[ipv6hackers] IPS/WAF and combined IPv6-IPv4 attacks

Merike Kaeo merike at doubleshotsecurity.com
Mon Jul 22 15:05:20 CEST 2013


This is something I've been socializing privately for a while - just asking folks if they've seen
or are even aware of these kinds of potential attempts to fly under the radar.  So far I have not
heard of anything that's been realized.

The IDS vendors all need more work.  

I didn't have time to reply earlier.  But did want to say that over
a year ago I tested a device that was really great at fuzzing and checking all kinds of IPv4 attacks.  They
'supported' IPv6 but when I asked for details they said they replaced the IPv4 headers with IPv6 and that
was it.   Hmmmmmm.....no testing with extension headers or anything else.  I expect most IDS vendors with signatures
do the same thing.

- merike

On Mon 22/07/13  2:53 AM , "ZAMANI Omar" <Omar.ZAMANI at solucom.fr> wrote:

> Hello everybody!
> Following my IPv6 security investigations, I'm looking at a particular
> breed of attacks: those that combine IPv4 and IPv6.
> I don't know if such attacks are very common, but I was thinking that
> now that we have two network protocols working, some attacks targeting
> the application layer may choose to alternate for example IPv4
> encapsulated HTTP requests and IPv6 encapsulated HTTP requests in order
> to fly under the radar. For such attacks to succeed, WAFs and IPS must
> be designed to analyze IPv4 and IPv6 traffic independently as two
> different streams even at the application layer. 
> Is that the case of the available solutions on the market? Has the
> hacker community ever tried to achieve an attack of this kind?
> Thank you for your replies.
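Added example, not part of the original thread or any vendor's code: a sketch of the detection gap discussed above, comparing a threshold rule that counts IPv4 and IPv6 sources as independent streams with one that correlates on an application-layer key. The session cookie as the correlation key, the threshold value and the log records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed records of failed logins: (source address, session cookie, path).
# Session "s-41" alternates between an IPv4 and an IPv6 source address.
SAMPLE = [
    ("192.0.2.10",   "s-41", "/login"),
    ("2001:db8::10", "s-41", "/login"),
    ("192.0.2.10",   "s-41", "/login"),
    ("2001:db8::10", "s-41", "/login"),
    ("192.0.2.10",   "s-41", "/login"),
    ("2001:db8::10", "s-41", "/login"),
    ("198.51.100.7", "s-77", "/login"),
    ("198.51.100.7", "s-77", "/login"),
]
THRESHOLD = 4  # assumed alert threshold per counting window


def family(addr):
    """Return 'v4' or 'v6' for a textual IP address."""
    return "v%d" % ipaddress.ip_address(addr).version


def per_family_alerts(records, threshold=THRESHOLD):
    """Count per (address family, source), i.e. two independent streams."""
    counts = Counter((family(src), src) for src, _sid, _path in records)
    return sorted(key for key, n in counts.items() if n >= threshold)


def correlated_alerts(records, threshold=THRESHOLD):
    """Count per session cookie, merging IPv4 and IPv6 sources."""
    counts = Counter(sid for _src, sid, _path in records)
    families = {}
    for src, sid, _path in records:
        families.setdefault(sid, set()).add(family(src))
    # Report each session over the threshold with the families it used.
    return {sid: sorted(families[sid])
            for sid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("per-family alerts:", per_family_alerts(SAMPLE))
    print("correlated alerts:", correlated_alerts(SAMPLE))
```

Each source address stays at three events, below the threshold, while the merged session count of six is flagged together with the fact that it spans both address families.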
