Microsoft, Juniper urged to patch dangerous IPv6 DoS hole

By , Network World |  Security, IPv6, Juniper Networks

If RA Guard is not available, another workaround within a Windows environment is to turn off Router Discovery, says Sam Bowne, a computer networking instructor at City College San Francisco who has also been pressuring Microsoft to fix the hole. Bowne has produced a video that shows how easy the exploit is to carry out. (See it yourself in a related blog post on Network World's Microsoft Subnet.) Turning off Router Discovery "is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It's probably appropriate for servers, but not as good for client machines," Bowne says.

Bowne says another possibility is to set your firewall to block rogue Router Advertisements, while whitelisting them from authorized gateways. But both Bowne and Heuse say that this method is easily defeated. Heuse is even planning on demonstrating an attack that bypasses this fix later this month.
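The whitelist approach described above can be paired with a rate check on the monitoring side. The following is an added example, not code from the article or from anyone quoted in it: it flags Router Advertisements whose source is not on an authorized list and, independently of source, bursts of distinct advertised prefixes. The addresses, thresholds, record format and sample data are constructed assumptions.

```python
from collections import deque

# Assumptions for illustration (constructed values, not from the article):
AUTHORIZED_ROUTERS = {"fe80::1"}  # link-local addresses of approved gateways
WINDOW_SECONDS = 10               # trailing window for the rate check
MAX_PREFIXES = 5                  # distinct prefixes tolerated per window

# Constructed sample: (timestamp_s, RA source address, advertised prefix).
# One normal RA, then a burst of 40 RAs with unique prefixes, half of which
# carry a source address that is on the authorized list.
SAMPLE_RAS = [(0.0, "fe80::1", "2001:db8:1::/64")] + [
    (20.0 + i * 0.1, "fe80::1" if i % 2 else "fe80::bad",
     f"2001:db8:{0x100 + i:x}::/64")
    for i in range(40)
]


def analyze(ras, authorized=AUTHORIZED_ROUTERS,
            window=WINDOW_SECONDS, max_prefixes=MAX_PREFIXES):
    """Return (unlisted_sources, burst_starts).

    unlisted_sources: RA source addresses missing from the authorized list.
    burst_starts: timestamps where the number of distinct prefixes seen in
    the trailing window first exceeded max_prefixes, counted across all
    sources so the check does not depend on the source list.
    """
    unlisted, burst_starts = set(), []
    recent = deque()   # (timestamp, prefix) pairs inside the window
    in_burst = False
    for ts, src, prefix in sorted(ras):
        if src not in authorized:
            unlisted.add(src)
        recent.append((ts, prefix))
        while ts - recent[0][0] > window:
            recent.popleft()
        over = len({p for _, p in recent}) > max_prefixes
        if over and not in_burst:
            burst_starts.append(ts)
        in_burst = over
    return unlisted, burst_starts


if __name__ == "__main__":
    unlisted, bursts = analyze(SAMPLE_RAS)
    print("unlisted RA sources:", sorted(unlisted))
    print("prefix bursts started at:", bursts)
```

On the sample data the source list alone reports only one address, while the prefix-rate check flags the whole burst.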

Horley also says that the attack isn't limited to those connected to a wired LAN, either. "It does affect Windows 7 and Server 2008 machines on wireless networks too," he said. "There is no fix for wireless networks as RA Guard is not a feasible option on wireless."

On the other hand, Horley also admits that on the wireless side, "the greatest risk of being affected is when joining an open network. Assuming the machine is on a trusted, secure wireless network, unless it is 'owned' there is no reason someone would run this exploit unless they were being malicious." He also notes: "There are likely far better exploits out there than a simple DOS attack if you have managed to connect to the secure wireless network."

Meanwhile Bowne is continuing to push Microsoft to take three actions: issue a security warning telling people to disable router discovery on servers and adjust their firewall to block rogue Router Advertisements on clients; shut Router Discovery off by default in future products; and patch the network software so that it limits the amount of CPU that can be consumed by the Router Discovery and Stateless Autoconfiguration processes.

Julie Bort writes the Microsoft Update, Odds and Ends and Source Seeker blogs for Network World's Microsoft Subnet, Cisco Subnet and Open Source Subnet community sites. Follow Bort on Twitter @Julie188.



Originally published on Network World.