
Posts by Ryan Giobbi

Managing IPv6 - Part 2

• Blog
Ryan Giobbi

Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings....

Managing IPv6 - Part 1

• Blog
Ryan Giobbi

This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts of your infrastructure (firewall, IDS, etc.) do not yet fully support the IPv6 protocol, consider disabling IPv6 until those components can be upgraded....

Mitigating Slowloris

• Blog
Ryan Giobbi

Slowloris is a denial-of-service (DoS) tool that targets web servers. We have some suggestions about mitigation techniques and workarounds to protect your server. However, use caution if you implement any of these suggestions because they will likely have some unintended side effects....

Bypassing Firewalls with IPv6 Tunnels

• Blog
Ryan Giobbi

Hello, it's Ryan. We've talked about IPv6 in blog entries and vulnerability notes before. But instead of focusing on IPv6 vulnerabilities, this blog entry will show how functional IPv6 tunneling protocols can be used to bypass IPv4-only firewalls and ACLs. If you'd like a demonstration, watch this video that we created....

Filtering ICMPv6 Using Host-Based Firewalls

• Blog
Ryan Giobbi

Hey, it's Ryan. This blog entry contains some quick recommendations about filtering certain ICMPv6 types using two host-based firewalls--Linux ip6tables and Microsoft Vista's advfirewall. If you have suggestions or other ideas, let me know....

Ping Sweeping in IPv6

• Blog
Ryan Giobbi

Hello, it's Ryan. We've noticed a misconception about IPv6 that is popular on the internet: that IPv6 addresses are hard to ping sweep because there are so many possible addresses. Ping sweeping can lead to port scanning, so this misconception is viewed as a security feature. In this post, I'll prove that, while it won't work across the internet, ping sweeping on the local network is easier in IPv6 than in IPv4....

Safely Using Package Managers

• Blog
Ryan Giobbi

Hi, it's Ryan. Package managers partially automate the process of installing and removing software packages. Most package managers use cryptographic signatures to verify the integrity of packages. In the article Attacks on Package Managers, the authors describe how an attacker can abuse package managers that use digital signatures....

Who Has My Cookies?

• Blog
Ryan Giobbi

Hi, Ryan Giobbi from the Vulnerability Analysis team making this post. The CERT/CC has been tracking cross-site scripting vulnerabilities for a long time, and the actual vulnerabilities haven't changed much over the years. However, some technology that was developed to make life easier can actually be exploited to expand the impact of a cross-site scripting attack. Single sign-on is an access-control technology that enables a user to log in once and gain access to multiple systems....
