DEFCON 2010

Who Cares About IPv6?

Abstract: What is IPv6? Why should you care? If we ignore it, will it just go away? The current Internet Protocol numbering scheme, IPv4, is nearing its end-of-life. Within two years, all the IPv4 numbers will be allocated, so that new devices will not be able to connect directly to the Internet. We all will be forced to adapt to the new IPv6 system soon. But how can we get started? This talk explains why IPv6 is necessary, how it works, and how everyone can quickly and easily start using it now. I will explain and demonstrate how to set up a free tunnel to access the Internet via IPv6. I will also explain the Hurricane Electric IPv6 certifications. The certifications are great because they guide a novice through the stages of IPv6 knowledge: connecting as a client, setting up an IPv6-enabled Web server, email server, DNS server, and glue records. There are large security implications to IPv6 too. I will explain several important IPv6 vulnerabilities and countermeasures, including auto-configuration privacy risks, torrents over IPv6, bypassing VPNs with IPv6, Routing Header Zero packet amplification attacks, and the ping-pong IPv6 DoS vulnerability. My goal is to convince the audience to pay attention to IPv6 and to guide them to an easy way to start learning about it and using it now. All my students at City College San Francisco will have IPv6 homework from now on--you need to get on board now or be left behind!

Links

Defcon-talk 1: crowded-train.jpg
Defcon-talk 2: Essential Next Steps in the US Government Transition to Internet Protocol version 6 (IPv6) (pdf)
Defcon-talk 3: IPv4 Address Report
Defcon-talk 4: DoD IPv6 Timeline
Defcon-talk 5: gogo6 | IPv6 products, community and services
Defcon-talk 6: SixXS - IPv6 Deployment & Tunnel Broker
Defcon-talk 7: Hurricane Electric Free IPv6 Tunnel Broker
Defcon-talk 8: Scanning on IPv6 with THC-IPv6
Defcon-talk 9: utorrent app now supports IPv6/teredo directly
Defcon-talk 10: Routing Header Zero Packet Amplification Vulnerability
Defcon-talk 11: The ping-pong phenomenon with p2p links
Defcon-talk 12: Hurricane Electric Free IPv6 Certification

DEFCON 2009 Materials

Hijacking Web 2.0 Sites with SSLstrip and Slowloris--Hands-on Training

sslstrip PowerPoint
Slowloris PDF
SSLstrip Instructions
Wall of Stripped Sheep
Slowloris Instructions

Hijacking Web 2.0 Sites with SSLstrip and Slowloris

Sam Bowne
Instructor, City College San Francisco, Computer Networking and Information Technology Department

Many Websites mix secure and insecure content on the same page, like Facebook. This makes it possible to steal all the data entered on such a page easily, using Moxie Marlinspike's SSLstrip tool. I will explain and demonstrate this attack. Slowloris is a very new layer 7 denial-of-service attack created by RSnake that stops Apache web servers completely with very low bandwidth--one packet every 2 seconds. The Apache developers were notified of this vulnerability and decided it was unimportant and not worth patching. I will explain and demonstrate this attack, and discuss various ways to protect your Apache servers. I will provide complete instructions so that anyone can easily set up both these attacks on their own machines.

Last modified: 6-30-10