Bug #4845
Bug #3323 (open): tracking: ipv6 evasions
IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise
Description
cf. paper https://www.scitepress.org/Papers/2019/78401/78401.pdf
cf. S-V test https://github.com/OISF/suricata-verify/pull/172
For parasite6, i.e. the IPv6 version of ARP cache poisoning, we could have an alert if we see 2 packets with icmpv6.type == 136 with the same IP and different MAC addresses (i.e. if we keep a version of the cache).
But then, we would not know which one is right, unless we have some external data...
Should we do something?
Should we do ARP cache poisoning detection first?
Updated by Philippe Antoine almost 3 years ago
- Subject changed from IPv6 evasion : parasite6 to IPv6 evasion : parasite6 + dos new ipv6 + fake mldrouter6 advertise
dos new ipv6 is about spoofing. The way to detect this would be to have a recorded network structure where each host is identified by MAC and IP address.
I do not know what we want to do about this:
- nothing : people can use the logs and do some post-processing to tell the difference between the expected network map and what they see
- be able to load a map of the network so as to alert when there is an unknown/spoofing machine appearing
That comment about dos new ipv6 also goes for fake mldrouter advertise.
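
The two checks discussed in this ticket (a cache of Neighbor Advertisement IP/MAC pairs, and a comparison against a loaded network map), sketched as an added Python example; it is not Suricata code and not part of the original ticket. `NeighborTracker`, `parse_na` and `build_na` are hypothetical names, the packets are constructed samples, and the ICMPv6 layout follows RFC 4861.

```python
import ipaddress
import struct

NA_TYPE = 136          # ICMPv6 Neighbor Advertisement (RFC 4861)
OPT_TARGET_LLADDR = 2  # Target Link-Layer Address option


def parse_na(icmp6: bytes):
    """Return (target_ip, mac or None) for a Neighbor Advertisement, else None."""
    if len(icmp6) < 24 or icmp6[0] != NA_TYPE:
        return None
    target = ipaddress.IPv6Address(icmp6[8:24])
    mac, off = None, 24
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            break  # malformed option: stop instead of looping forever
        if opt_type == OPT_TARGET_LLADDR and opt_len == 8:
            mac = icmp6[off + 2:off + 8].hex(":")
        off += opt_len
    return target, mac


class NeighborTracker:
    def __init__(self, known_map=None):
        self.cache = {}  # target IP -> first MAC seen for it
        # Optional expected network map (assumption: supplied by the operator).
        self.known = {ipaddress.IPv6Address(k): v.lower()
                      for k, v in (known_map or {}).items()}

    def observe(self, eth_src: str, icmp6: bytes):
        parsed = parse_na(icmp6)
        if parsed is None:
            return []
        ip, mac = parsed
        mac = (mac or eth_src).lower()  # fall back to the frame's source MAC
        alerts = []
        if self.known and self.known.get(ip) != mac:
            alerts.append(f"not-in-map {ip} {mac}")
        seen = self.cache.setdefault(ip, mac)
        if seen != mac:  # same IP, different MAC: cannot tell which one is right
            alerts.append(f"mac-conflict {ip} {seen} vs {mac}")
        return alerts


def build_na(target: str, mac: str) -> bytes:
    """Constructed sample NA with a Target Link-Layer Address option (checksum 0)."""
    hdr = struct.pack("!BBHI", NA_TYPE, 0, 0, 0x60000000)  # Solicited + Override flags
    opt = bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return hdr + ipaddress.IPv6Address(target).packed + opt
```

Without a map, only the conflict alert fires, and it reports both MAC addresses because the cache alone cannot say which one is legitimate.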
Updated by Philippe Antoine over 1 year ago
- Assignee set to Community Ticket
- Target version set to TBD