MLD CONSIDERED HARMFUL - BREAKING ANOTHER IPV6 SUBPROTOCOL presented at BlackHatAsia 2015

by Antonios Atlasis, Rafael Schaefer, Jayson Salazar

Summary: Multicast Listener Discovery (MLD), together with its successor MLDv2, is a protocol of the IPv6 suite used by IPv6 routers to discover multicast listeners on a directly attached link, much like IGMP is used in IPv4. Multicasting is a key feature of IPv6 and is supposed to be used even by the Neighbor Discovery process. Most modern operating systems (OS), like Windows, Linux, and FreeBSD, not only come pre-configured with IPv6 enabled, but also start up by sending MLDv2 traffic, which is repeated periodically. Despite this out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that have not yet been studied to a suitable extent, especially as far as its potential security implications are concerned. These can range from network scanning and OS fingerprinting on the local link, to amplified DoS attacks, to consumption of resources at routers. To this end, we will discuss potential security issues related to the design of MLD and examine how they can be exploited by attackers. A live demo will show how such an attack can take place by using MLD messages to disrupt multicast communication. Finally, specific security mitigation techniques will be proposed to defend against such attacks, which will allow us to secure IPv6 networks to the best possible extent in the emerging IPv6 era.