New RA Flood Attack
Windows 8.1 Survives!
Older Contents (2012)
- Killing Mac OS X and Windows Server 2012
- Microsoft's IPv6 Readiness Update
- Wireless: Injuring the iPad 3
- Killing Mac OS X Reliably with a better switch
- Wireless: Freezing the iPad Mini
- BayThreat 3 Talk
- Killing Mac OS X with a Crossover Cable
- Killing Mac OS X on a Wireless LAN
- Notifying Apple
- IPv6 Attack Kills MacBook Air & 3 iPads
- Freezing an Android Phone With an IPv6 Attack
- Google Notified
- Killing the Microsoft Surface with an IPv6 Attack
Killing the Microsoft Surface with a Wireless IPv6 Attack
This attack is realistic and practical, although somewhat
sloppy in concept. The attacker is a MacBook Air running
Backtrack in VMware, on a WPA-encrypted 802.11g network. The
target is a Microsoft Surface. Although the Mac is not immune
from this attack, under these conditions the attack does not
kill the Mac, but it kills the Surface.
You can get the attack script at http://pastebin.com/aXUxBXxk
To use it, first download and compile thc-ipv6-2.0.
BE GOOD--don't attack any devices without proper authorization.
this message to email@example.com:
I have been studying IPv6 vulnerabilities for a few years, and they were a large problem for Windows but not for the Mac or Linux.
But with the recent release of thc-ipv6-2.0 that has all changed. The new RA flood tool freezes an Android device, as shown in the videos here:
I think you should be aware of this. It might be good to block excessive RA packets with a firewall, or implement some other countermeasure.
City College San Francisco
Freezing an Android Phone With an IPv6 Attack
A slightly modified version of the attack, used
on an Android phone. It also kills the Mac and
the iPad 1, all on a 2.4 GHz wireless network.
IPv6 Attack Kills MacBook Air & 3 iPads
This is an improved Router Advertisement flood attack: First it simulates ten normal routers, and then sends the new flood_router26 RA flood. That makes it much more effective against all Apple devices we have tried. As the video shows, it can now kill four devices at once via a wireless network.
The new version of the attack is powerful enough that
I decided to formally notify Apple. I don't expect them
to care much--Microsoft certainly didn't think this was
important to them, and Windows is much more vulnerable.
But I wanted to make sure they knew, so I sent
this message to firstname.lastname@example.org:
I have been studying IPv6 vulnerabilities for a few years, and they were a large problem for Windows but not for the Mac.
But with the recent release of thc-ipv6-2.0 that has all changed. It can bring a Mac down in seconds, as shown in the videos here:
I think you should be aware of this. It might be good to block excessive RA packets with a firewall.
City College San Francisco
Killing Mac OS X on a Wireless LAN
This is even more exciting: a wireless attack
powerful enough to kill the Mac. Just as
in the video below, six simulated routers
are sending router advertisements to the target
at one RA per second, and a seventh process sends
a flood of RAs. The Mac dies in seconds.
Killing Mac OS X with a Crossover Cable
This is a major advance in the attack: the essential
ingredient is routers on the network, not a fast flood.
With six simulated routers and one process running the
flood, the Mac OS X dies in seconds reliably, even in a
very simple network consisting of a crossover cable.
This makes the attack MUCH more practical than the one
I demonstrated at BayThreat, which required an expensive
and bulky switch and a separate router.
Data Breaches and Password Hashes WITH the New IPv6 RA Flood Attack
This is a talk I gave at BayThreat 3. First I discuss other
issues, then I gave a live demo of the IPv6 attack
killing Mac OS X and Windows 8, which WORKED, thanks
to K. Yang who set it up and was extremely
helpful designing and performing the attack.
The IPv6 attack starts in Part 2.
Wireless: Freezing the iPad Mini
The iPad Mini is more vulnerable than the
iPad 1 or the iPad 3, as shown in this
video. But adding a second iPad
to the wireless LAN reduces the attack
effect greatly. This is interesting because
it's the opposite of what we see in a
wired network, where adding a router to the
LAN is necessary to kill the Mac OS X
Killing Mac OS X Reliably with a better switch
We used a business-class Gigabit switch, a Vyatta
router on the LAN, and a Gigabit adapter on the Mac OS X.
This kills the Mac OS X reliably, showing a crash of
the Ethernet adapter so it stops configuring addresses,
followed by the whole OS freezing.
Wireless Attack on iPad 3
We finally got a wireless version of the
attack working. It isn't powerful
enough to kill any device we tested
reliably, but it makes the iPad 3 run
slowly and some apps crash, and the
whole OS crashes sometimes.
The other devices we tested were
Windows 8, iPad 1, and MacBook Air.
They all slowed down during the attack,
but remained usable. The iPad 1 was
the most resistant to this attack,
all it did was consume about 10% - 20%
of the CPU, making no significant difference
in its performance.
Microsoft's IPv6 Readiness Update
Microsoft's IPv6 Readiness Update greatly
alleviates this vulnerability:
However, it's only available for Win 7 and Win Server 2008 R2.
In addition, it only provides partial protection:
a patched machine freezes totally during the attack,
but recovers quickly when it stops. It is possible
to do better--Ubuntu Linux completely shrugs off the
attack, adding a few new IPv6 addresses
and showing no deleterious effect at all.
Here's a video showing the attack killing
Windows 8, Server 2008, and Mac OS X:
Here's a video showing the extent to which
the Microsoft IPv6 Readiness Update
protects Windows 7 and Server 2008 R2.
It also shows the attack's effect on Windows
XP and Ubuntu Linux.
Details of an earlier test using virtual machines are
Killing Mac OS X and Server 2012
We tested the new attack from Marc Hause,
and it is MUCH more powerful. It kills
Mac OS X and Server 2012 in a few seconds,
as shown in the video below:
How it Works
Here is a captured
packet from the previous, weaker attack
that the flood_router6 tool uses.
It's a normal RA, with these ICMPv6
- Prefix Information
- Source link-layer address
Here's a captured packet from the newer
attack, shown in two images because
it's too big to fit in one.
It's a normal RA, with these ICMPv6
- 17 Route Information sections
- 18 Prefix Information sections
- 1 Source link-layer address
So each packet burdens the recipients a lot
I think Microsoft and Apple need to pay attention
this time, because this one crashes the Mac, and it makes Server 2012 restart, which makes me suspect it could be exploited further, perhaps into a remote code execution attack.
Here is a PCAP file with one new RA and one
of the old type:
My previous page about the old attack, with mitigation recommendations:
Marc Hause's slides presenting thc-ipv6 version 2
Step-by-step instructions for testing the older tool
First posted: 7:30 am 11-20-12 by Sam Bowne
Page reorganized with Contents section 11-30-12 10:36 am
New videos 4 and 5 added 12-5-12
BayThreat Videos added 12-8-12 11:19 pm
Attacks on the Mac OS X with simulated routers added 7:45 pm, 12-10-12.
Apple notified 12-11-12
3 iPads video added 11:37 PM 12-11-12
Android attack and Google notification added 4:36 PM 12-12-12
Microsoft Surface attack added 7 am 12-15-12
Mavericks & Win 8.1 added 11-12-13