Honeypots mailing list archives
Re: FW: IPv6
From: xbud <xbud () g0thead com>
Date: Thu, 19 Dec 2002 04:29:19 -0600
On Wednesday 18 December 2002 12:42, Hornat, Charles wrote:
> Hey Mike, It's been a while, how have you been? My question is based on this thought: In order for the attacker to compromise the system, they would have used IP 4 and would have been caught by any existing IDS. Additionally, once they go through the trouble of getting IP6 to run on the compromised system, what would they do with it? Attack other IP6 systems? Perhaps there is an exploit in IP6 that you missed?
Maybe, but not limited to ipv6 enabled hosts only... The attacker can simply use another compromised box configured with ipv6 as a bounce and re-route or tunnel through and back out the net via a local ipv4 tunnel. This essentially allows him to attack from a honeypot. Not knowing what went through the ipv4 tunnel allows him to circumvent the honeypot's logging capabilities.
> Seems like it adds complication and more possibility for problems and detection for the attacker to implement.
Obviously he didn't mind going through the trouble of enabling ipv6, he may have had greater intentions.
> Charles
-x