EVASION OF HIGH-END IDPS DEVICES AT THE IPV6 ERA presented at BlackHatEU 2014

by Enno Rey, Antonios Atlasis, Rafael Schaefer

Summary: The forthcoming depletion of IPv4 addresses is now closer than ever. For instance, ARIN states that they are currently in phase three of a 4-phased "IPv4 Countdown Plan," being already down to about 0.9/8s in aggregate. On the other hand, RIPE NCC reached its last /8 of IPv4 address space quite some time ago. Moreover, the nodes of the networks (end-hosts, networking devices, security devices, etc.) are already pre-configured with IPv6 connectivity, at least to some extent. All the latest popular operating systems, from Windows to Linux or FreeBSD, send IPv6 messages out of the box, while the hosts are reachable by using at least IPv6 link-local addresses. So, IPv6 is finally here and it is definitely going to stay.
However, what IPv6 does not forgive is the lack of security awareness. IPv6 is not IPv4 with just an extended address space. It has been shown several times in the past that this "new" layer-3 protocol, apart from the huge address space and other new functionalities, also brings with it several security issues. In this talk, we are going to present our latest research findings regarding the evasion of high-end commercial and open-source IDPS, all with the latest patches, extending our previously presented work even further. These techniques allow attackers to launch any kind of attack against their targets, from port scanning to SQLi, while remaining undetected. During the talk, these issues will not only be demonstrated with live demos; the techniques used, which allow attackers to exploit even a really minor detail in the design of the IPv6 protocol, will also be described in detail, and simple ways to reproduce them will be given. Finally, specific mitigation techniques will be proposed, both short-term and long-term ones, in order to protect your network from them.

Enno Rey: Daniel and Enno are long-time network geeks who love to explore network devices & protocols and to break flawed ones.