Could IPv6 Result in More DDoS Attacks?

With the growing popularity of IPv6 (Internet Protocol Version 6), so the possibility of this protocol providing a gateway for Distributed Denial of Service (DDoS) attacks has also increased. Developed by the Internet Engineering Task Force (IETF) to replace the forthcoming exhaustion of IPv4, IPv6 became a Draft Standard in December 1998, and was defined as an Internet Standard in July 2017.

DDoS attacks have largely been focused on the mainstream IPv4 Internet, but as that network is superseded by the 128-bit address format IPv6, enabling approximately
3.4 x 1038 addresses, or 7.9 x 1028 more than IPv4, then the attack surface has expanded dramatically. With the increasing adoption of IPv6 as an Internet protocol, so it will become an increasingly viable attack target.

The first recorded incidence of a significant IPv6 DDoS attack was recorded in March 2018 where a DNS dictionary attack originated from over 1,900 native IPv6 hosts. The attack occurred on more than 650 networks and targeted the DNS service Neustar.

Devices that employ the IPv6 protocol, which is also known as the Internet Protocol next generation (IPng), can send and receive data packets over a network, in the same way that the IPv4 protocol has made possible since 1983. Currently, IPv4 still transports the bulk of Internet traffic although it is just a matter of time until it is fully superseded by IPv6.

The signature of a DDoS attack involves large volumes of computers flooding target machines with random traffic so that target websites becomes unusable. While some attacks have been aimed at extorting money out of target companies, it has become clear that the primary motivation for these attacks is political, ideological, and a simple desire to vandalize.

IPv6 has several vulnerabilities. First, due to their relatively immature nature as network structures, most IPv6 networks are ill-equipped to identify DDoS attacks when they occur. Next, many network administrators apparently have no intention of creating plans to mitigate future cyber-attacks, leaving their networks open and exposed, although this situation will undoubtedly change should DDoS attacks increase significantly.

While virtually all global computer networks support IPv4, only 25% support the IPv6 protocol. Additionally, many large vendors offering VPN-based services support IPv4 only, which leaves a massive migration project for the future. The solution to this predicament is for system administrators to audit their networks to ensure that their IPv6 networks are safe and free from exploitable vulnerabilities.

One area in an IPv6 network that hackers could exploit involves the fact that huge numbers of network messages are sent to random addresses in the hope that those addresses do not exist. This causes a broadcast storm on the network, which prompts the router to send out requests for the Layer 2 addresses associated with the non-existent destination IP addresses. In an IPv6 network, the potential number of addresses is much higher than on an IPv4 network and the likelihood of a host existing at any of the targeted addresses is negligible. A method of “black holing” addresses that are not actively being used on a network can be used to ensure that addresses not associated with live end-point devices are dropped. This cuts down the number of actual IP addresses in a network, which can then be more easily leveraged by cyber criminals.

Another security risk involves online services known as tunnel brokers. This technology provides IPv6 connectivity, but within an IPv4 infrastructure. Often termed 6in4 or 6to4, this methodology effectively bypasses all the rules set up for IPv4 technology resulting in those tunnels not being encrypted by many firewalls, which opens a two-way vulnerability to incoming and outgoing traffic.

One positive feature of IPv6 is its reduced dependence on Network Address Translations or NATs. NAT technology links one IP address space to another by changing the network address in the header of the IP, which conserves the number of global IPv4 addresses. Due to the huge number of available IPv6 addresses, there is no requirement to use the NAT technology, as full IP addresses are available to route directly to all end-point devices. Moving away from NAT removes the risk of operators being blacklisted by outgoing spammers. Moreover, due to NAT deployment, DDoS solutions, which are not stateful, may block innocent bystanders when attempting to mitigate an attack. Allot’s DDoS Secure solution is stateful and as such has granular mitigation, even if NAT still exists somewhere in the network.

One of the optimal ways to defend against an IPv6 or any other form of DDoS attack is to adopt a system that provides protection against both inbound and outbound cyberattacks that are aimed at overwhelming a network and disrupting service availability.

Security provisions for IPv6 networks have taken a long time to develop, but with the increasing rate of adoption of this protocol it is clear that now is the time to prepare network defenses to manage IPv6-based DDoS attacks.

With a track record built on proven success with the world’s largest deployed network-based security service, Allot’s DDoS Secure surgically mitigates against inbound and outbound volumetric DoS and DDoS attacks at wire speed.


*** This is a Security Bloggers Network syndicated blog from Allot Blog authored by Nigel Kersh. Read the original post at: