Tuesday, May 30, 2017

Protect The LAN: IPv6 RA Guard

So while nerding on YouTube, one of my favorite YouTubers, Quidsup, did a demonstration of using Kali Linux to perform a pretty nifty denial of service attack against Windows 10. The attack has some minor caveats, but nonetheless is dangerous and relatively easy to pull off. It works by flooding the connected network segment with IPv6 router advertisements (RA). IPv6 RAs assist in stateless autoconfiguration, so that IPv6 hosts on the network can assign themselves an IP, and the RAs can also carry default router information. However, since hosts can have multiple IPv6 addresses, Windows ends up trying to autoconfigure an IPv6 address for every RA it receives. This results in pretty hefty CPU spikes, as well as the NIC being completely unresponsive. However, Cisco has a pretty neat little trick we can implement on our access layer switches to mitigate these types of attacks. Based on the title of this blog, I'm sure you guessed what that feature is: RA Guard.

I like to think of RA Guard as being somewhat akin to DHCP snooping. We build a policy, assign said policy to switch ports, and RA Guard will drop unauthorized RAs. The configuration is fairly straightforward, but seeing the difference it can make when implemented is impressive. See video below :-).
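
The policy-and-attach workflow described above, as a Cisco IOS configuration sketch. This is an added example, not taken from the original post or its video; the policy names and interface numbers are assumptions, and exact syntax and feature support vary by platform and software release.

```cisco
! Added example. Policy names (RAGUARD-HOSTS, RAGUARD-UPLINK) and
! interface numbers are assumptions chosen for illustration.
!
! Policy for ordinary access ports: the attached device is a host,
! so any router advertisement arriving on the port is dropped.
ipv6 nd raguard policy RAGUARD-HOSTS
 device-role host
!
! Policy for the port facing the legitimate IPv6 router:
! RAs received here are allowed through.
ipv6 nd raguard policy RAGUARD-UPLINK
 device-role router
 trusted-port
!
! Attach the host policy to every user-facing access port.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 ipv6 nd raguard attach-policy RAGUARD-HOSTS
!
! Attach the router policy only where the real router connects.
interface GigabitEthernet1/0/24
 ipv6 nd raguard attach-policy RAGUARD-UPLINK
!
! Verification from privileged EXEC mode (not part of the config):
!   show ipv6 nd raguard policy RAGUARD-HOSTS
!   show ipv6 nd raguard policy RAGUARD-UPLINK
```

As with DHCP snooping, the router-role policy belongs only on ports where an authorized router is known to sit; every other access port gets the host policy.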
