[Bro] 6to4 Tunnelling
baxterw3232 at gmail.com
Fri May 13 08:26:25 PDT 2011
On Thu, May 12, 2011 at 4:15 PM, Gregor Maier <gregor at icir.org> wrote:
> I haven't done it myself but 6to4 and 6-in-4 tunnels are fairly easy to
> detect, since they use a specific IP protocol number (41).
> There's no immediate way for Teredo and other UDP encapsulated traffic
> though (other than checking which hosts have traffic on port 3544 and
> building whitelists/blacklists based on that). However, it should be fairly
> easy to write an analyzer that parses UDP packets and checks if it is
> Teredo or some other tunneling technique by checking
> a) whether there's an IPv6 header in the payload that makes sense
> (e.g., next header)
> b) the IPv6 address prefix in the header makes sense (e.g., is
> 2001::/31 for Teredo, etc.)
> c) (maybe) check that the IPv4 address is encoded in the IPv6 address
> according to the tunneling scheme.
> Such an analyzer should be very lightweight and it doesn't need state.
> It can either be run on only port 3544 traffic or on all UDP traffic. Or, I
> guess one could make DPD signatures for it by looking for the prefix
> (e.g., 2001::/32, ip-version, a next-header value that makes sense)
Yes, I think this sounds like the way to do it. I appreciate the feedback.
> Actually extracting and parsing the encapsulated v6 traffic is more
> difficult, since the extracted packets would have to be injected back into
> Bro's processing above the analyzer trees.
Extracting the encapsulated traffic would be great and probably should
be the end goal, but for now, I would settle for knowing which hosts
are using the protocol and then ensuring they should be, based on policy.
Thanks again for the info!
> Gregor Maier
> <gregor at icir.org> <gregor at icsi.berkeley.edu>
> Int. Computer Science Institute (ICSI)
> 1947 Center St., Ste. 600
> Berkeley, CA 94704, USA
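The stateless checks Gregor sketches above (a sane IPv6 header in the UDP payload, a tunnel prefix on one of the inner addresses, and the outer IPv4 address actually encoded in that inner address) can be prototyped outside Bro before anyone writes an analyzer. The following is an added example written for this thread, not code from the Bro project or from either poster: a small Python classifier that applies those three checks to protocol-41 (6to4/6in4) and UDP-carried (Teredo) packets. It uses the Teredo prefix 2001::/32 (the thread mentions both /31 and /32), and also skips the optional Teredo authentication and origin-indication headers that can sit in front of the IPv6 packet, which a naive "IPv6 header at offset 0" check would miss. All function names are the example's own, and the sample packets at the bottom are constructed from documentation address ranges.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # Teredo (RFC 4380)
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")   # 6to4 (RFC 3056)
IPPROTO_IPV6 = 41     # outer IP protocol number of 6to4 / 6in4 tunnels
IPPROTO_UDP = 17
# next-header values a tunnelled IPv6 packet can reasonably carry
PLAUSIBLE_NEXT_HEADERS = {0, 6, 17, 43, 44, 50, 51, 58, 59, 60}


def parse_ipv6_header(data):
    """Check (a): return the fixed IPv6 header fields if `data` plausibly
    starts with one (version nibble, next header, hop limit, length), else None."""
    if len(data) < IPV6_HDR_LEN:
        return None
    vtcfl, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", data[:8])
    if vtcfl >> 28 != 6 or hop_limit == 0:
        return None
    if next_hdr not in PLAUSIBLE_NEXT_HEADERS:
        return None
    if payload_len > len(data) - IPV6_HDR_LEN:
        return None                       # header claims more than is present
    return {"next_header": next_hdr,
            "src": ipaddress.IPv6Address(data[8:24]),
            "dst": ipaddress.IPv6Address(data[24:40])}


def strip_teredo_indicators(payload):
    """Skip the optional Teredo authentication (0x0001) and origin-indication
    (0x0000) headers (RFC 4380 s.5.1) that may precede the IPv6 packet.
    Neither can be confused with a real IPv6 header, whose first byte is 0x6X."""
    off = 0
    if payload[:2] == b"\x00\x01":                    # authentication header
        if len(payload) < 4:
            return b""
        id_len, au_len = payload[2], payload[3]
        off = 4 + id_len + au_len + 8 + 1             # + nonce + confirmation
    if payload[off:off + 2] == b"\x00\x00":           # origin indication
        off += 8
    return payload[off:]


def teredo_client_ipv4(addr):
    """Client IPv4 embedded in a Teredo address: low 32 bits XOR 0xFFFFFFFF."""
    return ipaddress.IPv4Address((int(addr) & 0xFFFFFFFF) ^ 0xFFFFFFFF)


def sixto4_ipv4(addr):
    """IPv4 embedded in a 6to4 address: bits 16..47 of 2002:V4AD:DR::/48."""
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def _embedded_matches(hdr, prefix, embed, outer_src, outer_dst):
    """Checks (b)+(c): if an inner address is in `prefix`, does the IPv4
    address it embeds equal the outer address on the same side? Returns
    True/False, or None when neither inner address carries the prefix."""
    for inner, outer in ((hdr["src"], outer_src), (hdr["dst"], outer_dst)):
        if inner in prefix:
            return embed(inner) == outer
    return None


def classify_packet(outer_proto, outer_src, outer_dst, payload):
    """Stateless classification of one IPv4 packet. Returns a label or None."""
    outer_src = ipaddress.IPv4Address(outer_src)
    outer_dst = ipaddress.IPv4Address(outer_dst)
    if outer_proto == IPPROTO_IPV6:
        hdr = parse_ipv6_header(payload)
        if hdr is None:
            return "proto41-without-ipv6-header"
        ok = _embedded_matches(hdr, SIXTO4_PREFIX, sixto4_ipv4, outer_src, outer_dst)
        return "6in4" if ok is None else ("6to4" if ok else "6to4-address-mismatch")
    if outer_proto == IPPROTO_UDP:
        hdr = parse_ipv6_header(strip_teredo_indicators(payload))
        if hdr is None:
            return None                   # ordinary UDP, nothing tunnelled
        ok = _embedded_matches(hdr, TEREDO_PREFIX, teredo_client_ipv4, outer_src, outer_dst)
        return "udp-encapsulated-ipv6" if ok is None else ("teredo" if ok else "teredo-address-mismatch")
    return None


# --- constructed test traffic (documentation addresses, not real hosts) ---
def teredo_address(server_ipv4, client_ipv4, client_port, flags=0):
    """Assemble a Teredo address (RFC 4380 s.4): 2001:0000 | server | flags |
    port^0xFFFF | client^0xFFFFFFFF. Only used here to build sample packets."""
    v = ((0x20010000 << 96) | (int(ipaddress.IPv4Address(server_ipv4)) << 64)
         | (flags << 48) | ((client_port ^ 0xFFFF) << 32)
         | (int(ipaddress.IPv4Address(client_ipv4)) ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(v)


def build_ipv6(src, dst, next_hdr=58, payload=b"\x80\x00\x00\x00\x00\x01\x00\x01"):
    """Minimal IPv6 packet (default: ICMPv6 echo body, checksum not computed)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


CLIENT = teredo_address("192.0.2.1", "198.51.100.7", 3544)
SAMPLES = [
    ("teredo client -> relay", IPPROTO_UDP, "198.51.100.7", "192.0.2.1",
     build_ipv6(CLIENT, "2001:db8::1")),
    ("teredo with origin indication", IPPROTO_UDP, "192.0.2.1", "198.51.100.7",
     b"\x00\x00\xf2\x27\x39\xcc\x9b\xf8" + build_ipv6("2001:db8::1", CLIENT)),
    ("6to4", IPPROTO_IPV6, "198.51.100.7", "192.88.99.1",
     build_ipv6("2002:c633:6407::1", "2001:db8::1")),
    ("6to4 inner/outer mismatch", IPPROTO_IPV6, "198.51.100.7", "192.88.99.1",
     build_ipv6("2002:a00:1::1", "2001:db8::1")),
    ("DNS query on udp/3544", IPPROTO_UDP, "198.51.100.7", "192.0.2.53",
     b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 10),
]


def run_samples():
    return [(name, classify_packet(p, s, d, pl)) for name, p, s, d, pl in SAMPLES]


if __name__ == "__main__":
    for name, label in run_samples():
        print(f"{name:32} -> {label}")
```

Two things to keep in mind when turning this into a Bro analyzer or DPD signature: the port-3544 restriction Gregor mentions is deliberately left out here, so the same code can run over all UDP if the cost is acceptable; and an "address-mismatch" verdict is a prompt to look, not proof of anything, since a Teredo client monitored from inside its NAT will legitimately show its mapped public address in the IPv6 header rather than the RFC 1918 address on the wire.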