IPv6/IPv4 – what’s the deal?
Every device on the Internet is assigned a unique IP address for identification and location definition. With the rapid growth of the Internet after commercialization in the 1990s, it became evident that far more addresses would be needed to connect devices than the IPv4 address space had available.
Because there are fewer than 4.3 billion IPv4 addresses available, depletion has been anticipated since the late 1980s, when the Internet started to experience dramatic growth. This depletion is one of the reasons for the development and deployment of its successor protocol, IPv6. Currently, IPv4 and IPv6 coexist on the Internet.
The total number of possible IPv6 addresses is more than 7.9×1028 times as many as IPv4, which uses 32-bit addresses and provides approximately 4.3 billion addresses. The two protocols are not designed to be interoperable, complicating the transition to IPv6.
Why are they being attacked?
IPv6 introduces an entirely new attack vector with greater attack volume. IPv4 provides approximately 4.3 billion unique 32-bit IP addresses while IPv6 uses 128-bit addresses and gives attackers over 340 undecillion addresses to play with.
Hackers know what is coming, even though only around 25% of websites completely support IPv6 today. The problem begins when IPv6 is supported by the company’s network – and the administrators may or may not be aware of it. Many IPv4 DDoS attacks can be replicated using IPv6 protocols. And, hackers are already testing new methods for IPv6 DDoS attacks.
Many on-premises DDoS mitigation tools aren’t yet fully IPv6-aware, just as countless network security devices haven’t been configured to apply the same set of rules to IPv6 traffic as to IPv4 traffic. Even large vendors who offer VPN-based services have recently been found to only protect IPv4 traffic even though they handle IPv6 traffic.
How to prepare
As IPv6 becomes a larger part of your enterprise’s network, your exposure to every form of IPv6 DDoS attacks will increase. According to a recent report, “Administrators need to familiarize themselves now with the Secure Neighbor Discovery (SEND) protocol, which can counter some potential IPv6 DDoS attack techniques; an IPv6 node uses the Neighbor Discovery (ND) protocol to discover other network nodes but is susceptible to malicious interference.”
“Network administrators should audit their systems and review how devices handle IPv6 traffic and run a sense-check to ensure that there are no configuration settings that could lead to exploitable vulnerabilities and that tools have feature and hardware parity in both IPv4 and IPv6.”
The massive amount of address space is another area of concern. For example, one IPv6 DDoS attack technique involves sending traffic addressed to random addresses in a network and hoping that many of those addresses don’t exist. This causes a broadcast storm on the physical network, which ties up the router that must send out requests asking for the Layer 2 address that handles the non-existent destination IP address. On an IPv6 network, the number of available addresses is dramatically higher, so the amplification of the attack is greatly increased and the chance of a host existing at the address that is being used in the attack is almost zero.
To tackle this problem, administrators need to configure routers with a black-hole route for addresses not actively being used on the network while using longest prefix-match specific routes for each real endpoint. This ensures traffic addressed to a real endpoint will be forwarded to its destination and traffic addressed to other addresses will be dropped by the black hole.