[Bro] 6to4 Tunnelling

Will baxterw3232 at gmail.com
Fri May 13 08:26:25 PDT 2011


On Thu, May 12, 2011 at 4:15 PM, Gregor Maier <gregor at icir.org> wrote:
> I haven't done it myself but 6to4 and 6-in-4 tunnels are fairly easy to
> detect, since they use a specific IP protocol number (41).
>
> There's no immediate way for Teredo and other UDP encapsulated traffic
> though (other than checking which hosts have traffic on port 3544 and
> build whitelists/blacklists based on that). However, it should be fairly
> easy to write an analyzer that parses UDP packets and checks if it is
> Teredo or some other tunneling technique by checking
>  a) whether there's an IPv6 header in the payload that makes sense
>     (e.g., next header)
>  b) the IPv6 address prefix in the header makes sense (e.g., is
>     2001::/31 for Teredo, etc.)
>  c) (maybe) check that the IPv4 address is encoded in the IPv6 address
>     according to the tunneling scheme.
>
> Such an analyzer should be very lightweight and it doesn't need state.
> It can either be run on only port 3544 traffic or on all UDP traffic. Or, I
> guess one could make DPD signatures for it by looking for the prefix
> (e.g., 2001::/32, ip-version, a next-header value that makes sense)
>
Yes, I think this sounds like the way to do it. I appreciate the feedback.
>
> Actually extracting and parsing the encapsulated v6 traffic is more
> difficult, since the extracted packets would have to be injected back into
> Bro's processing above the analyzer trees.
>
Extracting the encapsulated traffic would be great and probably should
be the end goal, but for now, I would settle for knowing which hosts
are using the protocol and then ensuring they should be, based on policy.

Thanks again for the info!

Will

>
> cu
> Gregor
> --
> Gregor Maier
> <gregor at icir.org>  <gregor at icsi.berkeley.edu>
> Int. Computer Science Institute (ICSI)
> 1947 Center St., Ste. 600
> Berkeley, CA 94704, USA
> http://www.icir.org/gregor/
>
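The three checks Gregor lists (a plausible inner IPv6 header, a tunnel prefix, and the outer IPv4 address encoded in the inner address) as an added, stand-alone Python sketch; this is not code from the thread or from Bro. It treats both the IP-protocol-41 (6to4, 2002::/16) and the UDP (Teredo, 2001::/32) cases, and assumes the caller has already stripped the outer IPv4 and UDP headers; the builder functions exist only to construct sample packets.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
PLAUSIBLE_NEXT_HEADERS = {0, 6, 17, 43, 44, 58, 59, 60}  # ext. headers, TCP, UDP, ICMPv6

def parse_ipv6_header(payload):
    """Return (src, dst, next_header) if payload starts with a plausible IPv6 header, else None."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    payload_len, next_header = struct.unpack("!HB", payload[4:7])
    if next_header not in PLAUSIBLE_NEXT_HEADERS or payload_len + 40 > len(payload):
        return None  # implausible next header, or inner packet claims more bytes than carried
    return ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40]), next_header

def embedded_ipv4(addr6):
    """IPv4 the tunnel address encodes: bits 16-47 for 6to4, bits 96-127 XOR 0xFFFFFFFF for Teredo."""
    addr6 = ipaddress.IPv6Address(addr6)
    raw = addr6.packed
    if addr6 in SIXTO4_PREFIX:
        return ipaddress.IPv4Address(raw[2:6])
    if addr6 in TEREDO_PREFIX:
        return ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return None

def classify_tunnel(outer_src_v4, ip_proto, payload):
    """Classify one outer IPv4 packet as ('6to4'|'teredo', ipv4_consistent), or None if not a tunnel.
    ip_proto is the outer protocol number; payload is what follows the IPv4 (and UDP) header."""
    parsed = parse_ipv6_header(payload)
    if parsed is None:
        return None
    src6 = parsed[0]
    if ip_proto == 41 and src6 in SIXTO4_PREFIX:
        kind = "6to4"
    elif ip_proto == 17 and src6 in TEREDO_PREFIX:
        kind = "teredo"
    else:
        return None
    return kind, embedded_ipv4(src6) == ipaddress.IPv4Address(outer_src_v4)

def build_ipv6(src, dst, next_header, body):
    """Construct a minimal IPv6 packet (constructed sample data, not a capture)."""
    head = struct.pack("!IHBB", 6 << 28, len(body), next_header, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

def teredo_address(server, flags, port, client):
    """Assemble a Teredo address (RFC 4380 layout) from its parts, for building sample packets."""
    tail = struct.pack("!HH", flags, port ^ 0xFFFF) + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed)
    return str(ipaddress.IPv6Address(b"\x20\x01\x00\x00" + ipaddress.IPv4Address(server).packed + tail))
```

The Teredo address embeds the client's NAT-mapped public IPv4, so the consistency flag is only expected to be True when the monitor sees the traffic outside the NAT; inside it, treat a False flag as "Teredo, address not verifiable" rather than as spoofing.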