
IPv6-Unidad3-1

Test title:
IPv6-Unidad3-1

Description:
RIPE preparation

Creation date: 2022/05/16

Category: Computing

Number of questions: 42

Syllabus:

ICMPv6 Format: You need to know the details about ICMPv6 in order to filter it properly, to understand how it is used, and to protect your network from attacks using ICMPv6. Type. Code. Checksum. Message Body.

Extended Format: To send additional information in an ICMPv6 message, RFC4884 defines two things: extension structure. length.

Error vs Informational Messages. Destination unreachable. Packet Too Big. Time Exceeded. Parameter Problem. Echo Request. Echo Reply. Neighbour Discovery Protocol (NDP). Multicast Listener Discovery (MLD).

Destination Unreachable. No route to destination. Communication with destination administratively prohibited. Beyond scope of source address. Address Unreachable. Port Unreachable. Source address failed ingress/egress policy. Reject route to destination. Error in Source Routing Header.

Filtering ICMPv6. What is the difference between filtering ICMPv4 and ICMPv6? In IPv6, if you filter all ICMPv6, the basic data service doesn’t work. in IPv4, if you filter all ICMPv4, you can still have communication. There are no differences between them.

What is a recommendation about packets with a multicast destination address? No ICMPv6 error messages should be sent in response to receiving a packet destined to a multicast address. No ICMPv6 error messages should be sent in response to receiving a packet destined to a unicast address. No ICMPv6 error messages should be sent in response to receiving a packet destined to a multicast or unicast address.

Not allowing ICMPv6 error messages as a response avoids: Host Discovery. Amplification Attacks. Reflection Attacks. MITM Attack. Ransomware Attack.

How does an amplification attack work? Try to generate a lot of traffic leveraging any mechanism that multiplies the size and/or the number of messages sent by the attacker. To be able to target a specific host the attacker uses a spoofed IP address, the victim's address, making the amplified traffic go towards the desired target. Try to generate a lot of traffic leveraging any mechanism that multiplies the size and/or the number of messages sent by the attacker. To be able to target a specific host the attacker uses a real IP address, the victim's address, making the amplified traffic go towards the desired target.

The ICMPv6 standard states that it is optional to send an Echo Reply when an Echo Request is sent to a multicast address. It is not recommended to send the Echo Reply because it can be used for a. Smurf Attack. MITM Attack. Ransomware Attack. Phishing Attack.

Select the measures for IPv6 security issues related to ICMPv6. Two answers are correct. Filter ICMPv6 as you filter ICMPv4. Filter ICMPv6 carefully. ICMPv6 error messages must be sent in response to receiving a packet destined to a multicast address. Send an Echo Reply when receiving an Echo Request sent to a multicast address as a destination. If an ICMPv6 informational message of unknown type is received, it must be silently discarded.

Select the option that only contains ICMPv6 error messages. Destination unreachable, Packet too big, Erroneous IP packets, Parameter problem. Echo request, Echo reply, NDP, MLD. Destination unreachable, Packet too big, Time exceeded, Parameter problem. Multicast traffic, Erroneous IP packets, NDP, MLD.

"If you filter all ICMPv6, as you can do with ICMP for IPv4, …. you will always have communication.". communication will never work.". it works because protocols like NDP or MLD don’t use ICMPv6.".

"No ICMPv6 error messages should be sent in response to... receiving a packet destined to a multicast address.". an IPv6 multicast or anycast address.". a packet whose source address uniquely identifies a single node.".

NDP is used on a link for: Discovery. Duplicate Address Detection (DAD). Address Resolution. Address Autoconfiguration. Network Unreachability Detection (NUD).

NDP Messages: For all these NDP uses, only five messages are defined: Neighbor Solicitation (NS). Neighbor Advertisement (NA). Router Solicitation (RS). Router Advertisement. Redirect.

Match each NDP message type with its purpose. Neighbor Solicitation. Neighbor Advertisement. Router Solicitation. Router Advertisement. Redirect.

What are three NDP threats. Neighbor Solicitation/Advertisement Spoofing. Neighbor Unreachability Detection (NUD) Failure. Duplicate Address Detection (DAD) DoS Attack. Router Solicitation/Advertisement Spoofing. Router Unreachability Detection (RUD) Failure. Duplicate Router Detection (DAD) DoS Attack.

The attacker _________ with a changed/wrong “source link-layer” option (the option used to inform other neighbors about a link-layer address).

The attacker ________ with a changed/wrong “target link-layer” option (the option that includes information about the sender's link-layer). The sending of the NA could be after seeing an NS sent by a neighbor, or can even be sent in an unsolicited way to explain about a change in information (this is included in the standard and has to be accepted by IPv6 hosts. It is the same in IPv4 with ARP).

NS Spoofing: Let’s start with Neighbor Solicitation Spoofing to change values in the victim's neighbor cache. If the attacker sends an invalid MAC address (not used in the network) then it will be a _______ because traffic will reach no destination at all. DoS Attack. Ransomware Attack. Phishing Attack.

NS Spoofing: Let’s start with Neighbor Solicitation Spoofing to change values in the victim's neighbor cache. This attack can also be used to create a _____. MITM attack. Ransomware Attack. Phishing Attack.

Another attack on NDP is Neighbor Unreachability Detection (NUD) Failure [RFC3756]. In this DoS attack, an NA message is used by the attacker to add a wrong link-layer address to the victim's neighbor cache during the NUD process. In this DoS attack, an NA message is used by the attacker to add a wrong link-layer address to the victim's neighbor cache during the NS process. In this DoS attack, an NA message is used by the attacker to add a wrong link-layer address to the victim's neighbor cache during the DAD process.

In this exercise, test your knowledge about different attacks on NDP based on NS/NA messages. Select the correct statements. Two answers are correct. Almost all the attacks related to NDP need local access to the network by the attacker. Neighbor Solicitation/Advertisement Spoofing can be done by sending an NS with the "target link-layer" option changed. Neighbor Unreachability Detection failure can be used to create a MITM attack. Duplicate Address Detection attack can be used as a DoS attack because the victim can’t use any addresses.

The Malicious Last Hop Router attack [RFC3756] uses rogue RA messages to achieve a redirection or a DoS. And. The attacker (with access to the link) pretends to be a router for the hosts in the network, specifically to become the default gateway. Once accepted as a legitimate router, the attacker could send Redirect messages to hosts and then disappear, covering their tracks. The attacker (with access to the link) sends an RA message including a prefix for address autoconfiguration, and all the corresponding flags set to the right values (A=1, M=0). The attacker (with access to the link) sends out a valid-seeming RA that duplicates the RAs from the legitimate default router, except the included parameters that are designed to disrupt legitimate traffic.

Another attack that uses RA messages is the Bogus Address Configuration Prefix [RFC3756]. This is a DoS attack. And. The attacker (with access to the link) pretends to be a router for the hosts in the network, specifically to become the default gateway. Once accepted as a legitimate router, the attacker could send Redirect messages to hosts and then disappear, covering their tracks. The attacker (with access to the link) sends an RA message including a prefix for address autoconfiguration, and all the corresponding flags set to the right values (A=1, M=0). The attacker (with access to the link) sends out a valid-seeming RA that duplicates the RAs from the legitimate default router, except the included parameters that are designed to disrupt legitimate traffic.

Parameter Spoofing [RFC3756] is another attack that uses RA messages to cause a DoS. And. The attacker (with access to the link) pretends to be a router for the hosts in the network, specifically to become the default gateway. Once accepted as a legitimate router, the attacker could send Redirect messages to hosts and then disappear, covering their tracks. The attacker (with access to the link) sends an RA message including a prefix for address autoconfiguration, and all the corresponding flags set to the right values (A=1, M=0). The attacker (with access to the link) sends out a valid-seeming RA that duplicates the RAs from the legitimate default router, except the included parameters that are designed to disrupt legitimate traffic.

In this exercise, you can test your knowledge about different attacks based on RS/RA messages. Select the correct statements. Two answers are correct. Parameter Spoofing is an NDP threat based on NA and/or NS messages. Bogus Address Configuration Prefix is a DoS attack. During Malicious Last Hop Router attacks, the attacker pretends to be a router for the hosts in the network, to become the default gateway. Bogus On-Link Prefix is a MITM attack because the destination address is not reachable.

When talking about ACLs and configuring filtering rules, many things will be the same for IPv6 and IPv4, like transport layer protocols (TCP, UDP, etc.) and application layer protocols (HTTP/HTTPS, DNS, SMTP, SNMP, etc.). The main difference when filtering for IPv6 will be: When using ICMPv6. When using extension headers.

There are two ways of implementing RA-GUARD: Stateless RA-Guard:. Stateful RA-Guard:.

Other NDP Attacks. Spoofed Redirect Message. Neighbor Discovery DoS Attack.

Other NDP Attacks and solutions. Spoofed Redirect Message. Neighbor Discovery DoS Attack.

Please select the threat. NS Spoofing. Rogue RA. Malicious Last Hop Router. DAD DoS Attack. NUD Failure. Bogus On-Link Prefix. Parameter Spoofing. Bogus Address Configuration Prefix. Unsolicited NA.

Select the correct statements. Three answers are correct. Neighbor Discovery DoS attacks can be made from outside the local network. First Hop Security are security mechanisms for IPv6 implemented on switches. Parameter Spoofing is an attack based on Redirect messages. Rogue Router Advertisements can be generated by mistake or wrong configuration or by an attacker. SEND is a Rogue RA solution widely used.

You receive a report with the following information about what was discovered by the IT support team: The hosts were not able to access some external services, while others were working normally. DNS resolution was working fine. Looking at the network configuration, IPv4 was correct, but the IPv6 one had an extra IPv6 address auto configured using an unknown prefix. There was also an extra default gateway pointing to an unknown link-local address. This was detected on all the hosts in the link. What do you think was the cause of the problem?. The users changed the network configuration. NA message sent on the link by an attacker or by error. RA message sent on the link by an attacker or by error. Redirect message sent on the link by an attacker or by error.

You receive a report with the following information about what was discovered by the IT support team: The hosts were not able to access some external services, while others were working normally. DNS resolution was working fine. Looking at the network configuration, IPv4 was correct, but the IPv6 one had an extra IPv6 address auto configured using an unknown prefix. There was also an extra default gateway pointing to an unknown link-local address. This was detected on all the hosts in the link. What would be your recommendation to avoid this problem in the future?. Use DHCPv6 to configure the hosts on that link to avoid RAs. Use RA-guard on the switch to filter out rogue RAs. Use MLD Snooping on the switch to protect against multicasted traffic. Implement SEND on that link to protect NDP messages.

Select the correct threat. Neighbor Solicitation/Advertisement Spoofing (NS Spoofing and Unsolicited NA). Neighbor Unreachability Detection (NUD) Failure. Duplicate Address Detection (DAD) DoS Attack. Rogue Router Advertisements. Malicious Last Hop Router. Bogus On-Link Prefix. Bogus Address Configuration Prefix. Parameter Spoofing.

How to choose a suitable and available security measure for IPv6 security issues related to NDP, namely: RA-Guard. IPv6 Snooping. IPv6 Source/Prefix Guard. IPv6 Destination Guard. Link Monitoring. SEND. Host Packet Filtering. Router Preference Option. ACLs on Switches. RA Snooping on Switches (RA-Guard).

Using Scapy, you have been able to reproduce the two types of messages detected by the IDS. You found out what the attackers were trying to do: changing the neighbor cache of the victim's host. In both cases, the consequences were pretty much the same. The main difference is the use of two different NDP messages: NS and NA. Now you have completed these steps, what will you report back to your boss and other colleagues about what the IDS reported?. There is no problem, we can go on with our lives. There is a small problem, probably a malfunctioning Operating System implementation. There is a big problem, there is a malicious host attacking your network. It is unclear what the problem was.

Using Scapy, you have been able to reproduce the two types of messages detected by the IDS. You found out what the attackers were trying to do: changing the neighbor cache of the victim's host. In both cases, the consequences were pretty much the same. The main difference is the use of two different NDP messages: NS and NA. Your boss is very concerned and nervously asks what the first action should be right now. Keep looking at the IDS logs. Disconnect the attacking host from the network. Elevate the warning level of the IDS for that kind of messages. Make sure all your colleagues learn about the problem.

MLDv2. Router asks for listeners. General. Specific Multicast Address. Specific Multicast Address and Source. Current state. State change (filter/sources). Sent to FF02::16.

Built-in MLD Security MLD Message. Source:. Hop Limit =. Router Alert.

Attacker becomes the DNS server of the victim using: Man-in-the-Middle. Neighbor Cache Poisoning. SLAAC. DHCPv6.
