Honeypots
IPv6 Dec 18 2002 02:34AM
Lance Spitzner (lance honeynet org) (2 replies)
Recently one of the Honeynet Project's Solaris Honeynets was compromised.
What made this attack unique was after breaking into the system, the
attackers enabled IPv6 tunneling on the system, with communications being
forwarded to another country. The attack and communications were captured
using Snort, however the data could not be decoded due to the IPv6
tunneling. Also, once tunneled, this could potentially disable/bypass the
capabilities of some IDS systems.

Marty is addressing this issue and has added IPv6 decode support to
Snort. It's not part of Snort current (2.0) yet, it's still in the
process of testing. If you would like to test this new capability,
you can find it online at

http://www.snort.org/~roesch/

Marty's looking for feedback. As IPv6 usage spreads, especially in
Asia, you will want to be prepared for it. Keep in mind, even in
IPv4 environments (as was our Solaris Honeynet) attackers can
encode their data in IPv6 and then tunnel it through IPv4. We will
most likely be seeing more of this type of behavior.

Just a friendly heads-up :)

--
Lance Spitzner
http://www.tracking-hackers.com
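
Added example (not part of the original post, and not Snort's code): a minimal decoder for the case described above, IPv6 carried inside IPv4, so a sensor can flag the tunnel and read the inner addresses. It assumes plain 6in4 encapsulation (IP protocol 41); the post does not say which tunneling mechanism the attackers used, and the sample packet is constructed from documentation address ranges.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # assumption: 6in4, IPv6 carried directly in IPv4 (RFC 4213)


def decode_6in4(packet: bytes):
    """Return outer/inner addressing for an IPv4 packet carrying IPv6,
    or None if the packet is not IPv4 with protocol 41."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length, options included
    if ihl < 20 or len(packet) < ihl or packet[9] != IPPROTO_IPV6:
        return None
    outer = {"outer_src": str(ipaddress.IPv4Address(packet[12:16])),
             "outer_dst": str(ipaddress.IPv4Address(packet[16:20]))}
    frag = struct.unpack("!H", packet[6:8])[0]
    if frag & 0x1FFF:                     # later fragment: inner header not present
        return {**outer, "inner": None, "note": "fragment"}
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return {**outer, "inner": None, "note": "truncated or not IPv6"}
    payload_len, next_hdr, _hop_limit = struct.unpack("!HBB", inner[4:8])
    return {**outer,
            "inner": {"src": str(ipaddress.IPv6Address(inner[8:24])),
                      "dst": str(ipaddress.IPv6Address(inner[24:40])),
                      "next_header": next_hdr,
                      "payload_len": payload_len}}


def build_sample() -> bytes:
    """Constructed sample: IPv4 192.0.2.10 -> 198.51.100.7 carrying an IPv6
    header 2001:db8::1 -> 2001:db8::2 (next header 6 = TCP, no payload).
    The IPv4 checksum is left at 0; the decoder does not verify it."""
    v6 = struct.pack("!IHBB", 0x60000000, 0, 6, 64)
    v6 += ipaddress.IPv6Address("2001:db8::1").packed
    v6 += ipaddress.IPv6Address("2001:db8::2").packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0)
    v4 += ipaddress.IPv4Address("192.0.2.10").packed
    v4 += ipaddress.IPv4Address("198.51.100.7").packed
    return v4 + v6


if __name__ == "__main__":
    print(decode_6in4(build_sample()))
```

On an IPv4-only network, any non-None result is worth an alert on its own, since no host there should be emitting protocol 41.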

Re: IPv6 Dec 18 2002 10:08PM
Chris Green (cmg sourcefire com) (1 replies)
Re: IPv6 Dec 18 2002 11:03PM
Jose Nazario (jose monkey org) (1 replies)
Re: IPv6 Dec 20 2002 01:45PM
Valdis Kletnieks vt edu
Re: IPv6 Dec 18 2002 12:45PM
Colin Stubbs (cjstubbs optushome com au)







 

Copyright 2009, SecurityFocus