Re: IPv6, Dec 21 2002 04:53AM, roy lo (roylo sr2c com) (1 replies)
Re: IPv6, Dec 21 2002 05:06AM, roy lo (roylo sr2c com)
To add to what I just said (to make it clear):
The (victim) host(s) itself must have IPv6 enabled (and in most cases it
has tunneling enabled as well).
A friend of mine mentioned this type of attack a while ago, and he also
mentioned that most systems' IPv6 implementations are incomplete and Solaris
is one of the few that actually has/had a complete implementation of
IPv6 (not sure if it is still true now).
roy lo wrote:
> I think it was used to perform the attack, I have heard this type of
> attack from a friend of mine before awhile ago.
>
> Steven Bairstow wrote:
>
>> Do you mean that IPv6 tunneling was turned on as part of the
>> compromise? Or that it was used to perform the attack?
>>
>>> Recently one of the Honeynet Project's Solaris Honeynets was compromised.
>>> What made this attack unique was IPv6 tunneling was enabled on the system,
>>> with communications being forwarded to another country. The attack and
>>> communications were captured using Snort, however the data could not be
>>> decoded due to the IPv6 encapsulation.
>>>
>>> This made me consider, this activity could be used as a means of
>>> "covert" communications or activity. Many IDS systems, and potentially
>>> many sniffers, have difficulty decoding IPv6 activity. Was wondering if
>>> others had seen this activity, and the implications it may have to the IDS
>>> community?
>>>
>>> lance
--
Roy Lo
Freelance Consultant
E-mail - roylo (at) sr2c (dot) com
Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)