DOI: 10.1007/978-3-031-51476-0_14
Article

A New Model for Testing IPv6 Fragment Handling

Published: 11 January 2024

Abstract

Since the origins of the Internet, various vulnerabilities exploiting the IP fragmentation process have plagued the IPv4 protocol, many leading to a wide range of attacks. IPv6 modified the handling of fragmentation and introduced a specific extension header, but this did not solve the related problems, as extensive literature has shown. One of the primary sources of problems has been overlapping fragments, which result in unexpected or malicious packets when reassembled. To overcome the problems related to fragmentation, the authors of RFC 5722 decided that IPv6 hosts MUST silently drop overlapping fragments.
Since then, several studies have proposed methodologies to check whether IPv6 hosts accept overlapping fragments and are still vulnerable to related attacks. However, some of these methodologies have not been proven complete or need to be more accurate. In this paper, we propose a novel model to check IPv6 fragmentation handling, specifically suited to the reassembly strategies of modern operating systems. Previous models considered the OS reassembly policy to be byte-based. Nowadays, however, reassembly policies are fragment-based, making previous models inadequate. Our model leverages the commutative property of the checksum, simplifying the whole assessment process. Starting with this new model, we were able to better evaluate the RFC 5722 and RFC 9099 compliance of modern operating systems with respect to fragmentation handling. Our results suggest that IPv6 fragmentation can still be considered a threat and that more effort is needed to solve related security issues.
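
The RFC 5722 rule named in the abstract, written as a reassembly check that decides per fragment rather than per byte. This is an added example, not code from the paper: the `Frag` tuple, the verdict strings and the sample fragments are constructed, and the exact-duplicate exemption and the 8-byte checks are taken from RFC 8200.

```python
from typing import NamedTuple

class Frag(NamedTuple):
    offset: int   # byte offset of the data within the fragmentable part
    data: bytes   # fragment payload
    more: bool    # M flag: True on every fragment except the last

def reassemble(frags):
    """Return (verdict, payload) for one datagram's fragments, in arrival order."""
    kept = []
    for f in frags:
        # RFC 8200: offsets are in 8-byte units and every fragment except
        # the last carries a multiple of 8 bytes.
        if not f.data or f.offset % 8 or (f.more and len(f.data) % 8):
            return ("malformed", None)
        if f in kept:
            continue  # exact duplicate: RFC 8200 allows dropping only the copy
        for k in kept:
            if f.offset < k.offset + len(k.data) and k.offset < f.offset + len(f.data):
                # RFC 5722: one overlapping fragment condemns the whole
                # datagram, whatever bytes the overlap would have carried.
                return ("overlap", None)
        kept.append(f)
    kept.sort(key=lambda frag: frag.offset)
    end = 0
    for i, f in enumerate(kept):
        if f.offset != end:
            return ("incomplete", None)   # hole before this fragment
        if not f.more and i != len(kept) - 1:
            return ("malformed", None)    # data placed beyond the final fragment
        end += len(f.data)
    if not kept or kept[-1].more:
        return ("incomplete", None)       # final fragment not seen yet
    return ("ok", b"".join(f.data for f in kept))

# Constructed sample fragments of one 20-byte payload.
A = Frag(0, b"A" * 8, True)
B = Frag(8, b"B" * 8, True)
C = Frag(16, b"C" * 4, False)
X = Frag(8, b"X" * 8, True)   # same range as B, different content

if __name__ == "__main__":
    for name, seq in [("in order", [A, B, C]), ("reordered", [C, A, B]),
                      ("duplicate", [A, A, B, C]), ("overlap", [A, B, X, C]),
                      ("hole", [A, C])]:
        print(name, reassemble(seq)[0])
```

A host that returns a payload for the `[A, B, X, C]` sequence, whichever of `B` or `X` it keeps, is not following RFC 5722.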

References

[1] Arends, R.: DNS security introduction and requirements. IETF RFC 4033 (2005)
[2] Atlasis, A.: Attacking IPv6 implementation using fragmentation. In: Black Hat Europe Conference (2012)
[4] Bethencourt, J., Franklin, J., Vernon, M.: Mapping internet sensors with probe response attacks. In: Proceedings of the 14th Conference on USENIX Security Symposium, SSYM 2005, vol. 14, p. 13. USENIX Association, USA (2005)
[5] Deering, S.E., Hinden, R.M.: Internet Protocol, version 6 (IPv6) specification. IETF RFC 2460 (1998)
[6] Deering, S.E., Hinden, R.M.: Internet Protocol, version 6 (IPv6) specification. IETF RFC 8200 (2017)
[7] Gilad, Y., Herzberg, A.: Fragmentation considered vulnerable. ACM Trans. Inf. Syst. Secur. 15(4), 1–31 (2013)
[8] Gont, F.: Processing of IPv6 "Atomic" Fragments. IETF RFC 6946 (2013)
[9] Gupta, M., Conta, A.: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. RFC 4443 (2006). https://www.rfc-editor.org/info/rfc4443
[10] Göhring, M., Shulman, H., Waidner, M.: Path MTU discovery considered harmful. In: 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), pp. 866–874 (2018)
[11] Heffner, J., Mathis, M., Chandler, B.: IPv4 reassembly errors at high data rates. IETF RFC 4963 (2007)
[12] Kantarjiev, C.A., Mogul, J.C.: Fragmentation considered harmful. In: Proceedings of the ACM Workshop on Frontiers in Computer Communications Technology, SIGCOMM 1987, pp. 390–401. Association for Computing Machinery, New York (1987)
[13] Kaufman, C., Hoffman, P.: Internet Key Exchange Protocol Version 2 (IKEv2). IETF RFC 5996 (2010)
[14] Kaufman, C., Perlman, R., Sommerfeld, B.: DoS protection for UDP-based protocols. In: Proceedings of the 10th ACM Conference on Computer and Communication Security - CCS 2003 (2003)
[15] Krishnan, S.: Handling of overlapping IPv6 fragments. IETF RFC 5722 (2009)
[16] Li, Z., Goyal, A., Chen, Y., Paxson, V.: Automating analysis of large-scale botnet probing events. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS 2009, pp. 11–22. Association for Computing Machinery, New York (2009)
[17] Miller, I.: Protection Against a Variant of the Tiny Fragment Attack (RFC 1858). IETF RFC 3128 (2001)
[18] Novak, J.: Target-Based Fragmentation Reassembly. Sourcefire, Columbia (2005)
[19] Postel, J.: Internet Protocol. IETF RFC 791 (1981)
[20] Qian, Z., Mao, Z.M.: Off-path TCP sequence number inference attack - how firewall middleboxes reduce security. In: 2012 IEEE Symposium on Security and Privacy (2012)
[21] Qian, Z., Mao, Z.M., Xie, Y.: Collaborative TCP sequence number inference attack. In: Proceedings of the 2012 ACM conference on Computer and communications security - CCS 2012 (2012)
[22] Reed, D., Traina, P.S., Ziemba, P.: Security Considerations for IP Fragment Filtering. IETF RFC 1858 (1995)
[23] Salutari, F., Cicalese, D., Rossi, D.J.: A closer look at IP-ID behavior in the wild. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) Passive and Active Measurement, pp. 243–254. Springer, Cham (2018)
[24] Shankar, U., Paxson, V.: Active mapping: resisting NIDS evasion without altering traffic. In: Proceedings 19th International Conference on Data Engineering (Cat. No.03CH37405) (2003)
[25] Ullrich, J., Krombholz, K., Hobel, H., Dabrowski, A., Weippl, E.: IPv6 security: attacks and countermeasures in a nutshell. In: 8th USENIX Workshop on Offensive Technologies (WOOT 14) (2014)
[26] Vyncke, E., Chittimaneni, K., Kaeo, M., Rey, E.: Operational Security Considerations for IPv6 Networks. RFC 9099 (2021). https://www.rfc-editor.org/info/rfc9099
[27] Zalewski, M.: Strange attractors and TCP/IP sequence number analysis (2001). http://lcamtuf.coredump.cx/newtcp/
[28] Zalewski, M.: A new TCP/IP blind data injection technique? (2003). https://seclists.org/bugtraq/2003/Dec/161
[29] Zalewski, M.: Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks. No Starch Press, San Francisco (2005)


Published In

Computer Security – ESORICS 2023: 28th European Symposium on Research in Computer Security, The Hague, The Netherlands, September 25–29, 2023, Proceedings, Part II
Sep 2023
538 pages
ISBN: 978-3-031-51475-3
DOI: 10.1007/978-3-031-51476-0
Editors: Gene Tsudik, Mauro Conti, Kaitai Liang, Georgios Smaragdakis

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

1. Network security
2. IPv6
3. Fragmentation
4. Modification Attack
