[SpamCop.net - protecting the internet through technology]

[SpamCop-List] Re: IPv6?

smogmonster nobody at spamcop.net
Thu Jul 8 02:01:09 EDT 2004


"Glenn Daniels" <aukword666 at attglobal.net> wrote in 
news:cchoa3$vl4$1 at news.spamcop.net:

<snip>

> I am let us say, reactionary, have not got past Windows 2000
> and would not know what you provided.

Actually, I am still running Win2k (though I should mention my OS of choice 
is FreeBSD ;) I learned about this out of curiosity by doing a search.

> If I am understanding the "readme", tcpip6.sys is expected
> to be passing packets. Howsomeever, SpamPop was not
> "seeing" that previously, and it begs the question why
> things are different now... Like, is there a chance that
> the driver "fingerprint" was altered by an unrecognized
> virus? What harm would come of submitting a copy to
> SARC for investigation/ confirmation that it is "clean"?

Well, I don't know, not having submitted anything to them before. However, 
after doing another search on "TEREDO", based on what was in the packet, I 
came up with this page:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx

Now, I am not really up on IPv6 or packet analysis, but my uneducated guess 
is that what's going on might be similar to what happens in DHCP, inasmuch as 
(from the link above):

"On a periodic basis (by default every 30 seconds), Teredo clients send a 
single bubble packet to the Teredo server. The Teredo server discards the 
bubble packet and no response is sent. The periodic bubble packet refreshes 
the IP address/UDP port mapping in the NAT's translation table. Otherwise, 
the mapping becomes stale and is removed. If the mapping is not present, all 
inbound Teredo traffic (for a cone NAT) or inbound Teredo traffic from the 
Teredo server (restricted NAT) to the Teredo host is silently discarded by 
the NAT."

IOW, what's happening is your computer is establishing itself to the network 
as a matter of knowing where everything is (in contrast to DHCP, where it 
works in the opposite direction). Keep in mind this is just a guess, and you 
should not use this as a basis for further action or inaction.

> In my experience, my suspicions pay off as often as not
> under investigation. I don't endorse reckless paranoia,
> but it also isn't healthy to not be a little paranoid where
> there are concerns for malicious code: there is an
> awful lot of it "out there", and it seems to me that
> tcpip6.sys could be targeted for "attack".

Well, I think that Paul's initial advice might be best:

"If you're *that* concerned about security that a random packet freaks
you out, it's time for you to upgrade your OS."

Or, if you're truly interested, you can install a *nix OS as or on your 
gateway with ipfw (unless you are using a router with stateful packet 
filtering), and use snort on another machine (also with *nix) to capture and 
log suspicious packets (if you have a router with stateful packet filtering, 
you can just snort the router, which should be able to send syslogs to any 
machine on the network, in that case the one running snort). It does a much 
better job of this sort of analysis than can be done by hand, though it's not 
that easy to set up. Once it's set up, you can, however, do much more 
intricate analysis than you might be able to do with the method you're using 
now, and it will likely help you better discern between true threats and 
normal network activity. If you don't have a router and you're that concerned 
about security, I recommend setting up an OpenBSD box for the 
gateway/firewall, with snort on another machine analyzing packets. OpenBSD is 
by far the most secure, freely available OS, and definitely one of the most 
secure OSes, period. Malicious hackers will almost never try to hack a 
machine they know is running OpenBSD, as they know they almost certainly 
can't do it (nothing is a certainty when speaking of security).

http://www.snort.org/

http://www.openbsd.org/

- smogmonster
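The two technical points in the message above, that a Teredo client sends a near-empty "bubble" to its server about every 30 seconds to keep the NAT mapping alive, and that capturing and classifying packets beats eyeballing a single one, can be shown in code. The following Python script is an added example, not part of this post, of the SpamCop list, or of Microsoft's Teredo implementation. It assumes the Teredo wire format later written down in RFC 4380 (UDP to server port 3544, a bubble being a bare IPv6 header with payload length 0 and next header 59), builds a handful of constructed sample packets, and checks whether the bubbles to a given server arrive at the expected cadence; the addresses, the 3-second jitter tolerance and the sample packets are all made up for the example.

```python
import struct
import ipaddress
from collections import defaultdict
from statistics import mean

TEREDO_UDP_PORT = 3544        # UDP port Teredo servers listen on (RFC 4380)
IPV6_NO_NEXT_HEADER = 59      # IPv6 "no next header": a bubble carries no payload
BUBBLE_INTERVAL = 30.0        # default refresh interval quoted in the post
TOLERANCE = 3.0               # jitter accepted around that interval (assumption)


def build_bubble(src6, dst6):
    """UDP payload of a Teredo bubble: a bare 40-byte IPv6 header with
    payload length 0 and next header 59. Hop limit 64 is an arbitrary
    choice for this constructed sample."""
    version_tc_flow = 6 << 28
    return struct.pack("!IHBB16s16s", version_tc_flow, 0, IPV6_NO_NEXT_HEADER, 64,
                       ipaddress.IPv6Address(src6).packed,
                       ipaddress.IPv6Address(dst6).packed)


def parse_ipv6_header(payload):
    """Decode the fixed IPv6 header; return None if this is not IPv6."""
    if len(payload) < 40:
        return None
    vtf, plen, nxt, _hlim, src, dst = struct.unpack("!IHBB16s16s", payload[:40])
    if vtf >> 28 != 6:
        return None
    return {"payload_len": plen, "next_header": nxt,
            "src": ipaddress.IPv6Address(src), "dst": ipaddress.IPv6Address(dst)}


def is_teredo_bubble(pkt):
    """A bubble is UDP to 3544 whose payload is exactly one IPv6 header
    announcing no payload and no next header."""
    if pkt["dst_port"] != TEREDO_UDP_PORT:
        return False
    hdr = parse_ipv6_header(pkt["payload"])
    return (hdr is not None and hdr["next_header"] == IPV6_NO_NEXT_HEADER
            and hdr["payload_len"] == 0 and len(pkt["payload"]) == 40)


def summarize(packets):
    """Group bubbles per (src, dst) IPv4 pair and check whether they keep the
    ~30 s cadence a Teredo client uses to refresh its NAT mapping. Anything
    else to port 3544, and any non-Teredo UDP, is counted for separate review."""
    bubbles = defaultdict(list)
    other_teredo = 0
    non_teredo = 0
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if is_teredo_bubble(pkt):
            bubbles[(pkt["src"], pkt["dst"])].append(pkt["ts"])
        elif pkt["dst_port"] == TEREDO_UDP_PORT:
            other_teredo += 1      # Teredo, but not a keepalive: look closer
        else:
            non_teredo += 1
    flows = {}
    for key, times in bubbles.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = bool(gaps) and all(abs(g - BUBBLE_INTERVAL) <= TOLERANCE for g in gaps)
        flows[key] = {"count": len(times), "periodic": periodic,
                      "mean_interval": round(mean(gaps), 1) if gaps else None}
    return {"bubble_flows": flows, "other_teredo": other_teredo, "non_teredo": non_teredo}


# Constructed sample: a NATed client (192.168.1.10) sending bubbles to a Teredo
# server at 203.0.113.5 about every 30 s, one non-bubble packet to the same
# server, and one unrelated UDP packet. Private/documentation ranges only.
CLIENT6 = "2001:0:cb00:7105::1"       # constructed Teredo-style client address
SERVER6 = "2001:0:cb00:7105::2"       # constructed destination for the sample
_bubble = build_bubble(CLIENT6, SERVER6)
_rs = struct.pack("!IHBB16s16s", 6 << 28, 8, 58, 255,   # ICMPv6 (58), 8-byte body
                  ipaddress.IPv6Address(CLIENT6).packed,
                  ipaddress.IPv6Address("ff02::2").packed) + b"\x85\x00\x00\x00\x00\x00\x00\x00"

SAMPLE_PACKETS = [
    {"ts": 0.0,  "src": "192.168.1.10", "dst": "203.0.113.5", "dst_port": 3544, "payload": _bubble},
    {"ts": 30.4, "src": "192.168.1.10", "dst": "203.0.113.5", "dst_port": 3544, "payload": _bubble},
    {"ts": 60.1, "src": "192.168.1.10", "dst": "203.0.113.5", "dst_port": 3544, "payload": _bubble},
    {"ts": 90.2, "src": "192.168.1.10", "dst": "203.0.113.5", "dst_port": 3544, "payload": _bubble},
    {"ts": 12.0, "src": "192.168.1.10", "dst": "203.0.113.5", "dst_port": 3544, "payload": _rs},
    {"ts": 45.0, "src": "192.168.1.10", "dst": "203.0.113.9", "dst_port": 53,   "payload": b"\x12\x34" * 4},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

The flow that comes back as periodic with a mean gap near 30 s is the keepalive behaviour the Microsoft page describes; a host sending to 3544 off that cadence, or with a non-bubble payload, is the kind of thing worth pulling into a full capture rather than judging from one packet.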

