[ale] IPv6

Michael H. Warfield mhw at wittsend.com
Sun Nov 9 22:16:28 EST 2003


On Tue, Nov 04, 2003 at 01:51:17AM -0500, George Johnson wrote:
> I was just at the AUUG meeting tonight.  Just how easily is a system running
> ipv4 hacked by a someone running ipv6?  Does a firewall protect you from it?
> Where are some good sites on the subject of hacking with ipv6?

	Not exactly the correct question (BTW...  I was the speaker at
AUUG for that night).  Someone hacks into your box and then they enable
IPv6 (simple as adding a few lines to a couple of config files and restarting
the network OR entering the enabling commands manually / by script) and then
set up their backdoors / communications channels over SIT/6over4 or 6to4.
This was what happened to a machine on the Honeynet Project.  Guys broke
into the honeypot and immediately shifted gears and switched all their
communications and backdoors to IPv6.  Guess what...  None of the IDS
software (Snort and others) could then detect their activity.  The initial
breakin generally occurs over IPv4.  They secure their connections and their
beach-head using IPv6.

	Most firewalls will NOT, and firewalling IPv6 in an IPv4
environment is a bit of a black art.

	To block SIT (aka 6over4) and 6to4 you have to block protocol 41
(tcp is 6 and udp is 17) in your IPv4 firewall rules.  IF you terminate
IPv6 tunnels on your firewall, THEN you can filter the IPv6 traffic using
iptables6.  If you DON'T terminate your IPv6 tunnels on your firewall,
your IPv4 firewall will see IPv6 traffic as IPv4 protocol 41 (and not be
able to filter tcp or upd in that traffic) and your IPv6 firewall will
not see it at all (because it's IPv4 traffic).

	Everybody pays sooo much attention to their tcp and udp and icmp
rules that they forget there are other protocols, like SIT (aka 6over4)
and GRE.  LOTS of firewalls are open to passing SIT traffic that should
not be.  The "elite" have figured this out.

	BTW...  I've been asked by someone if I would reprise my IPv6
talk at ALE-NE in December.  I've agreed but I have not received confirmation
back.  Stand by for further announcements.

> George Johnson





-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
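The blind spot Michael describes (an IPv4 firewall or IDS sees only "protocol 41" or "protocol 47" and never the TCP/UDP ports inside) is exactly what decapsulation fixes. The following is an added example, not code from the original post or from the Honeynet Project: a small Python decapsulator that takes raw IPv4 packets, recognises IPv6-in-IPv4 (protocol 41, which covers SIT/6in4 and 6to4) and IPv6 carried in GRE (protocol 47 with ethertype 0x86DD), and reports the inner IPv6 addresses, next header and ports. The packets and addresses are constructed documentation samples (192.0.2.0/24, 2001:db8::/32), not captured traffic; the function and variable names are this example's own.

```python
"""Decapsulate IPv6-in-IPv4 (proto 41: SIT/6in4/6to4) and GRE-carried IPv6 (proto 47)
so that the inner TCP/UDP endpoints become visible to a filter or IDS.
All sample packets below are constructed, not captured."""
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_IPV6, PROTO_GRE = 6, 17, 41, 47
ETHERTYPE_IPV6 = 0x86DD
SIXTO4 = ipaddress.IPv6Network("2002::/16")   # RFC 3056: 2002:V4ADDR::/48


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (IHL=5, no options, checksum left zero) for sample traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header (version 6, no extension headers)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport):
    """TCP header carrying only ports and a SYN flag; enough for port inspection."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_gre(proto_type, payload):
    """GRE header with all flag bits clear (no checksum/key/sequence fields)."""
    return struct.pack("!HH", 0, proto_type) + payload


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) of an IPv4 packet, honouring IHL for options."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:]


def parse_ipv6(data):
    """Return (next_header, src, dst, payload) or None if this is not an IPv6 header."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return data[6], ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40]), data[40:]


def ports(proto, data):
    """Source/destination ports for TCP or UDP; None for anything else."""
    if proto in (PROTO_TCP, PROTO_UDP) and len(data) >= 4:
        return struct.unpack("!HH", data[:4])
    return None


def classify(pkt):
    """Describe the outer IPv4 packet and, if it is a tunnel, the IPv6 packet inside it."""
    proto, osrc, odst, payload = parse_ipv4(pkt)
    result = {"outer_proto": proto, "outer_src": str(osrc), "outer_dst": str(odst), "tunnel": None}
    inner, kind = None, None
    if proto == PROTO_IPV6:                       # SIT / 6in4 / 6to4: IPv6 directly in IPv4
        inner, kind = parse_ipv6(payload), "6in4"
    elif proto == PROTO_GRE and len(payload) >= 4:
        flags, ptype = struct.unpack("!HH", payload[:4])
        off = 4                                   # skip optional GRE fields per RFC 2784/2890 flag bits
        off += 4 if flags & 0x8000 else 0         # checksum + reserved1
        off += 4 if flags & 0x2000 else 0         # key
        off += 4 if flags & 0x1000 else 0         # sequence number
        if ptype == ETHERTYPE_IPV6:
            inner, kind = parse_ipv6(payload[off:]), "gre-ipv6"
    if inner is None:
        return result
    nh, isrc, idst, ipayload = inner
    if kind == "6in4" and (isrc in SIXTO4 or idst in SIXTO4):
        kind = "6to4"                             # 2002::/16 endpoint means the 6to4 mechanism
    result.update(tunnel=kind, inner_src=str(isrc), inner_dst=str(idst),
                  inner_proto=nh, inner_ports=ports(nh, ipayload))
    return result


def tunnel_alerts(packets):
    """IDS-style one-line alerts for every encapsulated IPv6 packet in a batch."""
    alerts = []
    for pkt in packets:
        r = classify(pkt)
        if r["tunnel"]:
            alerts.append(f"{r['tunnel']} {r['outer_src']}->{r['outer_dst']} carries "
                          f"{r['inner_src']}->{r['inner_dst']} nh={r['inner_proto']} ports={r['inner_ports']}")
    return alerts


# Constructed samples: a 6to4 SSH session, a plain IPv4 HTTP SYN, and DNS over IPv6 inside GRE.
SAMPLE_6TO4 = build_ipv4("192.0.2.10", "198.51.100.20", PROTO_IPV6,
                         build_ipv6("2002:c000:20a::1", "2001:db8::1", PROTO_TCP, build_tcp(40000, 22)))
SAMPLE_PLAIN = build_ipv4("192.0.2.10", "198.51.100.20", PROTO_TCP, build_tcp(40000, 80))
SAMPLE_GRE = build_ipv4("192.0.2.10", "198.51.100.20", PROTO_GRE,
                        build_gre(ETHERTYPE_IPV6, build_ipv6("2001:db8::2", "2001:db8::1", PROTO_UDP,
                                                             struct.pack("!HHHH", 5353, 53, 8, 0))))

if __name__ == "__main__":
    for line in tunnel_alerts([SAMPLE_6TO4, SAMPLE_PLAIN, SAMPLE_GRE]):
        print(line)
```

Run stand-alone it prints one alert for the 6to4 packet (inner ports 40000 to 22) and one for the GRE packet (5353 to 53), and nothing for the plain IPv4 SYN, which is what a port-based rule on the outer header alone would have seen as "protocol 41" or "protocol 47" with no ports at all. On a Linux IPv4 firewall that is not meant to terminate tunnels, the matching blanket drop is `iptables -A FORWARD -p 41 -j DROP` (and `-p 47` for GRE), as the post recommends.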