Evading Intrusion Detection/Prevention Systems by Exploiting IPv6 Features

March 16, 2015 (at 1:45 p.m.)

During the last year we had the chance to test and evade several high-end commercial and open-source Intrusion Detection/Prevention Systems (IDPS) by combining IPv6 Extension Headers, Next Header values and fragmentation. Specifically, we came across with about a dozen of different ways or variants of techniques, all of them 0-day at the time of their finding, that can be used for such a purpose. In this talk, first we will review these methods and then, we will discuss their concept. We will also present an update of their status to find out if some of the tested devices still suffer from the discovered vulnerabilities (all of them were reported to the vendors promptly). Live demos will demonstrate the ease of the methods as well as their generic applicability (from port scanning to web hacking). Finally, a discussion will be triggered regarding potential mitigation techniques as well as the necessity of existence of all these IPv6 “handy” (from the attackers' perspective) features.

This is an update of the talk we gave a Black Hat US and Black Hat EU. It is planned to have half of the time slot available for discussion and practical demonstrations, so the participants can understand the techniques in detail. All the tested devices will be available in the room.

Antonios Atlasis

Antonios Atlasis is an IT Security researcher with a special interest in IPv6 (in)securities. His work has been presented in several IT Security conferences and it has resulted in the discovery of various IPv6-related vulnerabilities. He is the author of Chiron, an IPv6 specialized and very flexible security assessment tool.

Rafael Schaefer

Rafael has studied computer science with a specialization in telecommunication at the Bonn-Rhein-Sieg University of Applied Sciences (Department of Computer Science). His research interests include network and IPv6 security issues. He wrote his (highly rated) bachelor thesis on “IDS – Recognition and Validation of IPv6 Extension Header” and works as a security analyst at ERNW GmbH. He has presented on IPv6 security issues at several occasions, incl. Black Hat Sao Paulo, Black Hat Asia, Black Hat Europe, Troopers and Hack.lu.