
DoS/DDoS Attack, Prevention and Zero Day DoS Vulnerability in IPv6

- Kumar Sourav
kumarsourav.net@gmail.com

License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE


TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL"
OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT
AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK
OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR
COPYRIGHT LAW IS PROHIBITED.
BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE,
YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF
THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE
CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU
THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR
ACCEPTANCE OF SUCH TERMS AND CONDITIONS
Attribution - You must attribute the work in the manner specified by
the author or licensor (but not in any way that suggests that they
endorse you or your use of the work).
Noncommercial -You may not use this work for commercial
purposes.
No Derivative Works - You may not alter, transform, or build upon
this work.

CONTENTS

1 INTRODUCTION
1.1 DoS OVERVIEW
1.2 DDoS OVERVIEW
2 TOOLS USED IN DoS/DDoS
3 DoS ATTACK
3.1 DEFINING DoS ATTACK
3.2 CLASSIFICATION OF DoS ATTACK
4 DDoS ATTACK
4.1 DEFINING DDoS ATTACKS
4.2 DDoS STRATEGIES
4.3 DDoS CLASSIFICATION
5 CLASSIFICATION OF DDoS PREVENTION MECHANISMS
5.1 INTRUSION PREVENTION
5.2 INTRUSION DETECTION
5.3 INTRUSION RESPONSE
5.4 CLASSIFICATION BY DEPLOYMENT LOCATION
6 ZERO DAY DoS VULNERABILITY IN IPv6
7 CONCLUSION

1. INTRODUCTION

The number of Internet users is growing rapidly, and so is the number of services delivered over the Internet. Banking, medical, business and education services are all available via the web; almost every service can now be found online.

Fig.1.1 Increase in number of Internet users in recent years (source: http://www.google.com/publicdata)

The graph above [1] shows the percentage of the population using the Internet in different years. Every important Internet-based service has to be kept running so that users can reach it whenever they need it; a service that is not available when needed creates a crisis. As the number of hosts on the Internet grows, so do the threats to it, and Denial-of-Service (DoS) is among the most damaging of them. A DoS attack may be launched from many machines at once, as a Distributed Denial-of-Service (DDoS) attack, for greater effect.
In a DoS or DDoS attack the attacker uses various means to exhaust the resources of a target server or system so that other requests cannot be processed, bringing the service down. The number of DoS/DDoS attacks has been increasing drastically in recent years.

1.1 DoS OVERVIEW

DoS, or Denial-of-Service, is an attack methodology in which a single attacker or a very small number of attackers attack a service that depends on Internet or network resources, in order to prevent legitimate users from using those resources.

Fig. 1.2 The form of a DoS attack: a few attackers and the legitimate users all send traffic to the same server

As the figure shows, a small number of attackers generate enough traffic to overload the server. Once all of the server's resources are exhausted or tied up serving the attackers' traffic, requests from legitimate users can no longer be completed; the server side fails and the server cannot serve any further requests.

1.2 DDoS OVERVIEW

A Distributed Denial-of-Service attack is commonly characterized as an event in which a legitimate user or organization is deprived of services, such as web, email or network connectivity, that they would normally expect to have. DDoS is basically a resource-overloading problem. The resource can be bandwidth, memory, CPU cycles, file descriptors, buffers and so on. The attackers bombard the scarce resource either with a flood of packets or with a single crafted packet that triggers a chain of processing which exhausts the limited resource. The figure below illustrates a simplified DDoS attack scenario: the attacker uses three zombies to generate a high volume of malicious traffic that floods the victim over the Internet, leaving the legitimate user unable to access the service.

Fig. 1.3 An example of DDoS attack scenario

In a DDoS attack a single attacker can cause massive damage to the server: the attacker compromises many machines, turning them into zombies (a botnet), and uses them to launch the attack.

2. TOOLS USED IN DoS/DDoS

Many tools are available for launching a DoS/DDoS attack. With them an attacker can mount a successful attack easily, because the tools are freely available online and simple to use. Different tools work in different ways. Some of the most widely used tools are listed below.

Tool Name    Type of Attack Generated
Trinoo       UDP flooding
TFN          ICMP/TCP/UDP flooding
TFN2K        ICMP/TCP/UDP flooding, mixed flood
Shaft        ICMP/TCP/UDP flooding
Mstream      TCP flooding
Knight       TCP/UDP flooding
Trinity      TCP/UDP flooding

Table 2.1 Names of tools and their attack methodology

Trinoo: Trinoo launches a coordinated UDP flooding attack against a target. It uses a master-slave model: the attacker controls a number of master machines, each of which controls many compromised slave machines. Communication between attacker and master uses TCP, and between master and slave UDP. Masters and slaves are password protected so that other attackers cannot take them over.
TFN: TFN uses a command line interface for communication between the attacker and the master-slave network, and does not protect masters and slaves with passwords. It can perform SYN flood, ICMP flood and UDP flood attacks.
TFN2K: TFN2K is a more advanced version of the original TFN network. It uses TCP, UDP, ICMP, or all three, to communicate between the control master program and the slave machines. TFN2K can perform Smurf, SYN, UDP and ICMP flood attacks. Communication between the real attacker and the control master is encrypted. Besides flooding, TFN2K can also carry out vulnerability attacks by sending malformed or invalid packets.
Shaft: Shaft works much like Trinoo. In addition it can switch between master servers and change the ports in use, which makes it harder to trace or block with IDS tools.
Mstream: Mstream attacks the target with a flood of TCP ACK packets. Communication between master and zombies is unencrypted, is carried over TCP and UDP, and the master connects to the zombies via telnet. Masters can be controlled remotely by one or more attackers through a password-protected interactive login. Source addresses in attack packets are spoofed at random. Unlike other DDoS tools, the masters are notified of access attempts, successful or not, by competing parties.
Knight: Knight uses IRC channels for communication and can perform UDP and TCP SYN floods. It is designed to run mainly on Windows and has features such as automatic updating.
Trinity: Trinity also communicates over IRC channels. It can perform TCP ACK, TCP SYN and UDP flood attacks. Once installed on a compromised machine it joins a specific IRC channel and waits for commands.

3. DoS ATTACK
3.1 DEFINING DoS ATTACKS

According to the w3 security FAQ [2], Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. A DoS attack is considered to take place only when access to a computer or network resource is intentionally blocked or degraded as a result of malicious action taken by another user. These attacks do not necessarily damage data directly or permanently, but they intentionally compromise the availability of the resources. The most common DoS attacks target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed, and the computer can no longer process legitimate user requests.

3.2 DoS ATTACK CLASSIFICATION

DoS attacks can be classified into five categories according to the protocol level attacked, as illustrated in Fig. 3.1.

Fig.3.1 Classification of DoS attacks: Network Device Level, OS Level, Application Level, Data flood, Protocol feature attack

A DoS attack at the Network Device Level exploits bugs or weaknesses in the software of network devices, or tries to exhaust their hardware resources. One example is a buffer overrun in the password checking routine of Cisco 7xx routers: connecting to the router via telnet and entering an extremely long password crashed the router [2].
A DoS attack at the OS Level takes advantage of how a particular operating system handles a protocol. One example is the Ping of Death, in which an ICMP echo request is sent whose total size, after reassembly, exceeds the maximum the IP standard allows (65,535 bytes). The buffer that receives the datagram cannot hold the oversized packet, and the system tends to crash.
A DoS attack at the Application Level tries to put a machine or a service out of order, either by taking advantage of specific bugs in network applications running on the target host, or by using those applications to drain the victim's resources. The attacker may also have found operations of high algorithmic complexity and exploit them to consume all available resources on the remote host. One example of an application-level attack is the finger bomb: a malicious user causes the finger routine to be executed recursively on the hostname, potentially exhausting the resources of the host.
In a Data Flood, the attacker attempts to exhaust the bandwidth of a network, host or device. The attacker sends a massive quantity of data, mostly spoofed and meaningless packets, which the target has to process, eating up its memory and bandwidth.

DoS attacks based on protocol features take advantage of standard protocol behaviour. For example, several attacks exploit the fact that IP source addresses can be spoofed. Several types of DoS attack have focused on DNS, many of them attacking the DNS cache on name servers [3].


4. DDoS Attack
4.1 DEFINING DDoS ATTACKS
According to the w3 security FAQ, a Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator multiplies the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. At a designated time the master program communicates with any number of "agent" programs installed on computers anywhere on the Internet, and the agents initiate the attack when they receive the command. In this way the master can start hundreds or even thousands of agent programs within seconds. Its distributed nature, with the attack launched from many systems at once, makes DDoS far more effective than DoS from a single system. DDoS has a high success rate because of the architecture of the Internet; some of the reasons are listed below.

Security is interdependent: no matter how secure the victim is, its protection from DDoS depends on the rest of the Internet.

Limited resources: Internet resources are finite, and an attacker can consume them sooner or later.

Many attackers: it is a many-against-one scenario. If the attackers' combined resources exceed the victim's, the chance of a successful attack is very high.

4.2 DDoS STRATEGY

A DDoS attack has the following four components:

The attacker.

The handlers/masters, which control the zombies. These are machines on which a specific tool is installed and configured to control a number of compromised zombies.

The zombies/slaves/agents, compromised systems that generate the attack traffic. They run specific software that the attacker controls via the masters.

The victim, the target host.


Fig. 4.1 The DDoS architecture: Attacker -> Handlers -> Agents -> Victim

The following steps are taken in preparing the attack:

Selection of agents and handlers: the attacker chooses the agents and handlers that will take part in the attack. These machines must have some vulnerability that the attacker can exploit to gain access, and enough resources to generate powerful traffic.

Gaining access: the attacker exploits the vulnerability, using tools such as the Metasploit Framework, BeEF or HconSTF. After gaining access the attacker installs tools that automate the attack according to the plan. These tools run in the background, so the owners and users of the agent and handler machines have no idea that they are participating in a DDoS attack.

Communication: the attacker communicates with any number of handlers to find out which agents are up and running, to schedule attacks, or to upgrade agents. Depending on how the attacker configures the DDoS network, agents can be instructed to communicate with a single handler or with several. Communication between attacker and handlers, and between handlers and agents, can be over TCP, UDP or ICMP.

Attack: the attacker commands the start of the attack. The victim, the duration of the attack and special properties of the attack packets, such as type, length, TTL and port numbers, can be adjusted. Varying the properties of the attack packets helps the attacker avoid detection.

4.3 DDoS CLASSIFICATION

To understand the nature of DDoS it is necessary to classify the attacks. Here I focus on the two classifications shown in the figure.
Fig 4.2 Classification of DDoS attacks:
Classification by degree of automation: Manual; Semi-automatic (Direct, Indirect); Automatic
Classification by exploited vulnerability: Flood attack (UDP flood, ICMP flood); Amplification attack (Smurf attack, Fraggle attack); Protocol exploit attacks; Malformed packet attack

CLASSIFICATION BY DEGREE OF AUTOMATION

Early DDoS attacks were manual. The attacker had to scan for hosts that could be compromised, then scan them for vulnerabilities, and so on, by hand.

In semi-automatic attacks the DDoS attack follows the agent-handler model. The attacker scans for and compromises the handlers and agents using automated scripts. The attack type, the victim's address and the start of the attack are specified through the handler machines. Semi-automatic attacks can be further divided into attacks with direct communication and attacks with indirect communication. In direct communication the agent and handler need to know each other's identity in order to communicate, which means the IP addresses of the handler machines are hard-coded into the agents. The main drawback of this approach is that the discovery of one compromised machine can expose the whole DDoS network. Attacks with indirect communication use a level of indirection (for example an IRC channel, as Knight and Trinity do) to make the DDoS network more survivable.

In automated attacks the communication between attacker and handler is minimal. Sometimes a single command is enough to start and carry out the attack. All features of the attack, such as the attack type, the duration and the victim's address, are preprogrammed in the attack code. This way the attacker has minimal exposure and the chance of revealing his identity is small.

CLASSIFICATION BY EXPLOITED VULNERABILITY

DDoS attacks that take advantage of a vulnerability present on the victim machine can be divided into the following categories.
Flood attack: the attacker sends a huge amount of traffic to the victim via zombies in order to consume its resources. The attack slows the target system down or crashes it, or saturates the targeted network's bandwidth, so that legitimate users cannot get any service. Flood attacks can be divided into UDP flood and ICMP flood attacks.
In a UDP flood the attacker sends a large number of UDP packets to the victim, saturating the victim's network and depleting its bandwidth. The flood can be aimed at a specific port or at random ports; mostly random ports are used. When the victim receives a UDP packet on a port, it determines which service is listening there; if no service is listening, it replies with an ICMP Destination Unreachable (port unreachable) error. Given enough UDP packets, the system goes down. With IP spoofing the source address in the packets is changed, so the victim's replies never reach the attacker and the attacker's own resources are not exhausted.
In an ICMP flood the attacker uses the Internet Control Message Protocol (ICMP), which lets a user send ICMP echo request packets to check connectivity to a remote system. The attacker sends a huge volume of ICMP echo requests to the victim, which has to process each one and send an echo reply; if enough packets are sent, all of the victim's resources are exhausted and it cannot serve legitimate users.
Amplification attacks: the attacker or the agents exploit the IP broadcast address feature found on most routers to amplify and reflect the attack, by sending messages to a broadcast IP address. This causes the routers serving the packets to deliver them to every IP address within the broadcast range, and the resulting malicious traffic consumes the victim's bandwidth. The attacker can send the broadcast messages directly, or use agents to send them in order to increase the volume of attack traffic. When the broadcast message is sent directly, the attacker uses the systems within the broadcast network as agents without needing to infiltrate them or install any agent software. Two well known amplification attacks are Smurf and Fraggle.
A Smurf [4] attack sends ICMP echo requests with the spoofed source address of the victim to a number of IP broadcast addresses. A broadcast network generally contains many hosts, and in most cases every host accepts the ICMP echo request and replies to the source address, which is the victim's. The victim therefore receives a huge number of ICMP packets and cannot provide its service properly. Using a network to create a large amount of response traffic from a single request is known as amplification.
A Fraggle attack is almost the same as Smurf, the only difference being that it uses UDP echo packets instead of ICMP echo packets. UDP echo can create even more traffic than ICMP echo, and the result can be even more damaging.

Protocol exploit attacks: a protocol exploit attack abuses a specific feature or implementation weakness of a protocol on the victim machine in order to consume an excessive amount of resources. An example is the TCP SYN attack.
The TCP SYN attack exploits the inherent weakness of the three-way handshake used in TCP connection setup. A server, on receiving an initial SYN (synchronize/start) request from a client, sends back a SYN/ACK (synchronize/acknowledge) packet and waits for the client's final ACK (acknowledge). The attacker starts a SYN flood by sending a large number of SYN packets and never acknowledging any of the replies, leaving the server waiting for ACKs that never arrive. Since the server has only a limited backlog queue for new connections, the SYN flood fills that queue and the server can no longer accept other incoming connections.
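The backlog exhaustion described above, modelled in Python as an added example (this code is not from the original paper): a fixed-capacity table of half-open connections receives a flood of SYNs from spoofed, constructed source addresses that never complete the handshake, and a legitimate client's SYN is then dropped until the stale entries time out. The capacity, timeout and address ranges are assumptions chosen for illustration.

```python
"""Model of a TCP listen backlog under SYN flood.

Each SYN reserves one half-open slot; the slot is freed when the
client's final ACK arrives or when the entry times out. Spoofed SYNs
never ACK, so they hold their slots for the whole timeout.
"""
from __future__ import annotations

from collections import OrderedDict


class SynBacklog:
    """Half-open connection table with fixed capacity and a timeout."""

    def __init__(self, capacity: int, timeout: float) -> None:
        self.capacity = capacity
        self.timeout = timeout
        # (src_ip, src_port) -> arrival time of the SYN, oldest first
        self.half_open: OrderedDict[tuple[str, int], float] = OrderedDict()
        self.dropped = 0
        self.established = 0

    def _expire(self, now: float) -> None:
        """Evict entries whose SYN/ACK has gone unanswered for `timeout` seconds."""
        while self.half_open:
            _, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            self.half_open.popitem(last=False)

    def on_syn(self, src: tuple[str, int], now: float) -> bool:
        """Return True if the SYN got a slot (the server would send SYN/ACK)."""
        self._expire(now)
        if src in self.half_open:
            return True                   # retransmitted SYN reuses its slot
        if len(self.half_open) >= self.capacity:
            self.dropped += 1             # backlog full: SYN silently dropped
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src: tuple[str, int], now: float) -> bool:
        """Return True if the ACK completed a pending handshake."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False                  # no matching half-open entry
        self.established += 1
        return True


def simulate(capacity: int = 128, timeout: float = 60.0, flood_size: int = 1000) -> dict:
    """Fill the backlog with spoofed SYNs, then see what a real client gets."""
    backlog = SynBacklog(capacity, timeout)
    # Constructed attack traffic: unique spoofed sources in 10.0.0.0/8, no ACKs ever.
    for i in range(flood_size):
        src = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000)
        backlog.on_syn(src, now=1.0)
    slots_after_flood = len(backlog.half_open)

    legit = ("203.0.113.7", 51515)
    during = backlog.on_syn(legit, now=2.0)            # table still full
    after = backlog.on_syn(legit, now=2.0 + timeout)   # spoofed entries expired
    completed = backlog.on_ack(legit, now=2.1 + timeout)
    return {
        "slots_after_flood": slots_after_flood,
        "dropped": backlog.dropped,
        "legit_accepted_during_flood": during,
        "legit_accepted_after_timeout": after,
        "legit_completed": completed,
        "established": backlog.established,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The run shows why the timeout matters: with a 60 s timeout, the 128 slots are held by the first 128 spoofed SYNs and the legitimate client is refused until they expire, while the attacker only needs a trickle of fresh SYNs to keep the table full. Real stacks shorten the timeout under pressure or switch to SYN cookies, which avoid storing per-SYN state altogether.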

Malformed packet attack: these attacks send malformed IP or HTTP packets to the victim, and the system overloads while trying to process them. An example is the incomplete HTTP request attack.
The incomplete HTTP request attack is recent and takes advantage of the fact that a web server holds a connection open, keeping its state, until the complete request has arrived. A tool called Slowloris, written in Perl, implements this attack very efficiently: it opens many connections to the server and sends only a fragment of an HTTP request on each, adding a little more every so often so that the server keeps waiting, until the server's pool of concurrent connections is exhausted and legitimate clients are refused. The tool is used on Linux because it needs to build a large number of sockets at once, which other operating systems do not allow.
16

5. CLASSIFICATION OF DDoS PREVENTION MECHANISMS

Detecting and defending against DDoS is difficult for several reasons: DDoS attacks have no single characteristic behaviour that can be used to detect them; their distributed nature is a hurdle both to detection and to preparing a defence; and attackers can use IP spoofing, which makes them harder to trace. Moreover the tools used for DDoS are readily available and anyone can download them from the Internet.
Still, there are defence mechanisms that act at different levels to detect and prevent DDoS attacks from their known characteristics. DDoS detection and prevention techniques can be classified in two main ways. The first is by the activity deployed, which gives three subcategories:
Intrusion Prevention
Intrusion Detection
Intrusion Response

The second is by the location at which the defence is deployed, which gives three categories:
Victim Network
Intermediate Network
Source Network

5.1 INTRUSION PREVENTION

Intrusion prevention is the best strategy against DDoS: the attack is prevented from taking place at all. Several techniques can be used to stop a DDoS attack before it starts.
USING GLOBAL FILTERING TECHNIQUES
Filtering can keep attack traffic from reaching the victim. The most effective filtering techniques are the following:
Ingress Filtering [5]: a router is set up to filter illegitimate traffic, meaning traffic from illegitimate or forged source addresses. The router drops any packet whose source address does not belong to a network prefix known to be connected to the interface on which the packet arrived. It checks the source address of every incoming packet and discards the packet if the address does not match the prefix of that interface. If deployed on all routers at the edges of the networks where traffic originates, this technique eliminates IP spoofing.
Egress Filtering [6, 7]: a filter applied to packets leaving the network. It relies on the fact that no legitimate outgoing packet can carry a source address that is not allocated to that network. It is the mirror image of ingress filtering.
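Ingress and egress filtering as an added example in Python (not from the original paper): an edge router holds the list of prefixes legitimately sourced behind each customer interface and checks every packet's source address against it, and applies the egress rule to traffic heading out toward transit. The interface names, prefixes and sample packets are constructed for illustration.

```python
"""Ingress and egress source-address filtering on an edge router.

The router knows which prefixes legitimately originate behind each
customer interface and which prefixes belong to the network as a whole.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str      # interface the packet arrived on


class EdgeFilter:
    def __init__(self, customer_prefixes: dict[str, list[str]], transit_iface: str) -> None:
        # customer interface -> prefixes that may appear as source there
        self.customers = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in customer_prefixes.items()
        }
        self.transit_iface = transit_iface
        # everything this network is responsible for, used for the egress check
        self.our_prefixes = [n for nets in self.customers.values() for n in nets]

    @staticmethod
    def _in_any(addr: str, nets) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip.version == n.version and ip in n for n in nets)

    def ingress_ok(self, pkt: Packet) -> bool:
        """Packet from a customer: its source must lie in that customer's prefixes."""
        nets = self.customers.get(pkt.in_iface)
        if nets is None:
            return False                      # unknown interface: fail closed
        return self._in_any(pkt.src, nets)

    def egress_ok(self, pkt: Packet) -> bool:
        """Packet leaving toward transit: its source must be one of our prefixes."""
        return self._in_any(pkt.src, self.our_prefixes)

    def decide(self, pkt: Packet) -> str:
        if pkt.in_iface == self.transit_iface:
            # Inbound from the Internet: nobody outside may claim our addresses.
            return "drop-spoofed-inbound" if self._in_any(pkt.src, self.our_prefixes) else "forward"
        if pkt.in_iface in self.customers:
            return "forward" if self.ingress_ok(pkt) else "drop-ingress"
        # Internal/core interface: only the egress rule applies on the way out.
        return "forward" if self.egress_ok(pkt) else "drop-egress"


def run_sample() -> list[str]:
    """Constructed traffic against a router with two customers and one transit link."""
    rtr = EdgeFilter(
        customer_prefixes={"ge-0/0/1": ["192.0.2.0/24"], "ge-0/0/2": ["2001:db8:1::/48"]},
        transit_iface="ge-0/0/0",
    )
    samples = [
        Packet("192.0.2.10", "198.51.100.1", "ge-0/0/1"),       # genuine customer traffic
        Packet("10.1.1.1", "198.51.100.1", "ge-0/0/1"),         # spoofed source from customer
        Packet("2001:db8:1::5", "2001:db8:9::1", "ge-0/0/2"),   # genuine IPv6 customer traffic
        Packet("2001:db8:2::5", "2001:db8:9::1", "ge-0/0/2"),   # neighbouring prefix, not theirs
        Packet("203.0.113.4", "192.0.2.10", "ge-0/0/0"),        # normal inbound from transit
        Packet("192.0.2.10", "192.0.2.20", "ge-0/0/0"),         # our address arriving from outside
        Packet("172.16.0.1", "198.51.100.1", "core"),           # leaking private source
        Packet("192.0.2.55", "198.51.100.1", "core"),           # ours, may leave
    ]
    return [rtr.decide(p) for p in samples]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The check only ever looks at the source address and the arriving interface, which is why it is cheap enough to run on every edge router; its weakness is the one noted in the text, namely that it only removes spoofing if the networks where the attack traffic originates actually deploy it.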

DISABLING UNUSED SERVICES

Another way to prevent an attack is to shut down unused services and the resources serving them. In a UDP flood the packets target many open ports; disabling unused services closes those ports and lowers the chance of a successful attack.

APPLYING SECURITY PATCHES

A host with current security patches is less likely to fall victim to an attack than one without. Security patches are issued for newly found and reported security holes, so hosts should always be kept up to date with the latest patches.

LOAD BALANCING
Load balancing is a very efficient way to minimize the impact of an attack. It lets the operator increase the available bandwidth and distribute incoming traffic across multiple servers.

HONEYPOTS
Honeypots are special systems equipped with honeypot tools such as honeyd, honeydctl and spamhole. They are used to lure the attacker into attacking them instead of the real servers, while the honeypot tries to trace the origin of the attack. These hosts are deliberately given limited security and exhibit the same behaviour as the real servers.


5.2 INTRUSION DETECTION

Intrusion detection is very effective in defending hosts from attack. It uses previously known attack signatures, or detects anomalies in incoming traffic.
Anomaly detection relies on recognizing behaviour that departs from the normal baseline. When an anomaly in the incoming traffic is detected, the traffic is forwarded for further analysis or blocked. Many intrusion detection systems (IDS) have been deployed to detect an attack as it takes place.
Another method of detecting DDoS attacks uses Management Information Base (MIB) data from routers. The MIB data from a router includes parameters that record packet and routing statistics, and it looks promising to map statistical abnormalities in ICMP, UDP and TCP packet counts to specific DDoS attacks. Although this approach can be effective for controlled traffic loads, it still needs to be evaluated in a real network environment. This research area could provide important information and methods for identifying and filtering DDoS attacks.
Misuse detection identifies well-defined patterns of known exploits and then watches for occurrences of those patterns. Intrusion patterns can be any packet features, conditions, arrangements and interrelationships among events that lead to a break-in or other misuse. These patterns are defined as intrusion signatures.

5.3 INTRUSION RESPONSE

Once an attack has been identified, the next step is to stop it and trace its origin. Several techniques can be used to achieve this.
IP TRACEBACK
IP traceback techniques allow the victim to trace the attack back toward the attacker. Some IP traceback techniques are the following.
ICMP TRACEBACK [8]: in this technique the intermediate routers send additional information that the victim can use to determine the attack path. Every intermediate router samples the packets it forwards with a low probability and, for a sampled packet, sends an ICMP traceback message to the destination. The traceback message contains the identity of the router the packet came from, the router it is going to, and a timestamp. If enough such messages are collected at the victim, the attack path can be reconstructed.
PROBABILISTIC PACKET MARKING [9]: this approach can be applied during or after an attack, and requires no additional network traffic, router storage or increase in packet size. Although it is possible to reconstruct an ordered network path from an unordered collection of router samples, doing so requires the victim to receive a large number of packets.

The advantage of this approach is that no extra traffic is generated, since the extra information is carried in the packets themselves. Furthermore there is no need to involve ISPs, and the mechanism can be used to trace an attack after it has completed.
In this approach to IP traceback, each router X performs, for each packet it processes, an information injection event with a fixed probability p (for example p = 1/20). The injection uses b bits of the IP header that routers normally neither use nor change, namely the 16-bit IP identification field. Five of these bits hold a hop count, which helps the reconstruction algorithm. The remaining bits carry the message MX that router X wishes to send. If the message is too large for the field, it is broken into fragments, and the b-5 usable bits store a fragment offset and the data of one fragment. By interleaving a hash with the message MX, the victim can reconstruct MX from the packets it receives during the DoS attack.
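A runnable model of probabilistic packet marking, added here as an example and not taken from the paper or from [9]. It implements node sampling with a distance field, the simplest form of the scheme described above: router identifiers are strings instead of fragments of a 32-bit address packed into the 16-bit identification field, so no hash or fragment reassembly is needed and the focus stays on the sampling and the hop count. The path, the marking probability p = 1/20 and the random seed are assumptions.

```python
"""Probabilistic packet marking: node sampling with a distance field.

Each router, with probability p, overwrites the mark with its own
identifier and resets the distance to 0; otherwise it increments the
distance of an existing mark. The victim groups surviving marks by
distance and reads the path off nearest hop first.
"""
from __future__ import annotations

import random
from collections import Counter, defaultdict


class Packet:
    __slots__ = ("mark", "distance")

    def __init__(self, mark: str | None = None, distance: int = 0) -> None:
        self.mark = mark
        self.distance = distance


def router_forward(router_id: str, pkt: Packet, p: float, rng: random.Random) -> None:
    """Marking step a router runs on every packet it forwards."""
    if rng.random() < p:
        pkt.mark, pkt.distance = router_id, 0   # information injection event
    elif pkt.mark is not None:
        pkt.distance += 1                        # one hop farther from its author


def send_attack_traffic(path: list[str], n_packets: int, p: float,
                        seed: int = 7, forged: tuple[str, int] | None = None) -> list[Packet]:
    """Attacker -> path[0] -> ... -> path[-1] -> victim.

    `forged`, if given, is a (mark, distance) pair the attacker writes into
    every packet before sending it, to try to confuse reconstruction.
    """
    rng = random.Random(seed)                    # constructed, repeatable traffic
    received = []
    for _ in range(n_packets):
        pkt = Packet(*forged) if forged else Packet()
        for router in path:
            router_forward(router, pkt, p, rng)
        received.append(pkt)
    return received


def reconstruct_path(received: list[Packet], max_hops: int = 31) -> list[str]:
    """Victim side: majority identifier at each distance, nearest hop first.

    max_hops = 31 mirrors the 5-bit hop count of the scheme described above.
    """
    by_distance: dict[int, Counter] = defaultdict(Counter)
    for pkt in received:
        if pkt.mark is not None and pkt.distance <= max_hops:
            by_distance[pkt.distance][pkt.mark] += 1
    path = []
    d = 0
    while d in by_distance:                      # stop at the first missing hop
        path.append(by_distance[d].most_common(1)[0][0])
        d += 1
    return path


if __name__ == "__main__":
    route = ["R1", "R2", "R3", "R4", "R5"]       # R5 is the router next to the victim
    print(reconstruct_path(send_attack_traffic(route, 20_000, 1 / 20)))
    print(reconstruct_path(send_attack_traffic(route, 20_000, 1 / 20, forged=("EVIL", 0))))
```

The forged case shows what the hop count buys. An attacker can pre-fill the mark, but every genuine router that does not overwrite it increments the distance, so a forged mark can only ever show up farther away than the true path length; the victim sees it as a sixth hop beyond R1 and can discard everything past the last hop it can corroborate. It also shows the cost noted in the text: with p = 1/20 the router five hops out marks only about 4% of packets, so the victim needs thousands of packets before every hop is represented.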

TRAFFIC PATTERN ANALYSIS is another way of responding to DDoS attacks. During an attack, traffic pattern data is recorded and later analyzed to find specific characteristics and features that indicate an attack. The results can be used to update load balancing and throttling techniques and to develop new filtering mechanisms that prevent future DDoS attacks.

5.4 CLASSIFICATION BY DEPLOYMENT LOCATION

DDoS defence mechanisms can be classified by deployment location as follows:

Victim network mechanisms: most systems for combating DDoS attacks have been designed to work on the victim side, since that side suffers the greatest impact of the attack. The victim has the greatest incentive to deploy a DDoS defence system and may sacrifice some performance and resources for increased security. These mechanisms help the victim recognize that it is under attack and give it time to respond.

Intermediate network mechanisms: defences deployed in intermediate networks are more efficient than those at the victim site because they process the traffic before it reaches the victim. PPM (probabilistic packet marking), DPM (deterministic packet marking) and other filtering techniques are examples of intermediate network mechanisms.

Source network mechanisms: DDoS defences deployed at the source network can stop attack flows before they enter the Internet core and before they aggregate with other attack flows. Being close to the sources, they make traceback and investigation of the attack easier. Techniques such as reverse firewalls are examples of this mechanism.

6. ZERO DAY DoS VULNERABILITY IN IPv6

IPv6 will replace IPv4 within a few years, as analysts predict the IPv4 address space will be exhausted in that time. IPv6 is already in use and Windows machines already support it: on Windows, IPv6 is installed and enabled by default, so every Windows server and PC ships with IPv6 turned on.
ICMPv6 Router Advertisements sent by an IPv6 router are automatically processed by every host on the link. Whenever a host receives a new Router Advertisement it updates its routing table accordingly, and if the advertised prefix carries the autonomous address-configuration flag, the host also configures an IPv6 address for itself from the advertised prefix (stateless address autoconfiguration).
If a network is flooded with IPv6 Router Advertisements, every system on it keeps updating its routing table and configuring new IPv6 addresses. Routing table updates and IPv6 address configuration consume a lot of CPU and RAM.
Windows and FreeBSD systems allow this autoconfiguration of the routing table and IPv6 address, which makes them vulnerable.
The vulnerability can be exploited by sending Router Advertisements from a large number of routers, or with the flood_router6 tool from the thc-ipv6 package. It affects every vulnerable system on the network at once, with very good efficiency: the victim's CPU and RAM usage reach 100% within minutes and stay there for a long time even after the flooding stops.
The figures below show the CPU usage of a Windows 7 system before and after the attack.

Fig.6.1 CPU usage before the attack

Fig.6.2 CPU usage after the attack

The sudden spike in CPU usage in Fig. 6.2 is clearly visible in the CPU Usage History graph.

CHECK FOR VULNERABILITY

I have written a batch file to check whether a system is vulnerable. It enables the router discovery option for IPv6 (if it is disabled) and advertises some virtual routers; if the systems on the network join the advertised prefixes, those systems are vulnerable.
To check whether a Windows system is vulnerable, run the batch file, then issue the command ipconfig and see whether the system has joined a network whose prefix starts with def:. If it has, it is vulnerable.
@ECHO OFF
ECHO TESTING YOUR NETWORK FOR IPv6 ROUTER ADVERTISEMENT VULNERABILITY
REM Give this interface an address in the test prefix and make sure router
REM discovery is on. Replace "Local Area Connection" with the interface name
REM listed by: netsh interface ipv6 show interfaces
netsh int ipv6 set addr "Local Area Connection" def:1::1/64
netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=enabled
REM NOTE: Windows only originates Router Advertisements on an interface where
REM advertising is enabled:
REM   netsh interface ipv6 set interface "Local Area Connection" advertise=enabled
REM Publishing a route (publish=yes) makes Windows include the prefix in its
REM Router Advertisements; the route is deleted again straight away so that
REM only the advertisement remains.
netsh int ipv6 add route def:407::/64 "Local Area Connection" siteprefixlength=64 publish=yes
netsh int ipv6 del route def:407::/64 "Local Area Connection"
ECHO ADVERTISING ROUTER#1
netsh int ipv6 add route def:408::/64 "Local Area Connection" siteprefixlength=64 publish=yes
netsh int ipv6 del route def:408::/64 "Local Area Connection"
ECHO ADVERTISING ROUTER#2
netsh int ipv6 add route def:409::/64 "Local Area Connection" siteprefixlength=64 publish=yes
netsh int ipv6 del route def:409::/64 "Local Area Connection"
ECHO ADVERTISING ROUTER#3
ECHO RUN IPCONFIG ON EACH MACHINE AND LOOK FOR ADDRESSES STARTING def:
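The batch file tests from the host side whether advertised prefixes are taken up. As an added example (not from the paper or from thc-ipv6), the following Python parses ICMPv6 Router Advertisements as they appear on the wire and flags a flood by counting advertisements and distinct autoconfigurable prefixes in a sliding window, which is the anomaly-detection view of the attack described above. The thresholds, the prefixes and the build_ra helper that constructs sample packets are assumptions; on a real network the payload would come from a raw socket or a packet capture, after the Ethernet and IPv6 headers.

```python
"""Parse ICMPv6 Router Advertisements and flag a Router Advertisement flood.

RFC 4861 layout: a 16-byte RA header, then options in TLV form whose
length field counts 8-byte units. The Prefix Information option (type 3,
32 bytes) carries the prefix and the A (autonomous) flag; when A is set,
every host on the link derives a SLAAC address from the prefix.
"""
from __future__ import annotations

import ipaddress
import struct
from collections import deque

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
PIO_FLAG_ONLINK = 0x80
PIO_FLAG_AUTONOMOUS = 0x40


def parse_ra(payload: bytes) -> dict:
    """Return router lifetime and the (prefix, autonomous) pairs in one RA."""
    if len(payload) < 16:
        raise ValueError("truncated ICMPv6 RA header")
    icmp_type, code, _csum, hop_limit, _flags, lifetime = struct.unpack_from("!BBHBBH", payload, 0)
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("option length 0")          # RFC 4861: discard packet
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option overruns packet")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags = payload[off + 2], payload[off + 3]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append((f"{prefix}/{plen}", bool(pflags & PIO_FLAG_AUTONOMOUS)))
        off = end                                         # unknown options are skipped
    return {"hop_limit": hop_limit, "router_lifetime": lifetime, "prefixes": prefixes}


def build_ra(prefix: str, plen: int = 64, autonomous: bool = True, lifetime: int = 1800) -> bytes:
    """Constructed RA with one Prefix Information option (checksum left at 0)."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    pflags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 2592000, 604800, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed


class RaFloodDetector:
    """Sliding-window counters over RAs seen on one link.

    Alerts when more than max_ras advertisements, or more than max_prefixes
    distinct autoconfigurable prefixes, arrive within `window` seconds.
    """

    def __init__(self, window: float = 1.0, max_ras: int = 10, max_prefixes: int = 5) -> None:
        self.window, self.max_ras, self.max_prefixes = window, max_ras, max_prefixes
        self.events: deque[tuple[float, tuple[str, ...]]] = deque()

    def observe(self, ts: float, payload: bytes) -> str | None:
        ra = parse_ra(payload)
        auto = tuple(p for p, a in ra["prefixes"] if a)
        self.events.append((ts, auto))
        while self.events and ts - self.events[0][0] > self.window:
            self.events.popleft()
        distinct = {p for _, ps in self.events for p in ps}
        if len(self.events) > self.max_ras:
            return f"RA flood: {len(self.events)} advertisements in {self.window}s"
        if len(distinct) > self.max_prefixes:
            return f"RA flood: {len(distinct)} distinct SLAAC prefixes in {self.window}s"
        return None


def run_demo() -> dict:
    """One legitimate router, then a constructed 200-prefix flood in one second."""
    det = RaFloodDetector()
    quiet = [det.observe(t, build_ra("2001:db8:1::")) for t in (0.0, 200.0, 400.0)]
    alerts = []
    for i in range(200):
        alert = det.observe(400.0 + i * 0.005, build_ra(f"2001:db8:{i + 100:x}::"))
        if alert:
            alerts.append((i, alert))
    return {
        "quiet_alerts": [a for a in quiet if a],
        "first_alert_index": alerts[0][0] if alerts else None,
        "first_alert": alerts[0][1] if alerts else None,
        "alert_count": len(alerts),
    }


if __name__ == "__main__":
    print(run_demo())
```

Legitimate routers send an RA every few minutes (and when a host solicits one), so a handful of distinct autoconfigurable prefixes per second from one link is unambiguous; the prefix threshold fires before the raw count does because each flood packet brings a new prefix, which is exactly the work that pins the victim's CPU. The switch-side counterpart of this check is RA Guard (RFC 6105), which drops Router Advertisements arriving on ports that should not have a router behind them; it stops the flood before any host processes it, which the host-side workarounds below cannot do.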

PREVENTION
At the time of writing no patch was available for Windows, so there are two ways to protect systems temporarily.
Manually disable the IPv6 protocol: Windows PCs have an option to deactivate IPv6 manually. With IPv6 disabled there is no way for the system to be attacked in this manner.
Manually disable router discovery: since the vulnerability is exploited through router discovery, disabling router discovery prevents the attack. The following command, issued at a command prompt, disables router discovery:
netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled
Note that a host with router discovery disabled no longer learns its default IPv6 router or autoconfigures addresses, so it needs static IPv6 configuration if IPv6 connectivity is still required.


7. CONCLUSION
DoS/DDoS attacks are a serious and dangerous problem that continually causes severe damage on the Internet.
In this paper I have tried to present a clear, brief view of the different aspects of DoS/DDoS, together with methods of protecting systems against these attacks. Detection and prevention mechanisms need to be updated as new exploitable bugs, weaknesses and loopholes are found. DDoS attacks are a serious threat not only to wired networks but also to wireless infrastructures. Some progress has been made in defending wireless networks against DDoS, and models exist that provide mechanisms against wireless-specific issues, but further work is needed that combines the well known security drawbacks of wireless protocols with defence techniques that are already mature in a wired environment.
All of these mechanisms are hard to implement simultaneously, so more efficient mechanisms are required.
