Abstract
The Internet Protocol Version 6 (IPv6) transition opens a wide scope for potential attack vectors. IPv6 transition mechanisms could allow the set-up of covert egress communication channels over an IPv4-only or dual-stack network, resulting in full compromise of a target network. Therefore, effective tools are required for the execution of security operations that assess possible attack vectors related to IPv6 security.
In this paper, we review relevant transition technologies and describe and analyze two newly developed proof-of-concept tools, based on IPv6 transition mechanisms, for the establishment of covert information exfiltration channels. The analysis of the generated test cases confirms that IPv6 and various evasion techniques pose a difficult task for network security monitoring. While detection of various transition mechanisms is relatively straightforward, other evasion methods prove more challenging.
Acknowledgements
This research was conducted with the support of NATO Cooperative Cyber Defense Center of Excellence. The authors would like to acknowledge the valuable contribution of Leo Trukšāns, Walter Willinger, and Merike Käo.
A Appendix
(See Table 1)
© 2016 Springer International Publishing AG
Cite this paper
Blumbergs, B., Pihelgas, M., Kont, M., Maennel, O., Vaarandi, R. (2016). Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science(), vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_6
DOI: https://doi.org/10.1007/978-3-319-47560-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47559-2
Online ISBN: 978-3-319-47560-8
eBook Packages: Computer Science (R0)