It's begun: 'First' IPv6 denial-of-service attack puts IT bods on notice

Internet engineers warn this is only the beginning


Analysis: What's claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.

Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar's SiteProtect DDoS protection service when he realized there were "packets coming from IPv6 addresses to an IPv6 host."

The attack wasn't huge – unlike this week's record-breaking 1.35Tbps attack on GitHub – and it wasn't using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.

Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.

"The risk is that if you don't have IPv6 as part of your threat model, you could get blindsided," Neustar's head of research and development Barrett Lyon told us.

With a few notable exceptions – like Facebook and LinkedIn – most companies that have started introducing IPv6 networks do so by running IPv4 and IPv6 in parallel, often with two different teams. Both Lyon and George warned that, in their experience, network engineers are getting their IPv6 networks up first and then worrying about locking down security later.

Open resolvers

Of the 1,900 IPv6 addresses, Lyon noted that 400 were used by poorly configured DNS systems, and roughly a third of the attack traffic came from those servers – miscreants can use DNS servers to amplify network traffic to victims' systems. That is potentially an enormous future problem as it demonstrates engineers are setting up networks with security problems baked in that could then take years to fix.

The internet community has been heavily focused for several years on identifying and patching open IPv4 resolvers because they can be used for the aforementioned DNS amplification attacks.

But that drive has been, in part, possible because the IPv4 address space is scannable; not so IPv6, the address space of which is so huge that it would be very difficult to use the same discovery techniques. As such, any new open resolvers going up today are the lurking future security nightmare of tomorrow.

Adding to the list of potential IPv6 security issues are: the fact that some mitigation tools only work with IPv4 (often thanks to hard-coded addresses written into their code) – or are put into IPv4 and only later ported across to IPv6; that a lot of IPv6 networking is being done in software (rather than hardware) opening up many more potential security holes; and that the expansion of packet headers in the IPv6 protocols creates potential new attack vectors.

When it comes to the gradual rollout of IPv6: that can act both in its favor and against it when it comes to security, although the pluses will fade over time as IPv6 slowly becomes the networking default.

On the plus side, IPv6 networks are still not ubiquitous enough for attackers to focus on and develop new attack methods specifically for the new protocol. Not yet anyway. And the current worst security offenders – cobbled-together internet-of-things products – are focused almost entirely on IPv4.

Default

But on the downside, pretty much every modern mobile device and PC has IPv6 support included and turned on as a default, so when those IPv6 attacks come, they are going to hit hard. Plus, a lot of network engineers don't know what they don't know.

George hypothesized that one big future problem could be if a network is hit with a combination of IPv4 and IPv6 attack traffic – as happened in this case. A sysadmin could pull out all the normal mitigation tools but only kill off the IPv4 traffic, leaving the network under attack and the person in charge unable to figure out why.
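The blind spot George describes can be checked against a packet capture before an incident: score a mitigation rule set per address family and flag any family that appears in the traffic but that no rule touches. This is an added illustration, not code from Neustar or from the article; the DNS query log lines and the prefixes in the block lists are constructed sample values.

```python
import ipaddress
from collections import Counter

# Constructed sample capture: one inbound DNS query per line, "src_ip qtype qname".
# Mixed IPv4/IPv6 sources, as in the attack the article describes.
SAMPLE_LOG = """\
198.51.100.7 ANY example.net
198.51.100.7 ANY example.net
203.0.113.42 ANY example.net
2001:db8:1::5 ANY example.net
2001:db8:1::5 ANY example.net
2001:db8:2::9 ANY example.net
192.0.2.10 A www.example.net
2001:db8:3::1 AAAA www.example.net
"""

# Constructed rule sets: the IPv4-only ACL a sysadmin might reach for first,
# and the dual-stack version that also covers the IPv6 sources.
IPV4_ONLY_BLOCKLIST = ["198.51.100.0/24", "203.0.113.0/24"]
DUAL_STACK_BLOCKLIST = IPV4_ONLY_BLOCKLIST + ["2001:db8::/32"]


def parse_log(text):
    """Yield (ip_address, qtype, qname) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield ipaddress.ip_address(parts[0]), parts[1], parts[2]
        except ValueError:
            continue


def coverage_by_family(log_text, blocklist):
    """Return {ip_version: (queries_seen, queries_blocked)} for the capture."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    seen, blocked = Counter(), Counter()
    for ip, _, _ in parse_log(log_text):
        seen[ip.version] += 1
        # Only a rule of the same address family can match this source.
        if any(ip.version == n.version and ip in n for n in nets):
            blocked[ip.version] += 1
    return {v: (seen[v], blocked[v]) for v in sorted(seen)}


def unmitigated_families(log_text, blocklist):
    """Address families present in the capture that the rule set never touches."""
    cov = coverage_by_family(log_text, blocklist)
    return [v for v, (n_seen, n_blocked) in cov.items() if n_seen and not n_blocked]


if __name__ == "__main__":
    for name, rules in (("IPv4-only", IPV4_ONLY_BLOCKLIST), ("dual-stack", DUAL_STACK_BLOCKLIST)):
        print(name, coverage_by_family(SAMPLE_LOG, rules), "untouched:", unmitigated_families(SAMPLE_LOG, rules))
```

With the IPv4-only rules every IPv6 source in the capture passes untouched, which is exactly the "mitigation applied, still under attack" state described above; the dual-stack list leaves no family uncovered.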

Thanks to the dual-stack system most people are using to roll out IPv6 alongside their existing systems, Lyon also worries that an IPv6 attack could compromise the routers and switches used to run the networks side by side, and so attack IPv4 networks through the back door.

This week's attack is "only the tip of the iceberg", Lyon said. His hope is it serves as a wake-up call for sysadmins to apply best practices to IPv6 networks, and argues that "anything you do in the IPv4 world, you should be doing in the IPv6 world."

It's fair to say he is not confident that people will learn the lesson ahead of time though. "People don't tend to think of security as a priority for later," said Lyon. "It doesn't come until there's a crisis." ®
