
Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10014)

Abstract

The Internet Protocol Version 6 (IPv6) transition opens a wide scope for potential attack vectors. IPv6 transition mechanisms could allow the set-up of covert egress communication channels over an IPv4-only or dual-stack network, resulting in full compromise of a target network. Therefore, effective tools are required for the execution of security operations that assess possible attack vectors related to IPv6 security.

In this paper, we review relevant transition technologies, describe and analyze two newly-developed IPv6 transition mechanism-based proof-of-concept tools for the establishment of covert information exfiltration channels. The analysis of the generated test cases confirms that IPv6 and various evasion techniques pose a difficult task for network security monitoring. While detection of various transition mechanisms is relatively straightforward, other evasion methods prove more challenging.
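The abstract notes that detecting the transition mechanisms themselves is the comparatively easy part for network security monitoring. The following is an added example, not code from the paper or from its nc64/tun64 tools, showing the kind of header-level check a monitor can apply: it classifies raw IPv4 packets by the encapsulation they carry, using the standard indicators (IPv4 protocol 41 for 6in4/6to4/ISATAP, UDP port 3544 for Teredo, the 2002::/16 and 2001::/32 prefixes, and the ::5efe: ISATAP interface identifier). The sample packets are constructed inline with documentation addresses; checksums are left at zero since the classifier does not validate them.

```python
import struct
import ipaddress

# Standard indicators of IPv6-over-IPv4 transition traffic.
PROTO_IPV6_ENCAP = 41     # IPv4 protocol number used by 6in4, 6to4 and ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544        # UDP port used by Teredo
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")


def _ipv6_addrs(buf, off):
    """Return (src, dst) of an IPv6 header starting at buf[off], or None if malformed."""
    if len(buf) < off + 40 or buf[off] >> 4 != 6:
        return None
    return (ipaddress.IPv6Address(buf[off + 8:off + 24]),
            ipaddress.IPv6Address(buf[off + 24:off + 40]))


def _is_isatap(addr):
    """ISATAP interface IDs have the form ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z."""
    p = addr.packed
    return p[10:12] == b"\x5e\xfe" and p[8:10] in (b"\x00\x00", b"\x02\x00")


def classify(buf):
    """Label one raw IPv4 packet by the transition mechanism it appears to carry."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (buf[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = buf[9]
    if proto == PROTO_IPV6_ENCAP:
        inner = _ipv6_addrs(buf, ihl)
        if inner is None:
            return "proto-41-malformed"  # worth alerting on by itself
        if any(a in SIXTO4_PREFIX for a in inner):
            return "6to4"
        if any(_is_isatap(a) for a in inner):
            return "isatap"
        return "6in4"
    if proto == PROTO_UDP and len(buf) >= ihl + 8:
        sport, dport = struct.unpack("!HH", buf[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            inner = _ipv6_addrs(buf, ihl + 8)
            if inner and any(a in TEREDO_PREFIX for a in inner):
                return "teredo"
            return "udp-3544-unknown"    # port matches but no Teredo-prefixed IPv6 inside
    return "native-ipv4"


# --- constructed sample packets (documentation addresses, zero checksums) ---

def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6(src, dst, payload=b""):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "6to4":   ipv4(41, "192.0.2.10", "192.88.99.1",
                   ipv6("2002:c000:20a::1", "2001:db8::1")),
    "isatap": ipv4(41, "192.0.2.10", "192.0.2.1",
                   ipv6("fe80::5efe:c000:20a", "fe80::5efe:c000:201")),
    "6in4":   ipv4(41, "192.0.2.10", "198.51.100.7",
                   ipv6("2001:db8:1::1", "2001:db8:2::1")),
    "teredo": ipv4(17, "192.0.2.10", "198.51.100.1",
                   udp(40000, 3544, ipv6("2001:0:c633:6401::1", "2001:db8::2"))),
    "plain":  ipv4(6, "192.0.2.10", "203.0.113.5", b"\x00" * 20),
}


def classify_samples():
    """Run the classifier over every constructed sample; returns {name: label}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:8s} -> {label}")
```

In a real deployment the same checks would run over captured traffic rather than constructed buffers; the point of the example is that the indicators are fixed header fields and prefixes, which is why the paper can call this part of the detection problem straightforward, in contrast to the evasion techniques (extension headers, fragmentation) layered on top of the tunnel.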


Notes

  1. IPv6 Enabled Networks, RIPE NCC. http://v6asns.ripe.net/v/6 (Accessed 15/04/2016).

  2. IPv6 CIDR Report. http://www.cidr-report.org/v6/as2.0/ (Accessed 15/04/2016).

  3. SI6 Networks' IPv6 Toolkit. http://www.si6networks.com/tools/ipv6toolkit/ (Accessed 10/11/2015).

  4. Topera IPv6 analysis tool: the other side. http://toperaproject.github.io/topera/ (Accessed 10/11/2015).

  5. Chiron. http://www.secfu.net/tools-scripts/ (Accessed 10/11/2015).

  6. nc64. https://github.com/lockout/nc64 (Accessed 12/03/2016).

  7. tun64. https://github.com/lockout/tun64 (Accessed 12/03/2016).

  8. Scapy project. http://www.secdev.org/projects/scapy/ (Accessed 10/11/2015).

  9. Vagrant. https://www.vagrantup.com/ (Accessed 07/12/2015).

  10. Automated virtual testing environment. https://github.com/markuskont/exfil-testbench (Accessed 07/12/2015).

  11. Snort v2.9.8.0. http://manual.snort.org/ (Accessed 07/12/2015).

  12. Suricata v2.1beta4. http://suricata-ids.org/docs/ (Accessed 07/12/2015).

  13. Bro v2.4.1. https://www.bro.org/documentation/index.html (Accessed 07/12/2015).

  14. Moloch v0.12.1. https://github.com/aol/moloch (Accessed 07/12/2015).

  15. The Moloch 0.14.0 CHANGELOG of 2016/05/08 carries the notice that "[IPv6] support is experimental, and will change with ES 5.0." https://github.com/aol/moloch/blob/master/CHANGELOG (Accessed 16/08/2016).


Acknowledgements

This research was conducted with the support of NATO Cooperative Cyber Defense Center of Excellence. The authors would like to acknowledge the valuable contribution of Leo Trukšāns, Walter Willinger, and Merike Käo.


Corresponding author

Correspondence to Bernhards Blumbergs.


A Appendix


(See Table 1)

Table 1. Protocol tunneling and data exfiltration tool assessment


Copyright information

© 2016 Springer International Publishing AG


Cite this paper

Blumbergs, B., Pihelgas, M., Kont, M., Maennel, O., Vaarandi, R. (2016). Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science, vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_6


  • DOI: https://doi.org/10.1007/978-3-319-47560-8_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47559-2

  • Online ISBN: 978-3-319-47560-8
