Attacking all your IPv4 devices at home from the Internet via Dual-Stack Lite

Video in TIB AV-Portal: Attacking all your IPv4 devices at home from the Internet via Dual-Stack Lite

Formal Metadata

CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

The number of Internet connections is still increasing. More and more providers are not able to assign a public IPv4 address to every client because the IPv4 address space has been exhausted. In such cases, "Dual-Stack Lite" is a common solution. This protocol is specified in RFC 6333 and allows providers to share their limited IPv4 addresses among all clients on top of an IPv6 network. The presentation explains the protocol "Dual-Stack Lite" from a security point of view. In the worst case, all IPv4 devices in a home network can be reached directly from the Internet; this has already been demonstrated. The presentation gives important information to everyone providing services only over IPv4, to "Dual-Stack Lite" providers and to all affected users.

Hello, I'm happy to be here at Hacktivity 2015. I don't know what you know about this topic; maybe some of you have never heard about Dual-Stack Lite before, and I hope you will learn something about this kind of access technology.

At first some information about myself: I'm from Germany and I'm employed as a penetration tester. Mostly I analyze web applications and company networks, and this talk is based on a real penetration test. That's the reason the company names and the most specific issues will not be addressed here; I found some problems in the base technology itself, and that is what we talk
about Internet access at home. With traditional Internet access you have a router at home and your devices are connected to it; it doesn't matter whether by cable or wireless. This router, the so-called customer premises equipment (CPE), has a publicly available IPv4 address. Behind it there's a small home network where you have private IPv4 addresses, usually something like 192.168.0.0/24, and this router does network address translation for you. Every device can connect to the Internet, but it's not possible to connect from the Internet to any of your internal devices directly. What you have on most routers is the possibility to configure a so-called port forwarding; it means one port, for instance HTTP, is forwarded to an internal device, and that's the reason you can reach your network-attached storage, which is located in your home network, from the Internet. I believe a lot of people have such kind of traditional Internet access at home. Please raise your hands, who has a traditional Internet access at home? A lot of hands.

My expectation is that in the future maybe you will have only IPv6. One of the big differences is that every device has a worldwide reachable IPv6 address. From my point of view such kind of Internet access is not available today, or is anybody here with such kind of Internet access? I see one. And you don't have IPv4? I haven't seen this so far. In the future maybe only IPv6 is available and no IPv4, but that is not a product for many customers today, because a lot of services are only available via IPv4 and you need IPv4. However, I believe IPv6 is growing and distributed more and more. A couple of years ago there was a nice RFC published, RFC 6540, and it says IPv6 support is required for all IP-capable nodes. That's the reason I call the recent Internet access "dual-stack": then you have IPv4 and IPv6. Is anybody here who has such kind of Internet access? Such kind of Internet access is provided more and more; I'm from Germany and I expect that nowadays we have millions of clients with such kind of Internet access, with IPv4 and IPv6. For IPv6, as I described before, in general every device can be connected directly from the Internet, and for IPv4 the CPE works as a network address translation router, like on a traditional Internet access.

However, the IPv4 address space is exhausted; there are almost no public IPv4 addresses available anymore. In Austria and Germany, in summary, I know five access providers which are not able to provide you with an IPv4 address because they don't have it. What can they do? They are successful, they have a lot of customers, hundreds of thousands of clients, but no IPv4 addresses are available anymore. There exist some solutions, some of them proprietary, but a popular standard for it is called Dual-Stack Lite. In contrast to full dual-stack, which means IPv4 and IPv6 are available on the line, Dual-Stack Lite looks similar on the client side but has different internals. I will describe how this access technology works and what kind of security features or interesting things are related to that.

So, an overview: the CPE is provided with an IPv6 address from the access provider. For IPv6 there's no difference to recent Internet access; it means IPv6 goes directly from the CPE to the Internet, and in general all internal devices with an IPv6 address are also reachable from the Internet, maybe with a firewall on the CPE or something like that. What happens with IPv4? The most important difference is that the CPE does not have a publicly available IPv4 address; there is no IPv4 anymore. The device has externally only one IPv6 address, and in this configuration it's called Dual-Stack Lite. It's specified in RFC 6333. There is an important device on the side of the access provider; that's called the Address Family Transition Router (AFTR). Dual-Stack Lite enables access providers to share IPv4 addresses among customers by combining two well-known technologies: IPv4-in-IPv6 tunneling and so-called Carrier-Grade NAT, which is done at the AFTR. There's a distinction between an IPv4-capable device and a so-called IPv4-provisioned device. Under traditional or recent Internet access the CPE was IPv4-capable; with Dual-Stack Lite this router is only IPv4-provisioned: it doesn't have a public IPv4 address on the external, broadband side, but it provides private IPv4 addresses for the devices in your home.

Now I will not talk about a specific box as CPE which provides you with IPv4 addresses, and I will also not talk about a specific AFTR. There are some vendors which provide devices for access providers; it means there are different AFTR vendors nowadays and different routers, and I've analyzed at least three or four different CPE models from three different vendors, so there are some on the market. The technology itself, from the user perspective: the AFTR works for you like a proxy. It's a proxy for TCP, for UDP and for ICMP. I think some of you provide services for clients, it means mail service, VPN service or whatever, and one important thing for you: the AFTRs on the market do not support IPsec ESP. I know big companies in Germany, where I come from, whose staff use a VPN connection with an IPsec gateway, and they cannot use it anymore because they have such a Dual-Stack Lite Internet access at home, while the others don't understand what happens here: "It's not possible to use a VPN to our company anymore." Now that's the point where the VPN gateway should switch to dual-stack; it means the VPN gateway has IPv4 and IPv6 as well, then it's working because IPv6 can be used directly, and most clients nowadays have IPv6 enabled, that means Mac OS, Windows and Linux. The CPE does not have a publicly reachable IPv4 address anymore, so it's also not possible to configure a port forwarding. If you have a network-attached storage in your home network which is not supporting IPv6 and you have such kind of Internet access, you cannot use this network-attached storage from the Internet anymore. There's no way; you have to enable IPv6. That may be important to know if you have a NAS and like to reach it from the Internet. Dual-Stack Lite is not only here in Hungary present in the market, but also in Germany and Austria, and I think more than 100
million users have such a Dual-Stack Lite Internet access. Because IPv4 addresses are limited and shared among the customers, ports become a critical resource. If you share an IPv4 address with maybe two thousand to five thousand people at the same time, you cannot have all 65536 ports for yourself. Let's look at how it works, how these ports are assigned. To analyze it, I wrote a simple PHP script (that's possible in every programming language), put it on a web server and requested this script, which only prints my source IP address and my used source port. With a common IPv4 access and also with a common IPv6 access from a home device, if there's only one device active, the used source ports are simply incremental. If I run the same script over IPv4 from a client with Dual-Stack Lite access, the result is different: the ports jump around, you see for instance 36088 and then 36039, and then a connection is not possible, and the connection is only possible with particular ports. I did of course thousands of tries sequentially, and then I plotted it.

The traditional behaviour is simple incremental; it depends on your operating system how it works in detail. There is no source port randomization here on the usual operating systems: simply incremental, and if it reaches the maximum, it goes back to the default start and increases again. With IPv6 and with IPv4 it looks the same, but with IPv4 over Dual-Stack Lite it looks totally different. That's one example, and here are some gaps where the connection was lost. If I zoom in a little bit and look deeper, I detect that I have four smaller ranges of ports which are assigned to me, to my CPE, which I can use, but they are blocked for a limited time, and if my allowed number of ports is used up, I cannot use any port anymore. For demonstration purposes I created a website with a lot of pictures from different websites. All these external resources come from different IPv4 sites, and if I have access with Dual-Stack Lite, the browser tries to connect to all these sites via the AFTR, and for every request a new source port is used. If the limit is reached, with this configuration only a few of the pictures are displayed and the rest are not displayed anymore.

How is the assignment of source ports done? All those results I've detected on one AFTR. I can say the assignment of the source ports depends on the vendor of the AFTR; there are different vendors and the kind of source port assignment is different, so it's not always the case that you get four port blocks in different spaces. It also depends on the configuration of the AFTR: it's possible, for example, that the access provider defines a maximum of 500 source ports for each CPE. It depends on the vendor of the AFTR and also on the load. Only a few of these devices are used in an access provider's network, with over 40 gigabits per second, and there's a lot of traffic. I've seen one case where a source port was assigned to a client, and less than one minute later the same source port was assigned to another CPE, another client. That's dynamic; it depends on the load and on the configuration, and more than 5,000 people can share one single IPv4 address. That's the fact, it works.

And now there are some necessary consequences if you provide services like an e-mail service or whatever. At first, enable IPv6, especially for VPN, but in general, if you provide services, provide them also over IPv6, because millions of people don't have IPv4 anymore, and the access providers don't like to pay for AFTRs because they cost money, and they don't have to if IPv6 is available. If people go to Facebook, to Google, to YouTube, all these sites are available natively over IPv6, but other sites, not yet. If you have an IPv4 service, increase the number of allowed concurrent connections. One public webmail service in Germany was available only over IPv4, and I know a client with Dual-Stack Lite Internet access who tried to reach this webmail service and got the message "Too many concurrent connections from your IP address". 5,000 connections from one IP address looks a little bit strange, but it's not malicious traffic, it's usual traffic if the source IP address is shared by maybe 5,000 users. And if you have an IPv4 service, you should enable source port logging, which is required for shared IP addresses. As an example, if you have Apache, it's easy to activate source port logging. It's very simple: if you see strange traffic and you like to identify which client it was, usually you need to go to the police, and that's the same case here, but if IPv4 addresses are shared by thousands of customers, the IPv4 address itself is not enough to identify the current customer; you need the source port also, because the AFTR has an extended network address translation table with the assignment between the current source port and the customer. That's all about ports.
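The port-block behaviour described above (port blocks per CPE, a per-CPE budget that runs out, a released port handed to another customer shortly afterwards, and identification of a customer by address plus source port), as an added Python model written for this page; it is not code from the talk or from any AFTR vendor, and the public address 80.1.2.3, block size, budget and hold time are constructed sample values:

```python
"""Toy model of the AFTR's port-block Carrier-Grade NAT discussed in the talk.

Added illustration, not code from the talk or from any AFTR vendor: one public
IPv4 address shared by many Dual-Stack Lite customers, a per-CPE port budget
that runs out, a released block handed to another customer after a hold time,
and lookup of the (address, port) pair that identifies a customer. All
addresses, block sizes and budgets are constructed sample values.
"""
import random
import re
from collections import defaultdict

PUBLIC_IP = "80.1.2.3"   # constructed shared public IPv4 address of the AFTR
BLOCK_SIZE = 64          # ports handed out per block (constructed)
MAX_BLOCKS = 4           # blocks one CPE may hold at a time (constructed)
HOLD_SECONDS = 60        # a released block stays blocked this long (constructed)
FIRST_PORT = 1024        # 1024..65535 gives exactly 1008 blocks of 64 ports


class PortBlockCgn:
    def __init__(self, seed=7):
        # blocks are handed out in random order, so one customer's ports are
        # scattered over the range, as the plots in the talk show
        self.free_blocks = list(range(FIRST_PORT, 65536, BLOCK_SIZE))
        random.Random(seed).shuffle(self.free_blocks)
        self.blocks = defaultdict(list)  # CPE IPv6 address -> its block starts
        self.cooling = []                # (time the hold expires, block start)
        self.table = {}                  # public port -> (cpe, inner src, inner port)

    def _reclaim(self, now):
        """Return blocks whose hold time has expired to the free pool."""
        expired = [start for free_at, start in self.cooling if free_at <= now]
        self.cooling = [(t, s) for t, s in self.cooling if t > now]
        self.free_blocks.extend(expired)

    def allocate(self, cpe, inner_src, inner_port, now=0):
        """Map (inner_src, inner_port) behind `cpe` to a public port; None means
        the CPE's budget (or the whole shared address) is exhausted."""
        self._reclaim(now)
        for start in self.blocks[cpe]:                 # reuse a held block first
            for port in range(start, start + BLOCK_SIZE):
                if port not in self.table:
                    self.table[port] = (cpe, inner_src, inner_port)
                    return PUBLIC_IP, port
        if len(self.blocks[cpe]) >= MAX_BLOCKS or not self.free_blocks:
            return None                                # budget or address exhausted
        start = self.free_blocks.pop()
        self.blocks[cpe].append(start)
        self.table[start] = (cpe, inner_src, inner_port)
        return PUBLIC_IP, start

    def release(self, port, now=0):
        """Close a mapping; a block with no live mapping left goes on hold."""
        cpe, _, _ = self.table.pop(port)
        start = port - (port - FIRST_PORT) % BLOCK_SIZE
        if not any(p in self.table for p in range(start, start + BLOCK_SIZE)):
            self.blocks[cpe].remove(start)
            self.cooling.append((now + HOLD_SECONDS, start))

    def lookup(self, public_ip, port):
        """Current owner of a public (address, port) pair, or None."""
        if public_ip != PUBLIC_IP:
            return None
        return self.table.get(port)


def connections_until_exhausted(cgn, cpe):
    """Open flows from one device behind `cpe` until the AFTR refuses; returns the count."""
    n = 0
    while cgn.allocate(cpe, "192.168.0.10", 40000 + n) is not None:
        n += 1
    return n


def port_reuse_example():
    """Customer A closes its only flow; once the hold time has passed, customer B
    is handed the very same public port (the "less than one minute later"
    observation in the talk). Returns both ports for comparison."""
    cgn = PortBlockCgn()
    _, port_a = cgn.allocate("2001:db8::a", "192.168.0.2", 50000, now=0)
    cgn.release(port_a, now=10)
    _, port_b = cgn.allocate("2001:db8::b", "192.168.0.2", 50000, now=10 + HOLD_SECONDS)
    return port_a, port_b


# Client address and port at the start of a log line, as written by a server
# that logs the source port (e.g. an Apache LogFormat beginning "%a:%{remote}p").
LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) ")


def customer_from_log_line(cgn, line):
    """Resolve a logged (address, port) pair to the customer via the AFTR's table."""
    m = LOG_RE.match(line)
    return cgn.lookup(m.group(1), int(m.group(2))) if m else None
```

With these sample values a single CPE gets 4 × 64 = 256 concurrent mappings before the AFTR refuses, and a log line without the client port cannot be resolved at all.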
So now we should have a deeper look at the tunneling of IPv4 over IPv6. This tunneling is quite old, from the nineties, RFC 2473, and it means now we have two times layer 3. You know layer 3, layer 4, layer 2, whatever, but two times layer 3 sounds strange, so here is a simple demonstration. There's a packet you can build with Scapy, for instance, and even this "next header equal to 4" was not well documented. If you create such a packet and print it, you see the source address and destination address of IPv6 and the source and destination address of IPv4, and if you show the packet, I believe that's what you expect: IPv6 and IPv4 are both layer 3, but you have layer 3 two times, and that's strange. If you look at it in Scapy it's the same, you see IPv6 and IPv4 for one packet. The next slide shows how it looks in Wireshark.

In the sample packet dump you only see IPv4; if you filter for IPv6 you would expect to see nothing, but in fact Wireshark displays in the overview only the highest layer 3 protocol. Here I have layer 3 IPv6, and above or below it, depending on your point of view, there's IPv4, and then the payload, the layer 4, whatever. A little bit strange; it's the first time that I have two times layer 3, and you can combine it, you can have layer 3 four times, whatever, it's possible, but it's a little strange.

But from a security perspective this is really nice if you have seen this tunnel, and it runs between your CPE and the AFTR. Here IPv4 is tunneled over IPv6 because the provider has only an IPv6 network, and on that way the provider can see which devices are active at your clients. If you use Dual-Stack Lite, then you can imagine your access provider can see that you use private IP addresses, because the router does not work as a network address translator anymore; it's done by the AFTR, because so-called Carrier-Grade NAT (CGN) is used, and all the analysis is done there, and the access provider can monitor how many devices his clients have. In the past, in Germany, there were contracts available which allowed you to have only one, two or three devices on your Internet access. That's not the case anymore, but maybe there are contracts which limit the number of concurrent devices, and now it's more easy for the access provider to monitor how many different devices you have at a time and which private IP addresses they use, because all this information is visible in the tunnel.

Which entity authenticates this tunnel of IPv4 over IPv6? So what do you think, what kind of authentication is available? No answer. That's right: no authentication. This was interesting for me, and I
developed the following attack; it means I tried to attack all IPv4 devices at home if you have a Dual-Stack Lite Internet access. As an attacker on the Internet, I spoof the IPv6 address of the AFTR, use a unique reachable public IPv4 address as the inner source, and send this packet to the CPE. The CPE decapsulates it, and it results in a normal IPv4 packet; it comes from the Internet and goes to a device, maybe a printer. The response goes to the CPE, which sends it to the AFTR over IPv6, then the AFTR sends this IPv4 packet to the Internet, and it also reaches the attacker. The interesting point is you can have a direct connection from the Internet to a private IPv4 address. Is this running only on these presentation slides, or is it running really? There is a small how-to for Linux; it's quite easy to perform. At first you have to enable a kernel module for IPv4 over IPv6 tunneling, then you have to configure the IPv6 address of the AFTR as an additional IPv6 address on your system. Here, this is the address of the AFTR; the CPE knows this address, it's provided for instance via the DHCPv6 protocol or something like that, but it's not a secret. Then you have to define a tunnel; the label is not a private IP, it's only a label, you can use any name, and you have to establish this tunnel from your own spoofed IPv6 address to the IPv6 address of the CPE, of the router at home, because this is possible without authentication and it's stateless. Then you have to bring up the tunnel, and after that you have to enable a route to the private IPv4 network behind this CPE, mostly it's 192.168.0.0 or something different, vendor-dependent, and then you have to send a packet.

For the demonstration I used a small NTP tool; it's only one packet, it reads some information from NTP servers, and I ran this program from my system on the Internet against private IP addresses. What happened? A timeout, it doesn't work. Sure it wasn't working: I sent a packet that way, maybe the device has an NTP server running, and the response goes that way, through the AFTR. My request went over IPv6 to 192.168.x.y, but the response comes, in that example, from 80.1.2.3, and usually your IP stack will not recognize that as the answer to my request, because the source address is different. The easiest way to see it is to record with tcpdump, and that's the real output, not live, but captured on a real system, and you see here the answer comes from the AFTR's IPv4 address to my IPv4 address, and all the content can be displayed. That's the difference: the possibility to connect to an IPv4 device with a private IPv4 address in a home network without having a port forwarding or anything else.

It works with UDP and ICMP; it means you can ping all your devices at home, and if you have time maybe you can write a modified IPv4 TCP stack which can detect packets that belong to the same data stream even if they come from a different source IP address; it should be possible if you have time and are bored, maybe that's a new project for you. It works not with TCP directly, at least not with the three-way handshake, because the AFTR also has an integrated stateful inspection firewall. That means if you send a SYN packet to start the three-way handshake, the device sends the SYN/ACK back through the AFTR, and the stateful inspection firewall there drops it, because it didn't see the SYN come that way. But with UDP and ICMP it works fine. On top of TCP you can have so-called ACK scanning; it means only an ACK packet is sent, and that also passes through the AFTR; I've checked it.

What do you need? You need, as an attacker, a system with dual-stack Internet access, that's easy. You need the IPv6 address of the CPE of the Dual-Stack Lite customer; that's more difficult, because how is this IPv6 address used? Mostly the users don't know the IPv6 address of their CPE, because if they have an outgoing IPv6 connection and go to a website like "show me my IP address", it displays the IPv6 address of the device itself, and if they go to an IPv4 site, the IPv4 address of the AFTR is displayed. The IPv6 address of the CPE is less used; it's a secret, but not a so-called secret. You need the IPv6 address of the AFTR, that's also simple, because mostly all clients of one access provider have the same. Now you need the IPv4 address range of the home network, that's easy to guess mostly, and you need the possibility to spoof the IPv6 address of the AFTR. How is it possible to spoof it? Here the attack is displayed as running from one system, but that's not necessary; this is stateless, one packet like UDP or ICMP. You can send this spoofed IPv6 packet even if you are also a Dual-Stack Lite client of the same access provider, send it through another line of the same access provider, and the result cannot go to you because you don't have a public IPv4 address, but you can send it to an IPv4 address which is under your control on the Internet. It's hard to detect this kind of attack, because one client is sending a strange packet to another client in the same access provider's network, and the result goes to anywhere on the Internet. What I
do as a penetration tester is on the side of the attackers, but my goal is to improve the security level, so here are some measures. If you are a customer who has a Dual-Stack Lite Internet access: do not publish your IPv6 address, because it's the secret, the only secret you have. That's not so-called authentication, but still it's the only secret. Another point: please protect all your devices in your home network, because even if you have for instance a printer which can be reconfigured via SNMP with the community string "private" (a lot of network printers can be modified in such a way), and even if this printer is not configured to use the Internet, because it has a static IP address in your home network and it's only reachable from your devices, and the printer itself cannot send anything to the Internet because there's no default gateway, it can talk only to the local devices, such a packet can still reach it from the Internet, and an SNMP modification needs only one UDP packet. Even if there's no default gateway on your printer, it's possible to modify it via SNMP, because SNMP is an acronym for "Security is Not My Problem".

For access providers: I can strongly recommend to all access providers, enable anti-spoofing measures as much as you can, on the border routers, on the AFTRs, and also on every network device between your CPEs and the AFTR, and on devices between other parts of your network. Some access providers also offer dedicated servers, and there's no anti-spoofing protection between these servers and the clients of the access provider, so from such a server it's easy to run this spoofing attack against these clients.

For CPE vendors: if you are a CPE vendor, please protect your log files, because if the CPE router also offers log files for download, in all these files the IPv6 addresses of the CPE are included, so these log files are important for the customer; they are confidential.
My last point is for service providers: please enable IPv6. You may ask why: "I don't run an IPsec service and my service is only a simple TCP service like mail or web, and all clients can use my service." In general that's true, but what happens if the payload of your datagrams is very close to the maximum transfer unit? Because the encapsulation takes 40 additional bytes. If you are serving huge files, uploading videos for instance, the packet size is important: your server doesn't know anything about these tunnels, and if the packets are too big for the encapsulating tunnel, they will be fragmented. Here it means: here comes an IPv4 packet with 1500 bytes total size, and here it would become a size of 1540 bytes with the additional IPv6 header, so the packet is fragmented on that way. Mostly it works, but in general if packets are fragmented, it means the number of packets is increased and the performance will decrease, and I hope you don't like slow-performing services. That's the reason I strongly recommend to enable IPv6 on your services.

That's all I can say. Thank you for your attention. If you have questions, you can ask me here or by mail, encrypted with PGP if you like. Thank you for your attention.
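The IPv4-in-IPv6 tunnel format the talk walks through, the provider-side anti-spoofing check it asks for (a tunnel packet carrying the AFTR's address as outer source is only legitimate when it actually comes from the AFTR side), and the 1500 to 1540 byte overhead calculation from the last section, as one added Python example that is not code from the talk; the AFTR and CPE IPv6 addresses and the ingress-side labels are constructed assumptions of this example:

```python
"""Decode and classify Dual-Stack Lite tunnel packets: IPv4-in-IPv6 per
RFC 2473, IPv6 Next Header = 4, the "two times layer 3" shown in the talk.

Added example, not code from the talk. It builds a sample encapsulated packet,
decodes both layer-3 headers, applies the anti-spoofing rule the talk asks
access providers for (a packet whose outer source is the AFTR address is only
legitimate when it arrives from the AFTR-facing side), and computes the
40-byte overhead that turns a 1500-byte IPv4 packet into 1540 bytes.
The AFTR and CPE addresses and the ingress labels are constructed.
"""
import ipaddress
import struct

NEXT_HEADER_IPV4 = 4   # IPv6 Next Header value for an IPv4 payload (RFC 2473)
IPV6_HEADER_LEN = 40
LINK_MTU = 1500

AFTR_V6 = ipaddress.IPv6Address("2001:db8:ffff::1")  # constructed AFTR address
CPE_V6 = ipaddress.IPv6Address("2001:db8:1234::1")   # constructed CPE address


def ipv4_checksum(header):
    """One's-complement sum over a header; 0 means a stored checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet (20-byte header, no options) carrying `payload`."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                         64, proto, 0, src.packed, dst.packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def encapsulate(outer_src, outer_dst, inner_ipv4):
    """Wrap an IPv4 packet in an IPv6 header with Next Header = 4 (the DS-Lite tunnel)."""
    src, dst = ipaddress.IPv6Address(outer_src), ipaddress.IPv6Address(outer_dst)
    outer = struct.pack("!IHBB16s16s", 0x60000000, len(inner_ipv4), NEXT_HEADER_IPV4,
                        64, src.packed, dst.packed)
    return outer + inner_ipv4


def decode(packet):
    """Both layer-3 headers of an IPv4-in-IPv6 packet, or None if it is not one."""
    if len(packet) < IPV6_HEADER_LEN or packet[0] >> 4 != 6:
        return None
    _, payload_len, next_header, _, src6, dst6 = struct.unpack(
        "!IHBB16s16s", packet[:IPV6_HEADER_LEN])
    if next_header != NEXT_HEADER_IPV4:
        return None
    inner = packet[IPV6_HEADER_LEN:IPV6_HEADER_LEN + payload_len]
    if len(inner) < 20 or inner[0] >> 4 != 4 or ipv4_checksum(inner[:20]) != 0:
        return None
    _, _, total_len, _, _, _, proto, _, src4, dst4 = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    return {"outer_src": ipaddress.IPv6Address(src6), "outer_dst": ipaddress.IPv6Address(dst6),
            "inner_src": ipaddress.IPv4Address(src4), "inner_dst": ipaddress.IPv4Address(dst4),
            "inner_proto": proto, "inner_len": total_len}


def classify(packet, ingress, aftr=AFTR_V6):
    """Anti-spoofing verdict at a provider router. `ingress` is the side the
    packet came in on: "aftr" (AFTR-facing), "customer" (another CPE's line)
    or "internet". A tunnel packet claiming the AFTR as outer source is only
    accepted from the AFTR side; from anywhere else it is the spoofed packet
    the talk describes and is dropped."""
    d = decode(packet)
    if d is None:
        return "not-dslite"
    if d["outer_src"] == ipaddress.IPv6Address(aftr) and ingress != "aftr":
        return "drop-spoofed-aftr-source"
    return "forward"


def encapsulated_size(ipv4_total_len, mtu=LINK_MTU):
    """On-link size after the outer IPv6 header, and whether it exceeds the MTU
    (so the tunnelled packet has to be fragmented)."""
    size = ipv4_total_len + IPV6_HEADER_LEN
    return size, size > mtu


def demo():
    """Legitimate return traffic from the AFTR vs. the same bytes injected elsewhere."""
    inner = build_ipv4("80.1.2.3", "192.168.0.10", 17, b"\x00" * 8)  # 17 = UDP, dummy payload
    packet = encapsulate(AFTR_V6, CPE_V6, inner)
    return {"decoded": decode(packet),
            "from_aftr": classify(packet, "aftr"),
            "from_internet": classify(packet, "internet"),
            "size_1500": encapsulated_size(1500)}
```

Note that the inner headers of the legitimate and the injected packet are identical (public source, private destination), which is why the CPE alone cannot tell them apart and the check has to live at the provider.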

