Project Slot 13 - Improving IPv6 Attack Detection

Student: Jianjun Chen (CN)
Primary mentor: Tan Kean Siong (MY)
Backup mentor: Xu Weilin (CN/US)

Google Melange: https://www.google-melange.com/gsoc/proposal/review/google/gsoc2013/jianjunchen/1

Project Overview:
The goal of the project is to improve the detection mechanisms of the current IPv6 honeypot (6Guard) so that it covers the latest IPv6 attacks, collects the results and logs them properly. 6Guard can already detect certain IPv6 attacks, but a number of new IPv6 attack techniques have been published and new tools released since last year, so the detection mechanism needs to be extended. For example, it should be able to fully detect attack scenarios that use various extension header combinations, fragmentation tricks, RA-Guard bypass techniques, packet flooding DoS attempts and so on. We also need a proper logging mechanism for the collected results, e.g. a database, to allow better analysis of the results.

Project Plan:

  • May 27th - June 17th: Community Bonding Period
  • June 17th: GSoC 2013 coding officially starts
  • June 17th - July 1st: Write a standalone module to check the packet extension headers in detail and add it to 6Guard
  • July 2nd - July 16th: Write a standalone module to reassemble normal fragments and add it to 6Guard
  • July 17th - July 31st: Write a standalone module to reassemble overlapping fragments and add it to 6Guard
  • July 9th - July 28th: Write more standalone modules to detect more new attacks in THC-IPv6
  • July 29th - August 2nd: Submit the mid-term evaluation to Google
  • August 3rd - August 23rd: Write a log module and improve the logging mechanism of 6Guard
  • August 24th - September 19th: Write more standalone modules to detect more new attacks in Nmap and other tools
  • September 20th - September 27th: Submit sample code to Google
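As an added illustration of what the extension-header and fragment modules above have to do (example code written for this page, not 6Guard's code or anything from the project repository), the following pure-Python snippet walks the header chain of a raw IPv6 packet and flags the irregularities a honeypot should report: a Hop-by-Hop header that is not first, repeated extension headers, a truncated chain, and a first fragment whose upper-layer header has been pushed into a later fragment (the pattern used by the fragmentation-based RA-Guard evasion). A second function reports overlapping fragments for one reassembly queue. The addresses, fragment identification and sample packets are constructed for the example; the header-type constants are the IANA protocol numbers.

```python
"""Extension-header chain and fragment checks for an IPv6 honeypot.
Added example (not 6Guard's code); pure Python, no Scapy dependency."""
import struct

IPV6_HDR_LEN = 40
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
ICMPV6, TCP, UDP = 58, 6, 17
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
# Smallest upper-layer header a first fragment must still be able to hold.
MIN_UPPER_LEN = {ICMPV6: 4, TCP: 20, UDP: 8}


def walk_chain(pkt):
    """Walk the header chain of a raw IPv6 packet.

    Returns (headers, upper, frag, off): ordered extension header types, the
    upper-layer protocol (None if the chain is cut off or this is a non-first
    fragment), (fragment_offset_units, more_flag) or None, and the byte
    offset at which the upper-layer header starts (or would start).
    """
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, headers, frag = pkt[6], IPV6_HDR_LEN, [], None
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):            # every extension header is >= 8 bytes
            return headers, None, frag, off
        headers.append(nh)
        if nh == FRAGMENT:
            nh, _, fo_flags, _ = struct.unpack_from("!BBHI", pkt, off)
            frag, off = (fo_flags >> 3, bool(fo_flags & 1)), off + 8
            if frag[0] != 0:              # non-first fragment: only data follows
                return headers, None, frag, off
            continue
        nh, hlen = pkt[off], pkt[off + 1]
        # AH length is in 4-octet units minus 2; option headers in 8-octet units minus 1.
        off += (hlen + 2) * 4 if headers[-1] == AH else (hlen + 1) * 8
        if off > len(pkt):                # declared length runs past the packet
            return headers, None, frag, off
    return headers, nh, frag, off


def inspect_packet(pkt):
    """Return alert strings for one raw IPv6 packet; [] means nothing suspicious."""
    headers, upper, frag, off = walk_chain(pkt)
    alerts = []
    if HOPOPT in headers[1:]:
        alerts.append("Hop-by-Hop Options header not immediately after the IPv6 header")
    for h in sorted(set(headers)):
        limit = 2 if h == DSTOPTS else 1  # Destination Options may legitimately appear twice
        if headers.count(h) > limit:
            alerts.append(f"extension header {h} appears {headers.count(h)} times")
    first_frag = frag is not None and frag[0] == 0 and frag[1]
    if upper is None:
        if frag is not None and frag[0] != 0:
            pass                          # non-first fragment: nothing to judge yet
        elif first_frag:
            alerts.append("first fragment does not contain the whole header chain")
        else:
            alerts.append("truncated extension header chain")
    elif first_frag and len(pkt) - off < MIN_UPPER_LEN.get(upper, 0):
        # Chain is complete, but the upper-layer header itself sits in the next
        # fragment, so a filter looking at the first fragment never sees it.
        alerts.append("first fragment does not contain the upper-layer header")
    return alerts


def overlapping_fragments(frags):
    """frags: (offset_in_8_octet_units, payload_len, more) for each fragment of
    one (src, dst, identification) queue. Returns the overlapping byte-range pairs."""
    spans = sorted((o * 8, o * 8 + n) for o, n, _ in frags)
    return [(a, b) for i, a in enumerate(spans) for b in spans[i + 1:] if b[0] < a[1]]


# --- constructed sample packets (not captures) ---------------------------------
SRC = bytes.fromhex("fe80" + "00" * 13 + "01")   # fe80::1
DST = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1


def ipv6(nh, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 255) + SRC + DST + payload


def opts_hdr(nh, units=0):
    """Hop-by-Hop/Destination Options header of (units+1)*8 bytes holding one PadN."""
    total = (units + 1) * 8
    return bytes([nh, units, 1, total - 4]) + bytes(total - 4)


def frag_hdr(nh, offset_units, more, ident):
    return struct.pack("!BBHI", nh, 0, (offset_units << 3) | int(more), ident)


ICMP_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)     # checksum left 0, not validated here
ICMP_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
BENIGN = ipv6(ICMPV6, ICMP_ECHO)
BAD_CHAIN = ipv6(DSTOPTS, opts_hdr(HOPOPT) + opts_hdr(HOPOPT) + opts_hdr(ICMPV6) + ICMP_ECHO)
RA_BYPASS_FIRST = ipv6(FRAGMENT, frag_hdr(DSTOPTS, 0, True, 0xABCD) + opts_hdr(ICMPV6))
RA_BYPASS_SECOND = ipv6(FRAGMENT, frag_hdr(DSTOPTS, 1, False, 0xABCD) + ICMP_RA)

if __name__ == "__main__":
    for name in ("BENIGN", "BAD_CHAIN", "RA_BYPASS_FIRST", "RA_BYPASS_SECOND"):
        print(name, inspect_packet(globals()[name]))
    print(overlapping_fragments([(0, 24, True), (2, 16, True), (3, 8, False)]))
```

The chain walker deliberately stops at a non-first fragment, because what follows the Fragment header there is payload, not headers; the RA-Guard evasion case is caught on the first fragment instead, by checking that the bytes left after the chain can hold at least a minimal upper-layer header. A real module would additionally validate option TLVs, the Routing header type, checksums and a reassembly timeout, none of which this example attempts.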

    Project Deliverables:
    The new version of 6Guard will be able to detect attacks from the latest thc-ipv6 tools, nmap and other tools, including the abuse of extension headers and fragmentation attacks. In addition, 6Guard will have a solid, easy-to-use log module to record the attack information.

    Project Source Code Repository:
    https://github.com/chenjj/ipv6-attack-detector

    Student Weekly Blog: http://www.honeynet.org/blog

    Project Useful Links:
    Black Hat 2012 Europe - Attack IPv6 Implementation Using Fragmentation
    Attacking the IPv6 Protocol Suite - THC
    2013 - IPv6 Attacks and Countermeasures presentation at the North American IPv6 Summit
    A Complete Guide on IPv6 Attack and Defense

    Project Updates:

    June 24th

    Done last week:

    • Fixed a bug in 6Guard with stopping it using Ctrl+C
    • Tested 6Guard to ensure its stability
    • Read some papers about the IPv6 extension headers

    Plan for next week

    • Develop a patch to check the extension headers
    • Test 6Guard with some tools