MLD Considered Harmful - Breaking Another IPv6 Subprotocol

Presented at Black Hat Asia 2015, Unknown date/time (Unknown duration).

Multicast Listener Discovery (MLD) and its successor, MLDv2, is a protocol of the IPv6 suite used by IPv6 routers for discovering multicast listeners on a directly attached link, much like IGMP is used in IPv4. Multicasting is a key feature of IPv6 which is supposed to be used even by the Neighbor Discovery process. Most modern Operating Systems (OS), like Windows, Linux, and FreeBSD, not only come per-configured with IPv6 enabled, but they also start-up by sending MLDv2 traffic, which is repeated periodically. Despite of the out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that have not be studied yet to a suitable extent, especially as far as its potential security implications are concerned. These ones can vary from network scanning and OS fingerprinting on the local-link, to amplified DoS attacks and to consumption of resources at routers. To this end, we will discuss potential security issues related with the design of MLD and we will examine how they can be exploited by attackers. A live demo will show how such an attack can take place by using MLD messages in order to disrupt multicasting communication. Finally, specific security mitigation techniques will be proposed to defend against them, which will allow us to to secure IPv6 networks to the best possible extend in the emerging IPv6 era.


Presenters:

  • Antonios Atlasis - secfu.net
    Antonios Atlasis, MPhil, PhD, is an independent IT Security Analyst and Researcher having over 20 years of diverse Information Technology experience. He is also an accomplished instructor and software developer and he has been granted a number of awards both for his academic work and his professional achievements. His main research interests include vulnerability discoveries in IPv6, SCADA systems, and other critical protocols.
  • Jayson Salazar - ERNW GmbH
    Jayson Salazar currently works as a penetration tester in Germany. The focus of his work lies mostly in the areas of application and network security in enterprise environments, at the moment mainly IPv6.
  • Rafael Schaefer - ERNW GmbH
    Rafael Schaefer is a security researcher and a penetration tester working for ERNW. His research focuses on network security issues and especially to IPv6 ones. His work has led to the discover of several IDPS vulnerabilities related with IPv6.

Links:

Similar Presentations: