Educause Security Discussion mailing list archives
Re: IPS conference call
From: randy marchany <marchany () VT EDU>
Date: Wed, 26 May 2010 20:26:44 -0400
On Wed, May 26, 2010 at 3:45 PM, Flynn, Gary <flynngn () jmu edu> wrote:
> Randy, what IPv6 attacks have your IPS units detected? Just curious as we’re getting ready to upgrade our IPS for IPv6 capability and enable native IPv6 across the Internet border. Currently we’re blocking IPv6 and allowing tunneling/transition protocols. We hope to reverse that.
That's my point. The IPS units did NOT detect the test IPv6 attack packets we built during our tests in 2008/9. They only detected things like ping6. We've been full production IPv6 for about 5 years now. Snort v3.x has v6 detection capability if I remember correctly. I was talking with Marty Roesch about this & he told me that Sourcefire is the only one with working IPv6 detection. I don't know if other vendors can make this claim. However, if you are evaluating v6 detection capabilities in an IPS/IDS, you need to verify this actually works. While I haven't seen a lot of v6 attacks yet, I have seen a v4 attack with a v6 communication backchannel that basically went through ACLs and IPS with no problem. We killed the malware when we discovered it and the v6 backchannel reinserted it. That's when we discovered our IPS didn't really detect v6. I admit this is a problem for us since we are IPv6 production and may not be for the majority of the EDU world, but it is a cautionary tale.
> I saw a white paper from ISS or eEye 5-6 years ago about detected IPv6 attacks and IPv6-enabled malware but haven’t seen anything recently.
http://www.cs.columbia.edu/~smb/papers/v6worms.pdf by Bellovin, Cheswick and Keromytis describes the shape of things to come in general terms. John Ladwig mentions this in his post to this thread.