As the end of GSoC 2012 will come in the next few days, i am proud to announce IPv6-guard. IPv6-guard is an IPv6 attack detector tool including some defense mechanisms to protect against most of recent attacks on ipv6 protocol suite.
2.1 How it works
At first, the tool will gather “genuine” informations of connected network. Those information includes IP and MAC address of neighbors and routers on the network.After first time run, IPv6-guard will save this information to use later, if anything has change,it will ask for confirmation ( User can edit “/data/genuine.info” to add more interface if need). If the network is under attack, some invalid information might be detected and it will ask you to verify what information is “genuine”. IPv6-Guard will use collected information and signatures against every received packet to detect and mitigate IPv6 attacks from the network.
This feature detect flood on a target with random neighbor advertisements. It is based on configured packet rate and a few heuristic algorithms.
• fake_router6 or flood_router6
This is an example to detect fake_router6 attack by announcing a host as a router on the network with the highest priority. To protect host against this attack, the tool will send a packet with routerlifetime=0 to reset that fake router and invalid route in routing table.
Also, when this attack is occured, the tool will also clean up host interface using “genuine” information collected earlier.
Detect smurf6 attack in which using our ip address with another MAC address.
2.3 Supported Attack Detections
Currently, this tool could detect various IPv6 attacks including:
• parasite6: icmp neighbor solitication/advertisement spoofer
• fake_router6: fake router address (mitm)
• flood_router6: flood router advertisement packet
• flood_advertise6: flood neighbor advertisement packet
• fake_advertiser6: fake neighbor ip (mitm)
• smurf6: flood icmp echo packet
• rsmurf6: remote smurfer
• fuzz_ip6: flood ipv6 packet
• fake_mld6: fake multicast group
• sendpees6: Generates a neighbor solicitation requests with a lot of CGAs.
For protection, some simple methods are being implemented such as
• Reset routerlifetime to delete fake route in routing table
• Clear all invalid entries on attacked interface
This tool includes a configuration file to detect attacks from thc-ipv6 tool. If another tool using similar techniques with different packet rate, you could add a new section for it
2.6 Future Works
• Improve detection method to lower false positive chance
• Improve protection method
-Check out at: http://code.google.com/p/ipv6-guard/
4. Final words
• Thanks Google for such a program for student
• Thanks Honeynet Project for this cool project
• Thanks Thanh Nguyen for help me finish this project