Windows 7 Networks Vulnerable to RA DoS Attack
This has to be seen to be believed. In this video, Sam Bowne, of the City College San Fransisco, shows how rogue IPv6 Router Advertisements can crash all Windows IPv6 enabled systems on your network.
Sam (and others) notified Microsoft of the problem, only to be told that it was a known issue and Microsoft has no plans on patching it! It can be found on the DHS US-CERT Vulnerability Database as CVE-2010-4669.
Sam has an excellent Executive Summary on his site explaining the problem, and several remedies including:
- Disable IPv6. This is drastic, and will break services you may want, such as HomeGroups and DirectAccess. But it will protect you.
- Turn off Router Discovery — this is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It’s probably appropriate for servers, but not as good for client machines.
- Use a firewall to block rogue Router Advertisements, while still allowing them from your authorized gateway. This is the most precise solution, but it is easily defeated.
- Get a switch with RA Guard — details here: http://goo.gl/PlVlt
Check out Sam’s site for more information.