Sean Siler wrote:
> Microsoft based Operating Systems join the All Nodes On Link Multicast Group
> as specified by RFC 4291, but that RFC does not mandate that nodes must
> reply to ICMP echo requests. So while we do not reply to pings to ff02::1,
> we are also in compliance with the RFC.

Thus, as such, to identify this OS, one would just have to send an MLD Query on the link, receive the responses, and tada, you have, per the RFC, all the hosts that at least comply with the RFC; then subtract the ones you receive an ICMP echo from, et voilà, you know what is doing this trick, which currently means that it is most likely Windows-based, as all the KAMEs, including even OpenBSD, reply to the ANOL-ping. You can even do Node Queries to the KAME ones to get more data out of them.

As both MLD and ICMP Echo are ICMP packets, and both are 1 packet outbound (request/query) and several inbound (the replies), there really is no difference.

Unless of course the OS is programmed to have a notion of a 'secure router', which would mean one needs to do some spoofing, unless the switch is smart enough to detect & block that kind of action.

The real solution to on-link attacks is of course to compartmentalize the network and to have secure hosts in the first place. Then the only issue left is that rather annoying factor called humans :)

Greets,
 Jeroen
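
The subtraction described in the message above, as an added example that is not part of the original post: it reads ICMPv6 messages already captured on a link, separates MLD reports (types 131 and 143) from echo replies (type 129), and lists the sources that reported group membership but sent no echo reply. The capture, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

ECHO_REPLY, MLD1_REPORT, MLD2_REPORT = 129, 131, 143  # ICMPv6 type values

def reported_groups(msg: bytes) -> list:
    """Multicast groups named in an MLDv1 (131) or MLDv2 (143) report."""
    if msg[0] == MLD1_REPORT:
        if len(msg) < 24:
            raise ValueError("truncated MLDv1 report")
        return [str(ipaddress.IPv6Address(msg[8:24]))]
    if len(msg) < 8:
        raise ValueError("truncated MLDv2 report")
    (count,) = struct.unpack_from("!H", msg, 6)  # number of address records
    groups, off = [], 8
    for _ in range(count):
        if off + 20 > len(msg):
            raise ValueError("truncated MLDv2 record")
        aux_words, n_src = struct.unpack_from("!xBH", msg, off)
        groups.append(str(ipaddress.IPv6Address(msg[off + 4:off + 20])))
        off += 20 + 16 * n_src + 4 * aux_words  # skip source list and aux data
    return groups

def silent_listeners(capture):
    """Sources that sent an MLD report but no echo reply, with their groups."""
    listeners, echoed = {}, set()
    for src, msg in capture:
        if not msg:
            continue
        if msg[0] == ECHO_REPLY:
            echoed.add(src)
        elif msg[0] in (MLD1_REPORT, MLD2_REPORT):
            listeners.setdefault(src, set()).update(reported_groups(msg))
    return {s: sorted(g) for s, g in listeners.items() if s not in echoed}

def hdr(icmp_type, last=0):  # constructed 8-byte header, checksum left at zero
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0, last)

def mld2_report(*groups):  # record type 2 = MODE_IS_EXCLUDE, no sources
    return hdr(MLD2_REPORT, len(groups)) + b"".join(
        struct.pack("!BBH", 2, 0, 0) + ipaddress.IPv6Address(g).packed
        for g in groups)

# Constructed capture: (link-local source, ICMPv6 message bytes)
CAPTURE = [
    ("fe80::a", mld2_report("ff02::1:ff00:a")),
    ("fe80::a", hdr(ECHO_REPLY)),
    ("fe80::b", hdr(MLD1_REPORT) + ipaddress.IPv6Address("ff02::1:ff00:b").packed),
    ("fe80::b", hdr(ECHO_REPLY)),
    ("fe80::c", mld2_report("ff02::1:ff00:c", "ff02::1:3")),
]
```

The same loop can feed a monitoring rule: a source that appears in `listeners` only after a query from an address other than the link's known MLD querier is worth a look.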


--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
