Date: Wed, 10 Oct 2012 18:55:07 +0200
From: Marc Heuse <>
CC: Solar Designer <>
Subject: Fwd: IPv6 DOS vulnerabilities

Alexander kicked me several times in the ass to finally forward this
email to oss-security as the embargo time is gone ... so here it is.

-------- Original Message --------
Subject: IPv6 DOS vulnerabilities
From: Marc Heuse <>
To: Microsoft Security Response Center <>,,
CC:

Hi folks,

this is just a short, quick email about two unspectacular IPv6
implementation weaknesses that result in local network denial-of-service
issues in Windows, *BSD (Free and Net, Open not tested) and OS X.
distros@ is in cc: for information purposes, although it seems that
Linux is not affected; you might want to test though, as I have only
tested this with a 2.6.x kernel.

Issue #1:

Flooding the local target with ICMPv6 Neighbor Solicitation messages.
As this is handled by the kernel, it consumes all CPU power that is
there, leaving no or too little CPU for the user space.

All except OS X went to 100% CPU; OS X went to 60%+ on a QuadCore
Macbook Pro. But my test machine was not able to produce enough packets
to even closely get to the saturation point of the network, so the 100%
CPU might be reachable there too.

In short: a fast multicore CPU helps to negate the impact (unless you
are Windows, then this does not help).

Test tool: flood_solicate eth0 <IPv6-Linklocal-Address-of-Target>
(from the package at

Issue #2:

Flooding the local network with ICMPv6 Router Advertisement packets
containing multiple Routing entries results in either 100% CPU (Windows,
all versions with IPv6 enabled) or some noticeable CPU impact; however,
IPv6 seems to break for *BSD and OS X. The BSD based systems do not reply
to any ICMPv6 Neighbor Solicitation requests anymore, and when trying to
send locally from the victim systems you get errors (e.g. "connect
failed" or "no multicast address on interface").

(yes, this is basically a similar issue to RA flooding with autoconfig
prefixes from two years ago)

I have an unreleased test tool for this attack, if necessary I can
package it and send it if needed.

(I am sitting on this for over a half year now, sorry for that)


Marc Heuse

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
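The two conditions described in the forwarded mail (a burst of Neighbor Solicitations from one source, and Router Advertisements carrying an unusual number of routing entries) are easy to spot from a per-packet summary. The following detector is an added example, not code from the post or from Marc's test tools; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter

# Thresholds are assumptions to be tuned per network: benign hosts send a
# handful of Neighbor Solicitations per second, and a legitimate Router
# Advertisement carries at most a few Route Information options.
NS_PER_SECOND_LIMIT = 100
RA_ROUTE_LIMIT = 8

# One line per ICMPv6 packet: "<unix-second> <source address> <NS|RA> [routes=N]".
# This is a constructed summary format, not real capture output.
LINE_RE = re.compile(r"^(\d+) (\S+) (NS|RA)(?: routes=(\d+))?$")

# Constructed sample: normal traffic, an ordinary RA, an NS flood (issue #1)
# and an RA with many routing entries (issue #2).
SAMPLE_LOG = (
    ["1349888107 fe80::1 NS", "1349888107 fe80::2 NS",
     "1349888107 fe80::1 RA routes=2"]
    + ["1349888108 fe80::beef NS" for _ in range(150)]
    + ["1349888109 fe80::cafe RA routes=24"]
)

def parse(line):
    """Return (second, source, kind, route_count) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, src, kind, routes = m.groups()
    return int(sec), src, kind, int(routes) if routes else 0

def detect_floods(lines, ns_limit=NS_PER_SECOND_LIMIT, ra_route_limit=RA_ROUTE_LIMIT):
    """Return alerts as (alert_kind, source, second, value) tuples."""
    ns_count = Counter()  # (source, second) -> number of NS packets
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        sec, src, kind, routes = rec
        if kind == "NS":
            ns_count[(src, sec)] += 1
        elif kind == "RA" and routes > ra_route_limit:
            alerts.append(("RA_ROUTE_FLOOD", src, sec, routes))
    for (src, sec), n in sorted(ns_count.items()):
        if n > ns_limit:
            alerts.append(("NS_FLOOD", src, sec, n))
    return alerts

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

Run against the sample, it reports the 150-packet NS burst from fe80::beef and the 24-route RA from fe80::cafe, and nothing for the ordinary lines.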
