Leaked DNS Query Detection - ISATAP Request (IPv6)

low Nessus Network Monitor Plugin ID 7203

Synopsis

An internal IPv6 routing query has leaked to the public realm via DNS.

Description

ISATAP, or Intra-Site Automatic Tunnel Addressing Protocol is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. Traffic observed from this host indicates it has queried the network for an available ISATAP host to supply the PRL, or potential routers list. Through an error in DNS configuration, the remote host has sent an ISATAP request to the public realm, potentially allowing for a man-in-the-middle (MiTM) attack to take place. A determined attacker who is able to register a gTLD with the same domain name could theoretically serve a malicious PRL in response. This may result in IPv6 traffic from the affected host being redirected through an attacker-controlled gateway, unbeknownst to the user.

Solution

Ensure that any '6in4' or ISATAP traffic cannot pass through the firewall to reach external resources.

See Also

https://technet.microsoft.com/library/security/ms10-029

https://support.microsoft.com/en-us/kb/978338

http://resources.infosecinstitute.com/security-vulnerabilities-ipv6-tunnels

Plugin Details

Severity: Low

ID: 7203

Version: 1.0

Family: Data Leakage

Published: 5/26/2016

Updated: 8/16/2018