Honeypots mailing list archives
Re: IPv6
From: Colin Stubbs <cjstubbs () optushome com au>
Date: 18 Dec 2002 22:45:50 +1000
I'm not sure how wide spread this is, since I'm not regularly working with compromised machines. But I was under the impression this was almost old hat now, as it's a fairly logical method of avoiding IDS/firewalls/etc. More importantly, I saw this used to hide remote access on a compromised Debian 2.2 box I cleaned up early March 2002, it was part of a rootkit, though I no longer have any info on, or files from that particular machine. Colin Stubbs On Wed, 2002-12-18 at 12:34, Lance Spitzner wrote:
Recently one of the Honeynet Project's Solaris Honeynets was compromised. What made this attack unique was after breaking into the system, the attackers enabled IPv6 tunneling on the system, with communications being forwarded to another country. The attack and communications were captured using Snort, however the data could not be decoded due to the IPv6 tunneling. Also, once tunneled, this could potentialy disable/bypass the capabilities of some IDS systems. Marty is addressing this issue and has added IPv6 decode support to Snort. Its not part of Snort current (2.0) yet, its still in the process of testing. If you would like to test this new capability, you can find it online at http://www.snort.org/~roesch/ Marty's looking for feedback. As IPv6 usage spreads, especially in Asia, you will want to be prepared for it. Keep in mind, even in IPv4 environments (as was our Solaris Honeynet) attackers can encode their data in IPv6 and then tunnel it through IPv4. We will most likely being seeing more of this type of behavior. Just a friendly heads-up :) -- Lance Spitzner http://www.tracking-hackers.com
Current thread:
- IPv6 Lance Spitzner (Dec 17)
- Re: IPv6 Colin Stubbs (Dec 18)
- Re: IPv6 Chris Green (Dec 18)
- <Possible follow-ups>
- RE: IPv6 Hornat, Charles (Dec 18)
- RE: IPv6 mike (Dec 18)
- FW: IPv6 Hornat, Charles (Dec 18)
- Re: FW: IPv6 xbud (Dec 19)
- Re: FW: IPv6 mike (Dec 19)
- Re: IPv6 Jon Miller (Dec 19)
- Re: IPv6 mb_lima (Dec 20)
(Thread continues...)