Re: IPv6

From: roy lo (roylo@sr2c.com)
Date: 12/21/02

  • Next message: Krzysztof Zaraska: "Re: IPv6" 
    Date: Sat, 21 Dec 2002 00:06:33 -0500
From: roy lo <roylo@sr2c.com>
To: roy lo <roylo@sr2c.com>

    To add in to what I just said (to make it clear)

    The (victim) host(s) itself must have IPv6 enabled (and in most cases it
    has tunneling enabled as well)
    a friend of mine mention this type of attack a while ago, and he also
    mention that most system's IPv6 implementation is incomplete and solaris
    is one of the few one that actually has/had a complete implementation of
    IPv6 (not sure if it is still true now).

    roy lo wrote:

    > I think it was used to perform the attack, I have heard this type of
    > attack from a friend of mine before awhile ago.
    >
    > Steven Bairstow wrote:
    >
    >> Do you mean that IPv6 tunneling was turned on as part of the
    >> compromise? Or that it was used to perform the attack?
    >>
    >>
    >>
    >>> Recently one of the Honeynet Project's Solaris Honeynets was
    >>> compromised.
    >>> What made this attack unique was IPv6 tunneling was enabled on the
    >>> system,
    >>> with communications being forwarded to another country. The attack and
    >>> communications were captured using Snort, however the data could not be
    >>> decoded due to the IPv6 encapsulation.
    >>>
    >>> This made me consider, this activity could be used as a means of
    >>> "covert" communications or activity. Many IDS systems, and potentially
    >>> many sniffers, have difficulty decoding IPv6 activity. Was
    >>> wondering if
    >>> others had seen this activity, and the implications it may have to
    >>> the IDS
    >>> community?
    >>>
    >>> lance
    >>>
    >>
    >>
    >>
    >>
    >>
    >
    > 

    -- 
Roy Lo  
Freelance Consultant 
E-mail -  roylo@sr2c.com
Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)

    Relevant Pages