IDS mailing list archives
Re: IPv6
From: roy lo <roylo () sr2c com>
Date: Sat, 21 Dec 2002 00:06:33 -0500
To add in to what I just said (to make it clear)The (victim) host(s) itself must have IPv6 enabled (and in most cases it has tunneling enabled as well) a friend of mine mention this type of attack a while ago, and he also mention that most system's IPv6 implementation is incomplete and solaris is one of the few one that actually has/had a complete implementation of IPv6 (not sure if it is still true now).
roy lo wrote:
I think it was used to perform the attack, I have heard this type of attack from a friend of mine before awhile ago.Steven Bairstow wrote:Do you mean that IPv6 tunneling was turned on as part of the compromise? Or that it was used to perform the attack?Recently one of the Honeynet Project's Solaris Honeynets was compromised. What made this attack unique was IPv6 tunneling was enabled on the system,with communications being forwarded to another country. The attack and communications were captured using Snort, however the data could not be decoded due to the IPv6 encapsulation. This made me consider, this activity could be used as a means of "covert" communications or activity. Many IDS systems, and potentiallymany sniffers, have difficulty decoding IPv6 activity. Was wondering if others had seen this activity, and the implications it may have to the IDScommunity? lance
--Roy Lo Freelance Consultant E-mail - roylo () sr2c com
Sun Certified Network Administrator (SCNA) Sun Certified System Administrator (SCSA)Cisco Certified Network Associate (CCNA)