Over the last few years, networks have begun the shift from the five-decade-old IPv4 architecture to the newer IPv6 system. While the number of addresses available to IPv4 was massive at the time, the new system will provide so many addresses that it’s possible to assign a unique address to every atom on the planet. But that shift has resulted in another change. Threat actors now have new ways to potentially attack systems. Wesley George, Principal Engineer at Neustar, and I discussed what this means for today’s network managers.
IPv6 attacks aren’t new – George said he saw reports of one several years ago although the details of that event are scarce – but they are escalating. Last month Neustar’s UltraDNS dealt with its first live, IPv6 attack. This was a DNS dictionary attack originating from an IPv6 host and directed towards their IPv6 server. Neustar said this was the first true native IPv6 attack and there’s mounting evidence to suggest what was originally a theoretical possibility is now a real issue.
“We have been saying that IPv6 attacks are coming. The way most IPv6 implementations are done, there is a set of best practices that software developers use when they use network services”.
That best practice, said George, means developers access network services in a protocol-agnostic way. That helps make the transition for applications easier when the network moves from IPv4 to IPv6. But malware developers are doing the same thing.
“Most of the time, IPv6 is not this unique attack form,” said George. “What we see are attacks that are not specific to the IP version”.
However, the recent attack detected by Neustar was different. While the types of attacks, such as DNS reflection attacks, aren’t new, the targeting is changing.
George said some early IPv6 implementations were more vulnerable to certain threat vectors because of scale. While companies were in the early stages of IPv6 deployment, they would only deploy the protocol on limited segments of their LANs. As a result, there was limited network capacity and this created a point of weakness that was susceptible to a DDoS attack.
The attraction of IPv6 for attackers is defenders’ lack of awareness and skills, said George.
“A lot of people don’t know it’s there or realise it’s even turned on or have it in their threat profile. They don’t have the same level of protections in place or, if they have a set of plans or run-books for attacks, they don’t have a plan for IPv6,” said George.
Often, this is the result of a focus on deployment leading to a lower prioritisation of security. This is simply because the perceived threat of IPv6-specific attacks is still low.
“They’re deploying it but not focusing on the security side of things. People are working on the assumption that it’s not much of an attack vector”.
George added, “There are some things, like ND cache attacks which, given the sheer number of addresses in an IPv6 prefix, in poorly designed IPv6 networks mean trying to talk to all the addresses in that range, even if there’s nothing responding. This can result in a device filling up its memory with a bunch of what are effectively the equivalent of ARP entries”.
That can result in a device crashing or the blocking of legitimate traffic.
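The neighbour-cache exhaustion George describes leaves a visible trace on the router: a sweep of a large prefix fills the table with neighbour entries that never resolve. The following is an added illustration, not code from the article or from Neustar, of a defender-side check that parses `ip -6 neigh show` output and flags an interface whose unresolved share is high, along with the /64 most of those entries fall into. The sample table, the thresholds and the field layout are constructed for the example.

```python
"""Detect neighbour-discovery (ND) cache pressure from `ip -6 neigh show` output.

Hypothetical defender-side check (not from the article): when a remote host sweeps
a large IPv6 prefix, the router creates an INCOMPLETE or FAILED neighbour entry for
every probed address that does not answer. Counting unresolved entries per
interface and per /64 gives an early warning before the table is full.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# States meaning "we sent neighbour solicitations and got no answer".
UNRESOLVED = {"INCOMPLETE", "FAILED"}

# One line of `ip -6 neigh show`, e.g.
#   2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
#   2001:db8:1::9f3c dev eth0  FAILED
LINE_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]+))?"
    r"(?:\s+router)?\s+(?P<state>[A-Z]+)\s*$"
)


def parse_neigh(text):
    """Yield (address, interface, state) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield ipaddress.IPv6Address(m["addr"]), m["dev"], m["state"]


def nd_cache_report(text, unresolved_ratio=0.5, min_entries=4):
    """Per-interface stats; 'suspicious' is set when the unresolved share is high.

    unresolved_ratio and min_entries are constructed thresholds, tune to the network.
    """
    per_dev = defaultdict(Counter)
    prefixes = defaultdict(Counter)  # dev -> /64 -> unresolved count
    for addr, dev, state in parse_neigh(text):
        per_dev[dev]["total"] += 1
        if state in UNRESOLVED:
            per_dev[dev]["unresolved"] += 1
            net = ipaddress.IPv6Network((addr, 64), strict=False)
            prefixes[dev][str(net)] += 1
    report = {}
    for dev, c in per_dev.items():
        ratio = c["unresolved"] / c["total"]
        suspicious = c["total"] >= min_entries and ratio >= unresolved_ratio
        top_prefix = prefixes[dev].most_common(1)[0][0] if prefixes[dev] else None
        report[dev] = {
            "total": c["total"],
            "unresolved": c["unresolved"],
            "ratio": round(ratio, 2),
            "suspicious": suspicious,
            "top_prefix": top_prefix,  # the /64 being swept, if any
        }
    return report


# Constructed sample: eth0 is healthy, eth1 is being swept across 2001:db8:2::/64.
SAMPLE = """\
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::11 dev eth0 lladdr 00:11:22:33:44:66 STALE
fe80::1 dev eth0 lladdr 00:11:22:33:44:77 router REACHABLE
2001:db8:2::1 dev eth1 lladdr 00:aa:bb:cc:dd:01 REACHABLE
2001:db8:2::4f1a dev eth1  INCOMPLETE
2001:db8:2::4f1b dev eth1  FAILED
2001:db8:2::4f1c dev eth1  FAILED
2001:db8:2::4f1d dev eth1  INCOMPLETE
2001:db8:2::4f1e dev eth1  FAILED
"""

if __name__ == "__main__":
    for dev, stats in nd_cache_report(SAMPLE).items():
        print(dev, stats)
```

On Linux the table size is bounded by the `net.ipv6.neigh.default.gc_thresh1`, `gc_thresh2` and `gc_thresh3` sysctls, so a report like the one above is the cue to check those limits and to apply the usual design mitigations from RFC 6583: /127 prefixes on point-to-point links, and not routing parts of a prefix that have no hosts behind them.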
The other thing that is IPv6 specific is that as the IoT becomes more of a reality, the sheer number of devices in deployment means the only way for them to exist on a network is to use IPv6. Those devices could potentially be exploited as they might be more directly reachable. In the past, with IPv4, devices used NAT (Network Address Translation) to receive an address. But with IPv6, those devices might become directly accessible.
At the moment, most threat actors aren’t specifically targeting IPv6 as it hasn’t been universally deployed. In particular, George says many gaming networks are still on IPv4 although some major content providers, such as Netflix, LinkedIn, Facebook and others, are using IPv6. And with many others running a ‘dual-stack’ system with both IPv4 and IPv6, a host reachable over either protocol represents a viable target.
That means businesses need to ensure they have processes in place to detect errant traffic flowing across IPv6, an understanding that there may be new threat vectors to consider, and plans in place to deal with new attacks.
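One concrete form of the process called for here is an audit of flow records that treats both address families uniformly and reports what an IPv4-only policy silently misses. The script below is an added example, not code from the article or from Neustar; the flow-record layout, the port allow-list and the inventory of hosts believed to be IPv6-enabled are all constructed for the illustration, and addresses come from documentation ranges.

```python
"""Audit dual-stack flow records for IPv6 traffic that IPv4-only controls miss.

Hypothetical defender-side check, not from the article. It assumes flow records
are key=value lines (constructed format) and that the inbound ACL was written in
IPv4 terms only, so traffic arriving over IPv6 is not subject to it.
"""
import ipaddress

# Destination ports the IPv4 firewall policy permits inbound (constructed policy).
ALLOWED_PORTS = {53, 443}

# Hosts the team believes are IPv6-enabled (constructed inventory). A host that
# receives IPv6 traffic but is absent here has IPv6 "turned on" without anyone
# having planned for it.
KNOWN_V6_HOSTS = {ipaddress.ip_address("2001:db8:10::53")}


def parse_flow(line):
    """Parse 'k=v k=v ...' into a dict; addresses are typed, so v4 and v6 parse alike."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    fields["dport"] = int(fields["dport"])
    return fields


def audit_flows(lines, allowed_ports=ALLOWED_PORTS, known_v6=KNOWN_V6_HOSTS):
    """Return per-family flow counts plus findings for IPv6 flows that need attention.

    Findings are (kind, destination, port) tuples:
      unknown-ipv6-host        IPv6 traffic reached a host not in the IPv6 inventory
      port-outside-ipv4-policy the port would have been blocked had the flow been IPv4
    """
    counts = {4: 0, 6: 0}
    findings = []
    for line in lines:
        f = parse_flow(line)
        ver = f["dst"].version
        counts[ver] += 1
        if ver != 6:
            continue  # IPv4 flows are already covered by the existing policy
        if f["dst"] not in known_v6:
            findings.append(("unknown-ipv6-host", str(f["dst"]), f["dport"]))
        if f["dport"] not in allowed_ports:
            findings.append(("port-outside-ipv4-policy", str(f["dst"]), f["dport"]))
    return {"ipv4_flows": counts[4], "ipv6_flows": counts[6], "findings": findings}


# Constructed flow records: a dual-stack DNS host plus one host nobody listed as IPv6-enabled.
SAMPLE_FLOWS = [
    "ts=2024-05-01T10:00:00Z src=203.0.113.5 dst=192.0.2.10 dport=53 proto=udp",
    "ts=2024-05-01T10:00:01Z src=2001:db8:beef::7 dst=2001:db8:10::53 dport=53 proto=udp",
    "ts=2024-05-01T10:00:02Z src=2001:db8:beef::7 dst=2001:db8:10::22 dport=22 proto=tcp",
    "ts=2024-05-01T10:00:03Z src=198.51.100.9 dst=192.0.2.10 dport=443 proto=tcp",
    "ts=2024-05-01T10:00:04Z src=2001:db8:beef::8 dst=2001:db8:10::53 dport=8080 proto=tcp",
]

if __name__ == "__main__":
    result = audit_flows(SAMPLE_FLOWS)
    print(f"IPv4 flows: {result['ipv4_flows']}, IPv6 flows: {result['ipv6_flows']}")
    for kind, dst, port in result["findings"]:
        print(f"{kind:26} {dst:20} port {port}")
```

The same pattern generalises to any flow or firewall log source: parse every address with `ipaddress.ip_address` so IPv4 and IPv6 records go through one code path, then compare the IPv6 side against the inventory and the policy that were written with only IPv4 in mind. Anything that surfaces there is a candidate for the IPv6 run-book the article says most teams do not yet have.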