Enno Rey – Page 9 – Insinuator.net

January 8, 2015 by Enno Rey

DHCPv6 Guard: Do It Like RA Guard Evasion

Or: When Cisco ACL Can Count Up to Five 🙂

This is a guest post by Antonios Atlasis.

Hi all,

RA Guard Evasion is well-known in the IPv6 “circles”; there is RFC 7113 Advice for IPv6 Router Advertisement Guard (RA-Guard) and many interesting blog-posts like this one here, here, and this excellent write-up here that discuss this issue.
Moreover, as Jim Smalls states in his comprehensive “IPv6 Attacks and Countermeasures” presentation given at the North American IPv6 Summit 2013, DHCPv6 Guard or a corresponding IPv6 ACL can stop a DHCPv6 Rogue Servers, but (only?) for non-malicious/non-fragmented DHCPv6 packets (slide 35). However, at that time there wasn’t any known attack tool in the wild that had the fragmentation evasion built in.

Continue reading “DHCPv6 Guard: Do It Like RA Guard Evasion”

Building

January 5, 2015 by Enno Rey

Should IPv6 Packets With Source Address ::1 Be Processed When Received on an External Interface?

This is a guest post from Antonis Atlasis.

Most of you are probably aware of the recently discovered/-closed severe ntpd vulnerabilities (CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, see also the initial ntp.org security notice). Some days ago the Project Zero team at Google published a blog post “Finding and exploiting ntpd vulnerabilities” with additional details. In this one they mentioned a seemingly minor but quite important detail: on a default OS X installation one of the built-in protection mechanisms of ntpd (that is the restriction to process certain packets only if they are sourced on the local machine) can easily be circumvented by sending IPv6 packets with a spoofed source address of ::1 (the equivalent to 127.0.0.1 in IPv4 which would be discarded by the kernel once received from an external source).

This brought up a number of more generic questions:

a) Should such packets having as source address the IPv6 loopback one be processed at all?
b) Which OSs process such packets?
c) How can we protect our systems from them?

Continue reading “Should IPv6 Packets With Source Address ::1 Be Processed When Received on an External Interface?”

Events

January 3, 2015 by Enno Rey

Troopers15 – 5th Round of Talks Selected

Happy new year and all the best for 2015 to everybody!
Here’s the next round of Troopers15 talks (all the others can be found here):

Continue reading “Troopers15 – 5th Round of Talks Selected”

Events

December 29, 2014 by Enno Rey

Troopers15 – Fourth Round of Talks Selected

As we promised some days ago here’s the fourth round of Troopers15 talks (the first three can be found here). We really can’t wait for the con ourselves 😉 !

Continue reading “Troopers15 – Fourth Round of Talks Selected”

Building

December 22, 2014 by Enno Rey

IPv6 Hardening Guide for Windows Servers

After we recently released the “Linux IPv6 Hardening Guide” we got a number of suggestions “could you pls provide a similar document for $OS?” (btw: thanks to you all for the overwhelming interest in the Linux document and the active discussion of ip6tables rule approaches on the ipv6hackers mailing list).

Continue reading “IPv6 Hardening Guide for Windows Servers”

Events

December 20, 2014 by Enno Rey

Troopers15 – Third Round of Talks Selected

As we promised some days ago here’s the third round of Troopers15 speakers (first one here, second here). It’s going to be awesome!

Continue reading “Troopers15 – Third Round of Talks Selected”

Building

December 17, 2014 by Enno Rey

IPv6 Hardening Guide for Linux Servers

We were recently approached by a customer asking us for support along the lines of “do you have any recommendations as for strict hardening of IPv6 parameters on Linux systems?”. It turned out that the systems in question process quite sensitive data and are located in certain, not too big network segments with very high security requirements.

Continue reading “IPv6 Hardening Guide for Linux Servers”

Breaking

December 11, 2014 by Enno Rey

Penetration Testing Tools that (do not) Support IPv6

We just released a white paper authored by Antonios Atlasis that provides an overview which pentesting tools currently support IPv6 and how to (still) use them if that’s not the case. It can be found in our newsletter section.

Best

Enno

Events

December 5, 2014 by Enno Rey

Troopers15 – Second Round of Talks Selected

As we promised some days ago when we published the first round, here we go with the second:

Continue reading “Troopers15 – Second Round of Talks Selected”

Building

December 1, 2014 by Enno Rey

Security Implications of Using IPv6 GUAs Only

When planning for IPv6 addressing, many organizations – rightfully & wisely – decide to go with global unicast addresses (GUAs) only (hence not to use unique local addresses/ULAs as of RFC 4193 at all), in order to avoid address selection hell or just for simplicity & consistency reasons. This post discusses security implications and complementary security controls of such an approach.

Continue reading “Security Implications of Using IPv6 GUAs Only”