Using Dual Protocol for SIEMs Evasion

Attackers using IPv4 and IPv6 can avoid detection by IPS, SIEMs, reputation filtering, and more


It is just a fact of life that attackers and defenders are now operating in a dual-protocol world. With the addition of IPv6, attackers are learning new tricks and defenders will need to anticipate and protect against those new attacks. Attackers will try to use IPv4 and IPv6, each alone or in combination, for their exploits. We can predict that attacks will use a combination of IPv4 and IPv6 in a way that could allow an attacker to avoid detection by today's protection mechanisms.

Attackers commonly use a specific methodology when they propagate malware and run the command-and-control networks used for exploitation. However, attackers use a different standard methodology when carrying out targeted attacks. The attacker starts with reconnaissance, then probing and scanning, exploitation, maintaining access, covering tracks, and leveraging that access to reach other systems. When attackers perform reconnaissance, they may focus only on the target's IPv4 addresses. A sophisticated attacker, however, will recognize when a target can also be reached over IPv6 transport. If the victim uses only IPv4, it can only be reached over that protocol, but if the victim is reachable over both, its "attack surface" has effectively doubled. Attackers will perform reachability testing and scanning over both IPv4 and IPv6, which doubles their workload. Attackers and defenders alike now have to do everything twice: once for IPv4 and once for IPv6. Every activity the attacker performs will be tried over both IPv4 and IPv6 to determine whether one protocol is less hardened than the other. Then the attacker will leverage the weaker of the two connection protocols.

Many of the security tools that attackers and defenders use support IPv6. The Nmap Security Scanner 6.0 has had IPv6 support for many years. BackTrack (since before release 4) has had IPv6 capability and can use Miredo or simple 6in4 tunnels. Metasploit has supported IPv6 targets for many years, and Rapid7's Nexpose also has IPv6 vulnerability scanning capabilities. Tenable Nessus 3.2 has IPv6 capabilities, largely thanks to Nmap's IPv6 features. Qualys QualysGuard Scanner 6.11 and its FreeScan Service are IPv6-capable. Of course, IPv6 security practitioners are aware of The Hacker's Choice (THC) IPv6 Attack Toolkit, the SI6 Networks IPv6 Toolkit, and the IPv6 capabilities in the Scapy packet crafting library. Many other security utilities are now becoming IPv6-capable.

However, the list of security systems capable of deep packet inspection (DPI) with IPv4/IPv6 feature parity is surprisingly short, and it is not growing quickly. There are tools that can parse native IPv6 packets as well as IPv6 packets encapsulated in IPv4 packets. Many of these IPS systems even scale beyond 10 Gbps of traffic inspection. Cisco's IPS systems have had IPv6 support since before version 6.2. Security Onion, Doug Burks' excellent open-source distribution of IDS and NSM tools, has IPv6 detection capabilities. Some of the major Web Application Firewalls (WAFs) now support IPv6.

An attacker could perform part of an application-layer attack against a dual-protocol server over IPv4 and the rest of it over IPv6. This could confuse an IPS, because it cannot determine that the two attacks are related. If your IPS is not even looking at IPv6 packets, the situation is worse. It is more likely that the IPS simply inspects each connection independently, looking for packets that match a signature or trip an anomaly-detection threshold.

There are also some IPv6 capabilities in Security Information Managers (SIMs), Security Event Managers (SEMs), and therefore in the combined Security Information and Event Managers (SIEMs). For example, Splunk version 4.3 or later has IPv6 support, and ArcSight Network Configuration Manager (NCM) has had IPv6 capabilities since May 2007. Several other SIEM products have basic IPv6 support.

This type of a dual-protocol attack could also avoid correlation by the SIEMs. The SIEMs would not recognize that the IPv4 address of the attacker is associated with the IPv6 address of the attacker. The correlation engine is not able to determine that the attacker's source IPv4 address and IPv6 address are the same computer. If an attacker compromises a system with IPv4 and then spreads to other systems using IPv6, the SIEMs would not determine these two activities are part of the same attack. The SIEMs may not even be able to determine that the IPv4 address of the compromised server is configured on the same server that has an IPv6 address that was used for the secondary attacks to other systems.

So, how would a SIEM determine that a dual-protocol attack is originating from the same source? One approach would be to use some form of metadata or other time-domain commonality to determine that the same attacker is using both protocols in combination to formulate an attack. The SIEM could try different techniques to trace back to the source. For example, the SIEM could perform a whois or DNS query on the IPv4 and IPv6 addresses and see if they belong to the same organization or FQDN. The SIEM could do a traceroute to the sources over IPv4 and IPv6 and see if the paths are congruent. The SIEM may be able to use some type of heuristics to correlate the IPv4 and IPv6 activities. Splunk's Minister of Defense, Monzy Merza, has written and presented on the topic of using metacharacteristics to detect threats. However, it will take time before defenders have IPv4 and IPv6 correlation capabilities built into their protection systems by default.
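The correlation the preceding paragraphs ask for, as an added example that is not part of the original article: a small Python routine that collapses IPv4 and IPv6 sources to one actor key via enrichment, and chains a host attacked over IPv4 to later IPv6 activity sourced from that same host using an asset inventory. The enrichment table (a stand-in for the whois/reverse-DNS answers the text suggests), the asset inventory, the alert stream and the 15-minute window are all constructed assumptions; a real SIEM would query live data and tune the window.

```python
"""Added example: correlating IPv4 and IPv6 alerts into one incident.

Not from the article. The enrichment table is a constructed stand-in for
the whois / reverse-DNS answers a SIEM could fetch, the asset inventory is
constructed, and the alert stream is constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for whois / reverse-DNS lookups: an external IPv4 and
# IPv6 address that both resolve to the same attacker-controlled FQDN.
ENRICHMENT = {
    "203.0.113.45": "scanner.attacker.example",
    "2001:db8:feed::45": "scanner.attacker.example",
    "198.51.100.7": "cdn.benign.example",
}

# Constructed asset inventory: each internal host with every address it holds,
# so an IPv6 source can be tied back to a host that was attacked over IPv4.
ASSETS = {
    "web01": {"192.0.2.10", "2001:db8:1::10"},
    "db01": {"192.0.2.20", "2001:db8:1::20"},
}

# Constructed, normalized alert stream as a SIEM would hold it.
ALERTS = [
    {"ts": "2013-06-01T10:00:05", "src": "203.0.113.45", "dst": "192.0.2.10", "sig": "SQLi probe"},
    {"ts": "2013-06-01T10:00:40", "src": "2001:db8:feed::45", "dst": "2001:db8:1::10", "sig": "SQLi payload"},
    {"ts": "2013-06-01T10:12:00", "src": "2001:db8:1::10", "dst": "2001:db8:1::20", "sig": "internal port sweep"},
    {"ts": "2013-06-01T11:30:00", "src": "198.51.100.7", "dst": "192.0.2.10", "sig": "SQLi probe"},
]

WINDOW = timedelta(minutes=15)  # assumed correlation window


def family(addr):
    """Return 4 or 6; raises ValueError for anything that is not an IP address."""
    return ipaddress.ip_address(addr).version


def asset_for(addr):
    """Map an address of either family back to the internal host that owns it."""
    for name, addrs in ASSETS.items():
        if addr in addrs:
            return name
    return None


def actor_for(addr):
    """Collapse a source of either family to one actor key.

    Internal hosts key on their asset name, external addresses on the
    enrichment result (FQDN / organization), and unknowns on the raw address.
    """
    return asset_for(addr) or ENRICHMENT.get(addr, addr)


def correlate(alerts, window=WINDOW):
    """Group alerts into incidents without regard to IP family.

    Rule 1: alerts whose sources collapse to the same actor within `window` join.
    Rule 2: an alert sourced from an internal asset that an incident already
            hit as a destination (over either family) joins that incident:
            the compromise-over-v4-then-spread-over-v6 case.
    """
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        actor = actor_for(a["src"])
        home = None
        for inc in incidents:
            in_window = ts - inc["last_ts"] <= window
            same_actor = inc["actor"] == actor
            pivot = asset_for(a["src"]) in inc["hit_assets"]
            if in_window and (same_actor or pivot):
                home = inc
                break
        if home is None:
            home = {"actor": actor, "alerts": [], "hit_assets": set(),
                    "families": set(), "last_ts": ts}
            incidents.append(home)
        home["alerts"].append(a)
        home["last_ts"] = ts
        home["families"].add(family(a["src"]))
        hit = asset_for(a["dst"])
        if hit:
            home["hit_assets"].add(hit)
    return incidents


def dual_protocol_incidents(incidents):
    """Incidents that a v4-only or v6-only view would split into unrelated actors."""
    return [inc for inc in incidents if inc["families"] == {4, 6}]


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["actor"], len(inc["alerts"]), "alerts; families", sorted(inc["families"]),
              "; assets hit", sorted(inc["hit_assets"]))
```

On the constructed stream the first three alerts fold into one incident attributed to the attacker FQDN, spanning both families and touching web01 and then db01, while the later benign CDN probe stays separate. Without the enrichment step the two external addresses would be two actors, and without the inventory the IPv6 sweep from web01 would be a third.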

Reputation systems have the same challenge in correlating IPv4 addresses with IPv6 addresses. With the introduction of CGN/LSN systems, IPv4 reputation filtering may not be long for this world. Many of the reputation filtering systems used to detect e-mail spam or malware-hosting websites have no IPv6 capabilities. Reputation databases will need to be able to correlate the IPv4 and IPv6 addresses of systems that host malware or generate malicious traffic. However, such databases do not exist yet.

Attackers are learning IPv6 security at the same pace as IT professionals, and at the same pace as IPv6 is deployed on the Internet. There will be attackers or defenders who are further ahead of their counterparts and will have an advantage over their competition. Even though IPv4 and IPv6 are similar in many ways, IPv6 has several nuances that the security industry needs to take into consideration. The best practice would be to anticipate these challenges and create protection measures ahead of deployment. However, IPv6 is already implemented on the Internet and on many organizations' Internet edges. This situation creates opportunities for attackers that force defenders to develop strategies to protect their organizations.

Scott

Copyright © 2013 IDG Communications, Inc.
