i386/157410: IPv6 Router Advertisements Cause Excessive CPU Use
Sam Bowne
sbowne at ccsf.edu
Sun May 29 23:20:12 UTC 2011
>Number: 157410
>Category: i386
>Synopsis: IPv6 Router Advertisements Cause Excessive CPU Use
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 29 23:20:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Sam Bowne
>Release: FreeBSD 8.2
>Organization:
City College San Francisco
>Environment:
FreeBSD .localdomain 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
IPv6 Router Advertisement packets cause a denial of service by CPU consumption. This is a known vulnerability in Windows systems, and it works against FreeBSD too.
Here is a screen captures of the attack in action, with a slow attack of 100 packets per second:
http://samsclass.info/ipv6/proj/FreeBSD-100RAps.png
Here is a detailed vulnerability report I wrote about the Windows version:
http://samsclass.info/ipv6/proj/flood-router6a.htm
Thanks to ty Justin Hohner for telling me about this.
>How-To-Repeat:
To reproduce it, use Linux and the thc-ipv6 tools from http://www.thc.org/thc-ipv6/
If you run
./flood_router6 eth0
on the attacker, a FreeBSD network on the same LAN will freeze.
>Fix:
Mac OS X and Ubuntu Linux are not vulnerable, because they ignore all RAs after the first ten or so.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-i386
mailing list