Planning for an IPv6 attack: DDoS, neighbor discovery threats and more

An IPv6 DDoS attacks are imminent, and your network security tools may not be configured for it. Expert Michael Cobb explains how enterprises can prepare its defenses.

It's taking far longer than many expected, but IPv4 address exhaustion makes the transition to IPv6 unavoidable. The arrival of the internet of things is beginning to speed up the process; figures from Google point to adoption rates are doubling every nine months.

However, the growing use of IPv6 brings with it security risks and challenges. While its vast address space will enable every device in the world to have its own unique IP address, it also opens up the prospect of new and more powerful distributed denial of service (DDoS) attacks. At the moment, IPv6 DDoS attacks are neither as prevalent nor as big as those happening over IPv4, but they are occurring with increasing frequency and sophistication. Many IPv4 DDoS attacks can be replicated using IPv6 protocols, and hackers are already testing new IPv6 attack methods.

Although only around 25% of websites completely support IPv6 today, most enterprises support it somewhere in their networks -- whether their administrators are aware of it or not. This creates an immediate problem, as many on-premises DDoS mitigation tools aren't yet fully IPv6-aware, just as countless network security devices haven't been configured to apply the same set of rules to IPv6 traffic as to IPv4 traffic. Even large vendors who offer VPN-based services have recently been found to only protect IPv4 traffic even though they handle IPv6 traffic.

Network administrators should audit their systems and review how devices handle IPv6 traffic. They should run a sense-check to ensure that there are no configuration settings that could lead to exploitable vulnerabilities and that tools have feature and hardware parity in both IPv4 and IPv6.

What IPv6 offers hackers

For hackers developing DDoS attack tools, IPv6 not only introduces an additional attack vector but greater attack volume. IPv4 provides approximately 4.3 billion unique 32-bit IP addresses. IPv6 uses 128-bit addresses and gives attackers over 340 undecillion addresses to play with.

In terms of tracking and blocking, this makes a strict blacklist on a per-IP basis much harder to scale, since the number of addresses is infinitely larger. Blacklist operators like Spamhaus are aware that spammers, for example, could easily launch a spread-spectrum spamming campaign using a different IP address for every message and are trying to find a practical solution. The same tactic can be used in DDoS attacks to make filtering malicious traffic a lot harder. Implementing packet filter rules in IPv6 firewalls is already hard enough, as packets can contain several types of headers.

On the plus side, IPv6 will provide the ability to build considerably more accurate whitelists, since it reduces the need for network address translation and provides addresses that are routable all the way to the end device.

Another area that hackers can exploit in an enterprise IPv6 network is the relatively sparse address space. For example, one DDoS attack technique involves sending traffic addressed to random addresses in a network, hoping that many of those addresses don't actually exist. This causes a broadcast storm on the physical network, which ties up the router that has to send out requests asking for the Layer 2 address that handles the non-existent destination IP address. The number of available addresses on an IPv6 network is dramatically higher, so the amplification of the attack is greatly increased and the chances of a host actually existing at the address that is being used in the attack is almost zero. To tackle this particular type of IPv6 attack, administrators need to configure routers with a black-hole route for addresses not actively being used on the network, while using longest prefix-match specific routes for each real endpoint. This ensures traffic addressed to a real endpoint will be forwarded to its destination and traffic addressed to other addresses will be dropped by the black hole routers.

IPv6 attacks inevitable: Get prepared

As IPv6 comes to represent an increasingly larger part of an enterprise's network, its exposure to all forms of IPv6-based attacks will increase. Administrators need to familiarize themselves now with the secure neighbor discovery (SEND) protocol, which can counter some potential IPv6 attack techniques; IPv6 nodes use the neighbor discovery protocol, which is susceptible to malicious interference, to discover other network nodes.

Tools like NDPWatch, which keeps a database of Ethernet versus IPv6 address pairings and reports any abnormal changes to those pairings via email, can be used to monitor network settings. The Neighbor Discovery Protocol Monitor monitors the local network and reports any suspicious anomalies in the function of nodes using ND messages, while the THC IPv6 Attack Toolkit can be used to get a better understanding of how a network handles potential malicious IPv6 traffic.

IPv6 has been a long time coming, but adoption is speeding up and will hit a tipping point in the not-too-distant future. Now is the time to prepare network defenses to handle IPv6 DDoS attacks.

Next Steps

Examine IPv6 vulnerabilities and risks before deployment

Find out expert John Curran's arguments in favor of IPv6 support

Read about IoT's driving effect on the need for IPv6 deployment

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing