[SpamCop-List] Re: IPv6?
nobody at spamcop.net
Thu Jul 8 02:01:09 EDT 2004
"Glenn Daniels" <aukword666 at attglobal.net> wrote in
news:cchoa3$vl4$1 at news.spamcop.net:
> I am let us say, reactionary, have not got past Windows 2000
> and would not know what you provided.
Actually, I am still running Win2k (though I should mention my OS of choice
is FreeBSD ;) I learned about this out of curiosity by doing a search.
> If I am understanding the "readme", tcpip6.sys is expected
> to be passing packets. Howsomeever, SpamPop was not
> "seeing" that previously, and it begs the question why
> things are different now... Like, is there a chance that
> the driver "fingerprint" was altered by an unrecognized
> virus? What harm would come of submitting a copy to
> SARC for investigation/ confirmation that it is "clean"?
Well, I don't know, not having submitted anything to them before. However,
after doing another search on "TEREDO", based on what was in the packet, I
came up with this page:
Now, I am not really up on IPv6 or packet analysis, but my uneducated guess
is that what's going on might be similar to what happens in DHCP, inasmuch as
(from the link above):
"On a periodic basis (by default every 30 seconds), Teredo clients send a
single bubble packet to the Teredo server. The Teredo server discards the
bubble packet and no response is sent. The periodic bubble packet refreshes
the IP address/UDP port mapping in the NAT's translation table. Otherwise,
the mapping becomes stale and is removed. If the mapping is not present, all
inbound Teredo traffic (for a cone NAT) or inbound Teredo traffic from the
Teredo server (restricted NAT) to the Teredo host is silently discarded by
IOW, what's happening is your computer is establishing itself to the network
as a matter of knowing where everything is (in contrast to DHCP, where it
works in the opposite direction). Keep in mind this is just a guess, and you
should not use this as a basis for further action or inaction.
> In my experience, my suspicions pay off as often as not
> under investigation. I don't endorse reckless paranoia,
> but it also isn't healthy to not be a little paranoid where
> there are concerns for malicious code: there is an
> awful lot of it "out there", and it seems to me that
> tcpip6.sys could be targeted for "attack".
Well, I think that Paul's initial advice might be best:
"If you're *that* concerned about security that a random packet freaks
you out, it's time for you to upgrade your OS."
Or, if you're truly interested, you can install a *nix OS as or on your
gateway with ipfw (unless you are using a router with stateful packet
filtering), and use snort on another machine (also with *nix) to capture and
log suspicious packets (if you have a router with stateful packet filtering,
you can just snort the router, which should be able to send syslogs to any
machine on the network, in that case the one running snort). It does a much
better job of this sort of analysis than can be done by hand, though it's not
that easy to set up. Once it's set up, you can, however, do much more
intricate analysis than you might be able to do with the method you're using
now, and it will likely help you better discern between true threats and
normal network activity. If you don't have a router and you're that concerned
about security, I recommend setting up an OpenBSD box for the
gateway/firewall, with snort on another machine analyzing packets. OpenBSD is
by far the most secure, freely available OS, and definitely one of the most
secure OSes, period. Malicious hackers will almost never try to hack a
machine they know is running OpenBSD, as they know they almost certainly
can't do it (nothing is a certainty when speaking of security).
More information about the SpamCop-List