IDS mailing list archives
Re: IPv6
From: Steven Bairstow <sab139 () psu edu>
Date: Fri, 20 Dec 2002 13:14:28 -0500
Do you mean that IPv6 tunneling was turned on as part of the compromise? Or that it was used to perform the attack?
Recently one of the Honeynet Project's Solaris Honeynets was compromised. What made this attack unique was IPv6 tunneling was enabled on the system, with communications being forwarded to another country. The attack and communications were captured using Snort, however the data could not be decoded due to the IPv6 encapsulation. This made me consider, this activity could be used as a means of "covert" communications or activity. Many IDS systems, and potentially many sniffers, have difficulty decoding IPv6 activity. Was wondering if others had seen this activity, and the implications it may have to the IDS community? lance
-- Steven Bairstow http://www.personal.psu.edu/~sab139 Computer and Network Services - Sutherland Building Penn State University - Abington College "The machine is a marvelous simplifier... and may be the modern emancipator of the creative mind." -- Frank Lloyd Wright