Project

General

Profile

Actions

Bug #4845

open

Bug #3323: tracking: ipv6 evasions

IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise

Added by Philippe Antoine about 3 years ago. Updated over 1 year ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

cf paper https://www.scitepress.org/Papers/2019/78401/78401.pdf
cf S-V test https://github.com/OISF/suricata-verify/pull/172

For parasite6, ie the IPv6 version of an ARP cache poisoning, we could have an alert if we see 2 packets icmpv6.type == 136 with same IP and different MAC addresses (ie if we keep a version of the cache)
But then, we would not know which one is right, unless we have some external data...
Should we do something ?

Should we do ARP cache poisoning detection first ?

Actions #1

Updated by Philippe Antoine about 3 years ago

  • Subject changed from IPv6 evasion : parasite6 to IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise

dos new ipv6 is about spoofing. The way to detect this would be to have a recorded network structure where each host is identified by MAC and IP-Address
I do not know what we want to do about this :
- nothing : people can use the logs and do some post-processing to tell the difference between the expected network map and what they see
- be able to load a map of the network so as to alert when there is an unknown/spoofing machine appearing

That comment about dos new ipv6 goes also for fake mldrouter advertise

Actions #2

Updated by Philippe Antoine over 1 year ago

  • Assignee set to Community Ticket
  • Target version set to TBD
Actions

Also available in: Atom PDF