[Bro] 6to4 Tunnelling

Gregor Maier gregor at icir.org
Thu May 12 13:15:43 PDT 2011

I haven't done it myself but 6to4 and 6-in-4 tunnels are fairly easy to
detect, since they use a specific IP protocol number (41).

There's no immediate way for Toredo and other UDP encapsulated traffic
though (other than checking which hosts have traffic on port 3544 and
build whitelists/blacklists based on that). However, it should be fairly
easy to write an analyzer that parses UDP packets and checks if it is
Toredo or some other tunneling technique by checking
  a) whether there's an IPv6 header in the payload that makes sense
     (e.g., next header)
  b) the IPv6 address prefix in the header makes sense (e.g., is
     2001::/31 for Toldedo, etc.)
  c) (maybe) check that the IPv4 address is encoded in the IPv6 address
     according to the tunneling scheme.

Such an analyzer should be very lightweight and it doesn't need state.
It can either be run on only port 3544 traffic, all UDP traffic. Or, I
guess one could make DPD signatures for it by looking for the prefix
(e.g., 2001::/32, ip-version, an next-header value that makes sense)

Actually extracting and parsing the encapsulated v6 traffic is more
difficult, since the extracted packets would have be injected back into
Bro's processing above the analyzer trees.

Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA

More information about the Bro mailing list