ipv6ddos

Windows Denial of Service by IPv6 RA Packets

Any version of Windows with IPv6 installed and running is vulnerable to a DoS attack by sending thousands of Router Assignment (RA) packets. This vulnerability has been known since mid 2010, and you’re not the only one wondering why this hasn’t been patched yet. Here is a video demonstrating the attack on a LAN with 7, XP and virtual machines.

So as you can imagine, I wanted to give this a shot. I setup my VLAN and was astonished by the simplicity of the attack.

The Attack

I ran the attack from Backtrack 5 R1 running in a virtual machine on my VLAN. (thc-ipv6 suite is installed by default in BT).

flood_router6 int

The program ran for no more than 1 second, but that is enough to bring down anyone on the network. My Windows 7 machine instantly went to 100% CPU usage and stayed there until I rebooted the machine. Running ipconfig will show you the fake networks that Windows is joining.

Even after disabling the NIC and dropping all connections, the CPU is at 100%, and will stay there until you reboot the machine.

Mitigation

Disable IPv6 (not a good idea), Turn off Router Discovery (great for servers, not for workstations), set rules in your firewall to drop rogue RA packets and install hardware with RA guards.

Sam Bowne has suggested the following:

Turning Off Router Discovery - I recommend turning off Router Discovery on all servers and any other machines that do not need “Stateless Autoconfiguration” (automatically configured IPv6 addresses), with this command (execute it from an Administrator Command Prompt):

netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

I found that solution here: http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/768252f8-8872-453b-aa8f-1c4fd6c52856

Blocking Rogue Router Advertisements with Windows Firewall - This method allows you to use Stateless Autoconfiguration from your authorized gateways, but block dumb rogues. However, a smart rogue could just sniff your Router Advertisement packets and spoof the authorized source address, to bypass the firewall rule. So this is a weak defense.

To do this, open “Windows Firewall with Advanced Security” and double-click the “Core Networking – Router Advertisement (ICMPv6-In)” rule.

In the Properties sheet, on the Scope tab, in the “Remote IP address” section, the IP address starts at fe80::/64, which allows any host on the LAN to send Router Advertisements. Edit this to a more specific address which matches your authorized servers…”

Sources 

http://samsclass.info/ipv6/proj/flood-router6a.htm

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4669

http://www.securityfocus.com/bid/45760/info

2 thoughts on “Windows Denial of Service by IPv6 RA Packets

Share Your Comment!