Re: IPv6

[roy lo <roylo () sr2c com>]

To add in to what I just said (to make it clear)

The (victim) host(s) itself must have IPv6 enabled (and in most cases it 
has tunneling enabled as well)
a friend of mine mention this type of attack a while ago, and he also 
mention that most system's IPv6 implementation is incomplete and solaris 
is one of the few one that actually has/had a complete implementation of 
IPv6 (not sure if it is still true now).


roy lo wrote:

> I think it was used to perform the attack, I have heard this type of 
> attack from a friend of mine before awhile ago.
>
> Steven Bairstow wrote:
>
> > Do you mean that IPv6 tunneling was turned on as part of the 
> > compromise?  Or that it was used to perform the attack?
> >
> >  
> >
> > > Recently one of the Honeynet Project's Solaris Honeynets was 
> > > compromised.
> > > What made this attack unique was IPv6 tunneling was enabled on the 
> > > system,
> > > with communications being forwarded to another country.  The attack and
> > > communications were captured using Snort, however the data could not be
> > > decoded due to the IPv6 encapsulation.
> > >
> > > This made me consider, this activity could be used as a means of
> > > "covert" communications or activity.  Many IDS systems, and potentially
> > > many sniffers, have difficulty decoding IPv6 activity.  Was 
> > > wondering if
> > > others had seen this activity, and the implications it may have to 
> > > the IDS
> > > community?
> > >
> > > lance
> > >   
> >
> >
> >
> >  


--
Roy Lo  
Freelance Consultant 
E-mail -  roylo () sr2c com


Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)