Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au)
"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found."
Slashdot reader Bismillah summarizes a report from IT News.
Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog."
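The summary above describes the mechanism without showing it: the transition tunnels carry a complete IPv6 packet inside an IPv4 packet (IP protocol 41 for 6to4, ISATAP and manual 6in4; UDP port 3544 for Teredo), so a sensor that only inspects the outer IPv4 header sees nothing it recognises. The Python below is an added example, not code from the article, the Slashdot summary or the researchers' paper: it decodes those three encapsulations and reports the inner IPv6 addresses, which is the minimum a NIDS needs before it can apply its IPv6 rules. The packets are constructed inline from documentation addresses, not a real capture; one assumption is that a Teredo datagram carries at most the 8-byte Origin indication before the IPv6 packet (the variable-length Authentication indication is not decoded).

```python
import struct
import ipaddress

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41          # 6to4, ISATAP and manual 6in4 all use IP protocol 41
TEREDO_PORT = 3544               # Teredo servers and relays listen here (RFC 4380)
SIXTOFOUR = ipaddress.ip_network("2002::/16")


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, nxt, payload):
    """Fixed 40-byte IPv6 header in front of payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv6(buf):
    """Return (next_header, src, dst, payload) if buf starts with an IPv6 header, else None."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    return buf[6], ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40]), buf[40:]


def is_isatap(addr):
    """ISATAP interface IDs are 0000:5efe:<IPv4> (0200:5efe with the u/l bit set)."""
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    return (iid >> 32) & 0xFDFFFFFF == 0x00005EFE


def classify_tunnel(pkt):
    """Describe the IPv6 packet tunnelled inside an IPv4 packet, or None if there is none."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer = (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])))
    payload = pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        inner = parse_ipv6(payload)
        if inner is None:
            return None
        if inner[1] in SIXTOFOUR:
            kind = "6to4"
        elif is_isatap(inner[1]) or is_isatap(inner[2]):
            kind = "ISATAP"
        else:
            kind = "6in4"
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        body = payload[8:]
        # Assumption: only the 8-byte Origin indication (type 0x0000) may precede the
        # IPv6 packet; the variable-length Authentication indication (0x0001) is not handled.
        if body[:2] == b"\x00\x00":
            body = body[8:]
        inner = parse_ipv6(body)
        if inner is None:
            return None
        kind = "Teredo"
    else:
        return None
    return {"kind": kind, "outer": outer, "inner": (str(inner[1]), str(inner[2])),
            "next_header": inner[0]}


def scan(packets):
    """Tunnel findings for every packet that carries encapsulated IPv6."""
    return [f for f in map(classify_tunnel, packets) if f]


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE_PACKETS = [
    build_ipv4(PROTO_IPV6_IN_IPV4, "192.0.2.10", "192.88.99.1",        # 6to4 to the anycast relay
               build_ipv6("2002:c000:20a::1", "2001:db8::1", PROTO_TCP, b"\x00" * 20)),
    build_ipv4(PROTO_IPV6_IN_IPV4, "10.0.0.5", "10.0.0.9",             # ISATAP on an IPv4-only LAN
               build_ipv6("fe80::5efe:a00:5", "fe80::5efe:a00:9", PROTO_TCP, b"\x00" * 20)),
    build_ipv4(PROTO_UDP, "198.51.100.7", "203.0.113.1",               # Teredo client to relay
               build_udp(41000, TEREDO_PORT, b"\x00\x00\xd8\x43\x00\x00\x00\x00"
                         + build_ipv6("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::2",
                                      PROTO_TCP, b"\x00" * 20))),
    build_ipv4(PROTO_TCP, "10.0.0.5", "203.0.113.80", b"\x00" * 20),   # plain IPv4, no tunnel
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PACKETS):
        print(finding)
```

The point of the decoder is the second hop: once the inner addresses are visible, the 6to4 and ISATAP packets above are recognisable as tunnel traffic from their address structure alone, while the Teredo packet is only recognisable because UDP/3544 was decapsulated. A sensor that stops at the outer header logs two protocol-41 datagrams and one UDP flow and nothing else.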
IPv6 is called out unfairly here. Any kind of tunnel is potentially not handled by an IDS.
There's better ways to exfiltrate data. VPN anyone?
netsh interface teredo set state disabled
netsh interface isatap set state disabled
netsh interface 6to4 set state disabled
These IPv6 tunnels are worse than useless in my experience.
Windows HomeGroup depends on IPv6 being present, and some other users of the machines I use find it useful, so it can't be disabled all the time, but at least it's not trying to tunnel out. When (though it's still rare) the network has IPv6 connectivity, it also has IPv6 firewalls, so it's less of an issue as well.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
This happens when you have a baby-boomer tech employee who refuses to retire. You let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds, but unless it's from the vendor that bought him steak and told him he was a real straight shooter, he's not going out of his lane to potentially fail at this point in his career, or learn something new.
That's nice, but we have newly graduated kids from top-tier schools coming in that couldn't tell you the first thing about IPv6. They know it exists, and that's about the extent of it.
> this happens when you have a baby-boomer tech employee who refuses to retire
That happens when anybody is not much interested in exploring newer technologies; actually I'd put more trust in a network specialist baby boomer who still lives off the industry, and who experienced the multiple changes since the 70s.
I wonder how much of this is from win to denying that IPv6 is coming and not doing the homework and proper security analysis?
Jumpstart the tartan drive.
It goes well beyond the boomers. v6 has been around for TWENTY years and TFA is calling it "new". The kids coming out of school now seem to think of it as "new" as well. Even XP supports v6, just how new could it be? Before you cast too many stones at the boomers, remember you seem to have been asleep for 10 years yourself. By the time you noticed this v6 thing, I was running dual stack at home so I could get familiar with it.
This from the same industry that gushes over every new application framework that offers no tangible benefits over the old framework and will probably be yesterday's news by the time an actual project can be completed. Where are all those much younger network guys pushing for a v6 initiative? For God's sake, Comcast beat them to v6!
IPv6 transition mechanisms
IPv6 has been around nearly a decade. Any company that doesn't have a competent dual-stack implementation deserves what they get. That having been said, the number of vendors that recoil in shock and horror when you ask if they can route, or even support, IPv6 is amazing.
The truly terrifying thing is the amount of otherwise competent and knowledgeable IT professionals who are utterly terrified of IPv6 and get elevated blood pressure whenever it's mentioned.
There's a whole generation of IT pros who have come to believe that NAT is the solution to almost all of their security issues, and have no use for port-blocking firewalls or defense in depth. It wasn't that long ago that desktop workstations often had Internet-routable IP addresses and you had to have actual firewalls on the front end and inside as well.
Nowadays they run their webserver in an RFC1918 range and use DNAT to send the traffic into it, thinking this is more secure than having a firewall and, when they look at IPv6, they see this security blanket as being taken away from them and they retreat into their shells.
In the free world the media isn't government run; the government is media run.
I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.
Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).
Let me guess, you use DNAT extensively?
I just deactivate IPv6 on all dual-stack machines; that should fix this (and a lot more issues that the idiot who implemented IPv6-first, instead of using it only if no IPv4 is available, created).
I can use the entire 10.x.y.z range internally; that's more IPs than I'll ever need.
Automatic transition mechanisms are beyond useless in today's dual-stack world. They are not now, nor will they ever be, sufficiently reliable for production use, and are therefore universally ignored for purposes other than owning end users. Microsoft themselves shut down their own Teredo servers, the stated reason being non-existent demand.
The only thing continuing to have Teredo, ISATAP and 6to4 enabled by default on billions of machines does is help end users get owned.
Can I put this to use to clone a mesh network for private communications?
It little behooves the best of us to comment on the rest of us.
It is great to hear you have enough IPv4 addresses. What happens when you want to communicate with someone who happens to be less fortunate?
Speaking for myself, restoring the Internet to a viable network of PEERs where everyone has the capability, if desired, to directly address everyone else is of utmost importance to countering the proliferation of centralized manure currently waging war against *my* Internet.
IPv6 is well worth any initial hardship or annoyance. Even if everyone hides behind an SPI anyway the ability to trivially prime direct connections with a 1:1 map is an absolutely priceless capability by itself without getting to global costs of dealing with IPv4 scarcity or people being forced into CGN land.
Takes two to Tango.
That's going to blow up in spectacular fashion as soon as v6 only sites start popping up that you or your employer care about (there are v6 only sites now, but mostly not targeted at English speakers).
Yep, learned about it in college in '98 and how it was going to be the next big thing and rolled out quickly. Took its time though but it's here to stay.
> Speaking for myself restoring the Internet to a viable network of PEERs where everyone has
> the capability if desired to directly address everyone else is of upmost importance to countering
> the proliferation of centralized manure currently waging war against *my* Internet.
I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me attitude". I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.
> IPv6 is well worth any initial hardship or annoyance. Even if everyone hides
> behind an SPI anyway the ability to trivially prime direct connections with
> a 1:1 map is an absolutely priceless capability by itself without getting to global
> costs of dealing with IPv4 scarcity or people being forced into CGN land.
I hope somebody comes out with a NAT'ing IPv6 ADSL router that NATs multiple machines behind it to one publicly visible address. It'll be worth it just to watch all those internet hippies' heads explode.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
> I just deactivate IPv6 at all dual stack machines, that should fix this...
Wrong. If your ISP doesn't support IPV6, you can still get IPV6 via a "tunnel broker". Packets get tunnelled over an encrypted connection to IPV6-land. I know this is Slashdot, but please RTFA https://www.itnews.com.au/news...
> The researchers developed proofs of concept with tunnel-based IPv6 transition tools over
> IPv4-only, or IPv4/IPv6 dual-stack networks, that were able to pass traffic undetected by
> common network intrusion detection systems (NIDS) such as Snort, Suricata, Bro and Moloch.
1:many NAT is *LESS* secure than SPI. NAT requires added complexity to support ALGs, packet mangling and tolerance of ambiguous assumptions about application state.
> this happens when you have a baby-boomer tech employee who refuses to retire. you let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds.
So, in your world, young people with no experience in deploying networking will use
their "more competent and open minds" to do a job that older workers cannot,
even though the older worker has been aware of IPv6 for nearly as long as the
younger people have been alive. Because, you know, they are older.
Fuck You, you ageist piece of shit.
I hope someone sues your company into fucking oblivion.
It's one of those protocols hardly anyone uses relative to IPv4. You can turn it off on your system and everything runs just fine. It doesn't matter how old it is, but the "neck massager" was never really meant for your neck. Know what I mean ;) ? It was new and was supposed to be able to handle more web addresses. Cloud computing is getting worse, so maybe it'll get its use when we all have servers in our houses or maybe in our phones. You never know anymore. I still say cloud computing will destroy open source.
XP actually didn't support IPv6 out of the box: that support had to be added later.
Saying that IPv6 is 20 years old is misleading, given that only recently have enterprises accelerated their moves to this protocol, and also, a lot of changes happened in the IPv6 spec over that time (e.g. the deprecation of IPv4-compatible addresses).
Just because something works doesn't mean that it scales. When you are unable to add any new boxes to the network, or when your ISP ultimately pulls IPv4 support due to the address shortage, the only thing that would be working perfectly would be your intranet - your 192.168 network
Reading the summary, since the issue is regarding IPv6 packets that are undetected on an IPv4 network that's unaware of the protocol, it'll only make it easier for IPv6 to be a disguised carrier of attack vectors
XP supported it out of the box. You had to enable it but the code was installed on the box when it was delivered.
I've been writing and shipping applications that support IPv6 for nearly 20 years now. I've been using IPv6 from home for 15 years now.
Work has been operating servers reachable by the public over IPv6 for longer still.
Amazingly one reason some people are looking at IPv6 is that they are out of private IPv4 addresses in their CGN (carrier grade NAT) setups. Apparently mobile phone companies are hitting this.
NAT is not security, it's a placebo, and it's still subject to NAT traversal attacks.
Also IPv6 can do NAT (eg. you can use it for a transparent proxy) and there are routers that let you define your own firewall rules so that cheap ADSL router with NAT is already available - so you can do it, just don't assume that NAT is going to keep anyone other than the honest out.
I hope the idea of IPV6 NAT gets taken out back and shot. NAT has been the single most pain in the ass thing to network gaming since forever.
I don't know how much time I've wasted trying to troubleshoot why certain people can't connect to our gaming session. Most of the time it's because of NAT. And when they can connect to the game, the audio chat still doesn't work. Grrrrrr.
Then there's people who have multiple consoles and want to play the same game together online. One of them can and the other can't because the ports are taken.
IPV6 will get rid of all that crap but not if people use NAT or are forced to use NAT by their ISP.
The only thing NAT gives you on IPV6 is protection if you disable the deny inbound for all machines rule. All that router manufacturers have to do is make sure that can't be disabled on a consumer device. Only UPnP and inbound rules for static IP hosts would then be the way to allow inbound, just like with IPV4+NAT.
Actually, it did. It wasn't configured out of the box until SP2 or 3, but you could configure it if you wanted from day 1. The protocol driver was on the install disk.
V4 has changed as much as v6 has over the years. For example, source routing and source quench went away. Congestion control has changed a good bit.
The fact that enterprises have only recently gotten interested in v6 just means they were asleep at the switch for a long time. They jumped on every flavor of the month they could find while ignoring the one thing that was nearly certain to be around for the long haul.
Any security NAT can give you can easily be implemented in v6 with a few simple rules.
Nope. No NAT. Real, public IPv4 IPs. Yes, the allocation is unfair.
I have returned a bunch of IPs (some /24s and some /26s or something) to the organization's pool (which is much larger than /24) as we've consolidated some things, but as far as I know there's no chance of those IPs going back to public use. In the grand scheme of things, a few hundred IPs for public allocation won't help much. Now, IBM on the other hand, with its /8 assignment...
Repeat after me: NAT is *not* a security mechanism. If you think it protects you, you are a fool.
NAT is not a security mechanism, but it provides useful security by preventing hosts from having publicly routable IPs when they simply don't need them.
It's an additional layer on top of a firewall which may or may not actually be configured properly (or actually work). Think of the tens of millions of home users who have a crappy modem/router combo device managed by their ISP.
Useful security? How many times have you seen "just put it in the DMZ" as a solution to many connectivity issues NAT causes? There goes their supposed security.
Windows 10 enables the tunnel mechanisms by default.
And has no easy way to turn them off.
Yeah, you can remove IPv6 from the network card, but are you so daft that you think it actually removes this threat? Hahahaha. Of course not. You have to go into the registry to disable IPv6, and of course they will reset it on update, because fuck you, that's why. And disabling any IPv6 support entirely wouldn't help either if the offending software gets to write its own Ethernet packets (though that's more complicated than some PowerShell script. Oh yeah, don't try disabling PowerShell either, it will break half the system, because again, fuck you).
of course, if you can't turn off the iot mesh shit either then why worry about this.
world was created 5 seconds before this post as it is.
If all the unused /8's were returned, that would get us a few more months at most.
In Soviet Russia the insensitive clod is YOU!
What does me reading something on the internet have to do with my friends???
That was more of a rhetorical question. I was hoping you had seen it. Regardless, the advice is out there and it's being put to use. The routers have that feature and their websites have the instructions on how to use it. I have seen it recommended when upnp and port forwarding fail to work for whatever reason. I've had upnp stop working mysteriously many times.
But that doesn't matter. It's a very common built in feature that will completely bypass the supposed protection from NAT and every other firewall protection feature of the router.
My point is that NAT doesn't give any more protection than the firewall does. And the DMZ is the easiest way to bypass both of them. So NAT doesn't protect the user from themselves.
Right now the DMZ can only have one device in it. That's mainly because people only have one external IPv4 address. No such restriction with IPv6 when end users can get /64s. And end users tend to take the path of least resistance. "My skype, game, whatever doesn't work", "DMZ the computer!"
NPT is 1:1, which doesn't have all but one of the issues that 1:many NAT has. There's no port rewriting, no stateful packet inspection, etc. The only issue is if the internal host needs to tell an external host its IP address. Incoming using DNS would have no issues.
NPT does not block incoming connections like regular NAT does. This is because 1:many NAT has no idea where to send incoming without an explicit rule. NPT which is 1:1 does know where to send incoming connections because each external IP is routed to the appropriate internal IP.
So you still need a firewall with NPT.
No.
> This is because 1:many NAT has no idea where to send incoming without an explicit rule.
A lot of people think this, but it's not true. Your router knows perfectly well where to send the packet, because the packet has a dest address field in the header that tells it where to send it.
Now, it is true that if your network is using RFC1918 addresses (which I note isn't actually a requirement for NAT) then it's quite hard to send your router a packet with one of those addresses in the dest field... but your ISP could do it easily, and of course so could anybody else in a position to twist your ISP's arm until they cooperate. If they do, your router will happily route those packets on to their destination, unless you also have a firewall in place that drops them.
In other words: if you want a firewall, you need a firewall. NAT is no substitute.
RFC 6598 -- http://tools.ietf.org/html/rfc...
XP has an IPv6 stack, but I wouldn't go so far as to say it "supports v6". It only supports SLAAC. (Pinning a static address is a pain in the ass, and doesn't always survive a reboot.) There is zero GUI integration for managing it. The OS will not use it for its own internal processes (namely DNS.) And Microsoft has never officially supported it.
It's also so hopelessly out-of-date, it only barely works. Very little of what is considered IPv6 today is supported.
"every flavor"? You mean NAT? Shit we've all been using since the mid-90s? ISPs have been grasping at straws because they can't get any more v4 addresses, and still have to connect a growing number of users to the v4 internet. (and develop v6 CPE hardware and infrastructure, AND still get the v6 only connected to the v4 internet.) And their answer has been NAT as well; just on a scale beyond reason.
Those professionals hate it because it's a constantly moving target. If IPv6 were one thing to implement, ONCE, they'd've done it long ago. However, that's not the case. Even today, it's a constantly changing ball of shit.
IPv6 is a different way to doing things. NAT does involve a "firewall" -- 'tho it's unlikely to be watching traffic with an eye to security. With IPv6, security is not automatic; firewall rules have to be manually crafted.
Don't blame M$ and Google for what was a basic, founding tenet of IPv6... "None of this bullshit NAT!" And from a second chair in the room, "yeah, and none of this G** D*** DHCP!" By the time we get around the room, IPSec (think all of OpenSSL) had been glued into the protocol. Many hard lessons completely unlearned: SLAAC, RAs, multicast DNS, etc.
If you want something to blame on Google, ask them why Android doesn't support DHCPv6.
[On the subject of SLAAC: this wasn't such a bad idea on the surface. However, the types of limited machines SLAAC specifically called out were *NEVER* going to be able to run anything close to a standards compliant IPv6 stack. It's a very stupid optimization once all the other designed-by-committee bullshit was stapled together. And worse, to date it has simply cemented the completely anti-IPv6 mindset of 64/64 network/host divide. So much so, that Stupid(tm) has been built into silicon!]
Hell, Windows XP enables them by default. (once IPv6 is installed)
#1 - Wrong. This is often trotted out, but an outsider cannot find every machine on your network with just the prefix or a single address. Once inside your network (compromised host), it's possible, but far from dirt simple.
#2 - It's as tested as anything else.
#3 - True, but you can attack anything that has a NAT map as well. And this is partially why privacy extensions exist (your address changes regularly)
#4 - Wrong. This was a basic requirement of early IPv6 standards. It's now "optional", but present in many stacks.
#5 - I'd say it's "full assed" by the few ISPs that bother to offer it at all.
You are correct. I was referring to NAT + RFC1918 when I said that it doesn't know where to send incoming packets (originally sent to the public IP). That's the mechanism that creates the pseudo-security of NAT.
As you said, using routable addresses on the inside does not trigger this. Without a firewall they can go direct. Same with NPT and routable addresses on the inside.
Yes, ISPs can send to you using RFC1918. If you're using a tunnel broker for IPv6 that can be intercepted without ISP help and IPv4 injected that way (6to4, IPv4 compatible addresses, IPv4 mapped addresses). I have my firewall blocking all those.
I agree, NAT is not a substitute for a firewall. NAT is also a waste of resources and causes problems when used with routable addresses behind a firewall. People keep saying that it protects you if your firewall is misconfigured. There are so many ways to get around NAT when the firewall is broken that it's a naive view to have.
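Several comments in this thread describe an IPv6 edge policy without writing it down: a "deny inbound for all machines" rule, the "few simple rules" that replace whatever NAT gave you, and a firewall that blocks 6to4, IPv4-compatible and IPv4-mapped addresses. The Python below is an added example, not from any commenter: it classifies an IPv6 address by the transition mechanism it belongs to, extracts the IPv4 address those mechanisms embed (useful when an alert shows only the IPv6 side), and emits an illustrative nftables ruleset with the default-deny-inbound posture. The nft text is my assumption about the syntax and has not been loaded on a box here; `eth0` and the test addresses are constructed values.

```python
import ipaddress

# Prefixes that only transition mechanisms use. ISATAP has no prefix of its own and is
# recognised by its interface identifier instead (see transition_kind).
TRANSITION_PREFIXES = {
    "6to4":            ipaddress.ip_network("2002::/16"),
    "Teredo":          ipaddress.ip_network("2001::/32"),
    "IPv4-mapped":     ipaddress.ip_network("::ffff:0:0/96"),
    "IPv4-compatible": ipaddress.ip_network("::/96"),   # deprecated by RFC 4291, still parsed by stacks
}
# Unspecified and loopback sit inside ::/96 but are not tunnel addresses.
NOT_TUNNELS = {ipaddress.IPv6Address("::"), ipaddress.IPv6Address("::1")}


def transition_kind(addr):
    """Name the transition mechanism an IPv6 address belongs to, or None for a native address."""
    a = ipaddress.IPv6Address(addr)
    if a in NOT_TUNNELS:
        return None
    for name, net in TRANSITION_PREFIXES.items():
        if a in net:
            return name
    iid = int(a) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:      # 0000:5efe:<IPv4>, or 0200:5efe with the u/l bit
        return "ISATAP"
    return None


def embedded_ipv4(addr):
    """The IPv4 address a transition-mechanism address encodes (the client for Teredo), or None."""
    a = ipaddress.IPv6Address(addr)
    kind = transition_kind(addr)
    if kind == "6to4":
        return str(a.sixtofour)
    if kind == "Teredo":
        return str(a.teredo[1])          # (server, client); the client bits are stored inverted
    if kind == "IPv4-mapped":
        return str(a.ipv4_mapped)
    if kind in ("IPv4-compatible", "ISATAP"):
        return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))
    return None


def nft_ruleset(wan="eth0"):
    """Illustrative nftables input policy for a dual-stack edge (assumed syntax, not loaded here):
    default deny inbound, keep ICMPv6 (NDP, PMTUD) working, and drop transition traffic both
    in its tunnelled form (protocol 41, UDP/3544) and when it arrives as native-looking IPv6."""
    # ::/96 is left out of the address set because :: is a legitimate source for DAD and DHCPv6.
    drop_set = ", ".join(str(n) for k, n in TRANSITION_PREFIXES.items() if k != "IPv4-compatible")
    return "\n".join([
        "table inet edge {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    meta l4proto ipv6-icmp accept",
        f'    iifname "{wan}" ip protocol 41 drop',
        f'    iifname "{wan}" udp dport 3544 drop',
        f"    ip6 saddr {{ {drop_set} }} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for sample in ("2002:c000:20a::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "fe80::5efe:a00:5", "::ffff:192.0.2.1", "2001:db8::1"):
        print(sample, transition_kind(sample), embedded_ipv4(sample))
    print(nft_ruleset())
```

Two caveats a practitioner would want with this posture. First, `ip6 saddr 2002::/16 drop` and the Teredo prefix drop refuse legitimate peers who only have 6to4 or Teredo connectivity; that is the trade the commenter who "has my firewall blocking all those" is making, and it should be a conscious one. Second, the `policy drop` on the input chain reproduces what NAT gave you only because the ICMPv6 accept line is there: without it, neighbour discovery and path MTU discovery break and the "IPv6 doesn't work" reports start.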
I mean every flavor of everything. CASE tools, XML, CORBA, Ruby on Rails, Java, a zillion management fads, you name it, as soon as some exec read about it while waiting for tee time, it became a must have. Except for IPv6 apparently.
But I agree the extremes they're going to to avoid just going with v6 are silly at the least. Personally, I would love to just go with v6 so I can get enough addresses allocated without submitting my last colonoscopy and the opinions of 3 or more fortune tellers, but it's just not a great option if nobody can reach it.
Consider, XP itself is hopelessly out of date and unsupported. Since XP was for workstations (not servers), SLAAC made plenty of sense (and it still does).
Notably, if v6 was enabled and it didn't get a router announcement, it would auto-configure Teredo.
Basically, it worked well enough to meaningfully operate in a dual stack environment. It would not work in a v6 only environment.
So no excuses there, the capability existed.