Date: 2017-04-09
Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au)
"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found." Slashdot reader Bismillah summarizes a report from IT News. Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog."
VPNs aren't set up and enabled by default on Windows machines the way Teredo, 6to4 and ISATAP are.
IPv6 transition mechanisms
IPv6 has been around nearly a decade. Any company that doesn't have a competent dual-stack implementation deserves what they get. That having been said, the number of vendors that recoil in shock and horror when you ask if they can route, or even support, IPv6 is amazing.
Since IPv6 implementations and security solutions are relatively new and untested
But this has been an issue that's unaddressed by the industry, not security pros. I can think of maybe five vendors I've declined because their IPv6 implementation was either partial, shitty, or non-existent. I decided on implementing OpenBS
I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.
Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).
netsh interface teredo set state disabled
netsh interface isatap set state disabled
netsh interface 6to4 set state disabled
These IPv6 tunnels are worse than useless in my experience.
Windows Homegroup depends on IPv6 being present & some other users of the machines I use find it useful, so it can't be disabled as well all the time, but at least it's not trying to tunnel out. When (though it's still rare) the network has IPv6 connectivity, it also has IPv6 firewalls, so it's less of an issue as well.
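For the defender's side of the story above, here is a first-pass classifier that labels raw IPv4 packets carrying Teredo, 6to4, ISATAP or other IPv6-in-IPv4 traffic. It is an added example, not part of the thread or the researchers' paper; the function names, labels and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6, TEREDO_PORT = 17, 41, 3544  # UDP, IPv6-in-IPv4, Teredo server port
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # bytes 8-11 of an ISATAP address

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet: teredo, 6to4, isatap, 6in4, fragment, plain or malformed."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if len(packet) < 20 or packet[0] >> 4 != 4 or not 20 <= ihl <= len(packet):
        return "malformed"
    proto, payload = packet[9], packet[ihl:]
    if proto not in (PROTO_UDP, PROTO_IPV6):
        return "plain"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "fragment"  # non-first fragment: no inner header here, reassemble first
    if proto == PROTO_UDP:
        if len(payload) < 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", payload[:4])
        return "teredo" if TEREDO_PORT in (sport, dport) else "plain"
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return "malformed"
    src, dst = payload[8:24], payload[24:40]
    if any(ipaddress.IPv6Address(a) in SIX_TO_FOUR for a in (src, dst)):
        return "6to4"
    if any(a[8:12] in ISATAP_IIDS for a in (src, dst)):
        return "isatap"
    return "6in4"  # protocol 41 with no recognisable 6to4/ISATAP addressing

def ipv4(proto, payload, frag=0):  # constructed sample packet, checksum left 0
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, frag, 64, proto, 0)
    return hdr + bytes([192, 0, 2, 10, 198, 51, 100, 20]) + payload  # documentation-range addresses

def ipv6(src, dst):  # constructed 40-byte IPv6 header, next header 59 (no payload)
    pack = lambda a: ipaddress.IPv6Address(a).packed
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + pack(src) + pack(dst)

SAMPLES = {  # constructed traffic, keyed by the label classify() should return
    "teredo": ipv4(PROTO_UDP, struct.pack("!HHHH", 51000, TEREDO_PORT, 8, 0)),
    "6to4": ipv4(PROTO_IPV6, ipv6("2002:c000:20a::1", "2001:db8::1")),
    "isatap": ipv4(PROTO_IPV6, ipv6("fe80::5efe:c000:20a", "fe80::5efe:c633:6414")),
    "6in4": ipv4(PROTO_IPV6, ipv6("2001:db8::1", "2001:db8::2")),
    "plain": ipv4(PROTO_UDP, struct.pack("!HHHH", 51000, 53, 8, 0)),
    "fragment": ipv4(PROTO_IPV6, b"\x00" * 8, frag=185),
}
for label, pkt in SAMPLES.items():
    print(f"{label:9} -> {classify(pkt)}")
```

Matching on protocol number and port is only a coarse filter: Teredo relay traffic can use other UDP ports, so a sensor still needs to decode the inner IPv6 payload to inspect what the tunnel carries.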