In this blog post we will review some firewall rules to protect a
specific OS against IPv6 threats. These should be seen as a last resort,
since normally a perimeter firewall should be in place alongside an IDS or RA
Guard. Because the configuration of these devices falls outside the scope of
the internship they will not be discussed here. It should be noted, however,
that all firewall rules reviewed in this blog post should also be applicable to
a perimeter firewall.
The configuration for these rules is divided into Windows XP, the rest of
the Windows versions, Linux distributions and Unix.
Windows XP
Not much can be said about Windows XP, since no extra firewall rules can
be added. IPv6 is supported in the firewall configuration, but these settings
run alongside their IPv4 counterparts. This means that ICMPv6 request and
response are blocked, but RS/RA, NS/NA and other IPv6 protocols that do not
exist in IPv4 are not affected by these firewall rules. If Windows XP has to be
used in an IPv6 network it should be secured by other firewalls, since its
built-in firewall is not compatible enough with IPv6 to be effective.
Windows versions
All the other tested Windows versions (Vista, 7, 8, 8.1, 2008, 2012)
have the same firewall configuration, so the same rules apply to each OS.
Assuming only one router is present in the network, we want to limit router
advertisements to those coming from that router. This should be done at the
local (host) level for extra security. It can be achieved by going into the
advanced firewall configuration, setting both incoming and outgoing traffic to
deny and finding the respective RA/RS rules. You will also notice that most
ICMPv6 types are allowed through by default, even when in/out traffic is
denied. Disable the rules for the ICMPv6 traffic you do not need, or limit them
to at least the local network. In our case none of these were needed, so we
disabled all the extra rules.
For the RA/RS rules nothing needs to change except the range. You will
have a global and a local range. Since we only want RA/RS messages from our
local network (only the router), set the global range to "specified range"
without filling in any range. For the local network do the same, but here fill
in a single address: the LLA (link-local address) of your default router. You
can also specify the global address of the router, but the LLA alone should be
enough.
Next up are the NS/NA messages. Enabling these is optional if other
traffic is allowed on the same private network, but since we do not want to
limit every IPv6 function, only restricting them should be fine. In Windows it
is not possible to rate-limit incoming packets, so be careful who you allow
through. In our example we allowed NS/NA traffic from the local network, which
is not ideal since a breach of the local network would nullify these rules. For
the NS/NA rules we specified on the local part that only traffic from and to
fe80::/10 should be allowed.
These are all the firewall rules that had to be changed in our setup for
the attacks we tested. Almost all of the MITM / DoS attacks use these
protocols, so these should be limited.
Linux
In the Linux distributions, iptables (ip6tables for IPv6) was used to restrict
traffic through our network. Many distributions have GUI front-ends for
iptables, but these differ between versions. Since iptables is the core for all
distributions, it is easier to use it directly.
First of all, set the default policies to DROP (by default they are set to
ACCEPT) and flush the chains just to be sure. Now all traffic should be denied.
We take the same approach on which traffic to accept as with Windows, except
that ip6tables rules can be made more detailed and complex. First we want to
accept traffic from our default router. This can be done by allowing traffic
from its LLA to our system, e.g.
ip6tables -A INPUT -s fe80::a00:27ff:ff27:00a -j ACCEPT
With this we allow all traffic from our default router. This ensures
that the only RA/RS messages accepted are those of the default router.
NS/NA messages will also only be allowed from our local network, but rate
limited:
ip6tables -A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 135 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
This rule keeps NDP working but also makes it harder for attackers to
flood our system with NS/NA packets.
Of course all these rules should be mirrored in the OUTPUT chain, where
-s (source) is changed to -d (destination). Otherwise the host will receive
those packets but will not respond to them.
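The full policy of this section as a runnable script, added here as an example (it is not the post's own code): default DROP, the accept from the router's LLA, the rate-limited NS/NA rules and their OUTPUT mirrors. It goes slightly beyond the post by also allowing the host's own RS to ff02::2 and NS to the solicited-node multicast range, which address resolution and DAD need; the router address is a constructed placeholder, and nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the post's own script: the host ip6tables policy from the
# Linux section. ROUTER_LLA is a constructed placeholder; take the real value
# from "ip -6 route show default". Without APPLY=1 the script only prints the
# commands it would run.
ROUTER_LLA="${ROUTER_LLA:-fe80::a00:27ff:ff27:00a}"
IPT="${IPT:-ip6tables}"   # set IPT="echo ip6tables" to preview without applying

# Routers send RAs from a link-local source; refuse to whitelist anything else
# so a global address is never accepted as "the router" by mistake.
is_link_local() {
    case "$1" in
        [fF][eE][89aAbB]?:*) return 0 ;;
        *) return 1 ;;
    esac
}

ip6_ruleset() {
    lla="$1"
    is_link_local "$lla" || { echo "router address must be link-local: $lla" >&2; return 1; }
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # everything from/to the default router, so its RAs are the only ones accepted
    $IPT -A INPUT -s "$lla" -j ACCEPT
    $IPT -A OUTPUT -d "$lla" -j ACCEPT
    # our own router solicitations go to the all-routers group, not to the LLA
    $IPT -A OUTPUT -d ff02::2 -p icmpv6 --icmpv6-type 133 -j ACCEPT
    # NS (135) and NA (136) from the link only, rate limited against floods
    for t in 135 136; do
        $IPT -A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type $t \
            -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
        $IPT -A OUTPUT -d fe80::/10 -p icmpv6 --icmpv6-type $t -j ACCEPT
    done
    # NS for address resolution and DAD target solicited-node multicast
    $IPT -A OUTPUT -d ff02::1:ff00:0/104 -p icmpv6 --icmpv6-type 135 -j ACCEPT
}

if [ "${APPLY:-0}" = 1 ]; then
    ip6_ruleset "$ROUTER_LLA"
else
    ( IPT="echo ip6tables"; ip6_ruleset "$ROUTER_LLA" )   # preview only
fi
```

Switches that do MLD snooping also need the host's MLD reports (ICMPv6 types 131 and 143) to pass; if neighbor discovery stops working after applying the policy, that is the first thing to check.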
UNIX
FreeBSD has no iptables like the Linux distributions, but has IP Filter
/ IP Firewall (ipfw), which are very much alike to iptables. As with the
Microsoft and Linux distros we restrict all traffic from and to our system by
only allowing traffic from the default router. A slight complication in FreeBSD
is that it does not yet support specifying NS/NA (with ipfw), so we either
a) block all traffic as usual, but cannot add an allow rule for NS/NA, so NDP
no longer works, or b) accept all ICMPv6 traffic. I think it is safe to say
that for the purpose of these tests we shouldn't allow all ICMPv6 traffic...
You can, however, allow all ICMPv6 traffic and then block the specific ICMPv6
types that are available, so that the two rules overlap.
An example of this is blocking RA/RS messages from the local network.
Since this is no longer iptables, you will notice that the syntax is a little
different in FreeBSD. First things first, we need to enable the firewall in
/etc/rc.conf by adding these lines to the file:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
These enable the firewall on boot and load a script with our firewall
rules at startup. You specify the rules you want in the file /etc/ipfw.rules.
Do not forget to flush ipfw first in the script, otherwise there might be
problems with the default rules.
An example of blocking RA/RS messages (ICMPv6 types 133 and 134; 137 is the
redirect type):
ipfw add deny ip6 from fe80::/10 to any icmp6types 133,134,137 in
The available icmp6types can be found in the types list on the ipfw manpage.
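An added example of the "allow ICMPv6, then deny the specific types" approach as a complete /etc/ipfw.rules script (not the post's own file): ipfw stops at the first matching rule, so the default router is accepted before RS/RA/Redirect from anyone else on the link are denied. The router address is a constructed placeholder and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the post's own /etc/ipfw.rules: the FreeBSD section's
# option b as the script that rc.conf's firewall_script points to. Rule numbers
# fix the order (ipfw is first-match): the default router is accepted before
# router/redirect messages (types 133, 134, 137) from everyone else are denied.
# ROUTER_LLA is a constructed placeholder; change the APPLY default to 1 when
# installing this file so rc runs the rules instead of printing them.
ROUTER_LLA="${ROUTER_LLA:-fe80::a00:27ff:ff27:00a}"
IPFW="${IPFW:-ipfw -q}"     # -q implies -f, so flush does not prompt

ipfw_ruleset() {
    lla="$1"
    $IPFW flush   # start from an empty table, as the post advises
    $IPFW add 100 allow ip6 from any to any via lo0
    # the default router first: its RAs are the only ones that get through
    $IPFW add 200 allow ip6 from "$lla" to any in
    $IPFW add 210 allow ip6 from any to "$lla" out
    # RS/RA/Redirect from anyone else on the link, denied before the catch-all
    $IPFW add 300 deny ipv6-icmp from any to any icmp6types 133,134,137 in
    # remaining ICMPv6 (NS/NA among it) only from link-local sources
    $IPFW add 400 allow ipv6-icmp from fe80::/10 to any in
    $IPFW add 410 allow ipv6-icmp from any to any out
    $IPFW add 65000 deny ip6 from any to any
}

if [ "${APPLY:-0}" = 1 ]; then
    ipfw_ruleset "$ROUTER_LLA"
else
    ( IPFW="echo ipfw -q"; ipfw_ruleset "$ROUTER_LLA" )   # preview only
fi
```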
Conclusion
As we can see, these firewall rules can be a reasonable last line of
defense in case the perimeter firewall is breached, but most of these rules
are still too incomplete to work effectively. Most of the time some sacrifice
has to be made: either security-wise, where some protocols you do not want to
pass do pass, or functionality-wise, where some protocols (like NDP) that you
want to let through cannot be. The most complete rules are those of ip6tables,
since it has the most options available and can also rate-limit the packets
let through. Unix is not bad either, but is more complex.