Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: InfoSec Handlers Diary Blog - Stupid Little IPv6 Tricks InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Stupid Little IPv6 Tricks

Published: 2013-06-12
Last Updated: 2013-06-12 22:12:51 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

With the IPv6 Summit on Friday, various IPv6 related topics are of course on my mind. So I figured to put together a quick laundry list of "stupid little IPv6 tricks/topics". Let me know what issues you are running into as well:

1 - Proxies 

Right now, many web sites use proxies to provide IPv6 access. The result is some "interesting" behaviour that you may experience:

  • The IPv6 version of the site may be out of date because the proxy cached it.
  • The IPv6 version may use a different certificate (see an earlier story about this).
  • A site may be down via IPv6 (because of a proxy problem) but up via IPv4.
  • The actual web application isn't coded to look at the Forward-For or similar header, so it has no idea where you are comming from and you run into rate limits.

2 - Extension Headers

Security devices still have issues with extension headers. They may miss attacks, or just misinterpret packets.

  • IDSs will not reassemble sessions correctly as they do not know if a packet will be dropped or not.
  • Firewalls may block packets (or let them pass) as they can't figure out the protocol.
  • Packet analysis tools will give you the wrong interpretation of a packet.

3 - Log Analysis / Address Interpreation

I still see log analysis tools that at first sight seem to work fine with IPv6, but they don't "normalize" the addresses, meaning that 2001:db8::1 is not considered equal to 2001:0db8::1 or 2001:0db8:0000:0000:0000:0000:0000:0001.

4 - Spam

Probably the most common IPv6 "attack" I see is spam, probably by accident (both ends happen to support IPv6) but it works quite well as there are still no real block list for IPv6.

5 - Portscans

So far, we see pretty much no port scans on IPv6 (which is kind of good ;-) ). It is still a decent idea to "hide" an SSH server in IPv6 space. 

BTW: Don't forget that we are now able to accept IPv6 firewall logs, not just IPv4!

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6
0 comment(s)
Diary Archives