Evasion of High-End IPS Devices in the Age of IPv6

The IPv6 era is here, whether you already use it or continue to ignore it. Even in the latter case, this does not mean that your "nodes" (end-hosts, networking devices, security devices) are not already pre-configured with IPv6 connectivity, at least to some extent. At the same time, ARIN states that it is currently in phase three of a 4-phased "IPv4 Countdown Plan", being already down to about 0.9 /8s in aggregate, while RIPE NCC reached its last /8 of IPv4 address space quite some time ago. And one thing IPv6 certainly does not forgive is a lack of security awareness. It has been shown several times in the past that this "new" layer-3 protocol, apart from the huge address space and other new functionalities, also brings with it several security issues. This paper shows that significant security issues still remain unsolved. Specifically, three different but novel techniques are presented that allow attackers to exploit even a really minor detail in the design of the IPv6 protocol to make security devices such as high-end commercial IDPS devices completely blind. These techniques allow attackers to launch any kind of attack against their targets, from port scanning to SQLi, while remaining undetected. Moreover, after presenting a detailed analysis of the attacks and the corresponding exploitation results against IDPS devices, the paper examines the potential security implications for other security devices, such as firewalls. Finally, specific mitigation techniques are proposed, both short-term and long-term, in order to protect your network from these attacks.