Article written by Neustar SiteProtect principal engineer Wesley George
As IPv6 began development in the mid-2000’s, the thought of cyberattacks on this protocol was a distant threat that sat in the theoretical basket. According to a recent Google report, 14% of Australians now access their online content through IPv6, while worldwide this rate is even higher at 22%.
As the report shows, a lot has changed in the last few years. As networks have begun to migrate from the old IPv4 architecture to the newer IPv6 system, this theoretical possibility has emerged as a more credible and realistic threat. In February this year, Neustar detected a live native IPv6 attack on its UltraDNS network, taking this threat from a theoretical possibility to a tangible real-world issue that today’s network managers need to address seriously.
While this isn’t the first IPv6 attack, the evidence suggests that they are escalating. Previously, the majority of attacks had not targeted a particular IP version, instead aiming to disrupt anything insecure they could find. This particular attack was notable because, in addition to IPv4 sources and destinations, additional attack traffic originated from many IPv6 hosts targeting IPv6 servers. While the type of attack used was by no means new, the targeting of these attacks is beginning to evolve to include IPv6.
In order to ease IPv6 deployment, there is a well-documented set of best practices for making applications IPv6-capable. The idea is that when presented with a network that is IPv6-capable, applications will take advantage of it transparently to the end user. Malware developers can follow these same best practices, so that as IPv6 is deployed in more and more networks, they can both generate attacks from IPv6 hosts and attack IPv6 content and services with little additional effort.
In addition to this, there is a lack of awareness and skills around IPv6 attacks and how to mitigate them. Many people are unaware that IPv6 is enabled on their network and services, or that it is available on many residential and mobile networks that their remote employees might use.
As a result, IPv6 is not in their threat profiles, and they have neither the same levels of protection in place nor a plan for how to address an IPv6 attack. This oversight is usually due to the perception that deployment needs the most attention, leaving security as a lower priority, particularly as the perceived threat of IPv6 attacks is still quite low.
Another issue contributing to the acceleration of attacks on IPv6 networks is the rapid growth of the Internet of Things (IoT). Due to the sheer number of new devices being deployed, the only way for them to exist and function is to deploy them using the IPv6 protocol. Unlike IPv4 devices, which typically relied on network address translation (NAT) to receive an address, IPv6 devices are reachable without a NAT and can, therefore, be easier to target and access directly.
This raises the question: ‘How do we best protect our networks against these protocol-specific attacks?’
While it appears that for the moment most cyber criminals are not directly targeting IPv6, largely because it has not yet been universally deployed, the recent attack shows that it is only a matter of time before this becomes commonplace. This means that businesses and their network managers need to start implementing processes that can detect wayward IPv6 traffic flows across their networks.
They also need to develop a stronger and more thorough understanding of emerging threat vectors, in order to develop and implement new security plans that can detect, mitigate the risk of, and deal with these IPv6-specific attacks when they do arise.
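As an added illustration of the kind of visibility the article calls for (example code written for this page, not Neustar's tooling), the script below tallies constructed DNS-query flow records by source address family and by target, so that IPv6 sources hitting IPv6 servers show up in a threat profile instead of being lumped in with "the rest". It treats IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, as logged by dual-stack listeners) as IPv4 clients, so a dual-stack socket does not inflate the IPv6 count; the log format and addresses are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow records (not from the article): "<src> -> <dst> <queries>"
SAMPLE_LOG = """\
203.0.113.10 -> 198.51.100.5 120
2001:db8:1::10 -> 2001:db8:ffff::53 340
2001:db8:2::7 -> 2001:db8:ffff::53 310
::ffff:203.0.113.11 -> 2001:db8:ffff::53 90
203.0.113.12 -> 198.51.100.5 75
2001:db8:3::9 -> 2001:db8:ffff::53 280
"""

def classify(addr_text):
    """Return 'v4' or 'v6' for a source address.
    An IPv4-mapped IPv6 address (::ffff:a.b.c.d), which a dual-stack
    listener logs for IPv4 clients, is an IPv4 source, not an IPv6 one."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return "v4"
    return "v4" if addr.version == 4 else "v6"

def summarize(log_text):
    """Aggregate query counts per source family, per destination, and list
    the busiest IPv6 sources so they can be compared against a baseline."""
    per_family = Counter()
    per_dst = defaultdict(Counter)
    src_by_family = defaultdict(Counter)
    for line in log_text.splitlines():
        src, _, dst, count = line.split()
        fam = classify(src)
        n = int(count)
        per_family[fam] += n
        per_dst[dst][fam] += n
        src_by_family[fam][src] += n
    total = sum(per_family.values())
    return {
        "v6_share": per_family["v6"] / total if total else 0.0,
        "per_family": dict(per_family),
        "per_dst": {d: dict(c) for d, c in per_dst.items()},
        "top_v6_sources": src_by_family["v6"].most_common(3),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"IPv6 share of queries: {s['v6_share']:.0%}")
    for dst, fams in s["per_dst"].items():
        print(dst, fams)
    print("busiest IPv6 sources:", s["top_v6_sources"])
```

Run against real flow or query logs, the IPv6 share and per-destination split give a baseline that an IPv6-specific surge can be alerted on.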