A Milestone in IPv6 Deployment

By: Bill Cerveny -

For the first time, respondents to Arbor Networks 7th annual Worldwide Infrastructure Security Report indicated they had observed IPv6 DDoS attacks on their networks. This marks a significant milestone in the arms race between attackers and defenders. As the chart below shows, network operators are concerned about having sufficient visibility and mitigation capabilities to protect IPv6-enabled properties.

As I’m sure occurred with the first IPv4-based security attacks, there are some basic observations that can be made. There are now sufficient target(s) of interest that can be attacked on the IPv6 Internet including a significant number of services and web sites utilizing IPv6 for which attacks could be called “denial of service.” Gone are the days when a network failure on the IPv6 Internet would be ignored and undetected because, well, no one noticed (or cared). There are now operational discussion lists such as NANOG and “IPv6 Operations” where network operators actively discuss IPv6 network issues. The same thing that has made the IPv6-enabled Internet “valuable” has also made it an increasingly valuable venue for attacks. While the frequency of attacks is relatively modest on IPv6 today, we expect that accelerated adoption will be followed in-kind by an accelerated pace of attacks.

There are finally a sufficient number of sources from which to launch denial of service attacks (or even distributed denial of service attacks). Launching a denial of service attack requires access to the medium on which the attack is being launched. Until recently, the number of IPv6-based end-points was very small and this limited the number of possible injection points for IPv6-based attacks. Anecdotally, eight to ten years ago, IPv6 deployment network drawings listed numerous research and educational organizations which had IPv6 connectivity. However, if one attempted to drill down into how many hosts within the organization could actually send or receive IPv6, the reality was that only a handful of nodes (sometimes in the range of 4 or 5) actually were capable of sending or receiving IPv6 traffic on the global Internet.
More than six years ago, one of the frequent rallying points for IPv6 was that it was more secure than IPv4. One network security group within a large US government organization went so far as to declare that since IPv6 is more secure, that the group decided to disband because they alleged that the next generation Internet protocol’s inherent security capabilities would address their security concerns.

Time and research has shown that IPv6 is not more secure than IPv4. Remember, IPv6 was created in the mid-90s at a time which preceded much of the huge growth of the Internet and before many of the most notable IPv4 security vulnerabilities were identified and fixed.  John Spence, of Nephos6, agrees:  “Much of the early thinking around IPv6 security being better than IPv4 security was based on the RFC requirement that IPv6 stacks include IPsec support, but that is clearly too simplistic a view (and that strict requirement has been removed in recently-released RFC 6434) .  Even though IPv6 shares many security vulnerabilities with IPv4, and has some unique vulnerabilities unique to IPv6, secure network-centric service provisioning is about much more than protection for data in-flight.  As always, employing a team of trained security specialists, knowledgeable about IPv6, applying proven best-practices and working methodically to counter evolving threats, is the key to protecting service availability and integrity.” (For additional background on IPsec in IPv6, see Spence’s discussion at http://www.nephos6.com/blog/?p=24)

So, the bad news is that IPv6 network attacks have been detected on the IPv6-enabled Internet. But, the good news is that IPv6 deployment has reached a threshold where network engineers have become concerned about attacks on their IPv6 network infrastructure and attackers have found targets on the IPv6-enabled Internet worthy of the effort to craft and execute attacks.   And for those organizations that have not yet started their IPv6 implementation, Spence also points out that, “Because of the way IPv6 automatic transition mechanisms work hard to self-provision IPv6 services for dual-stack nodes (like Windows Vista or 7), IPv6 security vulnerabilities often exist in apparent IPv4-only deployments.  I call these ‘accidental IPv6 deployments’ because they are by definition unmanaged, and latent – but still very exploitable.  So, because of the state of IPv6 default configurations on many devices, even an organization without an IPv6 deployment needs an IPv6 security program.”

Comments