[ipv6hackers] IPS/WAF and combined IPv6-IPv4 attacks

Antonios Atlasis antonios.atlasis at gmail.com
Tue Jul 23 22:22:27 CEST 2013


Hi,

since IPv6 is a layer 3 protocol, if you manage to break IPv6 (that is, to
evade an IDS by abusing IPv6), then you can launch any type of layer-7
attack, such as an HTTP one, while remaining undetected. I have
demonstrated such examples against Snort.

As far as WAFs are concerned, in order to be effective they must fully
reconstruct an IPv6 datagram before examining it (performing full-packet
inspection), which is not always that easy. If they try to do so, you have
a good chance of DoSing them.

Antonios.


2013/7/22 ZAMANI Omar <Omar.ZAMANI at solucom.fr>

> Hello everybody!
>
> Following my IPv6 security investigations, I'm looking at a particular
> breed of attacks: those that combine IPv4 and IPv6.
>
> I don't know if such attacks are very common, but I was thinking that
> now that we have two network protocols working, some attacks targeting
> the application layer may choose to alternate for example IPv4
> encapsulated HTTP requests and IPv6 encapsulated HTTP requests in order
> to fly under the radar. For such attacks to succeed, WAFs and IPS must
> be designed to analyze IPv4 and IPv6 traffic independently as two
> different streams even at the application layer.
>
> Is that the case of the available solutions on the market? Has the
> hacker community ever tried to achieve an attack of this kind?
>
> Thank you for your replies.
>
> Omar ZAMANI
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>



-- 
=====================
Antonios Atlasis, PhD, MPhil
GXPN, GREM, GPEN, GWAPT, CCIH, GCIA
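
The correlation concern raised in the quoted question, as an added example that is not part of the original thread: a detector that scores IPv4 and IPv6 as two independent streams misses a client whose requests alternate between families, while one keyed on an application-layer identity does not. The session identifier, per-request scores, threshold and window are assumptions, and the events are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (epoch seconds, source address, session id, anomaly
# score assigned by a per-request rule). Addresses are documentation ranges.
EVENTS = [
    (100, "192.0.2.10",   "sess-A", 2),
    (105, "2001:db8::10", "sess-A", 2),
    (110, "192.0.2.10",   "sess-A", 2),
    (115, "2001:db8::10", "sess-A", 2),
    (120, "198.51.100.7", "sess-B", 2),
    (300, "2001:db8::99", "sess-C", 2),
    (400, "2001:db8::99", "sess-C", 2),  # previous hit has left the window
]
THRESHOLD = 6  # hypothetical alerting score
WINDOW = 60    # seconds


def family(addr):
    """Return 4 or 6; IPv4-mapped IPv6 (::ffff:a.b.c.d) counts as IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return 4
    return ip.version


def alerts(events, key):
    """Sum scores per key over a sliding window; return keys reaching THRESHOLD."""
    recent = defaultdict(list)  # key -> [(ts, score), ...] still inside the window
    hit = set()
    for ts, addr, session, score in sorted(events):
        k = key(addr, session)
        recent[k] = [(t, s) for t, s in recent[k] if ts - t < WINDOW]
        recent[k].append((ts, score))
        if sum(s for _, s in recent[k]) >= THRESHOLD:
            hit.add(k)
    return hit


def split_by_family(events):
    # Engine that keeps IPv4 and IPv6 as two independent streams.
    return alerts(events, lambda addr, session: (family(addr), session))


def unified(events):
    # Engine that correlates on the application-layer identity only.
    return alerts(events, lambda addr, session: session)
```

On the sample, `split_by_family(EVENTS)` raises nothing because each family's stream for `sess-A` peaks at 4, while `unified(EVENTS)` flags `sess-A` once the combined score reaches 6.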


