Bug #4845

open

Bug #3323: tracking: ipv6 evasions

IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise

Added by Philippe Antoine about 3 years ago. Updated over 1 year ago.

Status: New
Priority: Normal

Description

cf. paper https://www.scitepress.org/Papers/2019/78401/78401.pdf
cf. S-V test https://github.com/OISF/suricata-verify/pull/172

For parasite6, i.e. the IPv6 version of an ARP cache poisoning, we could have an alert if we see 2 packets with icmpv6.type == 136 with the same IP and different MAC addresses (i.e. if we keep a version of the cache).
But then, we would not know which one is right, unless we have some external data...
Should we do something?

Should we do ARP cache poisoning detection first?
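The check proposed in the description above, as an added example that is not part of the original issue and not Suricata code: it parses ICMPv6 Neighbor Advertisement bodies (type 136), keeps a target IP to MAC cache, and reports a conflict without deciding which binding is right. The names `parse_na`, `NeighborCache` and `build_na` are hypothetical, and the sample packets are constructed.

```python
import ipaddress
import struct

NA_TYPE = 136          # ICMPv6 Neighbor Advertisement (RFC 4861)
OPT_TARGET_LLADDR = 2  # Target Link-Layer Address option


def parse_na(icmp6: bytes):
    """Return (target_ip, mac) from an ICMPv6 NA body, or None if unusable."""
    if len(icmp6) < 24 or icmp6[0] != NA_TYPE:
        return None
    target = str(ipaddress.IPv6Address(icmp6[8:24]))
    off = 24
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            return None  # malformed option: no binding can be trusted
        if opt_type == OPT_TARGET_LLADDR:
            return target, icmp6[off + 2:off + 8].hex(":")
        off += opt_len
    return None  # NA without a target link-layer option carries no binding


class NeighborCache:
    """Remembers the first MAC seen per target IP and flags later mismatches."""

    def __init__(self):
        self.bindings = {}

    def observe(self, icmp6: bytes):
        """Return an alert dict when an NA contradicts the cached binding."""
        parsed = parse_na(icmp6)
        if parsed is None:
            return None
        ip, mac = parsed
        known = self.bindings.setdefault(ip, mac)  # first-seen binding is kept
        if known != mac:
            # Both MACs are reported: the cache alone cannot tell which is right.
            return {"ip": ip, "first_seen_mac": known, "new_mac": mac}
        return None


def build_na(target: str, mac: str) -> bytes:
    """Constructed sample input: NA with S and O flags set, checksum zeroed."""
    hdr = struct.pack("!BBHI", NA_TYPE, 0, 0, 0x60000000)
    opt = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return hdr + ipaddress.IPv6Address(target).packed + opt
```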
