Internet Control Message Protocol version 6 is a core part of the IPv6 protocol suite, and it is employed for functions...
ranging from stateless address auto-configuration to troubleshooting or fault isolation -- error reporting. Unfortunately, there is a denial-of-service attack vector that can disrupt the communications between two arbitrary systems with a single ICMPv6 packet.
Among the functions performed with ICMPv6 is a mechanism known as Path Maximum Transfer Unit Discovery (PMTUD), which is used to discover the maximum packet size that can be employed from a source system to a destination system. Employing PMTUD to dynamically discover such packet sizes allows IPv6 to operate over a wide range of technologies that employ different maximum packet sizes.
While the PMTUD mechanism was already present in the IPv4 protocol suite, there are a number of associated details that dramatically change from IPv4 to IPv6, thus creating a new attack vector that did not exist in the IPv4 world. This article explains how an ICMPv6 packet can be used maliciously and provides advice for mitigating this attack vector in IPv6 networks; it will also show how to reproduce the attack with a free software tool so protections against this attack can be assessed.
PMTUD in IPv6
Since it is impossible for a host to know a priori the maximum packet size or maximum transfer unit (MTU) that can be employed to an arbitrary destination system, the PMTUD mechanism is employed to dynamically discover the MTU to a given destination system. The idea behind PMTUD is quite simple: The source node will send packets of the largest possible size, and it will reduce that packet size upon notification that there is an intervening network that only supports a packet size smaller than the one being employed. The source system will, iteratively, try smaller packet sizes as requested by the network until the packets get to the destination system.
More specifically, whenever an IPv6 router finds a packet is too large to be forwarded on a given network, it will notify the source system with an ICMPv6 Packet Too Big (PTB) error message and drop the offending packet. The aforementioned ICMPv6 error message will contain two important pieces of information: the recommended MTU -- that is, the MTU of the network on which the packet must be forwarded -- and a chunk of the packet that generated the error so the message can be matched by the receiving system to the communication flow that generated it.
The structure of an ICMPv6 PTB error message is illustrated in the following figure:
It should be noted that the source address of the ICMPv6 packet need not be forged, since ICMPv6 errors could be reported by any router on the way toward the destination system, and it is not possible for the attacked system to know the possible list of such routers.
Consider the following network scenario:
In this figure, the IPv6 addresses of each network interface have been identified with lowercase letters -- from A to F -- to illustrate the IPv6 addresses being employed for each of the packets. In this scenario, if Host A needed to transfer data to Host B, it would initially try sending 1,500-byte packets. However, when Router C tried to forward this packet toward its destination, it would find that the packet is too big for the outgoing network. As a result, it would report the error condition to Host A by means of an ICMPv6 PTB error message. Upon receipt of this message, Host A would reduce the packet size to that advertised in the error message and retransmit the data in packets of the recommended packet size.
The IPv6 core specification specifies that the IPv6 minimum MTU is 1,280 bytes -- network technologies that do not support an MTU of at least 1,280 bytes must implement some sort of adaptation layer such that an MTU of at least 1,280 bytes is provided to IPv6. This means the packet size need never be reduced further than 1,280 bytes. However, as a result of IPv4 to IPv6 translators, IPv6 nodes may receive ICMPv6 PTB messages advertising an MTU smaller than 1,280 bytes.
The IPv6 core specification states that, upon receipt of such error messages, the receiving node need not reduce the packet size further than 1,280 bytes, but must include a fragment header in all subsequent packets sent to that destination. This will result in so-called atomic fragments -- packets that are not really broken into multiple fragments, but that just happen to contain a fragment header. This information will be cached for about 10 minutes, as is the case for the normal MTU values learned as part of PMTUD.
Stay tuned for part two of this series, which will explore IPv6 atomic fragments and packet filtering.
Discover how DNS reverse mapping can scan IPv6 addresses
Read more on the best ways to mitigate denial-of-service attacks
Learn how to monitor outbound traffic for signs of threats