Abusing IPv6 Extension Headers and Fragmentation attack
by Jianjun Chen
I have read some of Antonios Atlasis' papers these days and have a better understanding of IPv6 attacks. Now I write it here according to my understanding. Maybe my description of the attacks is not accurate and complete, so I hope you could point it out if you find it.
As is well known, when more than one extension header is used in the same packet, it is recommended that those headers appear in the following order [RFC 2460, 1998]:
● IPv6 header
● Hop-by-Hop Options header
● Destination Options header
● Routing header
● Fragment header
● Authentication header
● Encapsulating Security Payload header
● Destination Options header (for options to be processed only by the final destination of the packet)
● Upper-layer header
Apart from that, each of them (except the Destination Options header, which may occur at most twice) should occur at most once.
As we shall see, this can be turned to the attacker's advantage when combined with fragmentation in order to bypass IDS or even firewall detection.
Case 1:
Multiple Occurrences of Various Extension Headers in an Atomic Fragment
A malformed packet such as the following should not exist, but many OSes accept it.
Case 2:
Upper Layer Protocol Header at a Fragment other than the 1st Fragment
If the upper-layer protocol (ULP) header is not in the first fragment, stateless ACLs can be bypassed: a stateless filter that looks for the transport header in the first fragment never sees it. Packets such as the following pass an ordinary stateless ACL easily, and many OSes accept them.
Case 3:
Mixing Extension Headers and Sending the Upper-Layer Protocol Header at a Fragment other than the 1st
If the attacker mixes case 1 and case 2, many more variants can be created.
Case 4:
Creating Overlapping Extension headers
Another well-known technique is to use overlapping extension headers.
Case 5:
Transfer of arbitrary data at the IP level
If arbitrary data is placed into such a header using this specific Options Type, the data is transferred even though it does not form a valid packet. Many OSes still accept these packets, and many IDSes do not inspect the data carried in extension headers.
Case 6:
Using small fragmentation
Although the use of small IPv6 fragments is discouraged (fragments smaller than 1280 octets are not supposed to be used), all major OSes accept such small fragments.
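As an added example (not from the original post or from Atlasis' papers), here is a small header-chain checker for cases 1, 2 and 6 above: it walks the extension headers of one raw IPv6 packet and reports repeated or mis-ordered headers, a first fragment that never reaches an upper-layer header, and non-final fragments below 1280 octets. The two sample packets are constructed inline; the 1280-octet threshold and the "every extension header is at least 8 octets" shortcut are simplifying assumptions of this checker, not rules quoted from the post.

```python
import struct

# Extension-header next-header values and the recommended order of RFC 2460 section 4.1.
EXT = {0: "Hop-by-Hop", 60: "Dest-Opts", 43: "Routing", 44: "Fragment", 51: "AH", 50: "ESP"}
RANK = {0: 1, 43: 2, 44: 3, 51: 4, 50: 5}  # Dest-Opts is exempt: it may precede Routing or come last

def ipv6_hdr(next_hdr, payload_len):
    """Constructed 40-byte IPv6 header (version 6, hop limit 64, zeroed addresses)."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 64) + bytes(32)

def check_chain(pkt):
    """Walk the extension-header chain of one raw IPv6 packet and return a list of findings."""
    findings, seen, last_rank, frag = [], [], 0, None
    nh, off = pkt[6], 40
    while nh in EXT and off + 8 <= len(pkt):          # assumption: every extension header is >= 8 octets
        seen.append(nh)
        limit = 2 if nh == 60 else 1
        if seen.count(nh) > limit:
            findings.append(f"{EXT[nh]} header occurs more than {limit}x")
        if nh != 60:
            if RANK[nh] < last_rank:
                findings.append(f"{EXT[nh]} header out of recommended order")
            last_rank = max(last_rank, RANK[nh])
        if nh == 50:                                    # ESP: the rest is encrypted, stop walking
            return findings
        if nh == 44:                                    # Fragment: 13-bit offset, 2 reserved bits, M flag
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
        nxt = pkt[off]
        off += 8 if nh == 44 else (pkt[off + 1] + 2) * 4 if nh == 51 else (pkt[off + 1] + 1) * 8
        nh = nxt
    if frag is not None:
        offset, more = frag >> 3, frag & 1
        if offset == 0 and not more:
            findings.append("atomic fragment (offset 0, M=0)")
        if offset == 0 and more and (nh in EXT or off >= len(pkt)):
            findings.append("first fragment carries no upper-layer header")
        if more and len(pkt) < 1280:
            findings.append(f"non-final fragment of only {len(pkt)} octets")
    return findings

# Constructed samples: a plain Hop-by-Hop + TCP packet, and a first fragment whose header
# chain repeats Hop-by-Hop after the Fragment header and never reaches the TCP header.
BENIGN = ipv6_hdr(0, 28) + struct.pack("!BB", 6, 0) + bytes(6) + bytes(20)
SUSPECT = (ipv6_hdr(44, 24) + struct.pack("!BBHI", 0, 0, 1, 0x1234)
           + struct.pack("!BB", 0, 0) + bytes(6) + struct.pack("!BB", 6, 0) + bytes(6))

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_chain(pkt) or "ok")
```

A real deployment would feed `check_chain` captured frames (after stripping the link-layer header) and alert on any non-empty result.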