Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Networking Security

Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au) 113

"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found." Slashdot reader Bismillah summarizes a report from IT News. Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog."
This discussion has been archived. No new comments can be posted.

Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems

Comments Filter:
  • by Anonymous Coward on Sunday April 09, 2017 @08:52AM (#54201773)

    IPv6 is called out unfairly here. Any kind of tunnel is potentially not handled by an IDS.

    There's better ways to exfiltrate data. VPN anyone?

    • by phayes ( 202222 ) on Sunday April 09, 2017 @09:04AM (#54201805) Homepage

      VPNs aren't setup and enabled by default on windows machines the way teredo, 6to4 and isatap are.

    • by Anonymous Coward

      No. The point is that ipv6 is often not watched by IDS. In most cases because the admins didn't realize v6 was running and simply haven't configured it.

      • Re: (Score:1, Offtopic)

        Shitty admins use Shitty configurators on Shitty windows for Shitty protection.

    • by Cramer ( 69040 )

      Perhaps. But the key here is that admins often are completely blind to IPv6 and various shit systems (and users) do to enable IPv6. (I'm looking right at you Microsoft!) VPNs? Sure. And many will block them.

  • by phayes ( 202222 ) on Sunday April 09, 2017 @09:03AM (#54201795) Homepage

    netsh interface teredo set state disabled
    netsh interface isatap set state disabled
    netsh interface 6to4 set state disabled

    These IPV6 tunnels are use than useless in my experience.

    Windows Homegroup depends on IPV6 being present & some other users of the machines I use find it useful so it can't be disabled as well all the time but at least it's not trying to tunnel out. When (though it's still rare), the network has IPV6 connectivity it also has IPV6 firewalls so it's less of an issue as well.

    • When ipv6 on my router is set to disabled, is it blocked?

      • by phayes ( 202222 ) on Sunday April 09, 2017 @10:20AM (#54202013) Homepage

        Turning off IPV6 in your router will turn off native IPV6 routing but that's not the issue here. The problem is that Windows in particular sets up three different means of tunnelling IPV6 in IPV4. Turning off IPV6 in your router will do nothing for these and you need to turn off Teredo, 6to4 and Isatap on every windows machine.

      • by Cramer ( 69040 )

        In a word, NO! In fact, it will cause windows to fall back to using teredo, etc. to fake IPv6 connectivity. One must take active measures to block that shit from the network. Turning off those interfaces within windows will *NOT* keep them turned off.

    • netsh interface teredo set state disabled
      netsh interface isatap set state disabled
      netsh interface 6to4 set state disabled

      These IPV6 tunnels are use than useless in my experience.

      Windows Homegroup depends on IPV6 being present & some other users of the machines I use find it useful so it can't be disabled as well all the time but at least it's not trying to tunnel out. When (though it's still rare), the network has IPV6 connectivity it also has IPV6 firewalls so it's less of an issue as well.

      At least you didn't advise disabling IPv6 completely, which isn't even a supported configuration any more (in Microsoft products).

      • by phayes ( 202222 )

        When IPV6 is configured on a Windows machine and it is getting & attempting to use AAAA DNS records, resulting in a 30 second timeouts, that's when I diable IPV6: http://blogs.cisco.com/enterpr... [cisco.com]

        Yeah, it's the client's network that "should" be fixed, but I've given up at tilting at windmills. I'll just tell them that their IPV6 is messed up, disable IPV6 on the server with the issues getting rid of the timeouts and move on.

        • When IPV6 is configured on a Windows machine and it is getting & attempting to use AAAA DNS records, resulting in a 30 second timeouts, that's when I diable IPV6: http://blogs.cisco.com/enterpr... [cisco.com]

          Yeah, it's the client's network that "should" be fixed, but I've given up at tilting at windmills. I'll just tell them that their IPV6 is messed up, disable IPV6 on the server with the issues getting rid of the timeouts and move on.

          Thats using a sledgehammer to crack a nut. You don't need to disable IPv6 to do that.

          • by phayes ( 202222 )

            Given that I couldn't care less about homegroup and it's the only thing that I see that breaks when IPV6 is disabled & "netsh interface ipv6 set state disabled" takes 5 seconds, it's a itty bitty teeny tiny sledgehammer. MS can state that it's an unsupported config but why should I care (presently)? If IPV6 becomes necessary in the future for things I need, I'll change my habits but so far? Meh...

            • Given that I couldn't care less about homegroup and it's the only thing that I see that breaks when IPV6 is disabled & "netsh interface ipv6 set state disabled" takes 5 seconds, it's a itty bitty teeny tiny sledgehammer. MS can state that it's an unsupported config but why should I care (presently)? If IPV6 becomes necessary in the future for things I need, I'll change my habits but so far? Meh...

              It isn't a supported configuration. Microsoft do not test with IPv6 disabled. If you disable it you are on your own, in uncharted territory, with pretty much only blogs to guide you.

              Good luck.

              • by phayes ( 202222 )

                Oh gee, no IPV6, only IPV4, what _ever_ will we do? IPV4 only hosts are _such_ a mystery!!!

                • Oh gee, no IPV6, only IPV4, what _ever_ will we do? IPV4 only hosts are _such_ a mystery!!!

                  In this case it is a mystery because the configuration has not been tested by the vendor. Its not that the system needs IPv6 connectivity to the Internet, thats completely different. Its that some applications expect to find a functional IPv6 stack and may react unpredictably if it isn't present. Thats what testing would be for. If the applications and OS were tested in the presence of a disabled IPv6 stack you'd be dead right. But it isn't. So you don't really know how its going to fuck up until YOU test i

                  • by phayes ( 202222 )

                    I've never seen an app (other than homegroup) that _needs_ IPV6 so like I said earlier, not having it is no loss and can quickly clear up some problems.

    • by Cramer ( 69040 )

      Until you reboot. Or install virtually anything from Microsoft. (read: they won't STAY turned off.)

      • by phayes ( 202222 )

        I don't know whats wrong with your installations but around here, interfaces disabled using netsh do not get enabled through a mere reboot.

  • I wonder how much of this is from win to denying that IPv6 is coming and not doing the homework and proper security analysis?

    • by rtb61 ( 674572 )

      None of this make sense, every indication is that NATO (North American Territorial Occupation farce), along with the CIA and NSA (to be fair the entire global spy vs spy apparatus), will hide any hacks they find so that they can use them even when organised crime already has them. Is this a subtle attack on IPV6 to keep people on IPV4 for as long as possible because they have completely hacked IPV4. Also IPV6 represents a nearly figurative infinite number of disposable IP addresses, allowing people to use e

  • by WaffleMonster ( 969671 ) on Sunday April 09, 2017 @12:10PM (#54202347)

    Automatic transition mechanisms are beyond useless in todays dual stack world. They are not now nor will they ever be sufficiently reliable for production use and therefore universally ignored for purposes other than owning end users. Microsoft themselves shut down their own teredo servers due to stated reason of non-existent demand.

    The only thing continuing to have teredo, isatap and 6to4 enabled by default on billions of machines does is help end users get owned.

  • Can I put this to use to clone a mesh network for private communications?

  • Its one of those protocols hardly anyone uses in relation towards IPv4. You can turn it off on your system and everything runs just fine. It doesn't matter how old it is, but the "neck massager" was never really meant for your neck. Know what I mean ;) ? It was new and was supposed to be able to handle more web addresses. Cloud computing is getting worse, so maybe it'll get its use when we all have servers in our houses or maybe in our phones. You never know anymore. I still say cloud computing will destroy
    • One thing hardly has anything to do w/ the other - and that's w/o touching your mixed metaphors regarding the neck massager

      IPv6 was designed from ground up to be a replacement for, not an enhancement to, IPv4. Bottom line was that there was no way to extend IPv4 addresses b'cos any fix would have to monkey around w/ the definition of the lengths of the source and destination address headers, and the moment one touched that, every router on the internet would have to be upgraded. Given the effort invol

      • by Cramer ( 69040 )

        IETF decided that rather than do piecemeal solutions, they'd do one cleanroom implementation of the internet protocol using everything that had been learned over the decades of IPv4 usage.

        HAH! They actively ignored much of what had been learned, and further, ignored what enterprises actually used. They put zero effort into how to get there -- backwards compatibility, migration paths, ... And they gave zero consideration to any aspect of security. IPv6 is the horribly broken, constantly changing ball of shit

    • The only reason people can "turn it off and everything runs just fine" is that you have been paying extra to your ISP to pay for the CGN boxes to keep IPv4 limping along well past the time when everyone should have been off it.

      Sane ISP's know that they don't want to run CGN boxes. They are expensive and increase they amount of logging that needs to be kept for law enforcement purposes. They also break functionality on which some of the customers depend.

      Sane ISP's enable IPv6 as it takes load off the CGN b

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...