/ipv6 firewall raw add action=drop chain=prerouting src-address-list=shitpit
/ipv6 firewall address-list add list=shitpit address=2001:0db8:85a3:0000:0000:8a2e:0370:7334
Thanks.And kudos for using the doc prefix in your example. :)
HiHope that helps someone who encounters this rather… pointless scanning.
This last suggestion sounds pretty awesome to me.Default IPv6 max-neighbor-entries table size is 8K, entries with status="failed" stay there nearly 30 secs. Quite easy to keep such table busy.
Unless we have some method to detect next candidate and update "shitpit" ACL automagically, more ideas would be welcome.
Should it be configurable ND cache expiration time? Dropping icmpv6 responses to attacker IP in firewall when certain threshold is reached? Clearing oldest entries in failed neighbor list when next one is probed?
/ipv6 firewall filter add connection-limit=6000,128 action=add-src-to-address-list ...[admin@rtr1] > ipv6 settings set max-neighbor-entries=
MaxNeighborEntries ::= 0..4294967295 (integer number)
[admin@rtr1] > ipv6 neighbor print count-only where interface=br1-vlan41
46883
[admin@rtr1] > system resource print
uptime: 1w1d2h33m40s
version: 6.41rc31 (testing)
build-time: Sep/20/2017 06:56:52
factory-software: 6.36.1
free-memory: 144.7MiB
total-memory: 256.0MiB
cpu: MIPS 1004Kc V2.15
cpu-count: 4
cpu-frequency: 880MHz
cpu-load: 2%
free-hdd-space: 6.0MiB
total-hdd-space: 16.3MiB
[admin@rtr1] > ipv6 settings print
forward: yes
accept-redirects: yes-if-forwarding-disabled
accept-router-advertisements: yes-if-forwarding-disabled
max-neighbor-entries: 8192Cache limits only limit the problem of complete resource (memory) exhaustion in the router, not the "denial of service" problem on the network itself.I know this has been mitigated by default in the latest Cisco routers for a while now with cache limits per interface.
That type of scanning technique is indeed pointless or dimwitted, however it may have served it's purpose... That might be the real context.A few days ago one of our routers was hitting IPv6 neighbor cache exhaustion. The symptoms were occasional unreachability via IPv6. I pulled up Torch and found someone was actually scanning our network, probing consecutive addresses in a /64 to see if anything responded!
....
Hope that helps someone who encounters this rather… pointless scanning.
It was still >2million more attempts (many hours) before this "attack" ceased. Maybe neighbour cache exhaustion was the purpose… never heard back from the university in question so probably not "real" research.That type of scanning technique is indeed pointless or dimwitted, however it may have served it's purpose... That might be the real context.
In the time it's taken me to email their network abuse contact, and shitpost about them on Twitter, they've probed ~150k addresses. Fun times.They're doing a sort of enumerative scan of IPv6 address space, depth-first, which results in about 100pps of IPv6 traffic from them. That soon fills up a neighbour cache on a smaller device (even if you've set it to 100k+ entries), and pretty soon afterwards your little device loses its connectivity (cue lots of Nagios alerts).
I received a reply just now:In the time it's taken me to email their network abuse contact, and shitpost about them on Twitter, they've probed ~150k addresses. Fun times.
If they're *actually* spreading things out evenly across routed prefixes, then to get the quantity of packets we were receiving they are scanning the Internet at somewhere around 20-40Mpps.Hi Marek,
We've added your prefix […] to our blacklist.
We spread probes as evenly as possible across routed prefixes, and shuffle targets within each prefix.
Regards,
6Gen Team
"mikrotik.com has IPv6 address 2a02:610:7501:1000::2"Seems like MikroTik needs a ND policer like everyone else implemented in 2012 or earlier.
Maybe a high severity CVE is needed to get MikroTik's attention to effectively mitigate this.
But of course that is not likely to cause a problem. Especially with an address like that."mikrotik.com has IPv6 address 2a02:610:7501:1000::2"Seems like MikroTik needs a ND policer like everyone else implemented in 2012 or earlier.
Maybe a high severity CVE is needed to get MikroTik's attention to effectively mitigate this.
It's only a matter of time before the researchers hit that…
MikroTik needs to support the usage of global unicast IPv6 at /64 hands down. That means they need a ND policer to begin to control this. Any recent Cisco IOS does this by not allowing the number of unresolved entries beyond a certain point. This does of course limit the discobery of a legitimate host that comes only using ND sourced from the router. That said it's far more likely to be added to the ND cache as a reachable entry from actual traffic sourced by the new client.But of course that is not likely to cause a problem. Especially with an address like that."mikrotik.com has IPv6 address 2a02:610:7501:1000::2"Seems like MikroTik needs a ND policer like everyone else implemented in 2012 or earlier.
Maybe a high severity CVE is needed to get MikroTik's attention to effectively mitigate this.
It's only a matter of time before the researchers hit that…
The issue only occurs when there are large (/64) subnets behind a router that does not do any filtering.
Hosting usually is on small subnets (/112) and often there will be a firewall on the router that only passes
traffic to a few wanted ports on some specific addresses. When you see addresses like ::2 it points
to a situation where the admin actually considered this.
As of 6.41rc it does not appear to work. Look at my post early on. I had set the cache limit and it easily exceeded that while slowly chewing up memory which would eventually OOM the router. I didn't actually get my HEX to crash though. So op, can you provide the models and RouterOS versions you're seeing that are effected?There already is a limit like that. It is not like in the original Cisco IOS where the ND cache simply allocated
out of the entire free memory pool and all memory was used (and thus the entire router got into trouble) as a
result of such a scan.
In RouterOS, like now in the Cisco routers, the size of the ND cache is limited. The only improvement could
be in the handling of extra requests beyond the limit.
Aside from that, there is a lot of work to be done on the IPv6 facilities in RouterOS, let's not distract from that
by focussing on the least important issues like this one.
sysctl -a | grep ipv6.neigh.That is actually something different. There are two different issues here:Linux has this in the form of a kernel option:
neigh/default/unres_qlen - INTEGER
The maximum number of packets which may be queued for each
unresolved address by other network layers.
(deprecated in linux 3.3) : use unres_qlen_bytes instead.
Prior to linux 3.3, the default value is 3 which may cause
unexpected packet loss. The current default value is calculated
according to default value of unres_qlen_bytes and true size of
packet.
Default: 101
You'll see a value you can set as a default or per interface. Being that MikroTik is Linux underneath it's possible this is already exposed. Not sure how to verify if it's present in the kernel MikroTik is using.Code: Select allsysctl -a | grep ipv6.neigh.
It's not an OOM, at least I don't think so. I'd expect there to be more significant impact were it an OOM (e.g. routing protocols might get OOM-killed and restart, ssh/webfig would become problematic when viewing large datasets, etc). I think it's the neighbour table getting completely full of unresolved destinations — when I looked, on a device with a ~128k limit, there were about 128k entries. Only about 20 of those entries were shown as "valid", and that's for a router with many more actual physical neighbours than just 20. So I would agree with your supposition that it could be the garbage collector naïvely reaping the oldest entries, rather than reaping oldest non-valid neighbours.Now, in Linux I wonder what entries the garbage collector purges. The op has stated he loses connectivity. Not sure if it's from the host failing because of an OOM state or because the router loses the neighbor table data for downstream devices while being scanned. If it's the latter I'd suspect the garbage collector is dropping valid neighbors to make room for more scans. I'll have to boot up a few Linux VMs and check out how they handle it. In the Cisco IOS case the valid entries stay as they explicitly garbe collect and restrict only new neighbor discovery attempts (default 512).
Oh, yes, and the other reason I don't think it's an OOM:Not sure if it's from the host failing because of an OOM state
sudo dnf -y install thc-ipv6
sudo ndpexhaust26 -p -r enp3s0 2605:a000:a8ca:2741::/64rtr1841-top#sh ipv6 neighbors statistics
IPv6 ND Statistics
Entries 516, High-water 516, Gleaned 3, Scavenged 2, Static 0
Entry States
INCMP 512 REACH 2 STALE 1 GLEAN 0 DELAY 0 PROBE 1
Resolutions
Requested 1404, timeouts 2936, resolved 6, failed 886
In-progress 512, High-water 512, Throttled 12882, Data discards 1
NUD
Requested 45, timeouts 9, resolved 41, failed 3
in-progress 1, high-water 3, throttled 0, current queue 0, queue high-water 0
For what it's worth, I've raised this with MikroTik support, Ticket#2018040822000592.Start laughing or crying at that point because your HEX is rebooting. Yes, rebooting. Target a Cisco 1841 w/15.0 code and default settings ... nothing happens.
A Cisco 1841 cost 30 times what a HEX cost, and for that price you don't even get software updates.Target a Cisco 1841 w/15.0 code and default settings ... nothing happens.
Confirmed. It'll OOM a CCR with 2GB RAM and 256k IPv6 neighbour entries. It doesn't even need to be to a subnet which is directly connected to the CCR, from what I can tell.Start laughing or crying at that point because your HEX is rebooting. Yes, rebooting. Target a Cisco 1841 w/15.0 code and default settings ... nothing happens.
I've been contacted by the researchers, and we've got a bit of a dialogue going. Hello, Austin, when you click through to this thread. Thanks for getting in touch :-)Another one for our IPv6 address space scanning shitlist:
add address=2607:f140:4800::/48 list=shitpit
It's likely being done by one of the authors of this paper (or someone working with them) at Berkeley University: https://conferences.sigcomm.org/imc/201 ... nal245.pdf
I've done some tests, and the problem looks to be worse than it appears…So ... Grab a Linux box, put it on your LAN and prepare to LULz to the point of tears.
At this time, this is now another IPv6 deficiency that will prevent me from recommending MikroTik products for anything other than home routing. The fact the router can be REBOOTED simply by an end-user running ndpexhaust26 is scary enough not to mention the ISP side implications of using this hardware and exposing yourself to continue ND related issues.
We've got our own /29 and AS number, full BGP tables, and we do null-route the prefix as a whole.I'm a bit confused about what is your problem. When it is in the ND it should only affect reachable networks.
Are you getting a static prefix from your ISP? (e.g. a /48)
Did you make sure to have an "unreachable" route for your entire prefix in the route table? (with only /64 routes to your reachable networks in place, and the default)
In addition to everything else this is what I'm seeing. Just transiting a high volume of ICMPv6 traffic is enough to cause the router to reboot. I updated to 6.42rc56 this morning and no stealth fixes were contained in that release. It's trivial to reboot spam any MikroTik router w/ndpexhaust26 on the segment.However, I think it is also possible to cause problems for transit routers which are not directly connected to /64 being attacked. This might be because of memory exhaustion in the IPv6 routing cache… not sure yet. I need to do some more experiments over the weekend with some test lab equipment.
I didn't think I was imagining it… but this definitely puts this into "very scary" territory. Especially if type 1, 2, 3, or 4 can trigger this.In addition to everything else this is what I'm seeing. Just transiting a high volume of ICMPv6 traffic is enough to cause the router to reboot. I updated to 6.42rc56 this morning and no stealth fixes were contained in that release. It's trivial to reboot spam any MikroTik router w/ndpexhaust26 on the segment.
Maybe this is just a case of bad values for some IPv6 sysctl parameters — e.g. memory exhaustion by the kernel because of a value set too large. It will be interesting to hear back from MikroTik support — next week, I guess.This doesn't seem to affect Linux itself, wonder what crazy stuff Mikrotik are doing with IPv6 to introduce a vulnerability like this?
I added a "notrack" rule to ipv6 raw prerouting, and RouterOS still crashes.Maybe it is connection tracking.
I could understand if the router dropped packets because it does not have the CPU power to push them. But crashing is not a good engineering solution.Of course pumping a gigabit of ICMP probes like those friendly programs do will kill the router.
Maybe it is connection tracking. That would explain why it also effects unreachable networks.
However, it does not really explain why it would be triggered by low volume traffic. Connection tracking
should survive moderate traffic. Of course pumping a gigabit of ICMP probes like those friendly programs
do will kill the router.
I have asked them to reconsider, as this isn't traffic destined for the router that crashes. Nor do I believe it affects ICMPv6 only.You can exhaust resources of any device by simply sending large amount of data.
Set up ipv6 firewall to protect your router.
Best way is to limit amount of accepted icmpv6 packets in IPv6 RAW firewall.
Excellent news - and good luck, MikroTik team!"We will test this scenario."
I guess we keep on waiting, and hoping...Unfortunately problem is not resolved yet. I also can not give you any ETA for such fixes.
When problem will be resolved, then RouterOS release notes will include such fix description.
Yup, I don't have any plan to use MikroTik equipment in net new projects until I see more active IPv6 feature development. Speaking with the wallet is the most effective agent of change I have available.I guess we keep on waiting, and hoping...Unfortunately problem is not resolved yet. I also can not give you any ETA for such fixes.
When problem will be resolved, then RouterOS release notes will include such fix description.