IPv6 Header Chaining is a Problem?
10/17/2014 #13
IPv6 main header
Next header value = 43
(part 1 out of 2 of the fragmentable
part)
Unfragmentable part Fragmentable part
1st
fra
gm
en
t2
nd
fra
gm
en
t
IPv6 main header
Next header value = 43
IPv6 Fragment Hdr
Next header value =
(part 2 out of 2 of the fragmentable
part)
IPv6 DestOpt Hdr
Next header value = 6
TCP TCP payloadFragmentable
part
IPv6 Fragment Hdr
Next header value =
IPv6 Routing Hdr
Next header value = 44
IPv6 Routing Hdr
Next header value = 44
?
?
60
60
![Page 14: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/14.jpg)
www.ernw.de
¬ Vary: The types of the IPv6 Extension headers
The order of the IPv6 Extension headers
The number of their occurrences.
Their size.
Their fields.
The Next Header values of the IPv6 Fragment Extension headers in each fragment.
Fragmentation (where to split the datagram)
¬ And combine them.
10/17/2014 #14
To sum up the Mess in IPv6
![Page 15: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/15.jpg)
www.ernw.de
Did You Notice?
¬ When designing/writing IPv6 protocols & parsers they didn‘t pay too much attention to #LANGSEC.
¬ Please visit www.langsec.org.
10/17/2014 #15
![Page 16: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/16.jpg)
www.ernw.de
We May Have a Fundamental Problem Here…
¬ There is too much flexibility and freedom…
¬ Which is usually inverse proportional to security :-)
¬ And it can potentially lead to a complete cha0s…
10/17/2014 #16
![Page 17: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/17.jpg)
www.ernw.de
So, What Can Possibly Go Wrong?
¬ Detection Signatures, e.g. used by IDPS rules, etc. are based on blacklisting traffic.
¬ What if we confuse their parsers by abusing IPv6 Extension headers in an unusual / unexpected way?
10/17/2014 #17
![Page 18: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/18.jpg)
www.ernw.de
All this is not just a theory
¬ You can reproduce all the results that we shall demonstrate using Chiron
¬ It can be downloaded from:http://www.secfu.net/tools-scripts/
10/17/2014 #18
![Page 19: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/19.jpg)
www.ernw.de
Our Tests at a Glance
10/17/2014 #19
• Four (4) IDPS (two open-source, two high-end commercial ones).
• At least twelve (12) different evasion techniques, in total.
• All of them 0-days at the time of the finding.
• All of them were reported (disclosed responsibly).
• Most of them were patched, either promptly or not that promptly .
• Some guys were too busy though, so two of the products still suffer from 0-days IPv6 evasion techniques.
![Page 20: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/20.jpg)
www.ernw.de
Evading Suricata¬ Versions 2.0.1, 2.0.2 and 2.0.3
were evaded one by one by using various techniques.
¬ All of them can be found in the white paper and can be reproduced by using Chiron.
¬ We will demonstrate the latest one.
10/17/2014 #20
![Page 21: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/21.jpg)
www.ernw.de
Evading Suricata 2.0.3
10/17/2014 #21
IPv6 main header
IPv6 Type-0 Routing Hdr
IPv6 Fragment Hdr
IPv6 DestOpt Hdr
Unfragmentable part Fragmentable part
1st
fra
gm
en
t2
nd
fra
gm
en
t
IPv6 Type-0 Routing Hdr
IPv6 main header
IPv6 Fragment Hdr
Layer-4 header
Layer-4 Payload
Note: Other combinations of Extension Headers can also work (your …homework)
![Page 22: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/22.jpg)
www.ernw.de
Time for Action
¬ Demo against Suricata 2.0.3
10/17/2014 #22
![Page 23: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/23.jpg)
www.ernw.de
Suricata Developers in Each Reported Case Reacted really Fast
10/17/2014 #23
![Page 24: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/24.jpg)
www.ernw.de
Evading TippingPoint, “the Old Way” (March 2014)
10/17/2014 #24
IPv6 main header
Next header value = 44
(part 1 out of 2 of the fragmentable
part)
Unfragmentable part Fragmentable part
1st
fra
gm
en
t2
nd
fra
gm
en
t
IPv6 main header
Next header value = 44
IPv6 Fragment Hdr
Next header value = 6
(part 2 out of 2 of the fragmentable
part)
IPv6 DestOpt Hdr
Next header value = 6
TCP TCP payload
Fra
gm
en
tab
lep
art
Note: Layer-4 header can be in the 1st fragment and the attack still works
IPv6 Fragment Hdr
Next header value = 60
![Page 25: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/25.jpg)
www.ernw.de
Evading TippingPoint, “The Old Way”
10/17/2014 #25
![Page 26: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/26.jpg)
www.ernw.de
¬ Configured to: Operate inline at Layer 2.
Block any HTTP traffic.
Additional XSS rules (to test attacks at the payload too).
10/17/2014 #26
That First One Was Patched…But Again We Had a New One ;-)
![Page 27: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/27.jpg)
www.ernw.de
IPv6 Fragment hdr
Next hdr value = 6
Evading TippingPoint, after First Patching
10/17/2014 #27
IPv6 main header
Next header value = 44
IPv6 Fragment Hdr
Next header value = 60
(part 1 out of 2 of the fragmentable
part)
Unfragmentable part Fragmentable part
1st
fra
gm
en
t2
nd
fra
gm
en
t
IPv6 main header
Next header value = 44
(part 2 out of 2 of the fragmentable
part)
Note: Layer-4 header can be in the 1st fragment and the attack still works
IPv6 main header
Next header value = 44
(part 2 out of 2 of the fragmentable
part)
2n
d
fra
gm
en
t (a
ga
in)
IPv6 Fragment hdr
Next hdr value = 60/6
![Page 28: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/28.jpg)
www.ernw.de
Time for some more …Action
¬ Evading TippingPoint 3.6.2demonstration
10/17/2014 #28
![Page 29: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/29.jpg)
www.ernw.de
Snort / Sourcefire¬ Quite similar situations, as
expected.
¬ Still, the commercial device suffers from a 0-day evasion technique that the latest open-source version does not!
10/17/2014 #29
![Page 30: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/30.jpg)
www.ernw.de
The Chronicle of the Communication
¬ We first contacted the Snort devson17th of June.
“Please, send us the pcap files”
We did; no news since then…
¬ Reported a Sourcefire issue in Sep 14, and Sep 25, etc., including pcap files.
A kind of “don’t waste my time” approach.
“Please, contact the customer support…”
10/17/2014 #30
![Page 31: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/31.jpg)
www.ernw.de
Fair enough!
¬ Time for a full disclosure!
¬ Live demos for both.
10/17/2014 #31
![Page 32: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/32.jpg)
www.ernw.de
Evading Sourcefire
¬ Sourcefire, Model 3D7020 (81) Version 5.2.0.3 (Build 48).
¬ Preproc decoder rules were enabled: GID 116 family and specifically, SID 458
(IPV6_BAD_FRAG_PKT), 272 and 273 are enabled.
10/17/2014 #32
![Page 33: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/33.jpg)
www.ernw.de
Evading Sourcefire
10/17/2014 #33
IPv6 main header
IPv6 DestOpt Hdr
IPv6 Fragment Hdr
IPv6 DestOpt Hdr
IPv6 DestOpt Hdr
IPv6 DestOpt Hdr
IPv6 main header
IPv6 DestOpt Hdr
IPv6 Fragment Hdr
IPv6 DestOpt Hdr
IPv6 DestOpt Hdr
IPv6 DestOpt Hdr
Layer 4 header
Unfragmentable part Fragmentable part
1st
fra
gm
en
t2
nd
fra
gm
en
t
Note: Next header values for Fragment Extension headers: The correct ones (60)
![Page 34: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/34.jpg)
www.ernw.de
Evading Snort¬ Latest Snort version, 2.9.6.2
¬ Preproc decoder rules are enabled: GID 116 family and specifically, SID 458
(IPV6_BAD_FRAG_PKT), 272 and 273 are enabled.
10/17/2014 #35
![Page 35: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/35.jpg)
www.ernw.de
Evading Snort
10/17/2014 #36
IPv6 main header
IPv6 Hop-by-Hop
IPv6 Fragment Hdr
IPv6 Type-3 Routing Hdr
IPv6 DestOpt Hdr
IPv6 DestOpt Hdr
IPv6 main header
IPv6 Hop-by-Hop
IPv6 Fragment Hdr
IPv6 Type-3 Routing Hdr
IPv6 DestOpt Hdr
Layer 4 header
Layer 4 payloadr
Unfragmentable part Fragmentable part
1st
fra
gm
en
t2
nd
fra
gm
en
t
Note: Next header values for Fragment Extension headers: the correct ones (60)
![Page 36: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/36.jpg)
www.ernw.de
¬ RFCs should strictly define the exact legitimate usage.
“Loose” specifications result in ambiguities and so they introduce potential attack vectors.
Functionality and flexibility are definitely good things, but security is non-negotiable.
¬ Make fully-compliant IPv6 products and test them thoroughly.
10/17/2014 #37
“Culture” Mitigations
![Page 37: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/37.jpg)
www.ernw.de
¬ Implementation of RFC 7112. An intermediate system (e.g., router or
firewall) that receives an IPv6 First Fragment that does not include the entire IPv6 Header Chain MAY discard that packet.
Still, not a panacea…
¬ For the time being: Configure your devices to drop IPv6
extension headers not used in your environment. OR
At least sanitize traffic before the IDPS.
10/17/2014 #38
Technical Mitigations
![Page 38: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/38.jpg)
www.ernw.de© ERNW GmbH | Carl-Bosch-Str. 4 | D-69115 Heidelberg #39
This Is how a Certain Vendors Interprets This
![Page 39: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/39.jpg)
www.ernw.de
In Case You still Want to Use an IDPS …
10/17/2014 #40
IDPS
¬ you MUST (header-wise) scrub the traffic before entering the IDPS.
Scrubbing
![Page 40: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/40.jpg)
www.ernw.de
¬ These are just some of the IPv6 “grey areas”. Other may also exist. Hint: MLD comes to mind…
[see our upcoming DeepSec talk]
¬ IPv6 security awareness. Test it and use it, in your lab.
You will have to do it, sooner or later, anyway…
10/17/2014 #41
The Most Important “Take Away”
![Page 41: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/41.jpg)
www.ernw.de
Tool & Slides:https://www.insinuator.net
http://www.secfu.net/tools-scripts/
There’s never enough time…
THANK YOU… ...for yours!
10/17/2014 © ERNW GmbH | Carl-Bosch-Str. 4 | D- 69115 Heidelberg #42
![Page 42: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/42.jpg)
www.ernw.de
Questions?
¬ You can reach us at: [email protected], www.secfu.net
[email protected], www.insinuator.net
¬ Follow us at: @AntoniosAtlasis
@Enno_Insinuator
10/17/2014 #43
![Page 43: Evasion of High-End IDPS Devices at the IPv6 Era · Evasion of High-End IDPS Devices at the IPv6 Era Antonios Atlasis secfu.net aatlasis@secfu.net Enno Rey ERNW GmbH erey@ernw.de](https://reader033.fdocuments.us/reader033/viewer/2022041920/5e6bb9d57af667578f23b958/html5/thumbnails/43.jpg)
www.ernw.de
March, 16-20 2015Heidelberg, GermanyMake the world a safer place.
REGISTRATION OPEN: www.troopers.de
10/17/2014 © ERNW GmbH | Carl-Bosch-Str. 4 | D-69115 Heidelberg | www.ernw.de #44
There are few things to know about TROOPERS: