IDS mailing list archives
Re: IPv6
From: roy lo <roylo () sr2c com>
Date: Fri, 20 Dec 2002 23:53:34 -0500
I think it was used to perform the attack, I have heard this type of attack from a friend of mine before awhile ago.
Steven Bairstow wrote:
Do you mean that IPv6 tunneling was turned on as part of the compromise? Or that it was used to perform the attack?Recently one of the Honeynet Project's Solaris Honeynets was compromised. What made this attack unique was IPv6 tunneling was enabled on the system, with communications being forwarded to another country. The attack and communications were captured using Snort, however the data could not be decoded due to the IPv6 encapsulation. This made me consider, this activity could be used as a means of "covert" communications or activity. Many IDS systems, and potentially many sniffers, have difficulty decoding IPv6 activity. Was wondering if others had seen this activity, and the implications it may have to the IDS community? lance
--Roy Lo Freelance Consultant E-mail - roylo () sr2c com
Sun Certified Network Administrator (SCNA) Sun Certified System Administrator (SCSA)Cisco Certified Network Associate (CCNA)