Re: IPv6

[Colin Stubbs <cjstubbs () optushome com au>]

I'm not sure how wide spread this is, since I'm not regularly working
with compromised machines. But I was under the impression this was
almost old hat now, as it's a fairly logical method of avoiding
IDS/firewalls/etc.
 
More importantly, I saw this used to hide remote access on a compromised
Debian 2.2 box I cleaned up early March 2002, it was part of a rootkit,
though I no longer have any info on, or files from that particular
machine.

Colin Stubbs

On Wed, 2002-12-18 at 12:34, Lance Spitzner wrote:
> Recently one of the Honeynet Project's Solaris Honeynets was compromised.
> What made this attack unique was after breaking into the system, the
> attackers enabled IPv6 tunneling on the system, with communications being 
> forwarded to another country.  The attack and communications were captured 
> using Snort, however the data could not be decoded due to the IPv6 
> tunneling.  Also, once tunneled, this could potentialy disable/bypass the 
> capabilities of some IDS systems.
>
> Marty is addressing this issue and has added IPv6 decode support to
> Snort.  Its not part of Snort current (2.0) yet, its still in the 
> process of testing.  If you would like to test this new capability,
> you can find it online at 
>
>     http://www.snort.org/~roesch/
>
> Marty's looking for feedback.  As IPv6 usage spreads, especially in
> Asia, you will want to be prepared for it.  Keep in mind, even in 
> IPv4 environments (as was our Solaris Honeynet) attackers can
> encode their data in IPv6 and then tunnel it through IPv4.  We will
> most likely being seeing more of this type of behavior.
>
> Just a friendly heads-up :)
>
> -- 
> Lance Spitzner
> http://www.tracking-hackers.com