RE: IPv6

[<mike () honeynet org>]

Sure...

If the host they want to connect back to is on an ipv6 network.  They
would have to do ipv6 over ipv4 (sometimes :).

Mike



> Other than hiding traffic once its been compromised, is there any other
> reasons to use IP6?
>
> Charles
>
> -----Original Message-----
> From: Colin Stubbs [mailto:cjstubbs () optushome com au]
> Sent: Wednesday, December 18, 2002 7:46 AM
> To: honeypots () securityfocus com
> Subject: Re: IPv6
>
> I'm not sure how wide spread this is, since I'm not regularly working
> with compromised machines. But I was under the impression this was
> almost old hat now, as it's a fairly logical method of avoiding
> IDS/firewalls/etc.
>
> More importantly, I saw this used to hide remote access on a compromised
> Debian 2.2 box I cleaned up early March 2002, it was part of a rootkit,
> though I no longer have any info on, or files from that particular
> machine.
>
> Colin Stubbs
>
> On Wed, 2002-12-18 at 12:34, Lance Spitzner wrote:
> > Recently one of the Honeynet Project's Solaris Honeynets was
> compromised.
> > What made this attack unique was after breaking into the system, the
> > attackers enabled IPv6 tunneling on the system, with communications
> being
> > forwarded to another country.  The attack and communications were
> captured
> > using Snort, however the data could not be decoded due to the IPv6
> > tunneling.  Also, once tunneled, this could potentialy disable/bypass
> the
> > capabilities of some IDS systems.
> >
> > Marty is addressing this issue and has added IPv6 decode support to
> > Snort.  Its not part of Snort current (2.0) yet, its still in the
> > process of testing.  If you would like to test this new capability,
> > you can find it online at
> >
> >     http://www.snort.org/~roesch/
> >
> > Marty's looking for feedback.  As IPv6 usage spreads, especially in
> > Asia, you will want to be prepared for it.  Keep in mind, even in
> > IPv4 environments (as was our Solaris Honeynet) attackers can
> > encode their data in IPv6 and then tunnel it through IPv4.  We will
> > most likely being seeing more of this type of behavior.
> >
> > Just a friendly heads-up :)
> >
> > --
> > Lance Spitzner
> > http://www.tracking-hackers.com
>
>
>
> --------------------------------------------------------
>
>
> The information contained in this message is intended only for the
> recipient, and may be a confidential attorney-client communication or
> may otherwise be privileged and confidential and protected from
> disclosure. If the reader of this message is not the intended recipient,
> or an employee or agent responsible for delivering this message to the
> intended recipient, please be aware that any dissemination or copying of
> this communication is strictly prohibited. If you have received this
> communication in error, please immediately notify us by replying to the
> message and deleting it from your computer.
>
> Thank you,
>
> Standard & Poor's
>
> --------------------------------------------------------