IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks

Datetime:2016-08-22 21:40:32          Topic:          Share

Juniper Networks has found and mostly patched a flaw in the way the firmware on its routers process IPv6 traffic, which allowed malicious users to simulate Direct Denial of Service attacks.

The vulnerability, which seems to be common to all devices processing IPv6 address, meant that purposely crafted neighbour discovery packets could be used to flood the routing engine from a remote or unauthenticated source, causing it to stop processing legitimate traffic, and leading to a DDoS condition.

According to Juniper's advisory report :

The crafted packet, destined to the router, will then be processed by the routing engine (RE).  A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out.

Note that this is similar to the router's response to any purposeful malicious IPv6 ND flood destined to the router. The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing. Additionally, due to the routable nature of the crafted IPv6 ND packet, the attack may be launched from beyond the local broadcast domain.

The bug was first spotted in late May, when it was isolated in the firmware Cisco deploys to run IPv6 routers. Cisco released workarounds and a partial fix in July , though these are still marked as being on an "interim" basis. Juniper's hotfixes, meanwhile, were made available yesterday evening . Both firms have reported the issue, and a fix should be forthcoming in a future release of IPv6.

According to Cisco, "any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability."

The 20-year-old IPv6 protocol is slowly catching on around the world as the system it was designed to replace, IPv4, is rapidly running out of unused public addresses. There's much still to be done, however, with the UK only 10.5 percent migrated onto the newer 128-bit system, putting it in 15th place overall in the world .

Belgium is the only major country to have made significant inroads, with 42.1 percent of its traffic now using IPv6; the US has just over a fifth of its addresses migrated, but China, which has more than 710 million Internet users, is nowhere, with just 0.4 percent of its traffic using it. Sky and BT have major plans to bring the bulk of their user bases onto the new architecture by the end of 2016.