Subject: Re: IPv6
Date: Dec 18 2002 12:45PM
From: Colin Stubbs (cjstubbs optushome com au)
I'm not sure how widespread this is, since I'm not regularly working
with compromised machines. But I was under the impression this was
almost old hat now, as it's a fairly logical method of avoiding
IDS/firewalls/etc.
More importantly, I saw this used to hide remote access on a compromised
Debian 2.2 box I cleaned up in early March 2002; it was part of a rootkit,
though I no longer have any info on, or files from, that particular
machine.
Colin Stubbs
On Wed, 2002-12-18 at 12:34, Lance Spitzner wrote:
> Recently one of the Honeynet Project's Solaris Honeynets was compromised.
> What made this attack unique was after breaking into the system, the
> attackers enabled IPv6 tunneling on the system, with communications being
> forwarded to another country. The attack and communications were captured
> using Snort, however the data could not be decoded due to the IPv6
> tunneling. Also, once tunneled, this could potentially disable/bypass the
> capabilities of some IDS systems.
>
> Marty is addressing this issue and has added IPv6 decode support to
> Snort. It's not part of Snort current (2.0) yet; it's still in the
> process of testing. If you would like to test this new capability,
> you can find it online at
>
> http://www.snort.org/~roesch/
>
> Marty's looking for feedback. As IPv6 usage spreads, especially in
> Asia, you will want to be prepared for it. Keep in mind, even in
> IPv4 environments (as was our Solaris Honeynet) attackers can
> encode their data in IPv6 and then tunnel it through IPv4. We will
> most likely be seeing more of this type of behavior.
>
> Just a friendly heads-up :)
>
> --
> Lance Spitzner
> http://www.tracking-hackers.com
>
>
>
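The evasion Lance describes works because an IDS that only decodes IPv4 sees an IPv6-in-IPv4 tunnel (IPv4 protocol number 41, RFC 4213) as an opaque blob. The following is an added example, not code from the thread or from Snort: a minimal decoder that recognises protocol 41 in the outer IPv4 header and parses the inner IPv6 header so the tunnelled payload can actually be inspected. The packet it runs on is constructed inline (documentation addresses, no checksum, "No Next Header" as the inner next-header value) rather than taken from any capture.

```python
# Added example (not from the original thread): a minimal decoder that
# recognises IPv6-in-IPv4 encapsulation (IPv4 protocol number 41, RFC 4213)
# and decodes the inner IPv6 header so the tunnelled payload can be inspected.
# This is the decode step the thread says Snort lacked at the time.
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 "protocol" field value for 6in4 / IPv6-in-IPv4


def parse_ipv4(pkt: bytes) -> dict:
    """Parse a raw IPv4 header; returns key fields plus the encapsulated payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "version": 4,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": pkt[ihl:total_len] if total_len >= ihl else pkt[ihl:],
    }


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed 40-byte IPv6 header (extension headers are not walked here)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtcfl, payload_len, next_hdr, hop_limit, src, dst = \
        struct.unpack("!IHBB16s16s", pkt[:40])
    if vtcfl >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    return {
        "version": 6,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "payload": pkt[40:40 + payload_len],
    }


def decode_6in4(pkt: bytes) -> dict:
    """Return the outer IPv4 view and, when proto == 41, the decoded inner IPv6 view.

    'tunneled' is True when an IDS without IPv6 decoding would have seen only an
    opaque protocol-41 payload; 'inner' is what it needs to inspect instead.
    """
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPV6:
        return {"tunneled": False, "outer": outer, "inner": None}
    inner = parse_ipv6(outer["payload"])
    return {"tunneled": True, "outer": outer, "inner": inner}


def build_6in4_sample() -> bytes:
    """Construct a sample 6in4 packet (constructed test data, not a real capture)."""
    inner_payload = b"hello over v6"           # constructed payload bytes
    ipv6_hdr = struct.pack(
        "!IHBB16s16s",
        6 << 28,                                # version 6, traffic class / flow label 0
        len(inner_payload),
        59,                                     # next header 59 = No Next Header
        64,                                     # hop limit
        ipaddress.IPv6Address("2001:db8::1").packed,
        ipaddress.IPv6Address("2001:db8::2").packed,
    )
    inner = ipv6_hdr + inner_payload
    ipv4_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner), 0x1234, 0, 64, IPPROTO_IPV6,
        0,                                      # checksum left zero; not validated here
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address("198.51.100.20").packed,
    )
    return ipv4_hdr + inner


if __name__ == "__main__":
    result = decode_6in4(build_6in4_sample())
    print("tunneled:", result["tunneled"])
    if result["tunneled"]:
        print("outer:", result["outer"]["src"], "->", result["outer"]["dst"])
        print("inner:", result["inner"]["src"], "->", result["inner"]["dst"],
              "next_header", result["inner"]["next_header"])
```

The point of the check is the branch on the outer protocol field: a sensor that stops at the IPv4 layer reports only "192.0.2.10 -> 198.51.100.20, protocol 41", while the decoded inner view exposes the real endpoints and payload. A production decoder would additionally walk IPv6 extension headers and hand the inner transport layer to the normal rule engine.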