Bug #4845: IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4845

open

Bug #3323: tracking: ipv6 evasions

IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise

Added by Philippe Antoine over 2 years ago. Updated 10 months ago.

Status:

New

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

cf paper https://www.scitepress.org/Papers/2019/78401/78401.pdf
cf S-V test https://github.com/OISF/suricata-verify/pull/172

For parasite6, ie the IPv6 version of an ARP cache poisoning, we could have an alert if we see 2 packets icmpv6.type == 136 with same IP and different MAC addresses (ie if we keep a version of the cache)
But then, we would not know which one is right, unless we have some external data...
Should we do something ?

Should we do ARP cache poisoning detection first ?

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #4845

IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise

Updated by Philippe Antoine over 2 years ago

Updated by Philippe Antoine 10 months ago