Educause Security Discussion mailing list archives

Re: IPS conference call


From: randy marchany <marchany () VT EDU>
Date: Wed, 26 May 2010 20:26:44 -0400

On Wed, May 26, 2010 at 3:45 PM, Flynn, Gary <flynngn () jmu edu> wrote:

> Randy,
>
> What IPv6 attacks have your IPS units detected? Just curious as we’re
> getting ready to upgrade our IPS for IPv6 capability and enable native IPv6
> across the Internet border. Currently we’re blocking IPv6 and allowing
> tunneling/transition protocols. We hope to reverse that.


That's my point. The IPS units did NOT detect the test IPv6 attack packets
we built during our tests in 2008/9. They only detected things like ping6.
We've been full production IPv6 for about 5 years now. Snort v3.x has v6
detection capability if I remember correctly. I was talking with Marty
Roesch about this & he told me that Sourcefire is the only one with working
IPv6 detection.  I don't know if other vendors can make this claim. However,
if you are evaluating v6 detection capabilities in an IPS/IDS, you need to
verify this actually works.

While I haven't seen a lot of v6 attacks yet, I have seen a v4 attack with a
v6 communication backchannel that basically went through ACLs and IPS with
no problem. We killed the malware when we discovered it and the v6
backchannel reinserted it. That's when we discovered our IPS didn't really
detect v6. I admit this is a problem for us since we are IPv6 production
and may not be for the majority of the EDU world but it is a cautionary
tale.


> I saw a white paper from ISS or eEye 5-6 years ago about detected IPv6
> attacks and IPv6-enabled malware but haven’t seen anything recently.


http://www.cs.columbia.edu/~smb/papers/v6worms.pdf by Bellovin, Cheswick and
Keromytis describes the shape of things to come in general terms. John
Ladwig mentions this in his post to this thread.
