[76840] in North American Network Operators' Group
Re: IPv6, IPSEC and deep packet inspection
daemon@ATHENA.MIT.EDU (william(at)elan.net)
Fri Dec 31 17:35:41 2004
Date: Fri, 31 Dec 2004 14:35:49 -0800 (PST)
From: "william(at)elan.net" <william@elan.net>
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.58.0412311547150.15035@qentba.nf23028.arg>
Errors-To: owner-nanog-outgoing@merit.edu

BTW - One of the most fascinating things is that when some miscreants
hack your IPv4 host, the first thing they do (if the kernel can support IPv6)
is set up an IPv6 tunnel to their home (or more likely another hacked box)
destination, then they set up a bot which has only an IPv6 address. Apparently
this way they can survive longer without being discovered or their bot
access blocked because IPv6 tunnels are seen as a good thing (rightly so)
and IPv6 activity is not looked at as closely by automated means.

And of course there are those pesky IPv6 IRC servers in Italy and
other places with an interesting crowd on them...

At the same time, I'll note that I've never seen a hacked IPv6-only box...
(but maybe that is just because there aren't that many IPv6-only boxes)

On Fri, 31 Dec 2004, Rob Thomas wrote:
> Hi, NANOGers.
>
> Folks who are considering or using IPv6 should know that the miscreants
> are as well. There have been IPv6 bots and botnets. IPv6 based hosts
> are regularly used as a bounce for IRC access. IPv6 DoS tools do exist.
> Many of your monitoring tools choke on IPv6, or ignore it entirely.
>
> So while a new approach to security with IPv6 may be warranted, many of
> the same old threats await you there.
>
> Thanks,
> Rob.
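
A detection sketch for the tunnelling behaviour discussed in this thread, added here as an example and not part of either poster's message: it inspects raw IPv4 packets and reports the ones that carry encapsulated IPv6, so that monitoring which only looks at IPv4 still sees the tunnel endpoints. It goes beyond the thread by naming two specific encapsulations (IP protocol 41 and Teredo on UDP 3544); the function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number used by 6in4, 6to4 and ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544       # IANA-assigned UDP port for Teredo

def classify_ipv4_packet(pkt: bytes):
    """Return (kind, outer_src, outer_dst, inner_src) if pkt tunnels IPv6, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length; IPv4 options shift the payload
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        kind, inner = "proto-41", payload
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        kind, inner = "teredo", payload[8:]  # simple case: no Teredo auth/origin headers
    else:
        return None
    # Only report when the encapsulated bytes really start an IPv6 header.
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (kind, str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])))

# --- Constructed sample packets (documentation address ranges, not captured traffic) ---
def build_ipv6(src="2001:db8::1", dst="2001:db8::2"):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.7"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

SAMPLES = {
    "6in4": build_ipv4(PROTO_IPV6_IN_IPV4, build_ipv6()),
    "teredo": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, TEREDO_PORT, 48, 0) + build_ipv6()),
    "dns": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_ipv4_packet(pkt))
```

The inner source address is returned so that an alert can name the IPv6 identity a host is using, which is what IPv4-only tooling never records.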