Comments on: Mitigating IPv6 Security Threats

By: Bob Gourley

Bob Gourley — Thu, 27 Jan 2011 06:26:43 +0000

Thanks very much for that helpful context.

Bob

By: @Marts_McFly

@Marts_McFly — Thu, 27 Jan 2011 01:04:23 +0000

This has been known for a while. If a company is blocking outgoing UDP packets at their perimeter firewall, then this should mitigate any attacks of covertly trying to tunnel IPv4 over IPv6 (because a UDP packet needs to go out to establish the IPv6 tunnel). More in-particular UDP port 3544, which is the Microsoft Teredo service. Hackers have been doing this for a while now, but as most enterprises block random UDP ports going out it isn't as much of a threat (but a threat is still a threat and should be addressed).

Additionally however, home users who are running UPnP NAT modem/routers are vulnerable to this attack. (Which is the majority of users out there).

It is definitely interesting indeed, but most companies I have looked at, block the UDP packets from going out to establish the IPv6 tunnels.

You are right in saying though that if somebody decided to move data around INSIDE of your network with IPv6, and you don't have any monitoring or inspection in place that is configured for IPv6, you could potentially have users violating policies and doing whatever they want undetected (sharing pirated material amongst each other for example)

Nice post and thanks for sharing.

By: Command Information - Blog » Blog Archive » IPv6 Implementation Issues in the Enterprise: 2010 Edition

Tue, 04 May 2010 17:13:50 +0000

[...] Myth# 2: I’m not running IPv6 so there’s no risk. I hear “we are blocking IPv6 at the edge,” or “IPv6 and known tunneling like protocol 41 is being blocked, so there’s no issue.” Sadly, this isn’t the case. In the past 3 months Command Information has uncovered high-risk tunneling and attempted hacks/probes using IPv6 on Federal Government networks. So merely blocking and filtering based solely on port and protocol is not enough. That’s why deep-packet inspection is key to solving this issue. Don’t believe me? Well, don’t take my word for it, but will you take Bob Gourley’s word for it? See article here. [...]

By: Bryan Halfpap

Bryan Halfpap — Tue, 27 Apr 2010 06:02:40 +0000

This is a major attack surface often overlooked by security professionals. I've read several stories where Man-In-The-Middle attacks were performed with ease by exploiting IPv6-enabled machines not being configured properly, as well as horror stories in Linux about firewalls not being IPv6 configured on network interfaces.

As IPv6 comes into the limelight over the next ten years, we should expect to see the same type of reaction in hackerspaces we do when a new, untested technology emerges from the shadows — exploits, exploits, exploits, and not knowing you have something working and enabled by default (its always the stuff thats enabled by default…) is a major problem. Know thy self before you know thy enemy.

As for Paul's comment:
Firmware manipulation is going to beat rootkits hands down. I'd say the biggest obstacle to overcome in that area that will forever be a showstopper is the diversity of the BIOS playing field.

By: Bob Gourley

Bob Gourley — Sun, 04 Apr 2010 19:42:49 +0000

Paul thanks much for the comment. Good hearing from you. I hope to see you around, maybe at DoDIIS?