DHCPv6 DNS Poisoning Remediation

Mr. Cyber
3 min read · Apr 23, 2022

Technical Details

DHCPv6 DNS poisoning lets an attacker control the DNS server address configured on a victim, so that the victim's name lookups, and therefore its connections, are steered to an attacker-controlled system. The attacker answers the victim's DHCPv6 Solicit or Information-Request with a spoofed Advertise/Reply that carries a DNS Recursive Name Server option pointing at the attacker. Windows hosts request IPv6 configuration over DHCPv6 by default and prefer an IPv6 name server over the IPv4 one, so the spoofed answer wins even on a network that runs only IPv4 and has no legitimate DHCPv6 server at all.

MITRE ATT&CK Technique Alignment (2)

T1040 Network Sniffing

T1557 Adversary-in-the-Middle

DHCPv6 Spoofing Attack

DHCP spoofing occurs when an attacker answers DHCP requests and lists itself as the DNS server (and, in DHCPv4, as the default gateway), usually to set up a man-in-the-middle (MitM) position. In DHCPv6 the default gateway is not delivered by DHCPv6 at all but learned from ICMPv6 Router Advertisements, so the rogue server's lever is the DNS server and domain search list options and the addresses it assigns. With DHCP spoofing, attackers can intercept traffic from users before forwarding it to the real destination. A related attack floods the real DHCP server with requests (address starvation) so that it has nothing left to offer and clients accept the rogue server's answers instead.

1- Disabling IPv6

https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users

Windows 10, 7, and Vista

From the Start menu, select Control Panel. Make sure you are in the Large or Small icons view (Windows 7) or Classic View (Vista).
Open Network and Sharing Center.
On the left, select Change adapter settings (Windows 7) or Manage network connections (Vista).
Right-click the connection for which you want to disable IPv6, and select Properties.
Uncheck Internet Protocol Version 6 (TCP/IPv6) and click OK.

Caveat: unchecking the adapter binding only unbinds IPv6 from that one interface; it does not turn IPv6 off for the system. The Microsoft guidance linked above describes the registry value DisabledComponents under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters (0xFF disables all IPv6 components except the loopback interface; 0x20 keeps IPv6 but makes Windows prefer IPv4 over IPv6, which on its own removes the DNS-preference problem described above). A reboot is required for the value to take effect. Microsoft also notes that it does not recommend disabling IPv6 outright, so test before rolling this out.

Hint: you can also push this to your whole organization via GPO (the registry value above is a natural Group Policy Preferences item) ;)

Linux

Open a terminal window as the root user and issue:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
These take effect immediately but are runtime-only and are lost at the next reboot.

On a Debian-based machine, to make it persistent: open a terminal window and issue sudo nano /etc/sysctl.conf, then add the following at the bottom of the file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Save and close the file, then reload with sudo sysctl -p or reboot the machine. Note that some local services bind to ::1; if one of them stops working, leave the lo line out, since the loopback interface is not reachable by a rogue DHCPv6 server anyway.

Mac OS X

In Mac OS X, you’ll need to disable the IPv6 protocol both for your Ethernet card (wired connections) and for AirPort (wireless connections).

Mac OS X 10.5 and later

While logged into an account with administrative privileges, from the Apple menu, select System Preferences…. In System Preferences, select Network.
Click Ethernet and then click Advanced…. Click the TCP/IP tab, and from the pull-down menu next to “Configure IPv6:”, choose Off or Link-local only. Click OK.
Click Wi-Fi or AirPort and then click Advanced…. Click the TCP/IP tab, and from the pull-down menu next to “Configure IPv6:”, choose Off or Link-local only. Click OK.

2- Deploy DHCPv6

Deploying a legitimate DHCPv6 server gives the network a defined authority for DHCPv6 address and DNS configuration. On its own it does not stop spoofing: clients take whichever Advertise carries the highest Preference option value, and a rogue server can simply set 255. Its value is that you now have a known set of authorized servers (addresses and DUIDs), which is exactly what DHCPv6 Guard and network monitoring need in order to treat anything else as rogue.

3- Implement Cisco’s DHCPv6 Guard

The DHCPv6 Guard feature drops Advertise and Reply messages that arrive from unauthorized DHCPv6 servers and relay agents, i.e. from ports whose guard policy does not declare them as server-facing.

Packets are classified into one of three DHCPv6 message categories. Client messages (Solicit, Request, Information-Request and so on) are always switched, regardless of the device role configured on the port. Server messages are only processed further if the port's device role is set to server; on a client-facing port they are simply dropped. Further processing of server messages covers DHCPv6 Advertise messages (source validation and server preference checks) and DHCPv6 Reply messages (checking that the assigned prefixes are within the permitted set).

If the device itself is configured as a DHCPv6 server, all the messages need to be switched, regardless of the device role configuration.

4- Additional Security Solutions

A Network Intrusion Detection System (NIDS) can detect spoofing and poisoning attacks on the network. For this attack the signal is simple: any DHCPv6 Advertise or Reply (UDP source port 547, destination port 546) whose source address or server DUID is not one of the authorized servers, or whose DNS Recursive Name Server option names a resolver that is not yours. On a network with no DHCPv6 deployed at all, any Advertise or Reply is an alert.
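The exchange described in the "DHCPv6 Spoofing Attack" section and the check a NIDS rule or passive monitor would make, as one added example that is not code from the original post. It builds DHCPv6 datagrams per RFC 8415 (message type, transaction id, TLV options), parses them back, and audits server messages against an allow-list of server DUIDs and DNS resolvers. The addresses, DUID values and the three-datagram "capture" are constructed for the example; the corporate resolver 2001:db8::53 and the attacker's link-local address are hypothetical.

```python
"""Added example (not from the original post): parse DHCPv6 server messages and
flag rogue servers / unapproved DNS servers, the check a NIDS rule or a passive
monitor on UDP 547->546 would make. Sample datagrams below are constructed."""
import ipaddress
import struct

# Message types and option codes from RFC 8415.
SOLICIT, ADVERTISE, REPLY, INFORMATION_REQUEST = 1, 2, 7, 11
OPTION_CLIENTID, OPTION_SERVERID, OPTION_DNS_SERVERS = 1, 2, 23
SERVER_MESSAGES = {ADVERTISE, REPLY}


def build_message(msg_type, xid, options):
    """Encode a DHCPv6 message: 1-byte type, 3-byte transaction-id, TLV options."""
    body = struct.pack("!B", msg_type) + xid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


def parse_message(data):
    """Decode header and options; raise ValueError on a truncated datagram."""
    if len(data) < 4:
        raise ValueError("short DHCPv6 message")
    options, pos = [], 4
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option body")
        options.append((code, value))
        pos += 4 + length
    return {"type": data[0], "xid": int.from_bytes(data[1:4], "big"), "options": options}


def dns_servers(options):
    """OPTION_DNS_SERVERS (23) is a concatenation of raw 16-byte IPv6 addresses."""
    servers = []
    for code, value in options:
        if code == OPTION_DNS_SERVERS:
            if len(value) % 16:
                raise ValueError("DNS option length is not a multiple of 16")
            servers += [str(ipaddress.IPv6Address(value[i:i + 16]))
                        for i in range(0, len(value), 16)]
    return servers


def audit(src_ip, payload, allowed_duids, allowed_dns):
    """Findings for one server->client datagram. Client messages are never flagged;
    with empty allow-lists (no DHCPv6 deployed) every Advertise/Reply is an alert."""
    msg = parse_message(payload)
    if msg["type"] not in SERVER_MESSAGES:
        return []
    findings = []
    duids = [v for c, v in msg["options"] if c == OPTION_SERVERID]
    if not duids or any(d not in allowed_duids for d in duids):
        findings.append(f"{src_ip}: DHCPv6 type {msg['type']} from unapproved server DUID "
                        f"{[d.hex() for d in duids]}")
    for server in dns_servers(msg["options"]):
        if server not in allowed_dns:
            findings.append(f"{src_ip}: pushes unapproved DNS server {server}")
    return findings


# --- constructed sample exchange (hypothetical addresses and DUID-LL values) ---
def ip6(addr):
    return ipaddress.IPv6Address(addr).packed


CLIENT_DUID = bytes.fromhex("0003000100505600cc01")   # DUID-LL: type 3, hw type 1, MAC
LEGIT_DUID = bytes.fromhex("0003000100505600aa01")
ROGUE_DUID = bytes.fromhex("00030001deadbeef0001")
CORP_DNS = "2001:db8::53"            # hypothetical corporate resolver
ATTACKER = "fe80::dead:beef"         # hypothetical rogue server / attacker host
XID = 0x0A1B2C

SAMPLE_CAPTURE = [
    # client asks for configuration
    ("fe80::cc01", build_message(SOLICIT, XID, [(OPTION_CLIENTID, CLIENT_DUID)])),
    # legitimate server answers with the corporate resolver
    ("fe80::1", build_message(ADVERTISE, XID, [(OPTION_SERVERID, LEGIT_DUID),
                                                (OPTION_CLIENTID, CLIENT_DUID),
                                                (OPTION_DNS_SERVERS, ip6(CORP_DNS))])),
    # rogue server answers the same transaction and names itself as the DNS server
    (ATTACKER, build_message(ADVERTISE, XID, [(OPTION_SERVERID, ROGUE_DUID),
                                              (OPTION_CLIENTID, CLIENT_DUID),
                                              (OPTION_DNS_SERVERS, ip6(ATTACKER))])),
]


def run_demo():
    """Audit the sample capture against the one known server and resolver."""
    findings = []
    for src, payload in SAMPLE_CAPTURE:
        findings += audit(src, payload, {LEGIT_DUID}, {CORP_DNS})
    return findings


if __name__ == "__main__":
    for finding in run_demo():
        print("ALERT", finding)
```

Running it produces two alerts, both for the rogue Advertise: an unknown server DUID and a DNS server that is not the corporate resolver. The Solicit is ignored because client messages are never the problem, and the legitimate Advertise passes. Feeding real traffic in is a matter of replacing SAMPLE_CAPTURE with the UDP payloads of packets to port 546; pass empty allow-lists on an IPv4-only network so that any DHCPv6 server message at all is reported.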
