[ipv6hackers] IPS/WAF and combined IPv6-IPv4 attacks

Marco Ermini marco.ermini at gmail.com
Thu Aug 15 13:33:00 CEST 2013


Maybe I can share some experiences about that.

The majority of *commercial* IPS and WAF vendors support IPv6 in
dual-stack. So they would catch signatures or application behaviours when
sent via IPv6.

What I have seen so far is that the majority of security suppliers - and I
am also including firewall and NGFW vendors - do not support things like
extension headers or chained headers or prefix verifications or invalid
addresses in specific network segments, and so on. They can eventually do
it with additional signatures, but don't have them "in stock".

Reconstructing an HTTP flow on IPv6 is not more difficult than with IPv4 -
I could even think it may be easier in many circumstances.

Another thing I found is that basically no one supports signatures inside
IPv6 tunnelled protocols. One of the first things I took care of in my
company is to actually forbid that - IPv6 is only by dual stack; it
actually required upgrading some WAN components (think about MPLS routers
not supporting IPv6...) but we eventually did it.

I was actually also surprised to find that many vendors did not actually
have anything "off the shelf" to prohibit these tunnels. I didn't expect
them to find an exploit inside a Teredo tunnel, but I would have expected
them to be able to actually simply block one. Some vendors required creation
of a specific signature for that.

We are running an RFP against the major firewall vendors and I have
actually included many IPv6 requirements, which have profited generously
from Fernando's RFCs and RFC drafts and other material (thanks for that
:-)). If I have time I will try to "clean" it of company references and
other commercially sensitive information and maybe "normalise" it for
sharing - if I have time, sorry, I am changing my job and moving city in
this period so I am a bit busy :-P


Cheers



On 22 July 2013 11:53, ZAMANI Omar <Omar.ZAMANI at solucom.fr> wrote:

> Hello everybody!
>
> Following my IPv6 security investigations, I'm looking at a particular
> breed of attacks: those that combine IPv4 and IPv6.
>
> I don't know if such attacks are very common, but I was thinking that
> now that we have two network protocols working, some attacks targeting
> the application layer may choose to alternate for example IPv4
> encapsulated HTTP requests and IPv6 encapsulated HTTP requests in order
> to fly under the radar. For such attacks to succeed, WAFs and IPS must
> be designed to analyze IPv4 and IPv6 traffic independently as two
> different streams even at the application layer.
>
> Is that the case of the available solutions on the market? Has the
> hacker community ever tried to achieve an attack of this kind?
>
> Thank you for your replies.
>
> Omar ZAMANI
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>



-- 
Marco Ermini
root at human # mount -t life -o ro /dev/dna /genetic/research
http://www.linkedin.com/in/marcoermini
"Jesus saves... but Buddha makes incremental back-ups!"
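Marco's point that vendors had nothing "off the shelf" to simply block IPv6 tunnels is the kind of gap a home-grown check can cover. The following is an added example, not code from the thread or from any vendor: a small Python parser that flags raw IPv4 packets carrying 6in4 (IP protocol 41, RFC 4213) or Teredo (UDP port 3544, RFC 4380) encapsulated IPv6, exercised on constructed sample packets that use documentation address ranges.

```python
# Added example (not from the thread): flag IPv4 packets carrying tunnelled IPv6.
import struct

IPPROTO_IPV6 = 41     # 6in4: IPv6 carried directly inside IPv4 (RFC 4213)
IPPROTO_UDP = 17
TEREDO_PORT = 3544    # Teredo server/relay UDP port (RFC 4380)

def _teredo_ipv6_offset(payload):
    """Skip optional Teredo auth (0x0001) / origin (0x0000) indications; return inner IPv6 offset or None."""
    off = 0
    for _ in range(2):                # at most one of each indication
        if len(payload) - off < 4:
            return None
        ind = struct.unpack_from("!H", payload, off)[0]
        if ind == 0x0001:             # auth: 4 + id_len + au_len + nonce(8) + confirm(1)
            id_len, au_len = payload[off + 2], payload[off + 3]
            off += 4 + id_len + au_len + 9
        elif ind == 0x0000:           # origin indication is a fixed 8 bytes
            off += 8
        else:
            break
    if len(payload) - off >= 40 and payload[off] >> 4 == 6:
        return off
    return None

def classify_tunnel(pkt):
    """Return '6in4', 'teredo' or None for one raw IPv4 packet (bytes from the IP header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                   # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        return "6in4"
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack_from("!HH", payload)
        if TEREDO_PORT in (sport, dport) and _teredo_ipv6_offset(payload[8:]) is not None:
            return "teredo"
    return None

def ipv4_hdr(proto, payload_len):
    """Minimal constructed IPv4 header (checksum left zero, RFC 5737 test addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))

# Constructed samples: a bare inner IPv6 header (next header 59 = "no next header")
INNER_V6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, b"\x20\x01\x0d\xb8" + b"\0" * 12,
                       b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\x01")
SAMPLE_6IN4 = ipv4_hdr(IPPROTO_IPV6, 40) + INNER_V6
UDP_HDR = struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + 8 + 40, 0)   # UDP len covers origin ind. + IPv6
SAMPLE_TEREDO = ipv4_hdr(IPPROTO_UDP, 56) + UDP_HDR + b"\x00\x00" + b"\0" * 6 + INNER_V6
```

Feeding each IPv4 packet from a capture through `classify_tunnel` gives a per-packet verdict that can back a block or alert rule where the vendor product has no built-in one.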


