To add to what I just said (to make it clear):
The (victim) host(s) itself must have IPv6 enabled (and in most cases it
has tunneling enabled as well).

A friend of mine mentioned this type of attack a while ago, and he also
mentioned that most systems' IPv6 implementations are incomplete and Solaris
is one of the few that actually has/had a complete implementation of
IPv6 (not sure if it is still true now).

roy lo wrote:
> I think it was used to perform the attack; I heard about this type of
> attack from a friend of mine a while ago.
>
> Steven Bairstow wrote:
>
>> Do you mean that IPv6 tunneling was turned on as part of the
>> compromise? Or that it was used to perform the attack?
>>
>>> Recently one of the Honeynet Project's Solaris Honeynets was
>>> compromised. What made this attack unique was IPv6 tunneling was
>>> enabled on the system, with communications being forwarded to
>>> another country. The attack and communications were captured using
>>> Snort, however the data could not be decoded due to the IPv6
>>> encapsulation.
>>>
>>> This made me consider, this activity could be used as a means of
>>> "covert" communications or activity. Many IDS systems, and potentially
>>> many sniffers, have difficulty decoding IPv6 activity. Was wondering
>>> if others had seen this activity, and the implications it may have to
>>> the IDS community?
>>>
>>> lance
>>>
--
Roy Lo
Freelance Consultant
E-mail - roylo_at_sr2c.com
Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)
Received on Dec 23 2002
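
The decoding gap described in the quoted Honeynet message can be closed on the sensor side by recognising the tunnel and reading the inner header. The following is an added example, not part of the original thread: it assumes the tunnel is plain IPv6-in-IPv4 encapsulation (IP protocol 41), which the thread does not specify, and the function names and sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6 = 41  # IANA IPv4 protocol number for encapsulated IPv6

def decode_6in4(pkt: bytes):
    """Decode the IPv6 header inside an IPv4 datagram (protocol 41).

    Returns None if pkt is not IPv4 carrying IPv6, else a dict with the
    outer IPv4 and inner IPv6 endpoints. 'inner' is None when the IPv6
    header is unavailable (truncated capture or non-first fragment).
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length incl. options
    if ihl < 20 or len(pkt) < ihl or pkt[9] != PROTO_IPV6:
        return None
    result = {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "inner": None,
    }
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    inner = pkt[ihl:]
    if frag_offset or len(inner) < 40 or inner[0] >> 4 != 6:
        return result                   # tunnel seen, inner header unavailable
    payload_len, next_hdr = struct.unpack("!HB", inner[4:7])
    result["inner"] = {
        "src": str(ipaddress.IPv6Address(inner[8:24])),
        "dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": next_hdr,        # e.g. 6 = TCP, 17 = UDP, 58 = ICMPv6
        "payload_len": payload_len,
    }
    return result

def constructed_sample() -> bytes:
    """Constructed test packet: 6in4 carrying a 20-byte zeroed TCP header."""
    inner = struct.pack("!IHBB", 6 << 28, 20, 6, 64)
    inner += ipaddress.IPv6Address("2001:db8::1").packed
    inner += ipaddress.IPv6Address("2001:db8::2").packed + bytes(20)
    # Outer IPv4 header; checksum left at 0 because the decoder does not verify it.
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_IPV6, 0)
    outer += ipaddress.IPv4Address("192.0.2.10").packed
    outer += ipaddress.IPv4Address("198.51.100.7").packed
    return outer + inner

if __name__ == "__main__":
    print(decode_6in4(constructed_sample()))
```

A sensor that flags every non-None result sees the tunnel even when the inner header is unavailable, which is the case worth alerting on for hosts that are not expected to tunnel IPv6.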