The adoption of IPv6 is opening up new attack vectors for Denial of Service attacks as researchers probe the next generation of Internet Protocols for weaknesses, according to the most recent State of the Internet—Security report from Akamai.
Distributed Denial of Service attacks (DD0S) became more common and more robust in the first quarter of the year, growing not only in frequency but also in the amount of bandwidth being leveraged, according to the most recent State of the Internet—Security report from Akamai. The number of attacks observed on its networks more than doubled from Q1 2014, and the largest peaked at a hefty 170 Gbps.
To me, one of them most interesting points in the report is the emergence of IPv6 as a vector for these attacks. They are not yet common, but the next generation Internet Protocols are being examined for weaknesses and tools are appearing to automate attacks.
The report is based on attack data gathered from Akamai’s content delivery network and DDoS protection technology from Prolexic (acquired by Akamai in 2014).
Launching a DDoS attack is basically a matter of leveraging enough resources to overwhelm a target network or system, either causing it to stop working or blocking access to legitimate users. This can disrupt business, upset customers, and damage corporate reputations. Although Denial of Service does not typically damage systems or pose a threat to data, it is an effective tool for hacktivists and extortionists who want to draw attention to an issue or put pressure an organization. The commercial availability of botnets as attack platforms and automated attack tools have made DDoS easy and affordable.
Tools have been developed to spot and block these attacks, and in the never-ending game of attack-and-defend the bad guys are looking for ways around these tools. IPv6 offers them some.
As the pool of IPv4 addresses available for assignment has dried up, IPv6 was developed to meet the increasing demand for Internet access. It still is in the early stages of deployment, but many IT products come with the new protocols enabled by default and they are beginning to be used. Both IPv4 and v6 will be operating side by side on networks for some time to come, and that can create problems.
Although IPv6 offers some improvements in security, it also presents some new vulnerabilities, particularly when IPv6 capabilities enabled by default are not monitored. IPv6 features could let attackers bypass IPv4-based protections, creating a new DDoS attack surface.
“This ability to bypass firewalls and other security measures opens the potential for old and well-mitigated threats to resurface,” the authors wrote. Akamai reports it has seen indications that malicious actors are testing and researching IPv6 DDoS attack methods.
New IPv6 DDoS threats include:
- Abuse of transitional technologies to bypass security controls.
- Use of IPv6 traffic to applications and services that are IPv6 enabled to bypass IPv4 security controls.
- Modification of IPv6 protocol structure to bypass intrusion prevention and detection systems and firewalls.
- Adapting application layer DDoS attacks and exploitation frameworks to work over IPv6.
- Purpose-built DoS tools based on IPv6.
“IPv6 DDoS is not yet a common occurrence,” the report says, but with testing of attack methods already beginning, the potential for these attacks should not be ignored. There is no single solution to defend against these attacks. Simply turning off IPv6 is not a realistic option. IPv6 traffic, although still slow today, is growing and the need to accommodate billions of new Internet-enabled devices will make IPv6 the principal addressing protocol in the not-too-distant future.
Awareness is the first line of defense against these new attacks. Administrators need to be aware of all IPv6-enabled devices and services on their networks and of the IPv6 traffic, and be prepared to respond to threats when they appear.