IPv4-mapped IPv6 Address Used For Obfuscation, (Sat, Dec 9th)

A reader submitted an unusual URL:

Notice the format of the hostname: ::ffff:a.b.c.d

I had to look this up: this is an IPv4-mapped IPv6 address, a format for writing an IPv4 address in IPv6 address notation.

From the Wikipedia article on IPv6 addresses:

::ffff:0:0/96: This prefix is used for IPv6 transition mechanisms and designated as an IPv4-mapped IPv6 address.
With a few exceptions, this address type allows the transparent use of the transport layer protocols over IPv4 through the IPv6 networking application programming interface. In this dual-stack configuration, server applications only need to open a single listening socket to handle connections from clients using IPv6 or IPv4 protocols. IPv6 clients are handled natively by default, and IPv4 clients appear as IPv6 clients at their IPv4-mapped IPv6 address. Transmission is handled similarly; established sockets may be used to transmit IPv4 or IPv6 datagrams, based on the binding to an IPv6 address, or an IPv4-mapped address.

In the submitted URL, this format is most likely used to try to bypass detection: a URL filter, regex or blocklist that only recognizes dotted-quad IPv4 addresses will not match ::ffff:a.b.c.d. Dual-stack software, which supports IPv6 addresses and can communicate over both IPv6 and IPv4, will simply establish an IPv4 connection to a.b.c.d when given such an address. Note that in a URL the IPv6 literal has to be enclosed in square brackets (http://[::ffff:a.b.c.d]/), which is one more thing a naive IPv4 pattern will not expect.

The IPv4 part of the address can also be represented in hexadecimal: ::ffff:aabb:ccdd, where aa.bb.cc.dd are the four octets in hex. For example, ::ffff:c0a8:0101 is the same address as ::ffff:192.168.1.1, so a detection that only looks for the dotted form inside the IPv6 literal can be bypassed as well.
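The following is an added example, not code from the diary, showing how a URL filter that only recognizes dotted-quad IPv4 hosts misses both spellings of an IPv4-mapped address, and how to normalize the host to the IPv4 address a dual-stack client would actually connect to. The sample URLs use constructed RFC 5737 documentation addresses (192.0.2.1), not the reader's submitted URL; the function names are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A naive IPv4 detector of the kind a URL filter or blocklist might use:
# it only recognizes a bare dotted quad as the host.
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample URLs (documentation addresses, not the submitted URL).
SAMPLE_URLS = [
    "http://192.0.2.1/payload.exe",               # plain IPv4 literal
    "http://[::ffff:192.0.2.1]/payload.exe",      # IPv4-mapped, dotted spelling
    "http://[::ffff:c000:201]/payload.exe",       # IPv4-mapped, hex spelling
    "http://[2001:db8::1]/payload.exe",           # native IPv6 literal
    "http://example.com/payload.exe",             # hostname, not an IP literal
]


def naive_ipv4_host(url):
    """Return the host if the naive dotted-quad filter would match it, else None."""
    host = urlsplit(url).hostname or ""
    return host if DOTTED_QUAD.match(host) else None


def unmap_host(url):
    """Return the address a dual-stack client would connect to.

    Returns the embedded IPv4 address for IPv4-mapped IPv6 literals (both the
    ::ffff:a.b.c.d and ::ffff:aabb:ccdd spellings), the IPv4 address for a
    plain dotted quad, the IPv6 address for a native IPv6 literal, and None
    for hostnames that are not IP literals at all.
    """
    host = urlsplit(url).hostname  # urlsplit strips the [] around IPv6 literals
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)  # ::ffff:a.b.c.d -> a.b.c.d
    return str(addr)


def bypasses_naive_filter(url):
    """True when the URL really targets an IPv4 host but the naive filter misses it."""
    effective = unmap_host(url)
    if effective is None:
        return False
    try:
        is_ipv4 = isinstance(ipaddress.ip_address(effective), ipaddress.IPv4Address)
    except ValueError:
        return False
    return is_ipv4 and naive_ipv4_host(url) is None


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} naive={naive_ipv4_host(u)!s:12} effective={unmap_host(u)!s:12} "
              f"bypass={bypasses_naive_filter(u)}")
```

The normalization relies on ipaddress.IPv6Address.ipv4_mapped, which understands both the mixed dotted notation and the pure hexadecimal form, so compare blocklists against unmap_host(url) rather than against the raw hostname string.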


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.