Using Dual Protocol for SIEMs Evasion

Attackers using IPv4 and IPv6 can avoid detection by IPS, SIEMs, reputation filtering, and more

It is just a fact of life that attackers and defenders are now operating in a dual-protocol world. With the addition of IPv6, attackers are learning new tricks and defenders will need to anticipate and protect against those new attacks. Attackers will try to use IPv4 and IPv6, each alone or in combination, for their exploits. We can predict that attacks will use a combination of IPv4 and IPv6 in a way that could allow an attacker to avoid detection by today's protection mechanisms.

Attackers who run malware propagation and command-and-control networks follow one methodology; a targeted attack follows another: reconnaissance, scanning and enumeration, exploitation, maintaining access, covering tracks, and leveraging the foothold to reach other systems. During reconnaissance an attacker may focus only on the target's IPv4 addresses, but a sophisticated attacker will recognize when the target is also reachable over IPv6. A victim that uses only IPv4 is reachable over just that one protocol; a victim reachable over both has effectively doubled its attack surface. The attacker will perform reachability testing and scanning over both IPv4 and IPv6, doubling the workload. Attackers and defenders alike must now do everything twice, once for IPv4 and once for IPv6. Every step the attacker takes will be tried over both protocols to find out whether one is less fortified than the other, and the attacker will then leverage the weaker of the two.

Many of the security tools that attackers and defenders use now support IPv6. Nmap Security Scanner 6.0 has had IPv6 support for many years. Backtrack (since before release 4) has had IPv6 capability and can use Miredo or simple 6in4 tunneling. Metasploit has supported IPv6 targets for many years, and Rapid7's Nexpose also has IPv6 vulnerability scanning capabilities. Tenable Nessus 3.2 has IPv6 capabilities, mostly due to Nmap's IPv6 functionality. Qualys QualysGuard Scanner 6.11 and its FreeScan Service are IPv6-capable. Of course IPv6 security practitioners are aware of The Hacker's Choice (THC) IPv6 Attack Toolkit, the SI6 Networks IPv6 Toolkit and the IPv6 capabilities in the Scapy packet crafting library. Many other security utilities are now becoming IPv6 capable.

However, the list of security systems capable of Deep Packet Inspection (DPI) with IPv4 and IPv6 feature parity is surprisingly short and is not growing as rapidly. Some tools can parse native IPv6 packets as well as IPv6 packets encapsulated within IPv4 packets, and many of these IPS systems scale beyond 10Gbps of traffic inspection. Cisco's IPS systems have had IPv6 support since before version 6.2. Security Onion, an excellent open source distribution of IDS and NSM tools created by Doug Burks, has IPv6 detection capabilities. Some of the major Web Application Firewalls (WAFs) now support IPv6.

Attackers can perform some portions of an application-layer attack against a dual-protocol server over IPv4 and other portions over IPv6. This can confuse an IPS, which cannot determine that the two connections are related; the situation is much worse if the IPS is not looking at the IPv6 packets at all. More likely, the IPS will simply inspect each connection independently, looking for packets that match signatures or trigger anomaly detection thresholds.

There are also some IPv6 capabilities in Security Information Managers (SIMs), Security Event Managers (SEMs), and thus in combined Security Information and Event Managers (SIEMs). For example, Splunk version 4.3 or later has IPv6 support, and ArcSight Network Configuration Manager (NCM) has had IPv6 capabilities since May 2007. Several other SIEM products have basic IPv6 support.

This type of dual-protocol attack could also avoid correlation by the SIEM. The SIEM would not recognize that the attacker's IPv4 address is associated with the attacker's IPv6 address, because its correlation engine cannot determine that the two source addresses belong to the same computer. If an attacker compromises a system over IPv4 and then spreads to other systems over IPv6, the SIEM would not determine that these two activities are part of the same attack. The SIEM may not even be able to determine that the IPv4 address of the compromised server is configured on the same server as the IPv6 address that was used for the secondary attacks on other systems.

So, how would a SIEM determine that a dual-protocol attack is originating from the same source? One approach would be to use some form of metadata or other time-domain commonality to determine that the same attacker is using both protocols in combination to formulate an attack. The SIEM could try different techniques to trace back to the source. For example, it could perform a whois or DNS query on the IPv4 and IPv6 addresses and check whether they belong to the same organization or FQDN. It could run a traceroute to the source over IPv4 and over IPv6 and check whether the paths are congruent. It may be able to use some type of heuristics to correlate the IPv4 and IPv6 activities. Splunk's Minister of Defense, Monzy Merza, has written and presented on the topic of using metacharacteristics to detect threats. However, it will take time before defenders have IPv4 and IPv6 correlation capabilities built into their protection systems by default.
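The split attack described above, where the IPS or SIEM sees an IPv4 connection and an IPv6 connection as unrelated, can be stitched back together in a correlation rule. The following is an added example, not code from the article, from Splunk or from any SIEM vendor. It shows one practical approach: derive a single actor identity for each event by first checking whether an IPv6 source address embeds an IPv4 address (IPv4-mapped, 6to4 or Teredo forms, all of which Python's standard ipaddress module decodes), then falling back to a reverse-DNS name, and finally grouping events by that identity and flagging actors seen over both protocols within a short time window. The log events and the reverse-DNS table are constructed for illustration; the table stands in for the live PTR or whois lookups the text suggests, so the script runs offline.

```python
"""Correlate IPv4 and IPv6 log events back to a single source host.

Added example for this article, not code from the article, Splunk or any
SIEM vendor. Events and the reverse-DNS table below are constructed so the
script runs offline; a real SIEM would replace the table with live PTR or
whois lookups (an assumption, following the approach suggested in the text).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reverse-DNS results standing in for the lookups a SIEM would do.
REVERSE_DNS = {
    "198.51.100.7": "host7.attacker.example",
    "2001:db8:1::7": "host7.attacker.example",
    "203.0.113.9": "client9.example",
    "192.0.2.5": "dualstack5.example",
    "2001:db8:3::5": "dualstack5.example",
}

# Constructed events: (ISO timestamp, source address as logged, description).
SAMPLE_EVENTS = [
    ("2013-06-01T10:00:00", "198.51.100.7", "web: sqli probe"),
    ("2013-06-01T10:00:05", "2001:db8:1::7", "web: sqli payload"),
    # A dual-stack daemon logging an IPv4 client as an IPv4-mapped address.
    ("2013-06-01T10:01:00", "::ffff:198.51.100.7", "ssh: failed login"),
    # 6to4 address: 198.51.100.7 is embedded as c633:6407 after the 2002 prefix.
    ("2013-06-01T10:02:00", "2002:c633:6407::1", "smb: share enumeration"),
    # Teredo address: client IPv4 198.51.100.7 is stored bit-inverted in the low 32 bits.
    ("2013-06-01T10:02:30", "2001:0:4136:e378:8000:63bf:39cc:9bf8", "rdp: brute force"),
    ("2013-06-01T10:03:00", "2001:db8:2::9", "dns: zone transfer attempt"),
    ("2013-06-01T12:30:00", "203.0.113.9", "web: normal request"),
    ("2013-06-01T09:00:00", "192.0.2.5", "web: login"),
    ("2013-06-01T14:00:00", "2001:db8:3::5", "web: login"),
]


def embedded_ipv4(addr):
    """Return the IPv4 address carried inside an IPv6 address, or None.

    Covers IPv4-mapped (::ffff:a.b.c.d), 6to4 (2002::/16) and Teredo
    (2001::/32); the stdlib decodes all three, including Teredo's inverted
    client address.
    """
    if addr.version != 6:
        return None
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr.sixtofour is not None:
        return addr.sixtofour
    if addr.teredo is not None:
        return addr.teredo[1]  # (server, client); the client is the real host
    return None


def wire_version(addr_text):
    """IP version actually used on the wire: an IPv4-mapped address is an IPv4 client."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return 4
    return addr.version


def actor_key(addr_text):
    """Stable identity for a source: embedded IPv4 first, then PTR name, else the address."""
    addr = ipaddress.ip_address(addr_text)
    inner = embedded_ipv4(addr)
    if inner is not None:
        addr = inner
    return REVERSE_DNS.get(str(addr), str(addr))


def correlate(events, window=timedelta(minutes=10)):
    """Group events by actor and report actors active over both IP versions.

    An actor is reported only if at least one IPv4 event and one IPv6 event
    fall within `window` of each other. Returns
    {actor: [(timestamp, wire_version, source, description), ...]} sorted by time.
    """
    by_actor = defaultdict(list)
    for ts, src, desc in events:
        by_actor[actor_key(src)].append(
            (datetime.fromisoformat(ts), wire_version(src), src, desc))
    findings = {}
    for actor, evs in by_actor.items():
        evs.sort()
        v4 = [t for t, v, _, _ in evs if v == 4]
        v6 = [t for t, v, _, _ in evs if v == 6]
        if not v4 or not v6:
            continue  # single-protocol actor: nothing to stitch together
        if not any(abs(a - b) <= window for a in v4 for b in v6):
            continue  # both protocols seen, but too far apart to call one attack
        findings[actor] = evs
    return findings


if __name__ == "__main__":
    for actor, evs in correlate(SAMPLE_EVENTS).items():
        print(f"dual-protocol actor {actor}:")
        for ts, ver, src, desc in evs:
            print(f"  {ts.isoformat()} IPv{ver} {src:<40} {desc}")
```

Run as-is, the script reports only host7.attacker.example, tying together the native IPv4 event, the native IPv6 event, the IPv4-mapped SSH login, and the 6to4 and Teredo tunneled connections; client9.example is single-protocol and dualstack5.example is seen over both protocols but five hours apart, so neither is flagged. The embedded-address check is the cheap, deterministic part and is worth doing before any DNS or whois lookup, because tunneled IPv6 sources (the Miredo and 6in4 setups mentioned earlier) carry the attacker's IPv4 address in the IPv6 address itself.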

Reputation systems face the same challenge in associating IPv4 addresses with IPv6 addresses. With the introduction of CGN/LSN systems, IPv4 reputation filtering may not be long for this world. Many of the reputation filtering systems used for detecting e-mail spam or web sites hosting malware do not have IPv6 capabilities. The reputation databases will need to be able to correlate the IPv4 address and the IPv6 address of a system hosting malware or generating malicious traffic. However, they are not there yet.

Attackers are learning about IPv6 security at the same pace as IT professionals, and at the same pace as IPv6 is deployed on the Internet. Those attackers or defenders who are further ahead of their counterparts will have an advantage over their competition. Even though IPv4 and IPv6 are similar in many ways, IPv6 has several nuances that the security industry needs to take into consideration. The best practice would be to anticipate these challenges and create protection measures ahead of deployment. However, IPv6 is already implemented on the Internet and at many organizations' Internet edges. This situation creates opportunities for attackers and forces defenders to develop strategies to protect their organizations.



Copyright © 2013 IDG Communications, Inc.