6to4faild

Emile Aben — Dec 05, 2010 12:00 AM
6to4faild prototype script in scapy (python)

Python Source icon 6to4faild.py — Python Source, 2 kB (2280 bytes)

File contents

#!/opt/local/Library/Frameworks/Python.framework/Versions/2.5/Resources/Python.app/Contents/MacOS/Python
import sys
import re
from scapy.all import *

# response reset
# note doesn't work
def send_response_tcp_reset(pkt):
   respR = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \
           IPv6(dst=pkt[IPv6].src, src=pkt[IPv6].dst) / \
           TCP(sport=pkt[TCP].dport, dport=pkt[TCP].sport, ack=pkt[TCP].seq+1 , seq=0, flags="RA")
   send(respR)

def send_response_encap_icmp6_unreach_code(pkt,my_code):
   orgV6 = pkt[IPv6]
   respEncU = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \
           IPv6(dst=pkt[IPv6].src, src=pkt[IPv6].dst) / \
           ICMPv6DestUnreach(code=my_code) / \
           orgV6 / \
           pkt[TCP]
   send(respEncU)


def send_response_encap_icmp6_unreach(pkt):
   orgV6 = pkt[IPv6]
   respEncU = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \
           IPv6(dst=pkt[IPv6].src, src=pkt[IPv6].dst) / \
           ICMPv6DestUnreach() / \
           orgV6 / \
           pkt[TCP]
   send(respEncU)

def send_response_icmp6_unreach(pkt):
# this is silly, IPv6 src address is not on wire
   respIU = IPv6(dst=pkt[IPv6].src, src=pkt[IPv6].dst) / \
            ICMPv6DestUnreach() / \
            pkt[IPv6] / \
            pkt[TCP]
   send(respIU)

def send_response_icmp31_unreach(pkt):
   respU31 = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \
             ICMP(type=3,code=1) / \
             pkt[IP] / \
             pkt[IPv6] / \
             pkt[TCP]
   send(respU31)

def send_response_icmp_unreach_code(pkt,my_code):
   respUcode = IP(dst=pkt[IP].src, src=pkt[IP].dst) / \
              ICMP(type=3,code=my_code) / \
              pkt[IP] / \
              pkt[IPv6] / \
              pkt[TCP]
   send(respUcode)

def fast_fail_6to4(pkt):
   # todo more precise match of source pkts
   if IPv6 in pkt and re.match('^2002:',pkt[IPv6].src):
      if TCP in pkt:
         send_response_tcp_reset(pkt)
         #send_response_encap_icmp6_unreach(pkt)
         #send_response_encap_icmp6_unreach_code(pkt,4)
         #send_response_icmp31_unreach(pkt)
         #send_response_icmp_unreach_code(pkt,2)
         #send_response_icmp_unreach_code(pkt,0)
         #silly#send_response_icmp6_unreach(pkt)

sniff(prn=fast_fail_6to4,iface="en0",filter="proto 41", store=0)
Navigation
Related Items
Using RIPE Atlas Metadata to Measure NATs

As part of the user interface to the RIPE Atlas network, users can see the first and second hops ...

RIPE Atlas Fun: Map a RIPE Atlas Anchor

View maps based on RIPE Atlas traceroute measurements. Compare the maps to the ISP's description of ...

New and Improved RIPE Registry Global Resource Service

We have redesigned and improved the way we mirror other databases. We now have a method of ...

RIPE Database Joins Single Sign-On Club

With RIPE NCC Access, our single sign-on service - you log in once and can access many RIPE NCC ...

A RIPE Atlas View of Internet Meddling in Turkey

In RIPE Atlas we see latencies to Google's 8.8.8.8 DNS resolver service drop in Turkey. We expect ...

more ...