Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Active and Passive Teredo Detection with Nessus and PVS

Quoting directly from Microsoft's web site about Teredo:

"Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs)."

Tenable Network Security has had active and passive techniques available to detect Teredo servers in both Nessus and the Passive Vulnerability Scanner for some time. Tenable's techniques for detecting Teredo servers are an excellent example of how a blended approach of active and passive network monitoring can be leveraged for realtime enterprise discovery.

This blog entry describes some of the security ramifications of Teredo as well as operational considerations for running these checks.

Security Issues with Teredo

Teredo enables IPv6 devices on your network to communicate directly with the Internet. This may allow for:

  • bypassing outbound/inbound IPv4 network controls such as firewalls and router ACLs.
  • avoid monitoring and/or enforcement of your outbound web proxy
  • avoid monitoring and/or enforcement of your IDS/IPS
  • avoid analysis of your network performance and activity with IPv4 centric solutions

Servers that establish IPv6 connectivity to points outside your local network now also become an attack point. Also, Teredo servers may be targeted directly for attack with yet to be discovered (or published) security vulnerabilities.

Teredo can be limited by blocking UDP traffic at the perimeter of the network.

Teredo Detection with the PVS

Tenable's research group offers two plugins for the Passive Vulnerability Scanner

  • Plugin #3875 Detection of Teredo IPv6 client
  • Plugin #3876 Teredo Server Detection

Analysis of UDP packets is used to identify both Teredo servers and clients that are connecting to it. Since the PVS operate 24x7, it can find all systems that make use of Teredo, even if they are used only occasionally.

Even if you do not have Teredo servers installed, these rules can identify if you have a system scanning for Teredo servers. This could be from a laptop using Teredo in a different environment, or perhaps a worm or malware agent looking for a Teredo server to ex-filtrate data from your IPv6 network.

Teredo Detection with Nessus

Nessus plugin ID #23972 "Teredo Server Detection" sends a router solicitation request on UDP port 3544. If an answer is received, the Teredo router is queried for more information which is displayed in the report.

For More Information

Teredo detection is an excellent example of Tenable's blended form of vulnerability monitoring which combines patch auditing, network scanning and network sniffing. To read more about it this concept, please consider our "Blended Security Assessments" paper available in our Vulnerability Management section of the Tenable Network Security web site.

For specific information about Teredo and IPv6 security, please consider these following links: