New RA Flood Attack

Killing Mavericks

Killing Lion

Windows 8.1 Survives!

Older Contents (2012)

  1. Killing Mac OS X and Windows Server 2012
  2. Microsoft's IPv6 Readiness Update
  3. Wireless: Injuring the iPad 3
  4. Killing Mac OS X Reliably with a better switch
  5. Wireless: Freezing the iPad Mini
  6. BayThreat 3 Talk
  7. Killing Mac OS X with a Crossover Cable
  8. Killing Mac OS X on a Wireless LAN
  9. Notifying Apple
  10. IPv6 Attack Kills MacBook Air & 3 iPads
  11. Freezing an Android Phone With an IPv6 Attack
  12. Google Notified
  13. Killing the Microsoft Surface with an IPv6 Attack

Killing the Microsoft Surface with a Wireless IPv6 Attack

This attack is realistic and practical, although somewhat sloppy in concept. The attacker is a MacBook Air running Backtrack in VMware, on a WPA-encrypted 802.11g network. The target is a Microsoft Surface. Although the Mac is not immune from this attack, under these conditions the attack does not kill the Mac, but it kills the Surface.

You can get the attack script at http://pastebin.com/aXUxBXxk

To use it, first download and compile thc-ipv6-2.0.

BE GOOD--don't attack any devices without proper authorization.

Google Notified

I sent this message to security@android.com:
Hello:

I have been studying IPv6 vulnerabilities for a few years, and they were a large problem for Windows but not for the Mac or Linux.

But with the recent release of thc-ipv6-2.0 that has all changed. The new RA flood tool freezes an Android device, as shown in the videos here:

http://samsclass.info/ipv6/proj/RA_flood2.htm

I think you should be aware of this. It might be good to block excessive RA packets with a firewall, or implement some other countermeasure.

--Sam Bowne
City College San Francisco

Freezing an Android Phone With an IPv6 Attack

A slightly modified version of the attack, used on an Android phone. It also kills the Mac and the iPad 1, all on a 2.4 GHz wireless network.

IPv6 Attack Kills MacBook Air & 3 iPads

This is an improved Router Advertisement flood attack: First it simulates ten normal routers, and then sends the new flood_router26 RA flood. That makes it much more effective against all Apple devices we have tried. As the video shows, it can now kill four devices at once via a wireless network.

Notifying Apple

The new version of the attack is powerful enough that I decided to formally notify Apple. I don't expect them to care much--Microsoft certainly didn't think this was important to them, and Windows is much more vulnerable.

But I wanted to make sure they knew, so I sent this message to product-security@apple.com:

Hello:

I have been studying IPv6 vulnerabilities for a few years, and they were a large problem for Windows but not for the Mac.

But with the recent release of thc-ipv6-2.0 that has all changed. It can bring a Mac down in seconds, as shown in the videos here:

http://samsclass.info/ipv6/proj/RA_flood2.htm

I think you should be aware of this. It might be good to block excessive RA packets with a firewall.

--Sam Bowne
City College San Francisco

Killing Mac OS X on a Wireless LAN

This is even more exciting: a wireless attack powerful enough to kill the Mac. Just as in the video below, six simulated routers are sending router advertisements to the target at one RA per second, and a seventh process sends a flood of RAs. The Mac dies in seconds.

Killing Mac OS X with a Crossover Cable

This is a major advance in the attack: the essential ingredient is routers on the network, not a fast flood. With six simulated routers and one process running the flood, the Mac OS X dies in seconds reliably, even in a very simple network consisting of a crossover cable.

This makes the attack MUCH more practical than the one I demonstrated at BayThreat, which required an expensive and bulky switch and a separate router.

Data Breaches and Password Hashes WITH the New IPv6 RA Flood Attack

This is a talk I gave at BayThreat 3. First I discuss other issues, then I gave a live demo of the IPv6 attack killing Mac OS X and Windows 8, which WORKED, thanks to K. Yang who set it up and was extremely helpful designing and performing the attack.

The IPv6 attack starts in Part 2.

Videos: Part 1       Part 2       Part 3      

Wireless: Freezing the iPad Mini

The iPad Mini is more vulnerable than the iPad 1 or the iPad 3, as shown in this video. But adding a second iPad to the wireless LAN reduces the attack effect greatly. This is interesting because it's the opposite of what we see in a wired network, where adding a router to the LAN is necessary to kill the Mac OS X reliably.

Killing Mac OS X Reliably with a better switch

We used a business-class Gigabit switch, a Vyatta router on the LAN, and a Gigabit adapter on the Mac OS X.

This kills the Mac OS X reliably, showing a crash of the Ethernet adapter so it stops configuring addresses, followed by the whole OS freezing.

Wireless Attack on iPad 3

We finally got a wireless version of the attack working. It isn't powerful enough to kill any device we tested reliably, but it makes the iPad 3 run slowly and some apps crash, and the whole OS crashes sometimes.

The other devices we tested were Windows 8, iPad 1, and MacBook Air. They all slowed down during the attack, but remained usable. The iPad 1 was the most resistant to this attack, all it did was consume about 10% - 20% of the CPU, making no significant difference in its performance.

Posted 11-30-12

Microsoft's IPv6 Readiness Update

Microsoft's IPv6 Readiness Update greatly alleviates this vulnerability:

http://support.microsoft.com/kb/2750841

However, it's only available for Win 7 and Win Server 2008 R2. In addition, it only provides partial protection: a patched machine freezes totally during the attack, but recovers quickly when it stops. It is possible to do better--Ubuntu Linux completely shrugs off the attack, adding a few new IPv6 addresses and showing no deleterious effect at all.

Here's a video showing the attack killing Windows 8, Server 2008, and Mac OS X:

Here's a video showing the extent to which the Microsoft IPv6 Readiness Update protects Windows 7 and Server 2008 R2. It also shows the attack's effect on Windows XP and Ubuntu Linux.

Details of an earlier test using virtual machines are here.

Killing Mac OS X and Server 2012

We tested the new attack from Marc Hause, and it is MUCH more powerful. It kills Mac OS X and Server 2012 in a few seconds, as shown in the video below:

How it Works

Here is a captured packet from the previous, weaker attack that the flood_router6 tool uses.

It's a normal RA, with these ICMPv6 Options:

Here's a captured packet from the newer attack, shown in two images because it's too big to fit in one.

It's a normal RA, with these ICMPv6 Options:

So each packet burdens the recipients a lot more.

I think Microsoft and Apple need to pay attention this time, because this one crashes the Mac, and it makes Server 2012 restart, which makes me suspect it could be exploited further, perhaps into a remote code execution attack.

Packet Captures

Here is a PCAP file with one new RA and one of the old type:

RAs.pcap

References

My previous page about the old attack, with mitigation recommendations:
http://samsclass.info/ipv6/proj/flood-router6a.htm

Marc Hause's slides presenting thc-ipv6 version 2
http://conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf

Step-by-step instructions for testing the older tool
http://samsclass.info/ipv6/proj/projL9-flood-router.htm

First posted: 7:30 am 11-20-12 by Sam Bowne

Page reorganized with Contents section 11-30-12 10:36 am

New videos 4 and 5 added 12-5-12

BayThreat Videos added 12-8-12 11:19 pm

Attacks on the Mac OS X with simulated routers added 7:45 pm, 12-10-12.

Apple notified 12-11-12

3 iPads video added 11:37 PM 12-11-12

Android attack and Google notification added 4:36 PM 12-12-12

Microsoft Surface attack added 7 am 12-15-12

Mavericks & Win 8.1 added 11-12-13