Slashdot Mirror


Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au)

"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found." Slashdot reader Bismillah summarizes a report from IT News. Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog."
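The transition mechanisms the researchers lean on are ordinary encapsulations: IPv6 carried directly in IPv4 as protocol 41 (6in4, 6to4, ISATAP, 6rd) and IPv6 carried in UDP to port 3544 (Teredo). A sensor that stops at the outer IPv4 header logs "protocol 41" or "UDP/3544" and never sees the inner IPv6 endpoints or transport. The Python below is an added example, not code from the paper or the IT News article: a minimal decapsulating classifier run over constructed sample frames (documentation address ranges, not real captures). The header builders and sample names are this example's own.

```python
import struct
import ipaddress

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41        # RFC 4213: IPv6 encapsulated directly in IPv4 (6in4, 6to4, ISATAP, 6rd)
TEREDO_PORT = 3544       # RFC 4380: Teredo carries IPv6 inside UDP to/from this port


def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header for the constructed samples; checksum left 0.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv6_header(src, dst, next_header, payload_len):
    # 40-byte IPv6 header: version 6, no traffic class or flow label.
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def decode_inner_ipv6(inner, kind, outer):
    """Parse the IPv6 header a tunnel carries; flag anything that is not one."""
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return dict(outer, kind=kind + "-malformed")
    return dict(outer, kind=kind,
                inner_src=str(ipaddress.IPv6Address(inner[8:24])),
                inner_dst=str(ipaddress.IPv6Address(inner[24:40])),
                inner_next_header=inner[6])


def classify(frame):
    """Describe how an IPv4 frame carries IPv6, if at all.

    The outer header alone only says "protocol 41" or "UDP 3544"; here the
    payload is decapsulated so the inner IPv6 endpoints can be policed.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return {"kind": "not-ipv4"}
    ihl = (frame[0] & 0x0F) * 4
    outer = {"proto": frame[9],
             "outer_src": str(ipaddress.IPv4Address(frame[12:16])),
             "outer_dst": str(ipaddress.IPv4Address(frame[16:20]))}
    payload = frame[ihl:]

    if outer["proto"] == IPPROTO_IPV6:
        return decode_inner_ipv6(payload, "6in4", outer)

    if outer["proto"] == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            inner = payload[8:]
            # Teredo may prepend an 8-byte origin indication (starts 0x0000)
            # to the IPv6 packet; skip it.  The variable-length authentication
            # header (0x0001) is not handled and shows up as "teredo-malformed".
            if inner[:2] == b"\x00\x00":
                inner = inner[8:]
            return decode_inner_ipv6(inner, "teredo", outer)

    return dict(outer, kind="plain")


def find_tunnels(frames):
    """Return (index, kind) for every frame that carries encapsulated IPv6."""
    kinds = ((i, classify(f)["kind"]) for i, f in enumerate(frames))
    return [(i, k) for i, k in kinds if k.startswith(("6in4", "teredo"))]


# Constructed sample frames (documentation prefixes, not real traffic).
INNER = ipv6_header("2001:db8::10", "2001:db8::dead", 6, 0)   # TCP, no payload
SAMPLE_6IN4 = ipv4_header("192.0.2.10", "203.0.113.5", IPPROTO_IPV6, len(INNER)) + INNER
_TEREDO = udp_header(3544, 3544, len(INNER)) + INNER
SAMPLE_TEREDO = ipv4_header("192.0.2.10", "203.0.113.5", IPPROTO_UDP, len(_TEREDO)) + _TEREDO
_ORIGIN = b"\x00\x00\x12\x34" + b"\x00" * 4                    # origin indication
_TEREDO_OI = udp_header(3544, 40000, len(_ORIGIN) + len(INNER)) + _ORIGIN + INNER
SAMPLE_TEREDO_ORIGIN = ipv4_header("203.0.113.5", "192.0.2.10", IPPROTO_UDP, len(_TEREDO_OI)) + _TEREDO_OI
_DNS = udp_header(50000, 53, 12) + b"\x00" * 12
SAMPLE_DNS = ipv4_header("192.0.2.10", "192.0.2.53", IPPROTO_UDP, len(_DNS)) + _DNS

if __name__ == "__main__":
    for f in (SAMPLE_6IN4, SAMPLE_TEREDO, SAMPLE_TEREDO_ORIGIN, SAMPLE_DNS):
        print(classify(f))
```

On an IPv4-only network any hit from find_tunnels is worth an alert, since there is no legitimate reason for IPv6 to be leaving inside IPv4. Two caveats: Teredo peer-to-peer traffic runs between the clients' mapped ports rather than 3544, so the port check above only catches client-to-server and relay legs; and IPv6 can also ride GRE, AYIYA or TSP, which this example does not decode.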

2 of 113 comments

  1. give me a break. by nimbius · · Score: 0, Flamebait

    IPv6 transition mechanisms

    IPv6 has been around nearly a decade. Any company that doesn't have a competent dual-stack implementation deserves what they get. That having been said, the number of vendors that recoil in shock and horror when you ask if they can route, or even support, IPv6 is amazing.

    Since IPv6 implementations and security solutions are relatively new and untested

    But this has been an issue that's unaddressed by the industry, not security pros. I can think of maybe five vendors I've declined because their IPv6 implementation was either partial, shitty, or non-existent. I decided on implementing OpenBSD instead and so far haven't found anything as robust.

    systems engineers aren't fully aware of them

    This happens when you have a baby-boomer tech employee who refuses to retire. You let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds, but unless it's from the vendor that bought him steak and told him he was a real straight shooter, he's not going out of his lane to potentially fail at this point in his career, or learn something new.

    --
    Good people go to bed earlier.
    1. Re:give me a break. by knorthern+knight · · Score: 1, Flamebait

      > Speaking for myself, restoring the Internet to a viable network of PEERs where everyone has
      > the capability if desired to directly address everyone else is of utmost importance to countering
      > the proliferation of centralized manure currently waging war against *my* Internet.

      I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me attitude". I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.

      > IPv6 is well worth any initial hardship or annoyance. Even if everyone hides
      > behind an SPI anyway the ability to trivially prime direct connections with
      > a 1:1 map is an absolutely priceless capability by itself without getting to global
      > costs of dealing with IPv4 scarcity or people being forced into CGN land.

      I hope somebody comes out with a NAT'ing IPv6 ADSL router that NATs multiple machines behind it to one publicly visible address. It'll be worth it just to watch all those internet hippies' heads explode.

      --
      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user