Writing

Software, technology, sysadmin war stories, and more. Feed
Monday, June 11, 2012

The same-subnet IPv6 backdoor

Let's say you have a machine running iptables rules. It's filtering traffic so that random bits of network stupidity won't be as likely to bother you. Let's say you filter things so that only localhost can connect to them. That means stuff like today's MySQL exploit is then only a problem if someone gets on your local machine.

Pretty good, right? Well, maybe, maybe not.

Your services might also be listening on IPv6 sockets. If you're running a recent version of various distributions, you probably have Apache and sshd listening on :::80 and :::22, respectively, in addition to the usual 0.0.0.0:80 and 0.0.0.0:22.

So maybe you've set up iptables to filter various ports. That's good. That'll keep random miscreants off those ports... assuming they're talking IPv4. iptables itself only filters that protocol.

Maybe your machine is on a network which doesn't have IPv6 connectivity to the outside world. None of my machines have that sort of stuff going on. Not even my machine at ServerBeach has IPv6 connectivity to the outside world. They haven't rolled it out yet.

That just means I can't cross a router with IPv6. But hey, I can still talk to any machine which is on the same subnet as me. Maybe those machines don't explicitly have IPv6 addresses set. That's not a problem, because they tend to make up their own fe80::* link-local stuff. Now they have an address, and thus a way to talk to them.

The next thing you're thinking is that IPv6's link-local space is pretty amazingly large, so how can I find them? Well, that's even easier. A whole bunch of these machines do nothing but spew out dhcp6 solicit messages all day long. All you'd have to do is pick one and portscan it on the IPv6 side to see what comes back.

Stuff this like this makes me want to just "ip6tables -I INPUT -j DROP" and go on with life. There's nothing good which can currently come from accepting any traffic of that sort. Until I can reach the outside world with it and vice-versa, it's not like I'll be missing much.

Long story short, if your machine is running IPv6 unfiltered and you think it's safe due to a lack of routing, all it takes is one host with bad intentions on the same subnet to make your life interesting.