Honeypots mailing list archives

Re: FW: IPv6


From: xbud <xbud () g0thead com>
Date: Thu, 19 Dec 2002 04:29:19 -0600

On Wednesday 18 December 2002 12:42, Hornat, Charles wrote:
> Hey Mike, It's been a while, how have you been?
>
> My question is based on this thought:  In order for the attacker to
> compromise the system, they would have used IP 4 and would have been
> caught by any existing IDS.  Additionally, once they go through the
> trouble of getting IP6 to run on the compromised system, what would they
> do with it?  Attack other IP6 systems?  Perhaps there is an exploit in
> IP6 that you missed?

Maybe, but not limited to ipv6 enabled hosts only... The attacker can simply 
use another compromised box configured with ipv6 as a bounce and re-route or 
tunnel through and back out the net via a local ipv4 tunnel.  This 
essentially allows him to attack from a honeypot.  Not knowing what went 
through the ipv4 tunnel allows him to circumvent the honeypot's logging 
capabilities.

> Seems like it adds complication and more possibility
> for problems and detection for the attacker to implement.

Obviously he didn't mind going through the trouble of enabling ipv6, he may 
have had greater intentions.
> Charles

-x

