RE: IPv6

["Hornat, Charles" <Charles_Hornat () standardandpoors com>]

Other than hiding traffic once its been compromised, is there any other
reasons to use IP6?

Charles

-----Original Message-----
From: Colin Stubbs [mailto:cjstubbs () optushome com au] 
Sent: Wednesday, December 18, 2002 7:46 AM
To: honeypots () securityfocus com
Subject: Re: IPv6

I'm not sure how wide spread this is, since I'm not regularly working
with compromised machines. But I was under the impression this was
almost old hat now, as it's a fairly logical method of avoiding
IDS/firewalls/etc.
 
More importantly, I saw this used to hide remote access on a compromised
Debian 2.2 box I cleaned up early March 2002, it was part of a rootkit,
though I no longer have any info on, or files from that particular
machine.

Colin Stubbs

On Wed, 2002-12-18 at 12:34, Lance Spitzner wrote:
> Recently one of the Honeynet Project's Solaris Honeynets was
compromised.
> What made this attack unique was after breaking into the system, the
> attackers enabled IPv6 tunneling on the system, with communications
being 
> forwarded to another country.  The attack and communications were
captured 
> using Snort, however the data could not be decoded due to the IPv6 
> tunneling.  Also, once tunneled, this could potentialy disable/bypass
the 
> capabilities of some IDS systems.
>
> Marty is addressing this issue and has added IPv6 decode support to
> Snort.  Its not part of Snort current (2.0) yet, its still in the 
> process of testing.  If you would like to test this new capability,
> you can find it online at 
>
>     http://www.snort.org/~roesch/
>
> Marty's looking for feedback.  As IPv6 usage spreads, especially in
> Asia, you will want to be prepared for it.  Keep in mind, even in 
> IPv4 environments (as was our Solaris Honeynet) attackers can
> encode their data in IPv6 and then tunnel it through IPv4.  We will
> most likely being seeing more of this type of behavior.
>
> Just a friendly heads-up :)
>
> -- 
> Lance Spitzner
> http://www.tracking-hackers.com
 
 
 
--------------------------------------------------------

 
The information contained in this message is intended only for the recipient, and may be a confidential attorney-client 
communication or may otherwise be privileged and confidential and protected from disclosure. If the reader of this 
message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended 
recipient, please be aware that any dissemination or copying of this communication is strictly prohibited. If you have 
received this communication in error, please immediately notify us by replying to the message and deleting it from your 
computer. 
 
Thank you, 
 
Standard & Poor's
 
--------------------------------------------------------