Fast IPv6 Network Periphery Discovery and Security Implications

摘要

Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bits address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now.
To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery’s packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP’s and home routers with an amplification factor of >200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

Overview

在IPv4网络空间中,网络扫描技术具备着巨大的应用前景,可以被用来完成大规模的测量研究工作,诸如多种协议部署的测量、僵尸网络行为的追踪、潜在网络漏洞的发现。然而,IPv6引入了海量的128位地址空间,使得传统的枚举遍历扫描技术变得不太可行。即便学术界已经针对性地提出了多种有效的IPv6终端地址发现方案,但这些方案仍受到扫描效率和精度的影响,并不能被直接采用来进行IPv6网络空间中的大规模测量研究。
本工作从全新的扫描角度出发,提出了一种新型的IPv6网络扫描技术,用于发现位于网络拓扑中重要位置的IPv6网络边界设备,同时设计并实现了全新的IPv6网络扫描器:XMap,可被用来进行大规模的扫描探测工作。通过利用XMap,本工作在若干个运营商的网络环境下发现了数以千万计的IPv6网络边界设备,并对其暴露的关键网络服务进行了深入的安全分析。此外,利用XMap,本工作发现了一个普遍存在的通用型路由循环漏洞(影响数十家路由器厂商),申请到了多于109个漏洞编号,并向厂商提供了合理的披露和有效的修复方案。

漏洞编号:CNVD/CNNVD/CVE. (109/2/22)

CNVD-2021-03270 CNVD-2021-03271 CNVD-2021-03291 CNVD-2021-03312

CNVD-2021-03318 CNVD-2021-03320 CNVD-2021-03326 CNVD-2021-03327

CNVD-2021-03328 CNVD-2021-03331 CNVD-2021-03375 CNVD-2021-03376

CNVD-2021-03380 CNVD-2021-03399 CNVD-2021-03423 CNVD-2021-03424

CNVD-2021-03425 CNVD-2021-03473 CNVD-2021-03495 CNVD-2021-03503

CNVD-2021-03505 CNVD-2021-03507 CNVD-2021-03508 CNVD-2021-03511

CNVD-2021-04817 CNVD-2021-04818 CNVD-2021-04829 CNVD-2021-04830

CNVD-2021-05370 CNVD-2021-05371 CNVD-2021-05372 CNVD-2021-05373

CNVD-2021-05374 CNVD-2021-05375 CNVD-2021-05380 CNVD-2021-05435

CNVD-2021-05470 CNVD-2021-05472 CNVD-2021-05492 CNVD-2021-05493

CNVD-2021-06623 CNVD-2021-06624 CNVD-2021-06625 CNVD-2021-06626

CNVD-2021-06627 CNVD-2021-06628 CNVD-2021-06629 CNVD-2021-08384

CNVD-2021-08385 CNVD-2021-08386 CNVD-2021-08387 CNVD-2021-08388

CNVD-2021-08389 CNVD-2021-08390 CNVD-2021-08391 CNVD-2021-08394

CNVD-2021-08395 CNVD-2021-10397 CNVD-2021-10398 CNVD-2021-10399

CNVD-2021-10400 CNVD-2021-10401 CNVD-2021-10402 CNVD-2021-10403

CNVD-2021-10404 CNVD-2021-10405 CNVD-2021-10406 CNVD-2021-10407

CNVD-2021-10408 CNVD-2021-10409 CNVD-2021-10410 CNVD-2021-10411

CNVD-2021-10412 CNVD-2021-10413 CNVD-2021-10414 CNVD-2021-10415

CNVD-2021-10416 CNVD-2021-10417 CNVD-2021-10418 CNVD-2021-10419

CNVD-2021-10420 CNVD-2021-10421 CNVD-2021-10422 CNVD-2021-10423

CNVD-2021-10424 CNVD-2021-10425 CNVD-2021-12861 CNVD-2021-12883

CNVD-2021-12886 CNVD-2021-12887 CNVD-2021-12890 CNVD-2021-13250

CNVD-2021-13251 CNVD-2021-13252 CNVD-2021-13253 CNVD-2021-13254

CNVD-2021-13255 CNVD-2021-13256 CNVD-2021-13257 CNVD-2021-13259

CNVD-2021-13260 CNVD-2021-13261 CNVD-2021-13469 CNVD-2021-16327

CNVD-2021-16400 CNVD-2021-29189 CNVD-2021-29190 CNVD-2021-29191

CNVD-2021-29195

CNNVD-202102-570 CNNVD-202103-1624 CNNVD-202104-652

CNNVD-202104-659 CNNVD-202104-697

CVE-2021-3107 CVE-2021-3108 CVE-2021-3112

CVE-2021-3125 CVE-2021-3128 CVE-2021-3173 CVE-2021-3379

CVE-2021-21727 CVE-2021-22161 CVE-2021-22162 CVE-2021-22163

CVE-2021-22164 CVE-2021-22165 CVE-2021-23238 CVE-2021-23268

CVE-2021-23269 CVE-2021-23270 CVE-2021-23831 CVE-2021-23832

CVE-2021-23833 CVE-2021-23834 CVE-2021-23898

相关