Slashdot Mirror


Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au)

"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found." Slashdot reader Bismillah summarizes a report from IT News. Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog."

16 of 113 comments

  1. this is not an ipv6 specific issue by Anonymous Coward · · Score: 5, Informative

    IPv6 is called out unfairly here. Any kind of tunnel is potentially not handled by an IDS.

    There's better ways to exfiltrate data. VPN anyone?

    1. Re:this is not an ipv6 specific issue by phayes · · Score: 4, Interesting

      VPNs aren't set up and enabled by default on Windows machines the way Teredo, 6to4 and ISATAP are.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  2. First thing I change on Win devices I use by phayes · · Score: 4, Informative

    netsh interface teredo set state disabled
    netsh interface isatap set state disabled
    netsh interface 6to4 set state disabled

    These IPV6 tunnels are worse than useless in my experience.

    Windows Homegroup depends on IPV6 being present & some other users of the machines I use find it useful, so it can't be disabled all the time, but at least it's not trying to tunnel out. When (though it's still rare) the network has IPV6 connectivity it also has IPV6 firewalls, so it's less of an issue as well.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    1. Re: First thing I change on Win devices I use by phayes · · Score: 4, Informative

      Turning off IPV6 in your router will turn off native IPV6 routing but that's not the issue here. The problem is that Windows in particular sets up three different means of tunnelling IPV6 in IPV4. Turning off IPV6 in your router will do nothing for these and you need to turn off Teredo, 6to4 and ISATAP on every Windows machine.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    2. Re:First thing I change on Win devices I use by phayes · · Score: 2

      When IPV6 is configured on a Windows machine and it is getting & attempting to use AAAA DNS records, resulting in 30 second timeouts, that's when I disable IPV6: http://blogs.cisco.com/enterpr...

      Yeah, it's the client's network that "should" be fixed, but I've given up tilting at windmills. I'll just tell them that their IPV6 is messed up, disable IPV6 on the server with the issues, getting rid of the timeouts, and move on.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  3. Re:give me a break. by Anonymous Coward · · Score: 2, Interesting

    this happens when you have a baby-boomer tech employee who refuses to retire. you let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds, but unless it's from the vendor that bought him steak and told him he was a real straight shooter, he's not going out of his lane to potentially fail at this point in his career, or learn something new.

    That's nice, but we have newly graduated kids from top-tier schools coming in that couldn't tell you the first thing about ipv6. They know it exists, and that's about the extent of it.

  4. Re:give me a break. by sjames · · Score: 4, Interesting

    It goes well beyond the boomers. v6 has been around for TWENTY years and TFA is calling it "new". The kids coming out of school now seem to think of it as "new" as well. Even XP supports v6, just how new could it be? Before you cast too many stones at the boomers, remember you seem to have been asleep for 10 years yourself. By the time you noticed this v6 thing, I was running dual stack at home so I could get familiar with it.

    This from the same industry that gushes over every new application framework that offers no tangible benefits over the old framework and will probably be yesterday's news by the time an actual project can be completed. Where are all those much younger network guys pushing for a v6 initiative? For God's sake, Comcast beat them to v6!

  5. Re:give me a break. by myowntrueself · · Score: 3, Informative

    IPv6 transition mechanisms

    ipv6 has been around nearly a decade. any company that doesn't have a competent dual-stack implementation deserves what they get. that having been said the number of vendors that recoil in shock and horror when you ask if they can route, or even support ipv6 is amazing.

    The truly terrifying thing is the amount of otherwise competent and knowledgeable IT professionals who are utterly terrified of IPv6 and get elevated blood pressure whenever it's mentioned.

    There's a whole generation of IT pros who have come to believe that NAT is the solution to almost all of their security issues, have no use for port blocking firewalls or defense in depth. It wasn't that long ago that desktop workstations often had Internet routable IP addresses and you had to have actual firewalls on the front end and inside as well.

    Nowadays they run their webserver in an RFC1918 range and use DNAT to send the traffic into it, thinking this is more secure than having a firewall and, when they look at IPv6, they see this security blanket as being taken away from them and they retreat into their shells.

    --
    In the free world the media isn't government run; the government is media run.
  6. Re:give me a break. by myowntrueself · · Score: 2

    I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.

    Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).

    Let me guess, you use DNAT extensively?

    --
    In the free world the media isn't government run; the government is media run.
  7. Re:give me a break. by johanw · · Score: 3, Funny

    I can use the entire 10.x.y.z range internally, that's more IPs than I'll ever need.

  8. Microsoft must stop by WaffleMonster · · Score: 2

    Automatic transition mechanisms are beyond useless in today's dual stack world. They are not now nor will they ever be sufficiently reliable for production use and therefore universally ignored for purposes other than owning end users. Microsoft themselves shut down their own teredo servers due to the stated reason of non-existent demand.

    The only thing continuing to have teredo, isatap and 6to4 enabled by default on billions of machines does is help end users get owned.

  9. Re:give me a break. by WaffleMonster · · Score: 2

    I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.

    Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).

    It is great to hear you have enough IPv4 addresses. What happens when you want to communicate with someone who happens to be less fortunate?

    Speaking for myself, restoring the Internet to a viable network of PEERs where everyone has the capability if desired to directly address everyone else is of utmost importance to countering the proliferation of centralized manure currently waging war against *my* Internet.

    IPv6 is well worth any initial hardship or annoyance. Even if everyone hides behind an SPI anyway the ability to trivially prime direct connections with a 1:1 map is an absolutely priceless capability by itself without getting to global costs of dealing with IPv4 scarcity or people being forced into CGN land.

    Takes two to Tango.

  10. Re:give me a break. by sjames · · Score: 2

    That's going to blow up in spectacular fashion as soon as v6 only sites start popping up that you or your employer care about (there are v6 only sites now, but mostly not targeted at English speakers).

  11. It affects IPV4-only machines too by knorthern+knight · · Score: 2

    > I just deactivate IPv6 at all dual stack machines, that should fix this...

    Wrong. If your ISP doesn't support IPV6, you can still get IPV6 via a "tunnel broker". Packets get tunnelled over an encrypted connection to IPV6-land. I know this is Slashdot, but please RTFA https://www.itnews.com.au/news...

    > The researchers developed proofs of concept with tunnel-based IPv6 transition tools over
    > IPv4-only, or IPv4/IPv6 dual-stack networks, that were able to pass traffic undetected by
    > common network intrusion detection systems (NIDS) such as Snort, Suricata, Bro and Moloch.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
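    The thread's point (comments 2 and 11) is that Teredo, 6to4, ISATAP and broker tunnels carry IPv6 inside IPv4 that a NIDS may never decapsulate. The following is an added example, not code from the thread or the researchers' paper: it parses raw IPv4 packets, flags protocol 41 (6to4, ISATAP, plain 6in4) and UDP port 3544 (Teredo), and pulls out the inner IPv6 addresses. All packets are constructed test data; the header builders and Teredo handling are simplified (no checksums, no Teredo indicator headers).

```python
"""Added example, not from the thread or the researchers' paper: flag IPv6-in-IPv4
transition traffic in raw IPv4 packets (protocol 41 for 6to4/ISATAP/6in4, UDP 3544
for Teredo) and decapsulate the inner IPv6 addresses. All packets are constructed."""
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6, TEREDO_PORT = 17, 41, 3544

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left zero) for test packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def udp(sport, dport, payload):
    """Minimal UDP header (checksum left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ipv6(src, dst, next_hdr=58):
    """Minimal 40-byte IPv6 header; next header 58 = ICMPv6."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_hdr, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def inner_addrs(ip6):
    """Source and destination of an IPv6 header as strings."""
    return (str(ipaddress.IPv6Address(ip6[8:24])),
            str(ipaddress.IPv6Address(ip6[24:40])))

def classify(pkt):
    """Return (mechanism, inner_src, inner_dst) for tunnelled IPv6, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    body, proto = pkt[(pkt[0] & 0x0F) * 4:], pkt[9]
    if proto == PROTO_IPV6 and len(body) >= 40:
        src, dst = inner_addrs(body)
        packed = ipaddress.IPv6Address(src).packed
        if packed[:2] == b"\x20\x02":                      # 2002:V4ADDR::/48
            return "6to4", src, dst
        if packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):  # ::0:5efe:V4ADDR
            return "isatap", src, dst
        return "6in4", src, dst                            # configured/broker tunnel
    if proto == PROTO_UDP and len(body) >= 48:
        sport, dport = struct.unpack("!HH", body[:4])
        # Teredo: IPv6 packet directly after UDP/3544 (indicator headers not handled)
        if TEREDO_PORT in (sport, dport) and body[8] >> 4 == 6:
            return ("teredo",) + inner_addrs(body[8:])
    return None
```

    Feed classify() the raw frames of a capture after stripping the link layer; anything it returns on an IPv4-only network is traffic the IPv4 rule set never inspected.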
  12. Re:give me a break. by cstacy · · Score: 2

    this happens when you have a baby-boomer tech employee who refuses to retire. you let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds.

    So, in your world, young people with no experience in deploying networking will use
    their "more competent and open minds" to do a job that older workers cannot,
    even though the older worker has been aware of IPv6 for nearly as long as the
    younger people have been alive. Because, you know, they are older.

    Fuck You, you ageist piece of shit.
    I hope someone sues your company into fucking oblivion.

  13. Re:IPv6 by marka63 · · Score: 2

    The only reason people can "turn it off and everything runs just fine" is that you have been paying extra to your ISP to pay for the CGN boxes to keep IPv4 limping along well past the time when everyone should have been off it.

    Sane ISPs know that they don't want to run CGN boxes. They are expensive and increase the amount of logging that needs to be kept for law enforcement purposes. They also break functionality on which some of the customers depend.

    Sane ISPs enable IPv6 as it takes load off the CGN boxes. A typical household with IPv6 enabled sees around 60% of the traffic happening over IPv6, with the percentage increasing every day as CDNs turn on IPv6 support.