SLAAC Attack – 0day Windows Network Interception Configuration Vulnerability

This article describes a proof of concept of an interesting application of IPv6. I’m going to show you how to impose a parasitic IPv6 overlay network on top of an IPv4-only network so that an attacker can carry out man-in-the-middle (MITM) attacks on IPv4 traffic.

So watch your six :wink:

Haven’t read the whole article yet so have no advise on how to mitigate this except for disabling IPv6 or enabling IPv6 on CIS FW.

I think it would be safe to assume that if you aren’t already utilizing IPv6, then check it off on all your network adapters. Problem solved. I wouldn’t even rely on the IPv6 filtering on CIS.

Read this post by former moderator Toggie about how to completely disable IPv6.

Good job Eric. I forgot about that registry entry.

An interesting article and unfortunately, well known. It does, however, continue to raise much needed awareness of a potential problem with poorly administered networks and some inherent risks associated with allowing someone physical access. In essence, this attack would be similar to introducing a rogue DHCP server into a ipv4 network.

With regard to mitigating this attack via CIS, we have a small problem, as CIS currently doesn’t differentiate between icmpv6 types, so we either have to block all icmpv6 or none. The former will cause problems elsewhere and the latter is less than ideal.

We can or course choose to disable ipv6 and for a lot of people, at least at this time, this is reasonable advice, however, we can’t continue to ignore it. One option, without disabling the entire stack, would be to disable router advertisements, via netsh:

netsh interface ipv6 set interface “Local Area Connection” routerdiscovery=disabled

Additional reading:
RFC 5006 - IPv6 Router Advertisement Option for DNS Configuration …
RFC 6104 - Rogue IPv6 Router Advertisement Problem Statement - The …
RFC 6105 - IPv6 Router Advertisement Guard
RFC 6106 - IPv6 Router Advertisement Options for DNS Configuration
RFC 3041 - Privacy Extensions for Stateless Address Autoconfigur …
RFC 3971 - SEcure Neighbor Discovery (SEND) (RFC3971)

Edit: forgot I had this Attacking the IPv6 Protocol Suite (PDF)

Disabling IPv6 will disable Windows Homegroup as well… not really the ideal solution. Question: If the router only supports IPv4, is there still danger of getting hit by this?

Indeed, Windows 7 Homegroups are one of the things that will fail, if ipv6 is completely disabled.

With regard to this specific attack type, unless you foresee a rogue router being placed on your LAN, it’s not the most important potential attack vector for the home user.

If you wish to use ipv6, you can simply disable the tunnelling components, such as Teredo. This will close the door on some attacks that can exploit these avenues, but will let you use Homegroups.

If you don’t have native ipv6 from your ISP, but still wish to use the ipv6 Internet, you can always use a tunnel from a broker such as HE. Doing so is a lot safer than using Teredo.