Abusing IPv6 Extension Headers and Fragmentation attack

by Jianjun Chen

I have read some of Antonios Atlasis’ papers these days and have a better understanding of IPv6 attacks. Now I write it here according to my understanding. Maybe my description of the attacks is not accurate and complete, so I hope you could point it out if you find it.

As is well known, when more than one extension header is used in the same packet, it is recommended that those headers appear in the following order [RFC 2460, 1998]:

● IPv6 header
● Hop-by-Hop Options header
● Destination Options header
● Routing header
● Fragment header
● Authentication header
● Encapsulating Security Payload header
● Destination Options header (for options to be processed only by the final destination of the packet)
● Upper-layer header

Apart from that, each extension header should occur at most once, except the Destination Options header, which should occur at most twice.

As we shall see, packets that break these rules can work to an attacker's advantage when combined with fragmentation, in order to bypass IDS or even firewall detection.

Case 1:

Multiple Occurrences of Various Extension Headers in an Atomic Fragment

A malformed packet such as the following should not exist, but many OSes accept it.

Case 2:

Upper Layer Protocol Header at a Fragment other than the 1st Fragment

If the upper-layer protocol (ULP) header is not in the first fragment, stateless ACLs can be bypassed. Packets such as the following pass an ordinary stateless ACL easily, and many OSes accept them.

Case 3:

Mixing Extension Headers and Sending the Upper-Layer Protocol Header at a Fragment other than the 1st

If the attacker mixes case 1 and case 2, many more variants can be created.
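The ordering and occurrence rules above, together with the first-fragment condition from case 2, can be checked per packet on the defender's side. The routine below is an added example, not code from the author or from Atlasis' papers; the names `check_chain`, `ipv6`, `hdr`, `CASE1` and `CASE2` are assumptions, and the packets are constructed samples: `CASE1` is an atomic fragment with three Destination Options headers, `CASE2` a first fragment whose TCP header is left for a later fragment.

```python
import struct

HBH, ROUTING, FRAGMENT, ESP, AH, NONXT, DSTOPT = 0, 43, 44, 50, 51, 59, 60
# Name and slot(s) in the recommended order; Destination Options has two slots.
EXT = {HBH: ("Hop-by-Hop", (0,)), DSTOPT: ("Destination Options", (1, 6)),
       ROUTING: ("Routing", (2,)), FRAGMENT: ("Fragment", (3,)),
       AH: ("Authentication", (4,)), ESP: ("ESP", (5,))}
MIN_ULP = {6: 20, 17: 8, 58: 4}  # minimum TCP, UDP, ICMPv6 header sizes

def check_chain(pkt: bytes) -> list[str]:
    """Walk the extension header chain of one raw IPv6 packet; return findings."""
    if len(pkt) < 40:
        return ["truncated IPv6 header"]
    findings, count, slot = [], {}, -1
    nh, off = pkt[6], 40  # first Next Header value, end of the fixed header
    while nh in EXT:
        name, slots = EXT[nh]
        count[nh] = count.get(nh, 0) + 1
        free = [s for s in slots if s > slot]
        if count[nh] > len(slots):
            findings.append(f"{name} header occurs {count[nh]} times")
        elif free:
            slot = free[0]
        else:
            findings.append(f"{name} header out of recommended order")
        if off + 8 > len(pkt):
            return findings + [f"{name} header cut off"]
        if nh == ESP:  # everything after ESP is encrypted
            return findings
        if nh == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return findings  # non-first fragment: payload is mid-stream data
        if nh == FRAGMENT:
            hlen = 8
        else:  # AH counts 4-octet units minus 2, the others 8-octet units minus 1
            hlen = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    if nh != NONXT and len(pkt) - off < MIN_ULP.get(nh, 1):
        findings.append("upper-layer header not in this packet or first fragment")
    return findings

# Constructed sample builders, not captured traffic. hdr() is an options header
# filled with Pad1, or a Fragment header when b3 sets its offset/M low byte.
def ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + bytes(32) + payload
def hdr(nh: int, b3: int = 0) -> bytes:
    return bytes([nh, 0, 0, b3, 0, 0, 0, 0])

CASE1 = ipv6(DSTOPT, hdr(FRAGMENT) + hdr(DSTOPT) + hdr(DSTOPT) + hdr(6) + bytes(20))
CASE2 = ipv6(FRAGMENT, hdr(DSTOPT, 1) + hdr(6))
```

The routine looks at one packet at a time, so overlapping fragments (case 4) are outside what it can see; that needs reassembly state.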

Case 4:

Creating Overlapping Extension headers

Another well-known attack technique is to use overlapping extension headers.

Case 5:

Transfer of arbitrary data at the IP level

If we put arbitrary data into such a header using this specific Options Type, the data will be transferred even if it does not form a valid packet. But many OSes accept these packets, and many IDSes don’t inspect the data in extension headers.

Case 6:

Using small fragmentation

Although the use of IPv6 fragmentation is discouraged by not allowing fragments smaller than 1280 octets, all major OSes accept such small fragments.