
Leaked DNS Query Detection - ISATAP Request (IPv6)

Low

Synopsis

An internal IPv6 routing query has leaked to the public realm via DNS.

Description

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is an IPv6 transition mechanism that carries IPv6 packets between dual-stack nodes over an IPv4 network. Traffic observed from this host indicates that it has queried the network for an available ISATAP host to supply the potential routers list (PRL). Because of an error in DNS configuration, the remote host has sent an ISATAP request to the public realm, potentially allowing a man-in-the-middle (MiTM) attack to take place. A determined attacker who is able to register a gTLD with the same domain name could theoretically serve a malicious PRL in response. This may result in IPv6 traffic from the affected host being redirected through an attacker-controlled gateway without the user's knowledge.
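The check described above can be reproduced on captured DNS traffic. The following is an added example, not the plugin's own logic: it parses a raw DNS query and flags it when the first label is `isatap` (the router-discovery name from RFC 5214) and the destination resolver is outside the internal ranges. `INTERNAL_NETS`, `build_query`, `corp.example` and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumption: resolvers inside these ranges are internal; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_qname(msg: bytes) -> str:
    """Return the QNAME of the first question in a raw DNS message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no DNS question present")
    labels, pos = [], 12          # question section starts after the 12-byte header
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:           # root label terminates the name
            return ".".join(labels)
        if length & 0xC0 or pos + length > len(msg):
            raise ValueError("malformed label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length

def is_leaked_isatap(msg: bytes, dst_ip: str) -> bool:
    """True when an ISATAP router lookup is sent to a non-internal resolver."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in INTERNAL_NETS):
        return False
    try:
        name = parse_qname(msg)
    except ValueError:
        return False              # unparseable traffic is not reported
    is_query = not (msg[2] & 0x80)  # QR bit clear means query, not response
    return is_query and name.lower().split(".")[0] == "isatap"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A-record query (sample input for this example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    # Constructed samples: 198.51.100.53 is a documentation address standing in
    # for an external resolver; corp.example is a placeholder DNS suffix.
    for qname, dst in [("isatap.corp.example", "198.51.100.53"),
                       ("isatap.corp.example", "10.0.0.53"),
                       ("www.corp.example", "198.51.100.53")]:
        print(qname, dst, is_leaked_isatap(build_query(qname), dst))
```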

Solution

Ensure that any '6in4' or ISATAP traffic cannot pass through the firewall to reach external resources.