EVASION OF HIGH-END IPS DEVICES IN THE AGE OF IPV6 presented at blackhatsummer 2014

by Rafael Schaefer,

Summary: The IPv6 era is here, whether you already use it or continue to ignore it. However, even in the latter case, this does not mean that your "nodes" (end-hosts, networking devices, security devices) are not already pre-configured with IPv6 connectivity - at least to some extent. At the same time, ARIN states that it is currently in phase three of a 4-phased "IPv4 Countdown Plan," being already down to about 0.9 /8s in aggregate. On the other hand, RIPE NCC reached its last /8 of IPv4 address space quite some time ago.
What IPv6 does not forgive, for sure, is a lack of security awareness. It has been shown several times in the past that this "new" layer-3 protocol, apart from the huge address space and other new functionalities, brings with it several security issues. In this paper, it will be shown that significant security issues still remain unsolved. Specifically, three different but novel techniques will be presented that allow attackers to exploit even a really minor detail in the design of the IPv6 protocol to make security devices like high-end commercial IDPS devices completely blind. These techniques allow the attackers to launch any kind of attack against their targets - from port scanning to SQLi - while remaining undetected. After a detailed analysis of the attacks and the corresponding exploitation results against IDPS devices is presented, potential security implications for other security devices, like firewalls, will be examined. Finally, specific mitigation techniques, both short-term and long-term, will be proposed to protect your network from these attacks.