Field of the Invention
The present invention is generally directed to identifying attacks on a computer network. More specifically, the present invention identifies routing loop attacks on a computer network and mitigates their effect on the computer network.
Description of the Related Art
Internet protocol version six (IPv6) is destined to be the future network layer protocol for the Internet. IPv6, however, is not compatible with its predecessor, Internet protocol version four (IPv4). Because of this various interoperability mechanisms are being developed that allow computers running IPv6 stack to communicate over IPv4 networks by encapsulating IPv6 packets into IPv4 packets and sending the IPv4 packets through a tunnel. This is referred to as “IPv6-in-IPv4.” This method allows IPv6 packets to be sent over an IPv4 network without prior configuration. While IPv6-in-IPv4 solves a compatibility issue between IPv6 and IPv4, it creates other issues. One such issue is that hackers or malicious programs that exploit differences or inconsistencies between IPv4 and IPv6 communication standards when attacking IPv6-in-IPv4 communications.
One type of attack that IPv6-in-IPv4 is susceptible to are packets designed to create communication loops between nodes or routers. When two different nodes continuously pass packets between themselves, network communications can slow down or crash (stop functioning). This is because as more messages loop around and around from a first node/router to a second node/router and back again, network bandwidth is consumed performing useless tasks.
In general, an IPv6-in-IPv4 tunnel has at least two end points. Each end point must be able to process both IPv4 and IPv6 packets and must possess an IPv4 address. To deliver an IPv6 packet over the tunnel, an ingress end point encapsulates the packet with an IPv4 header. The source IPv4 address is that of the ingress end point and the destination IPv4 address is that of the intended egress end point. Consequently, each tunnel end point must have a routing table that associates each IPv6 destination address with an appropriate next-hop IPv4 address. The packet is then handled by the IPv4-only network as a normal IPv4 packet. When a packet reaches the egress end point, the endpoint strips the IPv4 header from the packet and the packet may be processed as a conventional IPv6 packet.
IPv6-in-IPv4 tunnels are commonly referred to as “automatic tunnels,” and automatic tunnels allow two IPv6 nodes to communicate over an IPv4-only network. These automatic tunnels are not meant to be used permanently in the network, but only during the transition from IPv4 to IPv6 networks. However, since it may take quite some time for the whole Internet to migrate from IPv4 to IPv6, automatic tunnels will exist in the network for a long period of time. Packets sent over an automatic tunnel include an egress IPv4 address that is embedded within the destination IPv6 address of the packet.
As pointed out above there is a looping vulnerability in the design of IPv6-in-IPv4 automatic tunnels. This looping vulnerability can be triggered accidentally, or exploited maliciously by an attacker. An attacker can craft a packet to be routed over a tunnel to a node that is not associated with the packet's destination. This node may forward the packet out of the tunnel to the native IPv6 network and the packet might then be forwarded back into the tunnel again by the IPv6 network, hence causing a routing loop. Conventionally, this loop terminates only when the Hop Limit field of the IPv6 packet is decremented to zero. This vulnerability can be abused as a vehicle for traffic amplification and to facilitate Denial of Service (DoS) attacks.
Without compensating security measures in place, all such automatic tunnels are vulnerable to such an attack, including, yet not limited to tunnels according to the standards such as: the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6 to 4, and 6rd (IPv6 Rapid Deployment on IPv4 Infrastructures). While some possible mitigation measures are being developed, they either impose limitations on network topology or incur a large amount of overhead for routers in a computer network. What is needed are systems and methods that prevent or limit loop attacks affecting IPv6-in-IPv4 communications using simple and efficient techniques.