Back in May of 2007, I was doing some research into IPv6. I had a single host (Windows XP SP2) and an IPv6 router (Server 2K3), and I was publishing addresses via the router. As I was publishing addresses, I started to notice that they were continually being added to the XP host; newer addresses never replaced older ones, and there seemed to be no upper limit on the number of addresses.
I decided to investigate further and set up a simple loop to publish numerous routes. Interestingly enough, every published route was received and recorded by the host. I only tested 7500 addresses, but by the end of this I was seeing some interesting results, which I've detailed in the advisory below.
Given the results, I decided to contact the MSRC and report it. Since Microsoft's current stance is that Denial of Service is a stability issue and not a vulnerability (I guess we've removed the A from CIA), they weren't releasing a security advisory for this but instead mentioned that they'd include a fix in XP SP3. They also asked that I follow their responsible disclosure guidelines and not release details until they had patched it.
Given that XP SP3 is now floating around publicly, I wanted to blog to mention this issue, so I contacted the MSRC to ensure that the fix had been included. After about a week, the response I received was that due to an extensive bug list, they decided not to include this fix.
Since I had mentioned my desire to blog on this issue, they asked that I send them my blog post for review prior to posting it. That's done, so I now present you with the mini-advisory that I wrote and shared internally almost 12 months ago. It's nothing amazing on a single XP host, but it is obviously an issue.
--- Original Mini-Advisory (Sent to Microsoft) ---
Title:
Minor Denial of Service via IPv6 Address Publication
Background:
An IPv6 router (in this case a 2K3 server) advertises every route it has been told to publish: each published prefix is carried as a Prefix Information option in the router's periodic ICMPv6 Router Advertisements (sent to the all-nodes multicast address ff02::1), and every host on the link that does stateless address autoconfiguration forms a new address from each advertised prefix and adds it to its interface. (On Server 2003 the interface has to have advertising enabled, e.g. netsh interface ipv6 set interface "Local Area Connection" advertise=enabled, before published routes appear in its advertisements.) There doesn't seem to be a limit on how many prefixes can be published: if you continually add new routes, the router continually advertises them, and every IPv6 device on the subnet listens for these advertisements and keeps adding addresses to its interface.
What I did:
On my IPv6 router I set up a simple for loop that would effectively add roughly 10,000 x 10,000 routes (two nested loops, each counting 0 through 9999) to be published, each of which would be advertised to the subnet.
Command:
C:\Documents and Settings\Administrator>for /L %k in (0, 1, 9999) DO for /L %i in (0, 1, 9999) DO netsh interface ipv6 add route 2001:db8:%k:%i::/64 "Local Area Connection" publish=yes
Results:
So far, I've added ~7500 addresses... CPU utilization on my XP machine receiving the addresses never drops below 100%. What's more interesting, though, is the output of the two commands below:
ipconfig
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
An internal error occurred: The file name is too long.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
netsh interface ipv6 show address
C:\Documents and Settings\Administrator>netsh interface ipv6 show address
Querying active state...
No entries were found.
The file name is too long.
Caveats:
It appears that this only works if the XP hosts are on the network at the time you are publishing addresses. If you add the addresses and then a new host comes online, it appears to receive only the last ~50 addresses. However, if the machine is on the network as each address is published, it seems to obtain every address published and just keeps appending them. (The ~50 figure is consistent with the size of a single Router Advertisement: each Prefix Information option is 32 bytes, so only about 45 of them fit in one unfragmented 1500-byte Ethernet frame.)
May 2008 Updates:
I decided to check other operating systems to see how they responded. I went with Server 2003 and Ubuntu (and another XP test case). The results were interesting. It seems as though other operating systems have protections against this flood built in: Server 2003 limits itself to 9600 IPv6 addresses, and Ubuntu limits itself to 16 (on Linux that cap is the per-interface net.ipv6.conf.<interface>.max_addresses sysctl, whose default is 16). Meanwhile, after 24 hours of testing using the simple for loop described above (which has its own drawbacks, including that it has to add each of these routes to the IPv6 router's own table; a program written specifically to send these multicast packets would be much more efficient), I have published over 20K addresses and the XP host is trying its hardest to pick them all up. ipconfig and netsh are unresponsive the majority of the time (every now and then they'll successfully print the addresses), and my CPU is constantly held at 100% by svchost.exe (running as SYSTEM).
This could be interesting with a large network of XP hosts and a script dedicated to publishing large quantities of IPv6 addresses, especially since these are small multicast packets with minimal amounts of data contained within them.
While you can't flood the 2K3 and Ubuntu systems, something interesting does happen: when they hit their limit they seem to just ignore future published addresses. This could be a potentially bigger problem than simple CPU exhaustion. I will state first that this discussion could be entirely theoretical at this point, as I had a single test case, but here's a thought for you. Ubuntu hits its 16-address limit and Server 2003 hits its 9600-address limit; what happens the next time a valid address is published? Neither of these hosts updated their address lists as I published new ones, suggesting you could deny hosts from learning new addresses.
This raises the question: which is the bigger security risk, flooding your client operating systems and forcing 100% CPU utilization, or ensuring your server environments can't learn new published addresses?
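The following is an added example and not code from the original post or from any of the systems it tests. It makes the Background, Caveats and May 2008 points concrete in one place: it encodes published prefixes as the Prefix Information options an RFC 4861 Router Advertisement actually carries, computes how many of them fit in one unfragmented frame (the "~50 per advertisement" caveat), parses the advertisement back the way a host or a monitoring sensor would, and applies a max_addresses-style cap of the kind the Ubuntu test ran into, reporting the point at which a host with that cap stops learning prefixes (which is also the point a detector on the segment would alert on). Only the Python 3 standard library is used; the prefixes are constructed in the same 2001:db8:k:i::/64 shape as the post's loop, nothing is sent on the wire, and the checksum field is left zero (a raw ICMPv6 socket, which needs root and is deliberately not shown, would fill it in).

```python
"""Added example (not part of the original post): build, size and inspect the
ICMPv6 Router Advertisements that carry published prefixes, and apply a
max_addresses-style cap per router. All sample prefixes are constructed."""
import ipaddress
import struct

IPV6_HEADER_LEN = 40          # fixed IPv6 header
RA_HEADER_LEN = 16            # Router Advertisement fixed part (RFC 4861 s4.2)
PIO_LEN = 32                  # Prefix Information option (RFC 4861 s4.6.2)
ND_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
PIO_FLAG_ONLINK = 0x80
PIO_FLAG_AUTONOMOUS = 0x40    # A flag: hosts form a SLAAC address from this prefix


def prefix_information_option(prefix, valid=2592000, preferred=604800):
    """Encode one published prefix as a Prefix Information option (32 bytes)."""
    net = ipaddress.IPv6Network(prefix)
    # type, length (units of 8 octets), prefix length, flags, valid, preferred, reserved
    header = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, PIO_LEN // 8, net.prefixlen,
                         PIO_FLAG_ONLINK | PIO_FLAG_AUTONOMOUS, valid, preferred, 0)
    return header + net.network_address.packed


def router_advertisement(prefixes, router_lifetime=1800):
    """ICMPv6 payload of an RA announcing the given prefixes (checksum left 0)."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    return header + b"".join(prefix_information_option(p) for p in prefixes)


def max_prefixes_per_ra(mtu=1500):
    """How many Prefix Information options fit in one unfragmented RA at this MTU."""
    return (mtu - IPV6_HEADER_LEN - RA_HEADER_LEN) // PIO_LEN


def parse_ra_prefixes(icmp):
    """Return the autoconfigurable prefixes in an RA, walking the option TLVs defensively."""
    if len(icmp) < RA_HEADER_LEN or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    offset = RA_HEADER_LEN
    while offset + 2 <= len(icmp):
        opt_type, opt_len = icmp[offset], icmp[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmp):
            raise ValueError("malformed option")   # RFC 4861 says discard the packet
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == PIO_LEN:
            plen, flags = icmp[offset + 2], icmp[offset + 3]
            addr = ipaddress.IPv6Address(icmp[offset + 16:offset + 32])
            if flags & PIO_FLAG_AUTONOMOUS:
                prefixes.append(f"{addr}/{plen}")
        offset += opt_len
    return prefixes


class PrefixBudget:
    """Per-router count of distinct SLAAC prefixes with a cap like Linux's
    max_addresses (default 16). observe() returns True once the cap is exceeded:
    the point at which a capped host stops learning and a sensor should alert."""

    def __init__(self, limit=16):
        self.limit = limit
        self.seen = {}

    def observe(self, router, icmp):
        known = self.seen.setdefault(router, set())
        known.update(parse_ra_prefixes(icmp))
        return len(known) > self.limit


if __name__ == "__main__":
    # Constructed flood in the shape the post's netsh loop produces: 2001:db8:k:i::/64
    flood = [f"2001:db8:0:{i}::/64" for i in range(100)]
    per_packet = max_prefixes_per_ra()
    budget = PrefixBudget(limit=16)
    for start in range(0, len(flood), per_packet):
        ra = router_advertisement(flood[start:start + per_packet])
        print(f"RA of {len(ra)} bytes carries {len(parse_ra_prefixes(ra))} prefixes; "
              f"router fe80::1 over cap: {budget.observe('fe80::1', ra)}")
```

The arithmetic in max_prefixes_per_ra is the whole story behind the "last ~50" caveat: 1500 - 40 - 16 leaves 1444 bytes, or 45 full prefix options per advertisement, so a newly joined host can only learn that many from a single RA, whereas a host that is present for every periodic advertisement accumulates them all. The PrefixBudget check is the defender's side of the same flood: run over RAs captured on a segment (one sensor per VLAN), it flags a router that announces more autoconfigurable prefixes than any legitimate one should, before client CPUs are pegged or capped servers silently stop learning.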