IDS mailing list archives

Re: IPv6

From: Steven Bairstow <sab139 () psu edu>
Date: Fri, 20 Dec 2002 13:14:28 -0500

Do you mean that IPv6 tunneling was turned on as part of the compromise?  Or that it was used to perform the attack?

Recently one of the Honeynet Project's Solaris Honeynets was compromised.
What made this attack unique was IPv6 tunneling was enabled on the system,
with communications being forwarded to another country.  The attack and
communications were captured using Snort, however the data could not be
decoded due to the IPv6 encapsulation.

This made me consider, this activity could be used as a means of
"covert" communications or activity.  Many IDS systems, and potentially
many sniffers, have difficulty decoding IPv6 activity.  Was wondering if
others had seen this activity, and the implications it may have to the IDS
community?

lance



-- 


Steven Bairstow                  http://www.personal.psu.edu/~sab139
Computer and Network Services - Sutherland Building
Penn State University - Abington College

"The machine is a marvelous simplifier... and may be the modern
emancipator of the creative mind." -- Frank Lloyd Wright

Current thread:

IPv6 Lance Spitzner (Dec 19)
- Re: IPv6 Steven Bairstow (Dec 20)
  - Re: IPv6 roy lo (Dec 23)
    - Re: IPv6 roy lo (Dec 23)
- Re: IPv6 Krzysztof Zaraska (Dec 23)