Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Stupid Little IPv6 Tricks SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Stupid Little IPv6 Tricks

With the IPv6 Summit on Friday, various IPv6 related topics are of course on my mind. So I figured to put together a quick laundry list of "stupid little IPv6 tricks/topics". Let me know what issues you are running into as well:

1 - Proxies 

Right now, many web sites use proxies to provide IPv6 access. The result is some "interesting" behaviour that you may experience:

  • The IPv6 version of the site may be out of date because the proxy cached it.
  • The IPv6 version may use a different certificate (see an earlier story about this).
  • A site may be down via IPv6 (because of a proxy problem) but up via IPv4.
  • The actual web application isn't coded to look at the Forward-For or similar header, so it has no idea where you are comming from and you run into rate limits.

2 - Extension Headers

Security devices still have issues with extension headers. They may miss attacks, or just misinterpret packets.

  • IDSs will not reassemble sessions correctly as they do not know if a packet will be dropped or not.
  • Firewalls may block packets (or let them pass) as they can't figure out the protocol.
  • Packet analysis tools will give you the wrong interpretation of a packet.

3 - Log Analysis / Address Interpreation

I still see log analysis tools that at first sight seem to work fine with IPv6, but they don't "normalize" the addresses, meaning that 2001:db8::1 is not considered equal to 2001:0db8::1 or 2001:0db8:0000:0000:0000:0000:0000:0001.

4 - Spam

Probably the most common IPv6 "attack" I see is spam, probably by accident (both ends happen to support IPv6) but it works quite well as there are still no real block list for IPv6.

5 - Portscans

So far, we see pretty much no port scans on IPv6 (which is kind of good ;-) ). It is still a decent idea to "hide" an SSH server in IPv6 space. 

BTW: Don't forget that we are now able to accept IPv6 firewall logs, not just IPv4!

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS London August 2021

 Johannes

4193 Posts
ISC Handler
Jun 12th 2013
Thread locked Subscribe Jun 12th 2013
8 years ago

Sign Up for Free or Log In to start participating in the conversation!