
2012 IEEE Symposium on Humanities, Science and Engineering Research

IPv6 Attack Scenarios Testbed

* Wan Nor Ashiqin Wan Ali, * Abidah Hj Mat Taib, * Naimah Mohd Hussin and * Jamal Othman
* Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA Perlis Branch, Malaysia
wannorashiqin@gmail.com, abidah@perlis.uitm.edu.my
 

Abstract: Deploying IPv6 in the enterprise network will increase the security issues, since some IPv6 features bring vulnerabilities. Thus, mitigating them with an appropriate security policy is vital. Attack scenario testing exposes network administrators to potential IPv6 attacks. For example, the Bad ACK-Reset attack is used by an attacker to reset a new connection after exploiting the network. Also, the Packet Fragmentation attack is capable of taking control of the packet fragmentation services and can cause problems in security measurement. Hence, this paper tested Bad ACK-Reset and Packet Fragmentation attack scenarios for analysis. This paper used Scapy (2.0.1) to generate packets for testing. A testbed simulation has been designed using Graphical Network Simulator 3 (GNS3). Several ip6tables rules and access control lists (ACLs) were implemented at the host and the router respectively to counter the Bad ACK-Reset and Packet Fragmentation attack scenarios. Information gained from the testing will provide a clear understanding of IPv6 security issues and help to design a proper network security policy. The current results from the testing can be used for future research in generating the security policies. Thus, our further research will focus on modelling the created security policy for IPv6 deployment.

Keywords: IPv6 deployment; IPv6 attack scenarios; security policy; GNS3; IP6tables

I. INTRODUCTION

Handling threats due to Internet Protocol version 6 (IPv6) deployment has become an important issue to be explored [1], [2], [3], [4]. Since enterprises need to deploy IPv6 sooner or later, they must also consider the security issues related to IPv6 deployment. Therefore, we need to test several attacks related to IPv6 deployment in order to create an appropriate set of security policies that can be implemented and enforced in the host firewall and also the perimeter firewall.

This paper focuses on an attack testing setup using the Graphical Network Simulator 3 (GNS3) simulation software [5]. GNS3 supports any testbed simulation using Cisco routers.

The testbed simulation focuses on testing several attacks related to the Internet Control Message Protocol for IPv6 (ICMPv6) [6]. Attacking activities have been conducted using the THC IPv6 Toolkit [7] and Scapy [8] in order to test IPv6 attacks. The documentation of ip6tables in RFC 4890 has been considered in our testing simulation. However, some attacks need to be filtered at the router; thus, some Access Control Lists (ACLs) have been configured to counter the attacks before they arrive at the host.

The remainder of this paper is organized as follows: Section 2 discusses IPv6 attack scenarios, Section 3 describes a testbed simulation using the GNS3 application, Section 4 states the purpose of testing, Section 5 identifies the assessment criteria and Section 6 designs the framework of testing. The rest of the sub-topics are testbed of testing, experimental tools, test procedure, findings, conclusion and last section closes the paper with some conclusions.

II. IPV6 ATTACK SCENARIOS

IPv6 attacks are becoming possible due to wider application of IPv6 in present networks. Moreover, recent development has shown that computer devices and networks are enabled for IPv6. When enterprises start to deploy IPv6, they still need to maintain IPv4 concurrently. Hence, security issues have increased, since enterprises need to maintain the coexistence of IPv4 and IPv6 [4].

Researchers [9], [4], [10] found that the number of attacks has increased with IPv6 deployment, since attackers manipulate the vulnerabilities of IPv6. However, with knowledge and understanding of IPv6 attacks, an administrator is better equipped to counter the IPv6 security issues. For instance, this paper demonstrates Bad ACK-Reset and Packet Fragmentation attacks that can occur in IPv6 deployment.

The Bad ACK-Reset attack [11] can be used to generate a connection after doing something bad to the victim host while still desiring to create an additional session without any acknowledgement to that victim. Thus, an attacker can inject any malicious packet which can harm the victim host again and again by resetting a new connection. The Bad ACK-Reset attack indicates the IPv6 attacks which can occur when an attacker is capable of resetting a new connection with the victim host.

Meanwhile, the Packet Fragmentation attack is usually used to make the content of the transferred data unclear, so that it can pass through the firewall [12]. It can also be seriously misused by an attacker to inject various malicious packets by using packet fragmentation. The packet fragmentation attack can occur in both IPv4 and IPv6 networks.

This work was sustained in part by the Fundamental Research Scheme Grant (FRGS), code project: 600-RMI/SSP/FRGS 5/3/Fsp (54/2010) and Dana Kecemerlangan UiTM, code project: 600-RMI/ST/DANA 5/3/Dst (455/2011).

978-1-4673-1310-0/12/$31.00 2012 IEEE



However, since our work focuses on IPv6 attacks, we have tested this kind of attack using IPv6 addresses. This attack is adopted from [12] and re-tested in our experimental testbed.

III. TESTBED SIMULATION USING GNS3 APPLICATION

Graphical Network Simulator 3 (GNS3) allows researchers to emulate complex or simple networks. In addition, the GNS3 application can combine actual devices and virtual devices together in one or more networks. The virtual devices can be virtual machines, routers and other virtual network devices.

Besides, GNS3 supports Cisco IOS by using Dynamips, which makes things easier since it provides a GUI. Users are able to run any commands as long as the commands and parameters used are supported by Cisco IOS. Besides Cisco, GNS3 also supports Juniper routers and PIX Firewall.

In addition, the GNS3 application is open source and free, and can be installed and used on various operating systems such as Windows, MacOS, Linux and others. However, GNS3 does not replace the router because it is used for education and lab testing purposes.

A. Purpose

The aim of the testing presented here is to point out that Bad ACK-Reset and Packet Fragmentation attacks can occur in IPv6 deployment. Indirectly, there are solutions provided in this testing which can be practiced to prevent the attacks from occurring.

B. Assessment Criteria

The attack scenarios have been tested and evaluated using Wireshark, which is an open-source packet analyzer [13]. Therefore, packets are observed according to each frame inside the packets. After the packets are observed, some prevention is applied to counter the attack scenarios. Then, the testing is repeated two times; the first test is without any filtering rule and the second is with appropriate filtering rules. The attack scenarios are tested several times with some filtering rules until we get the appropriate rules. Packets are captured and analyzed again to see whether the rules are capable of countering those attacks.

C. Framework

This attack scenario testing is conducted as a preliminary study to prove that enterprises need to properly manage their host firewall. Several studies have revealed the importance of firewall management and some security issues when users start to deploy IPv6 [14], [15], [16], [9]. Indirectly, enterprises must protect their own organization firewall in order to sustain their business activities, since they use many more network applications than an individual user.

With the existence of IPv6, enterprises cannot totally rely on the perimeter firewall, since IP Security (IPsec) is mandatory in an IPv6 installation [17]. The perimeter firewall cannot see the content of any packet if the attacker uses IPsec. If end-to-end IPsec is used, the transmitted data are encrypted and only the destination host can decrypt them. Therefore, host firewall implementation is crucial for enterprises to manage their organization security properly.

This testing was performed in a private network to isolate it from the running network. Hence, the testing did not create any conflict with the public network or the organization network, because it is hazardous to test the attack scenarios on the organization network.

Figure 1 shows the basic organization network topology, which adopts the distributed firewall concept [18]. The distributed firewall concept points out that it is important to manage the host firewall besides the perimeter firewall [18], [19]. Thus, this testing will provide appropriate mechanisms that can represent the host firewall, which are ip6tables rules and ACLs.

Figure 1. Organization Network Topology

D. Experimental Testbed Setup

The testbed simulation was designed using the GNS3 application. The existing firewall was tested to review whether it can support IPv6 traffic or not. Some of the attacks related to IPv6 deployment were tested and the traffic was captured for in-depth analysis.

The testing simulation was designed using one virtual router and two computers (Windows XP, Centos). A guest operating system (Virtual Ubuntu) was installed in the host operating system (Windows XP) to support this testing setup. All computers are connected using the virtual router, which has been configured using the GNS3 application.

Two nodes, Node A (Centos) and Node B (Virtual Ubuntu), have been configured with dual-stack addresses. The dual-stack addresses have been configured to
represent the coexistence of IPv4 and IPv6 addresses. Even though the experimental setup used dual-stack addresses, this testing only focuses on IPv6 attack scenarios. Figure 2(a) shows the testbed topology designed using the GNS3 application.

Figure 2(a). Testbed Topology Using GNS3 Application

    R1#sh run
    Building configuration...
    !
    ipv6 unicast-routing
    !
    interface FastEthernet0/0
     ip address 192.168.32.2 255.255.255.0
     duplex auto
     speed auto
     ipv6 address 2607:F0D0:1002:52::2/64
     ipv6 enable
    !
    interface FastEthernet0/1
     ip address 192.168.33.3 255.255.255.0
     duplex auto
     speed auto
     ipv6 address 2607:F0D0:1002:53::3/64
     ipv6 enable
    !
    end

Figure 2(b). Router Configuration

The virtual routers [20] have been configured using the router emulator Dynamips. The router configuration for this testing is shown in Figure 2(b).

E. Test Procedure

Firstly, we created a private network for our testing using GNS3. Then, we configured the router and computers to ensure that the connection was successful. Subsequently, we tested the network with the Bad ACK-Reset and Packet Fragmentation attacks using Scapy (2.0.1). Those attacks were tested without applying any rule at first. At that moment, they were captured and analyzed using Wireshark. The testing was then repeated with some rules applied to counter the problem. From there, we could define which rules are appropriate to prevent the attacks from occurring.

IV. FINDINGS DISCUSSION

A. Bad ACK-Reset Attack

The Bad ACK-Reset attack [21] can be used to generate a connection after doing something wrong to the victim host while still desiring to create an additional session without any acknowledgement. The Bad ACK-Reset attack has been tested in an IPv4 network, and some rules were applied to counter the attack [11]. Hence, the same Bad ACK-Reset code has been adapted in this testing to test whether the attack can occur with IPv6 addresses. TABLE I shows the captured packets from the testing.

Based on TABLE I, Node B (2607:f0d0:1002:53:a00:27ff:fe96:b186) has been attacked with a sort of content rule for "BAD STUFF" by Node A (2607:f0d0:1002:52:230:18ff:fea3:7559). The content was separated into two parts to urge TCP reassembly, thus the victim host was not aware of the content rule as it came with a single segment. The attacker could send any SYN packet without the victim's acknowledgement, because the Bad ACK-Reset attack would reset the connection again.

The Bad ACK-Reset attack can be prevented by using the following ip6tables rules, which have been tested with the testbed simulation:

    #ip6tables -A INPUT -s ipv6_address -j DROP
    #ip6tables -A INPUT -s ipv6_network_prefix -d ipv6_network_prefix -j ACCEPT
    #ip6tables -A OUTPUT -p tcp -s ipv6_address -d ipv6_network_prefix --tcp-flags RST RST --destination-port 80 -j DROP

The Bad ACK-Reset attack has been tested again after the ip6tables rules were implemented. TABLE II shows that the attacker cannot reset the connection once again. Therefore, with those ip6tables rules the attacker is restricted from continuing the communication with the victim nodes.


TABLE I. CAPTURED PACKET OF BAD ACK-RESET ATTACK

No. | Time | Source | Destination | Protocol | Info
1 | 0.000000 | c4:01:0a:74:00:01 | c4:01:0a:74:00:01 | LOOP | Reply
2 | 3.933787 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | TCP | 9415 > http [SYN] Seq=0 Win=8192 Len=0
3 | 3.933804 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | TCP | http > 9415 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
4 | 4.135994 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | TCP | 9415 > http [ACK] Seq=1 Ack=3 Win=8192 Len=0
5 | 4.136011 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | TCP | http > 9415 [RST] Seq=3 Win=0 Len=0
6 | 4.209749 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | HTTP | Continuation or non-HTTP traffic
7 | 4.209755 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | TCP | http > 9415 [RST] Seq=2 Win=0 Len=0

TABLE II. CAPTURED PACKET OF BAD ACK-RESET ATTACK USING IP6TABLES

No. | Time | Source | Destination | Protocol | Info
1 | 0.000000 | c4:01:0a:74:00:01 | c4:01:0a:74:00:01 | LOOP | Reply
2 | 2.858057 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | TCP | 47916 > http [SYN] Seq=0 Win=8192 Len=0
3 | 7.870039 | fe80::c601:aff:fe74:1 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | ICMPv6 | Neighbor Solicitation for 2607:f0d0:1002:53:a00:27ff:fe96:b186 from c4:01:0a:74:00:01
4 | 7.870064 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | fe80::c601:aff:fe74:1 | ICMPv6 | Neighbor Advertisement 2607:f0d0:1002:53:a00:27ff:fe96:b186 (sol)
5 | 10.007276 | c4:01:0a:74:00:01 | c4:01:0a:74:00:01 | LOOP | Reply
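
The check below is an added example, not code from the paper or from [11]: it walks a capture in packet order and reports segments that one endpoint keeps sending on a TCP flow after the other endpoint has reset it, which is the pattern in rows 4 and 6 of TABLE I. The rows are re-typed from TABLE I and TABLE II as constructed input; the flags and payload length of row 6 (shown in the capture only as HTTP continuation traffic) and all helper names are assumptions.

```python
from dataclasses import dataclass

NODE_A = "2607:f0d0:1002:52:230:18ff:fea3:7559"
NODE_B = "2607:f0d0:1002:53:a00:27ff:fe96:b186"

@dataclass(frozen=True)
class Seg:
    no: int           # packet number in the capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # TCP flags set on the segment
    length: int       # TCP payload length

def seg(no, src, dst, sport, dport, flags, length=0):
    return Seg(no, src, dst, sport, dport, frozenset(flags.split(",")), length)

# Constructed input mirroring the TCP rows of TABLE I (http = port 80).
TABLE_I = [
    seg(2, NODE_A, NODE_B, 9415, 80, "SYN"),
    seg(3, NODE_B, NODE_A, 80, 9415, "RST,ACK"),
    seg(4, NODE_A, NODE_B, 9415, 80, "ACK"),
    seg(5, NODE_B, NODE_A, 80, 9415, "RST"),
    seg(6, NODE_A, NODE_B, 9415, 80, "PSH,ACK", length=4),  # flags/length assumed
    seg(7, NODE_B, NODE_A, 80, 9415, "RST"),
]
# Constructed input mirroring TABLE II: only the SYN is seen, nothing follows.
TABLE_II = [seg(2, NODE_A, NODE_B, 47916, 80, "SYN")]

def segments_after_reset(capture):
    """Return (packet no, kind) for segments sent on a flow the peer already reset."""
    reset_by = {}  # flow key -> address of the endpoint that sent the first RST
    findings = []
    for s in capture:
        key = frozenset({(s.src, s.sport), (s.dst, s.dport)})
        if "RST" in s.flags:
            reset_by.setdefault(key, s.src)
        elif s.flags == {"SYN"}:
            reset_by.pop(key, None)  # a fresh connection attempt is legitimate
        elif key in reset_by and reset_by[key] != s.src:
            findings.append((s.no, "payload" if s.length else "control"))
    return findings

if __name__ == "__main__":
    print("TABLE I :", segments_after_reset(TABLE_I))
    print("TABLE II:", segments_after_reset(TABLE_II))
```
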

B. Packet Fragmentation Attack

Fragmentation is the method of IP packet separation where an IP packet is divided into smaller packets. Thus, the packet can easily be transmitted through a network which does not allow the transmission of huge packets [12]. However, this fragmentation method can be misused by an attacker to send a hidden attack inside the packet. Attackers can hide their attacks in countless small fragments, so that they can bypass network attack detection or network filtering. We have injected the testing with a single packet of the Packet Fragmentation attack. Figure 3 shows the snapshot of testing when we injected a Packet Fragmentation attack; we got a reply from the victim host.

Figure 3. Snapshot of Packet Fragmentation Attack

Based on TABLE III, Node A (2607:f0d0:1002:52:230:18ff:fea3:7559) sent the IPv6 packet fragmentation to Node B (2607:f0d0:1002:53:a00:27ff:fe96:b186). Then, Node A gets a Parameter Problem message from Node B, which means there is a parameter problem because of an invalid header. However, Node A can still keep on sending the fragmented packet to Node B. Thus, the network administrator can implement an Access Control List (ACL) to block the Packet Fragmentation attack. Some ACL rules are implemented at the router to counter the attack:

    (config)#ipv6 access-list BLOCKFRAGMENTS
    (config-ipv6-acl)#permit 88 any any
    (config-ipv6-acl)#permit 103 any any
    (config-ipv6-acl)#permit icmp any any router-advertisement
    (config-ipv6-acl)#permit icmp any any router-solicitation
    (config-ipv6-acl)#deny ipv6 any 2607:f0d0:1002:52::/64
    (config-ipv6-acl)#interface FastEthernet 0/1
    (config-if)#ipv6 traffic-filter BLOCKFRAGMENTS in

TABLE IV shows the captured packets of the Packet Fragmentation attack which has been filtered using the ACL rules. From TABLE IV, we can see that Node A (2607:f0d0:1002:52:230:18ff:fea3:7559) tries to send the IPv6 packet fragmentation again to Node B (2607:f0d0:1002:53:a00:27ff:fe96:b186). Node A then still gets a Parameter Problem message from Node B. However, Node A cannot keep on sending the fragmented packet to Node B, since the fragmented packet is blocked at the router.


TABLE III. CAPTURED PACKET OF PACKET FRAGMENTATION ATTACK

No. | Time | Source | Destination | Protocol | Info
1 | 0.000000 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | IPv6 | IPv6 fragment (nxt=TCP (0x06) off=800 id=0x2)
2 | 0.000029 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | ICMPv6 | Parameter Problem (erroneous header field encountered)
3 | 2.559702 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | IPv6 | IPv6 fragment (nxt=TCP (0x06) off=800 id=0x2)
4 | 2.559725 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | ICMPv6 | Parameter Problem (erroneous header field encountered)
5 | 2.629553 | c4:02:05:08:00:01 | c4:02:05:08:00:01 | LOOP | Reply

TABLE IV. CAPTURED PACKET OF PACKET FRAGMENTATION ATTACK USING ACL RULES

No. | Time | Source | Destination | Protocol | Info
1 | 0.000000 | c4:02:05:08:00:01 | c4:02:05:08:00:01 | LOOP | Reply
2 | 1.606498 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | IPv6 | IPv6 fragment (nxt=TCP (0x06) off=800 id=0x2)
3 | 1.606523 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | 2607:f0d0:1002:52:230:18ff:fea3:7559 | ICMPv6 | Parameter Problem (erroneous header field encountered)
4 | 6.603758 | fe80::a00:27ff:fe96:b186 | fe80::c602:5ff:fe08:1 | ICMPv6 | Neighbor Solicitation for fe80::c602:5ff:fe08:1 from 08:00:27:96:b1:86
5 | 6.619023 | fe80::c602:5ff:fe08:1 | fe80::a00:27ff:fe96:b186 | ICMPv6 | Destination Unreachable (Administratively prohibited)
6 | 6.621843 | fe80::c602:5ff:fe08:1 | 2607:f0d0:1002:53:a00:27ff:fe96:b186 | ICMPv6 | Neighbor Solicitation for 2607:f0d0:1002:53:a00:27ff:fe96:b186 from c4:02:05:08:00:01
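
The parser below is an added example, not code from the paper: it decodes the IPv6 Fragment extension header and flags fragments that a filter or IDS cannot inspect on their own, namely a non-initial fragment with no first fragment (the lone off=800, id=0x2 fragment of TABLE III) and, going beyond the paper's test, a first fragment too short to hold the TCP header. The packets are constructed inside the code; payload sizes, M flag values, the second fragment pair and reading off=800 as a byte offset are assumptions.

```python
import ipaddress
import struct

FRAGMENT_NH = 44  # Next Header value of the IPv6 Fragment extension header
TCP_NH = 6
NODE_A = "2607:f0d0:1002:52:230:18ff:fea3:7559"
NODE_B = "2607:f0d0:1002:53:a00:27ff:fe96:b186"

def build_fragment(src, dst, nxt, byte_offset, more, ident, data):
    """Constructed test input: IPv6 header + Fragment header + data."""
    frag = struct.pack("!BBHI", nxt, 0, ((byte_offset // 8) << 3) | int(more), ident)
    payload = frag + data
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), FRAGMENT_NH, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def parse_fragment(pkt):
    """Return the fragment fields, or None if pkt is not an IPv6 fragment.
    Only handles a Fragment header placed directly after the IPv6 header."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != FRAGMENT_NH:
        return None
    nxt, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[40:48])
    return {
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "nxt": nxt,
        "offset": (off_flags >> 3) * 8,  # field counts 8-octet units
        "more": bool(off_flags & 1),     # M flag: more fragments follow
        "id": ident,
        "data_len": len(pkt) - 48,
    }

def audit(packets):
    """Return (packet index, reason) for fragments that should not be trusted."""
    seen_first = set()  # (src, dst, id) of fragment sets whose first piece was seen
    findings = []
    for i, pkt in enumerate(packets, 1):
        f = parse_fragment(pkt)
        if f is None:
            continue
        key = (f["src"], f["dst"], f["id"])
        if f["offset"] == 0:
            seen_first.add(key)
            if f["nxt"] == TCP_NH and f["data_len"] < 20:
                findings.append((i, "first fragment truncates TCP header"))
        elif key not in seen_first:
            findings.append((i, "non-initial fragment without a first fragment"))
    return findings

# Constructed sample: packet 1 mirrors TABLE III; packets 2-3 are an assumed pair.
SAMPLE = [
    build_fragment(NODE_A, NODE_B, TCP_NH, 800, False, 0x2, b"X" * 16),
    build_fragment(NODE_A, NODE_B, TCP_NH, 0, True, 0x3, b"X" * 8),
    build_fragment(NODE_A, NODE_B, TCP_NH, 8, False, 0x3, b"X" * 24),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
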

V. CONCLUSION

The experiment presented in this paper supports the need for a more persistent and distributed security policy which focuses on managing the host firewall appropriately. This paper highlights the analysis of some IPv6 attack scenarios, using the GNS3 application to model the testing topology. Currently, we are testing several IPv6 attack scenarios in order to study IPv6 deployment and its vulnerabilities in depth. Indirectly, we can define appropriate security policies in designing a security policy model for IPv6 deployment based on the testing result. Therefore, in future work, there will be an implementation of a prototype security policy model based on the distributed firewall concept.

ACKNOWLEDGMENT

We would like to thank the reviewers, participants of the research project and other individuals who have indirectly contributed to this research.

REFERENCES

[1] D. Zagar and K. Grgic, "IPv6 Security Threats and Possible Solutions," in Automation Congress, 2006. WAC '06. World, 2006, pp. 1-7.
[2] Y. Xinyu, M. Ting and S. Yi, "Typical DoS/DDoS Threats under IPv6," in Computing in the Global Information Technology, 2007. ICCGI 2007. International Multi-Conference on, 2007, pp. 55-55.
[3] R. Radhakrishnan, M. Jamil, S. Mehfuz and Moinuddin, "Security issues in IPv6," in Networking and Services, 2007. ICNS. Third International Conference on, 2007, pp. 110-110.
[4] E. DurdagI and A. Buldu, "IPV4/IPV6 security and threat comparisons," Procedia - Social and Behavioral Sciences, vol. 2, pp. 5285-5291, 2010.
[5] GNS3. (2011, 9th May). GNS3 Graphical Network Simulator. Available: http://www.gns3.net/
[6] E. Davies and J. Mohacsi, "Recommendations for Filtering ICMPv6 Messages in Firewalls [RFC 4890]," 2007.
[7] v. Hauser. (2005, 20th May). Attacking the IPv6 Protocol Suite. Available: http://www.thc.org/thc-ipv6/
[8] J. Novak. (2011, 10th June). A Taste of Scapy. Available: http://www.sans.org/reading_room/whitepapers/testing/taste-scapy_33249
[9] Y. Dequan, S. Xu, G. Qiao, "Security on IPv6," in Advanced Computer Control (ICACC), 2010 2nd International Conference on, 2010, pp. 323-326.
[10] W. Hui, Y. Sun, J. Liu and K. Lu, "DDoS/DoS Attacks and Safety Analysis of IPv6 Campus Network: Security Research under IPv6 Campus Network," in Internet Technology and Applications (iTAP), 2011 International Conference on, 2011, pp. 1-4.
[11] J. Novak, W. Josh, M. Tim, P. Mike. (2010, 10th August). Packetstan. Available: http://www.packetstan.com/2010/06/scapy-code-for-bad-ack-reset.html
[12] S. Hogg and E. Vynke, IPv6 Security vol. 1. Indianapolis: Cisco Press, 2008.
[13] Ulf Lamping, S. Richard and W. Ed, Wireshark User's Guide: for Wireshark 1.7: Free Software Foundation, 2004-2011.
[14] D. Barrera and P. C. van Oorschot, "Security visualization tools and IPv6 addresses," in Visualization for Cyber Security, 2009. VizSec 2009. 6th International Workshop on, 2009, pp. 21-26.
[15] F. Beck, O. Festor, I. Chrisment and R. Droms, "Automated and secure IPv6 configuration in enterprise networks," in Network and Service Management (CNSM), 2010 International Conference on, 2010, pp. 64-71.
[16] A. R. Choudhary and A. Sekelsky, "Securing IPv6 network infrastructure: A new security model," in Technologies for Homeland Security (HST), 2010 IEEE International Conference on, 2010, pp. 500-506.
[17] N. M. Ahmad and A. H. Yaacob, "End to End Ipsec Support across Ipv4/Ipv6 Translation Gateway," in Network Applications Protocols and Services (NETAPPS), 2010 Second International Conference on, 2010, pp. 222-227.
[18] S. Ioannidis, A.D. Keromytis, S.M. Bellovin and J.M. Smith, "Implementing a distributed firewall," presented at the Proceedings of the 7th ACM conference on Computer and communications security, Athens, Greece, 2000.
[19] Z.-g. Xiong and X.-m. Zhang, "Research and design on distributed firewall based on LAN," in Computer and Automation Engineering (ICCAE), 2010 The 2nd International Conference on, 2010, pp. 517-520.
[20] T. Li, W.E. Thain and T. Fallon, "On the use of virtualization for router network simulation," 2010.
[21] C. L. Schuba, I.V. Krsul, M.G. Kuhn, E.H. Spafford, A. Sundaram and D. Zamboni, "Analysis of a Denial of Service Attack on TCP," IEEE Symposium on Security and Privacy, pp. 208-223, 1997.
