Evasion of High-End IDPS Devices at the IPv6 Era

Presented at Black Hat Europe 2014, Oct. 17, 2014, 9 a.m. (60 minutes).

The forthcoming depletion of IPv4 addresses is now closer than ever. For instance, ARIN states that it is currently in phase three of a four-phase "IPv4 Countdown Plan," being already down to about 0.9 /8s in aggregate. RIPE NCC, on the other hand, reached its last /8 of IPv4 address space quite some time ago. Moreover, the nodes of today's networks (end-hosts, networking devices, security devices, etc.) are already pre-configured with IPv6 connectivity, at least to some extent. All the latest popular operating systems, from Windows to Linux or FreeBSD, send IPv6 messages out of the box, and the hosts are reachable by using at least IPv6 link-local addresses. So, IPv6 is finally here and it is definitely going to stay.

However, what IPv6 does not forgive is a lack of security awareness. IPv6 is not IPv4 with just an extended address space. It has been shown several times in the past that this "new" layer-3 protocol, apart from the huge address space and other new functionalities, also brings with it several security issues. In this talk, we are going to present our latest research findings regarding the evasion of high-end commercial and open-source IDPS, all with the latest patches, extending our previously presented work even further. These techniques allow attackers to launch any kind of attack against their targets, from port scanning to SQLi, while remaining undetected. During the talk, not only will these issues be demonstrated with live demos, but the techniques that allow attackers to exploit even a really minor detail in the design of the IPv6 protocol will also be described in detail, and simple ways to reproduce them will be given. Finally, specific mitigation techniques will be proposed, both short-term and long-term ones, in order to protect your network from them.


Presenters:

  • Antonios Atlasis - secfu.net
    Antonios Atlasis, MPhil, PhD, is an independent IT Security Analyst and Researcher with over 20 years of diverse Information Technology experience. He is also an accomplished instructor and software developer, and he has been granted a number of awards both for his academic work and his professional achievements. His main research interests include vulnerability discoveries in IPv6, SCADA systems, and other critical protocols.
  • Enno Rey - ERNW GmbH
    Enno is a long time network geek who loves to explore network devices and protocols and to break flawed ones.
  • Rafael Schaefer - ERNW GmbH
    Rafael is studying Informatics and specializing in Telecommunication at the Bonn-Rhein-Sieg University of Applied Sciences (Department of Computer Science). His research focuses on network and IPv6 security issues. He is working on his Bachelor's thesis, "IDS - Recognition and Validation of IPv6 Extension Header."
