
IPv6 Attack Defense

Overview

Disabling the Sending and Receiving of ICMPv6 Packets

Under normal network conditions, the device can send and receive ICMPv6 packets. Under heavy traffic, however, if host unreachable and port unreachable conditions occur frequently, the device sends or receives a large number of ICMPv6 packets, which overloads the network and degrades device performance. In addition, attackers commonly use ICMPv6 error packets to probe the internal network structure before launching further attacks.

To improve network performance and enhance network security, you can disable the function of receiving or sending ICMPv6 reply packets, host unreachable packets, and port unreachable packets in the system.

Disabling Unused Ports and Services

Disable unused ports, for example the DHCPv6 port, to reduce the attack surface and prevent attacks on open ports.

Some services (such as dynamic domain name resolution) consume a large amount of CPU resources on the management plane. When a DNS flood attack occurs, the CPU may be overloaded. To avoid such a situation, you can disable these services.

Configuring Refined Security Policies

Loose matching conditions introduce security risks. Refined security policies can block packets from specific IPv6 addresses or packets of specific types.

Preventing Source IP Address Spoofing Attacks

If an attacker sends a request packet with a forged source IP address to the server, the server sends its response to the host that actually owns that source IP address. The forged packet therefore attacks both the server and the real host. A flood of such forged packets consumes a great amount of network resources and may cause a denial of service (DoS). Unicast reverse path forwarding (URPF) effectively protects the network against attacks that rely on spoofed source IP addresses.

Impact on the System

  • If the function of sending a certain type of ICMPv6 messages is disabled on a device, the device does not send ICMPv6 messages of the corresponding type. For example, if the function of sending ICMPv6 messages is disabled on a local device, when another device pings the local device, the local device sends the ICMPv6 Echo Request messages to the control plane for processing and does not respond to the messages. If a tracert is run from another device to the local device, the local device does not return error messages.
  • If the function of receiving a certain type of ICMPv6 messages is disabled on a device, the device discards the ICMPv6 messages of the corresponding type. For example, if the function of receiving ICMPv6 messages is disabled on a local device, another device cannot ping the local device. If a tracert is run from another device to the local device, the local device does not return error messages.
  • Configuring rate limiting for ICMPv6 error messages on a device reduces the rate at which the device responds to ICMPv6 error messages.
  • After you disable the function of receiving ICMPv6 reply packets, host unreachable packets, and port unreachable packets in the system, the main interface cannot process such ICMPv6 packets. In addition, the system will not collect statistics on such packets. It counts only the total number of discarded packets.

Procedure

  • To improve network performance and security, run the undo ipv6 icmp send command to disable the system from sending ICMPv6 packets, including echo reply, host unreachable, port unreachable, redirect, and network unreachable packets.

    By default, the system sends ICMPv6 packets.
    system-view 
    undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } send

    You can also run the undo ipv6 icmp all send command to disable the system from sending all types of ICMPv6 packets.

  • Disable the system from receiving ICMPv6 packets, including echo reply, host unreachable, and port unreachable packets.

    undo ipv6 icmp { icmpv6-type icmpv6-code | icmpv6-name | all } receive

  • Disable the DHCPv6 server or DHCPv6 PD server function. By default, the DHCPv6 server or DHCPv6 PD server function is disabled.

    # Disable the DHCPv6 server or DHCPv6 PD server function in the system view.

    undo dhcpv6 server { allow-hint | preference | rapid-commit | unicast } *
    # Disable the DHCPv6 server function on the interfaces.
    interface interface-type interface-number
    undo dhcpv6 server
    quit

  • Disable the dynamic domain name resolution function. By default, the dynamic domain name resolution function is disabled.

    system-view 
    undo dns resolve

  • Configure an interzone or intrazone security policy to block ICMPv6 packets of a specific type. The echo reply packet is used as an example.

    ip service-set icmp6_echo_reply type object   //Create a service set.
    service 0 protocol icmpv6 icmpv6-type 129 0   //Add a member and specify the ICMPv6 packet type and code.
    quit
    security-policy
    rule name block_abnormal_icmp6
    source-zone untrust
    destination-zone trust
    service icmp6_echo_reply   //Reference the created service set.
    action deny
    quit

  • Configure an interzone or intrazone security policy to block traffic from a specified IPv6 address.

    security-policy
    rule name block_abnormal_ipv6
    source-address ff::8
    action deny
    quit

  • Configure rate limiting for ICMPv6 error messages.
    1. Configure rate limiting for ICMPv6 error messages.

      ipv6 icmp-error { ratelimit interval | bucket bucket-size } *

    2. (Optional) Disable the device from suppressing ICMPv6 Packet Too Big messages.

      undo ipv6 icmp too-big-rate-limit

  • Configure the IPv6 URPF function. For details, see Configuration Guide > Security Protection > URPF > CLI: Example for Configuring URPF.
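As an added illustration (not Huawei's own code or the firewall's implementation), the following Python sketch models what the two security-policy rules and the ICMPv6 error-message rate limit above do: it parses constructed IPv6/ICMPv6 packets, applies the deny rule for type 129 code 0 from untrust to trust and the deny rule for source ff::8, and enforces a token bucket for error messages. The rule model, zone handling and bucket semantics are simplified assumptions.

```python
import struct
import ipaddress

def build_icmpv6(src, dst, icmp_type, icmp_code):
    """Constructed sample: 40-byte IPv6 header + 8-byte ICMPv6 header, checksum left 0."""
    body = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    hdr = struct.pack("!IHBB", 0x60000000, len(body), 58, 64)  # next header 58 = ICMPv6
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

def parse_icmpv6(pkt):
    ver_tc_fl, _plen, nh, _hop = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6 or nh != 58 or len(pkt) < 42:
        return None  # not an IPv6 packet carrying ICMPv6
    return {"src": ipaddress.IPv6Address(pkt[8:24]), "type": pkt[40], "code": pkt[41]}

# Assumed simplified model of the page's two rules: a (type, code) service set for untrust->trust, and a source match.
RULES = [
    {"name": "block_abnormal_icmp6", "zones": ("untrust", "trust"), "service": {(129, 0)}, "action": "deny"},
    {"name": "block_abnormal_ipv6", "src_addr": ipaddress.IPv6Address("ff::8"), "action": "deny"},
]

def evaluate(pkt, src_zone, dst_zone):
    """First matching rule wins; non-ICMPv6 traffic is outside these rules and is permitted."""
    p = parse_icmpv6(pkt)
    if p is None:
        return "permit"
    for r in RULES:
        if "zones" in r and r["zones"] != (src_zone, dst_zone):
            continue
        if "service" in r and (p["type"], p["code"]) not in r["service"]:
            continue
        if "src_addr" in r and p["src"] != r["src_addr"]:
            continue
        return r["action"]
    return "permit"

class ErrorRateLimiter:
    """Token bucket (assumed semantics of ipv6 icmp-error ratelimit/bucket): one token per interval_ms, capped at bucket_size."""
    def __init__(self, interval_ms, bucket_size):
        self.interval, self.size = interval_ms, bucket_size
        self.tokens, self.last = bucket_size, 0

    def allow(self, now_ms):
        refill = (now_ms - self.last) // self.interval  # whole intervals elapsed since last refill
        self.tokens = min(self.size, self.tokens + refill)
        self.last += refill * self.interval
        if not self.tokens:
            return False  # bucket empty: this error message is suppressed
        self.tokens -= 1
        return True
```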

Checking the Security Hardening Result

Run the display icmpv6 statistics [ interface interface-type interface-number ] command to check statistics about ICMPv6 traffic.

Copyright © Huawei Technologies Co., Ltd.