Windows 7 Networks Vulnerable to RA DoS Attack

This has to be seen to be believed. In this video, Sam Bowne, of the City College San Fransisco, shows how rogue IPv6 Router Advertisements can crash all Windows IPv6 enabled systems on your network.

Sam (and others) notified Microsoft of the problem, only to be told that it was a known issue and Microsoft has no plans on patching it! It can be found on the DHS US-CERT Vulnerability Database as CVE-2010-4669.

Sam has an excellent Executive Summary on his site explaining the problem, and several remedies including:

  • Disable IPv6. This is drastic, and will break services you may want, such as HomeGroups and DirectAccess. But it will protect you.
  • Turn off Router Discovery — this is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It’s probably appropriate for servers, but not as good for client machines.
  • Use a firewall to block rogue Router Advertisements, while still allowing them from your authorized gateway. This is the most precise solution, but it is easily defeated.
  • Get a switch with RA Guard — details here: http://goo.gl/PlVlt

Check out Sam’s site for more information.

So what is IPv6 Anyways, and why Should I care?

TCP/IP is the communication protocol that the internet and most computer networks use. Even a lot of phones use it now. It is basically the language that systems use to talk to each other.

The current version of the protocol that we are using is IPv4. IP stands for “Internet Protocol”, and it is the 4th revision of the language.

Every device connected to the internet has an address so it can be found by other systems. It is called an IP Address.

A sample address is 72.43.32.2
If you type this address into your web browser you will end up at iCorning.com.

One of Google’s several addresses is 74.125.225.18
Same thing, if you type this in, you end up at Google.

A system exists called DNS that converts these numbered addresses to the more human readable addresses that we are used to using.

When IPv4 was created it allowed for about 4.3 billion addresses. Which seemed a lot at the time, but this was a long time ago, before there were smart phones and internet connected devices, and before many third world countries were starting to hook systems up to the web.

Now, new IPv4 addresses are all but depleted.

IPv6 was created to fix this issue, and to address some of the security issues in IPv4. There are 2^128 IPv6 Addresses, that is, oh roughly:

340,282,366,920,938,463,463,374,607,431,768,211,456 unique IPv6 adresses.
So we shouldn’t be running out anytime soon.

They look something like this:
fe80:0000:0000:0000:ad64:ca16:cf86:6ec6

The problem is that the US is switching to IPv6 very slowly. I believe that we are behind China and Japan in the switchover. And many US companies have no immediate plans to even make the transition. Google currently has a single Linux box set up to handle the IPv6 Google traffic. But eventually we will all be using IPv6.

This is a response that I wrote to a forum question about IPv6 on iElmira.com.

How to configure IPv6 and get IPv6 Certified with Sam Bowne

IPv4 addresses are running out rapidly, the switch to IPv6 is inevitable.

This is Part One of Sam Bowne’s How to Configure IPv6 class. Learn about the problem with IPv4 addresses running out and a great intro to IPv6. The class also walks you through obtaining one of the only existing IPv6 certifications through Hurricane Electric.

Sam Bowne is a professor at the City College of San Francisco, and shares a lot of his ethical computer class information on his website Sams Class Info. He also speaks at several industry security conferences.

This video is from the Convergence Technology Center’s Winter Retreat, at Collin College in Frisco Texas from December 16, 2010.

IPvX: A Better Replacement for IPV4 than IPv6?

Sam Bowne, IT instructor at City College of San Francisco, has a very interesting page on his site entitled: IPvX: Better than IPv6?

Apparently the question was asked at the recent Defcon conference, “Why isn’t IPv6 backwards-compatible with IPv4?”

Well, that is a pretty good question, and Bill Chimiak just might have the answer. With IPv4 addresses rapidly depleting, many companies are looking at converting to IPv6. Bill has created a proposal for an IPv4 replacement that could save a lot of time, money and effort compared to what would be needed if companies switched to IPv6.

A draft RFC can be found on Sam’s site and a help wanted add:

Right now, this is just a fantastic idea. We need help to make it real. Here are the immediate needs:

  • Criticism: if this is a bad idea, we need to know that.
  • Promotion: please help spread the word! We want everyone who cares to find out this idea quickly.
  • Coding: There aren’t any devices ready to use this system yet. We need to program end devices and routers so we can start experimenting with it. I would imagine the place to start would be to program a Linux IPvX router and client, hopefully followed quickly by a Windows port. Maybe a Python module would suffice for now.

Check it out, you might be able to able to be involved on the ground floor of the next big internet project.