Attack defenders will find it more difficult to track individual malicious hosts, because a single small network prefix can easily generate enough unique addresses to exhaust a system’s memory with its massive address space.

In addition, since quintillions of devices could potentially share a legitimate /64 prefix, one malicious actor could cause massive outages for huge numbers of users if attack blocking is not accurately applied. With IPv4, blocking a single attack source might result in a worst-case scenario of a high-traffic proxy with tens of thousands of users being blocked. Applying the same techniques to blocking a single prefix in IPv6 could potentially deny service to hundreds of millions of legitimate users.

Multiple IPv6 security vulnerabilities have been found in the IPV6 protocol stack. A great risk comes from administrators and users overlooking IPV6 networking that is enabled by default, and as a result, services and protocols may be exposed by IPv6 even when corresponding security measures were put in place for IPV4.

Malicious actors could leverage IPv6 security oversights to bypass firewalls and other security measures. For example, transitional technologies may enable IPv6 traffic to bypass security filtering by using tunneling protocols. It’s important to understand IPv6 security vulnerabilities such as:

• Iptables in Linux doesn’t work on IPv6 unless expressly configured to do so.
• Some older versions of the Windows operating system firewall do not block IPv6 traffic by default;
• Older versions of Snort, a network intrusion detection system for UNIX and Windows, only supported IPv6 if the software was compiled with the –enable-ipv6 flag. This might leave some systems unable to inspect, alert on or drop IPv6 traffic.

The ability to bypass firewalls and other security measures creates the potential for old and well-mitigated threats to resurface with IPv6. Old IPv4 attack vectors may be retooled for use on IPV6 networks, and new attack vectors could be introduced.

What do we know about IPv6 attack vectors?

As part of its research, Akamai’s Prolexic Security Engineering and Research Team (PLXsert) set up laboratory environments internally and on some of the leading cloud providers’ platforms. Some of these platforms deployed IPV6 functionality by default, while others required IPV6 to be explicitly enabled. Abuse was possible using the IPV6 stack and included the following:

Reflection: Researchers replicated standard UDP reflection DDoS attack techniques against CHARGEN and NTP services over IPV6, where the packets would normally be ingress-filtered on their way to the reflectors by iptables. The lack of IPV6 support in the filtering layer allowed access to the services.

Spoofing: IPv6 enables a huge spoofable and hijackable address space. For example, a botnet of home computers vulnerable to IPV6 spoofing could generate massive amounts of unique-looking host addresses, far beyond what is possible using IPV4. These same devices could be assigned globally identifiable addresses that could, in effect, bypass Network Address Translation (NAT). A compromised machine could be leveraged as a malicious server with large numbers of unique addresses.

Local link attacks: Tests on popular cloud provider networks revealed that one provider did not have Rogue Router Advertisement (RRA) protections in place. Researchers were able to craft RRA packets in Scapy and flood the testing machines over unicast with malformed routing information. These requests directed the targeted machine to use the attacking server as its first hop in the default route, which caused the targeted machine to stop communicating over its global link interface, effectively creating a denial of service situation for its end users. The technique was effective in networks where local-link addresses were shared with neighbors, and protections against RRA were not in place. Such a technique could also be used for a man-in-the-middle (MitM) attack.

Dual stacks & IPv6 address space: There is a misconception that it is impossible to scan a large IPv6 address space. However, utilizing IPv4 protocols such as Address Resolution Protocol (ARP) on dual-stack systems, researchers were able to discover neighboring server media access control (MAC) addresses for the associated IPv4/24 on various cloud platforms. With this information, researchers could reliably convert neighboring MAC addresses into IPv6 local-link and, in some cases, global link addresses. The networks routed local-link traffic to services, which could be leveraged to bypass firewall and intrusion detection system (IDS) and intrusion prevention system (IPS) measures against the host.

There are potential risks that end users and corporations face when deploying IPV6 technology without proper training or security considerations. IPV6 DDoS attacks are not yet a common occurrence, but there are indications that malicious actors are already testing and researching IPV6 DDoS attack methods. These attacks may prove to be effective in combination with transition technologies and dual stack architectures.

The impending addition of billions of Internet-enabled devices will lead IPV6 to be the principal addressing protocol on the Internet in the future. It is imperative for the security community to be ready to address newly discovered security challenges associated with IPV6.

The State of the Internet site provides IPv6 resources to help organizations understand, implement and defend IPv6:

• IPv6 adoption visualization;
• Quarterly State of the Internet Reports, including global IPv6 adoption;
• Quarterly State of the Internet – Security Reports, including IPv6 security;
• State of the Internet Blog: IPv6 trends;
• Best practices for IPV6 on Akamai.com.