For well over a decade there have been concerns about security vulnerabilities and exploits that are based on IPv6 transport.
Earlier this year, researchers from the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE) in Tallinn, Estonia, published a paper detailing their proof of concept with tunnel-based IPv6 transition tools over IPv4-only, or IPv4/IPv6 dual-stack networks. They found that many common network intrusion detection systems (NIDS) passed the traffic undetected.
The use of tunnelling to subvert traffic is in no way new and the article itself covers many of the tunnelling approaches that have been used to set up covert channels for well over a decade. However, what this research has highlighted is the need to draw attention and validation to logging and intrusion detection tools that can correlate between IPv4 and IPv6 traffic and find commonalities to detect any potential abusive and/or criminal behaviour. These solutions should encompass all of the varying IPv6 transition/coexistence mechanisms that are widely being deployed.
Security breaches continue to be front page news almost on a daily basis due in large to the exponential growth in the number of devices connected to the Internet and subsequently getting hacked. As criminal exploit tools become increasingly more sophisticated and automated, the impact of these attacks also keeps increasing. There is a continual necessity to understand the threats introduced with any new application, device, software and protocol used.
What is mind boggling, however, are the continued use of ‘old’ techniques to create ‘new’ exploit mechanisms that are successful.
Why aren’t the good guys ahead of the bad guys when it comes to detecting covert channels and exploiting known vulnerabilities?
Note the use of ‘known vulnerabilities’ since the latest headlining attacks exploit devices with known vulnerabilities. While I can understand that not every device can always be patched quickly, there certainly should be assessments done on whether systems are likely to be successfully exploited, and if so, other mitigation techniques put in place to avoid the risk.
To ‘think like a hacker’ is to think how to most easily get the desired outcome while staying under the radar. This means using tools that will vary packet sizes, vary the frequency of sending packets, use trusted protocols in a manner not easily detected, and, sometimes, even cryptographically protect malicious traffic. The criminals will use any mechanism that results in traffic that is difficult to fingerprint and detect in realtime by existing devices.
So, what do we do?
For starters, don’t give up and don’t panic. I sincerely hope that security device manufacturers use the freely available security assessment tools and work with security researchers to ensure that they have features and functionalities to detect and mitigate against evolving persistent threats.
With continually increasing IPv6 deployments (and sometimes associated IPv4/IPv6 transition mechanisms) it’s also important to pay attention to the ways that IPv4/IPv6-enabled traffic can be exploited for covert channels. In this respect, I completely agree with the researchers from the NATO CCDCOE that fundamental changes to the way network traffic is interpreted and parsed are required to address these sophisticated threats.
Everyone has to play their part to help create trusted and secure electronic communications. While device manufacturers need to have the capabilities available, network and device administrators also need to know how to properly configure, deploy, and monitor features and have functionality to detect and analyze tunnelled and/or otherwise obfuscated traffic.
Merike Kaeo is the CTO of Farsight Security, responsible for developing the technical strategy and executing its vision.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.