Detections
Analytics
Leaked DNS Query Detection - ISATAP Request (IPv6)
low Nessus Network Monitor Plugin ID 7203
Synopsis
An internal IPv6 routing query has leaked to the public realm via DNS.Description
ISATAP, or Intra-Site Automatic Tunnel Addressing Protocol is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. Traffic observed from this host indicates it has queried the network for an available ISATAP host to supply the PRL, or potential routers list. Through an error in DNS configuration, the remote host has sent an ISATAP request to the public realm, potentially allowing for a man-in-the-middle (MiTM) attack to take place. A determined attacker who is able to register a gTLD with the same domain name could theoretically serve a malicious PRL in response. This may result in IPv6 traffic from the affected host being redirected through an attacker-controlled gateway, unbeknownst to the user.Solution
Ensure that any '6in4' or ISATAP traffic cannot pass through the firewall to reach external resources.See Also
https://technet.microsoft.com/library/security/ms10-029
https://support.microsoft.com/en-us/kb/978338
http://resources.infosecinstitute.com/security-vulnerabilities-ipv6-tunnels
Plugin Details
Severity: Low
ID: 7203
Version: 1.0
Family: Data Leakage
Published: 5/26/2016
Updated: 8/16/2018