How to prepare for potential IPv6 DDoS attacks
Enterprises need to prepare for DDoS attacks carried over IPv6. Michael Cobb explains why such attacks are inevitable and what users can do about them.
It's taking far longer than many expected, but IPv4 address exhaustion makes the transition to IPv6 unavoidable. The arrival of the internet of things (IoT) is beginning to speed up the process, with figures from Google pointing to adoption rates doubling every nine months.
However, the growing use of IPv6 brings with it security risks and DNS challenges. While its vast address space will enable every device in the world to have its own unique internet protocol (IP) address, it also opens up the prospect of new and more powerful distributed denial of service (DDoS) attacks. At the moment, IPv6 DDoS attacks are neither as prevalent nor as big as those happening over IPv4, but they are occurring with increasing frequency and sophistication. Many IPv4 DDoS attacks can be replicated using IPv6 protocols, and hackers are already testing new methods for IPv6 DDoS attacks.
Although only around 25% of websites completely support IPv6 today, most enterprises support it somewhere in their networks, whether their administrators are aware of it or not. This creates an immediate problem, as many on-premises DDoS mitigation tools aren't yet fully IPv6-aware, just as countless network security devices haven't been configured to apply the same set of rules to IPv6 traffic as to IPv4 traffic. Even large vendors offering VPN-based services have recently been found to protect only IPv4 traffic, even though their services carry IPv6 traffic as well.
Network administrators should audit their systems, review how IoT devices handle IPv6 traffic, and run a sense check to ensure that no configuration settings could lead to exploitable vulnerabilities and that security tools have feature and hardware parity for IPv4 and IPv6.
Why hackers launch IPv6 DDoS attacks
For hackers developing DDoS attack tools, IPv6 not only introduces an additional attack vector but also greater attack volume. IPv4 provides approximately 4.3 billion unique 32-bit addresses, while IPv6 uses 128-bit addresses and gives attackers over 340 undecillion addresses to play with.
In terms of tracking and blocking, this makes a strict per-IP blacklist much harder to scale, since the number of addresses is vastly larger. Blacklist operators such as Spamhaus are aware that spammers, for example, could easily launch a spread-spectrum spamming campaign using a different IP address for every message, and they are trying to find a practical solution. The same tactic can be used in IPv6 DDoS attacks to make filtering malicious traffic increasingly difficult. Implementing packet filter rules in IPv6 firewalls is already hard enough, as a packet can carry a chain of several different header types that the filter must parse before it reaches the transport layer.
On the plus side, IPv6 will provide the ability to build considerably more accurate whitelists, since it reduces the need for network address translation and provides addresses that are routable all the way to the end device.
Another area that hackers can exploit in an enterprise IPv6 network is the sparsely populated address space. For example, one IPv6 DDoS attack technique involves sending traffic addressed to random addresses within a network prefix in the expectation that most of those addresses don't actually exist. This causes a storm of address-resolution traffic on the local network and ties up the router, which has to send out a request asking for the Layer 2 address of every non-existent destination. On an IPv6 network the number of available addresses is dramatically higher, so the amplification of the attack is greatly increased and the chance of a host actually existing at an address used in the attack is almost zero. To tackle this particular problem, administrators need to configure routers with a black-hole route covering the addresses not actively in use on the network, together with more specific routes for each real endpoint. Because longest-prefix matching prefers the specific routes, traffic addressed to a real endpoint is forwarded to its destination, while traffic addressed to any other address in the prefix is dropped by the black hole.
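As an added illustration (not code from the article), the following Python script simulates longest-prefix-match lookups over two constructed route tables for a hypothetical 2001:db8:1::/64 LAN, one with the black-hole mitigation described above and one with only a plain connected route, and counts how many attack destinations would reach the LAN and trigger a Layer 2 address lookup. Interface and host addresses are assumptions.

```python
import ipaddress

# Constructed sample tables for a hypothetical 2001:db8:1::/64 LAN with two
# real hosts (::10 and ::20). Only the first table applies the mitigation.
BLACKHOLE_ROUTES = [
    ("2001:db8:1::/64", "blackhole"),            # covers every unused address
    ("2001:db8:1::10/128", "forward via eth1"),  # specific route per real host
    ("2001:db8:1::20/128", "forward via eth1"),
    ("::/0", "forward via upstream"),
]
CONNECTED_ROUTES = [
    ("2001:db8:1::/64", "forward via eth1"),     # plain connected route, no black hole
    ("::/0", "forward via upstream"),
]


def build_table(routes):
    """Parse prefixes and order most-specific first so the first hit is the LPM."""
    table = [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if nothing covers it."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return next_hop
    return None


def count_solicitations(table, destinations):
    """How many destinations reach the LAN and so trigger a Layer 2 lookup."""
    return sum(1 for d in destinations if lookup(table, d) == "forward via eth1")


if __name__ == "__main__":
    # Constructed attack sample: the two real hosts plus random addresses in the /64.
    sample = ["2001:db8:1::10", "2001:db8:1::20",
              "2001:db8:1::dead:beef", "2001:db8:1::9", "2001:db8:1::ffff:1"]
    for name, routes in (("blackhole", BLACKHOLE_ROUTES), ("connected", CONNECTED_ROUTES)):
        table = build_table(routes)
        for dst in sample:
            print(f"[{name}] {dst:24} -> {lookup(table, dst)}")
        print(f"[{name}] Layer 2 lookups triggered: {count_solicitations(table, sample)}")
```

With the black hole in place only the two real hosts trigger lookups; with the plain connected route every random address does.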
IPv6 attacks inevitable: Get prepared
As IPv6 comes to represent an increasingly large part of an enterprise's network, its exposure to all forms of IPv6 DDoS attacks will increase. Administrators need to familiarize themselves now with the Secure Neighbor Discovery (SEND) protocol, which can counter some potential IPv6 DDoS attack techniques: an IPv6 node uses the Neighbor Discovery (ND) protocol to discover other nodes on the link, but plain ND is susceptible to malicious interference.
Many tools can be used to monitor network settings. For example, NDPWatch keeps a database of Ethernet-to-IPv6 address pairings and reports any abnormal changes to those pairings via email. The Neighbor Discovery Protocol Monitor (NDPMon) watches the local network and reports suspicious anomalies in the behaviour of nodes sending ND messages, while the THC IPv6 Attack Toolkit can be used to gain a better understanding of how a network handles potentially malicious IPv6 traffic.
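The pairing check that NDPWatch performs can be sketched in a few lines. The following is an added example, not NDPWatch's own code, that compares two constructed neighbor-table snapshots written in the format of Linux `ip -6 neigh show` output and reports new addresses and addresses whose link-layer address has changed since the baseline.

```python
import re

# Constructed snapshots modelled on `ip -6 neigh show` lines. The second one
# shows the router (::1) suddenly answering from a different MAC, plus a new host.
BASELINE = """\
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1::1 dev eth0 lladdr 00:aa:bb:cc:dd:01 router REACHABLE
2001:db8:1::99 dev eth0 FAILED
"""
SNAPSHOT_NOW = """\
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1::1 dev eth0 lladdr 66:77:88:99:aa:bb router REACHABLE
2001:db8:1::42 dev eth0 lladdr 66:77:88:99:aa:bb REACHABLE
"""

# Only entries that carry a link-layer address are pairings worth tracking;
# FAILED/INCOMPLETE entries have none and are skipped.
NEIGH_RE = re.compile(r"^(?P<ip>[0-9a-fA-F:]+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})")


def parse_neigh(text):
    """Return {ipv6_address: mac} for every line that carries an lladdr."""
    pairs = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs[m.group("ip").lower()] = m.group("mac").lower()
    return pairs


def diff_pairings(baseline, current):
    """Report addresses that are new or whose MAC differs from the baseline."""
    alerts = []
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old is None:
            alerts.append(f"NEW {ip} -> {mac}")
        elif old != mac:
            alerts.append(f"CHANGED {ip}: {old} -> {mac}")
    return alerts


if __name__ == "__main__":
    for alert in diff_pairings(parse_neigh(BASELINE), parse_neigh(SNAPSHOT_NOW)):
        print(alert)
```

A changed MAC for the on-link router address is the classic sign of ND spoofing and is the kind of event such a monitor should escalate rather than silently accept.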
IPv6 has been a long time coming, but adoption is speeding up and will hit a tipping point in the not-too-distant future. Now is the time to prepare network defenses to handle IPv6-based DDoS attacks.