logging
Tim Chown
tjc at ecs.soton.ac.uk
Thu Jan 19 11:11:10 CET 2006
On Wed, Jan 18, 2006 at 11:19:02PM -0800, Merike Kaeo wrote:
> I was wondering what folks were doing to detect anomalies or potential
> attacks over v6. I log access-list exceptions and see that there's a
> few hundred hits on the v6 filters but of course thousands on the v4
> side. When scrolling through the log I don't see any of the v6
> entries... either because they are buried or because they had already
> been over-written (I am looking at the router's locally buffered log).
>
> Soon will look at deploying netflow but was wondering what folks here
> were doing or known issues that they may want to share. Thanks!
Our experience, on a site with maybe 1,500 hosts and key services (web,
dns, mx) dual-stacked, is that our v6 firewall sees no port scanning but
sweeps on hosts where IPv6 addresses are externally advertised. So yes,
if you have a v6 address for DNS/MX/etc expect to be probed over v6 for
that host (no big surprise...). I'll see if I can dig out some relative
volume numbers.
But it's not just about filters; we don't yet have the v6 support that
we'd like to see in the release version of Snort, so we can pick out
exploit attempts that are only attempted over IPv6 transport.
--
Tim/::1
More information about the ipv6-ops mailing list