The video demonstrates how to bypass an access control list on HP A5800 switch using IPv6 and extension headers. The attacker uses kernel modul which adds empty destination-options headers to the whole TCP session, thus is able to connect to any service on the server. The video is temporarily removed … Read More
Hiding TCP Traffic: Threats and Counter-measuresLibor Polčák
Computer networks were designed to be simple and routers do not validate the integrity of the processed traffic. Consequently, an attacker can modify his or her traffic with the aim of confusing any analyser that intercepts the traffic, e.g. monitoring and security software or lawful interception. This paper studies the … Read More
Rogue Router Advertisement AttackJozef Pivarnik, Matej Gregr
This article describes first hop security issue of IPv6 Neighbor Discovery Protocol. Vulnerability of this protocol is exploited to perform a Rogue Router Advertisement attack. Currently, there are few mitigation techniques available against this type of attack. Most of them, however are useful only in specific scenarios, or not widely used, mainly because insufficient support of vendors. This article presents probably the most applicable mitigation technique against the Rogue RA attack — RA Snooping. Specifically, its implementations by Cisco and HP (H3C).
IPv6 RA flood DoS attack in Windows 8Tomas Podermanski
RA flood attack is known for a few years. It appeared in many operating systems. Some vendors have already fixed the issue. Unfortunately Microsoft Windows product are still vulnerable including the latest version of Windows 8. Following video demonstrates the flood attack on on the latest version Windows 8 using thc-ipv6 toolkit.
Deploying IPv6 – practical problems from the campus perspectiveTomas Podermanski, Matej Gregr, Miroslav Švéda
On February 2011, IANA has run out of IPv4 addresses. On April 2011, APNIC pool reached the final /8 IPv4 address block. Projected address pool exhaustion for other RIRs varies from the beginning of the 2012 to the end of 2014. This situation pushes organizations to think about transition to IPv6. Unfortunately IPv4 and IPv6 are incompatible protocols that make the transition more difficult and raise new security issues. This paper shares experiences of deploying IPv6 in the university campus network, describes the most significant troubles that we have been faced with and describes the best practices in the practical IPv6 deployment. The article discusses differences in IPv6 and IPv4 networks with focus on the first hop security, autoconfiguration (SLAAC, DHCP, DHCPv6) and different client’s support.
Deploying IPv6 in University Campus Network – Practical ProblemsTomas Podermanski, Matej Gregr
IPv4 addresses are still running out. Global IPv4 address pool administered by IANA organization is depleted together with IPv4 pool of APNIC Routing Registry. This situation pushes organizations to think about IPv6 transition. Unfortunately IPv4 and IPv6 are incompatible protocols which raise new security issues and problems with user monitoring and accounting. The article shares experiences of deploying IPv6 on the university campus network and describes the most significant troubles that we have been faced with. It describes and compares differences in first hop security in IPv6 and IPv4 networks. Issues connected with user addressing, accounting and monitoring are also discussed. The experience is mainly based on the deployment of IPv6 on the campus network at Brno University of Technology which is one of the biggest universities in the Czech Republic.
Security concerns and solutions with IPv6Tomas Podermanski
Growing number of IPv6 devices in the network would bring new security challenges. Are there any security improvements comparing to IPv4 or IPv6 brings some new security threads. IPv6 have been developed for more than 15 years so far and presentation tries to find the answer if IPv6 cold be … Read More
Fake router detection – practical experienceMatej Gregr
6to4 (RFC 3056) is a transition mechanism allowing users to communicate with IPv6 enabled sites and services with minimal manual configuration. Globally unique IPv4 address is the only prerequisite. Together with anycast prefix for 6to4 routers (defined in RFC 3068) provides a simple solution, how even an end site can … Read More
Network Monitoring Based on IP Data FlowsMartin Zadnik
Do you monitor your network? Try to answer the following questions. Which users and which services use the most network bandwidth, and do they exceed authorised limits? Do users use only the permitted services, or do they occasionally “chat” with friends during work hours? Is my network scanned or assaulted by attackers? NetFlow will answer these and other questions.
In the network world, NetFlow is synonymous with monitoring IP data flows. A flow is generally defined as a sequence of packets which share a common feature and pass through an observation point. In the NetFlow terminology this definition is narrowed down to a one-way packet sequence with identical source and destination IP addresses, source and destination ports and protocol number. Various indicators are monitored for each such quintuple, for instance, the duration or the amount of data transferred for a flow.