Tim Chown tjc at ecs.soton.ac.uk
Thu Jan 19 11:11:10 CET 2006

On Wed, Jan 18, 2006 at 11:19:02PM -0800, Merike Kaeo wrote:
> I was wondering what folks were doing to detect anomalies or potential
> attacks over v6.  I log access-list exceptions and see that there's a
> few hundred hits on the v6 filters but of course thousands on the v4 
> side.  When scrolling through the log I don't see any of the v6 
> entries.....either because they are buried or because they had already 
> been over-written (I am looking at the router's locally buffered log).
> Soon will look at deploying netflow but was wondering what folks here 
> were doing or known issues that they may want to share.  Thanks!

Our experience, on a site with maybe 1,500 hosts and key services (web,
dns, mx) dual-stacked is that our v6 firewall sees no port scanning but
sweeps on hosts where IPv6 addresses are externally advertised.  So yes,
if you have a v6 address for DNS/MX/etc expect to be probed over v6 for
that host (no big surprise...).  I'll see if I can dig out some relative
volume numbers.

But it's not just about filters; we don't yet have the v6 support that 
we'd like to see in the release version of Snort, so we can pick out 
exploit attempts that are only attempted over IPv6 transport.


More information about the ipv6-ops mailing list