Network engineers are waking up to IPv6's security worries. (Image courtesy of Arbor Networks)
The clock is running out on IPv4 on the Internet, but even so the next generation of Internet traffic protocols, IPv6, is being adopted very slowly. But, it seems IPv6 is finally making it to broad acceptance. Arbor Networks reports that the "latest milestone in IPv6 development: the first observations of IPv6 Distributed Denial of Service (DDoS) attacks.
This can only be happening because the number of IPv6-based end-points have grown large enough that possible injection points for IPv6-based attacks is now large enough for attackers to use it. At the same, time they're finding targets on the IPv6-enabled Internet worthy of the effort needed to craft and execute attacks.
According to Arbor Networks' Senior Software Quality Assurance Engineer Bill Cerveny, "Gone are the days when a network failure on the IPv6 Internet would be ignored and undetected because, well, no one noticed (or cared). … The same thing that has made the IPv6-enabled Internet 'valuable' has also made it an increasingly valuable venue for attacks. While the frequency of attacks is relatively modest on IPv6 today, we expect that accelerated adoption will be followed in-kind by an accelerated pace of attacks."
Another problem with these attacks is the myth that IPv6 is somehow more secure than IPv4. Indeed, Cerveny cites the sad case of a "network security group within a large US government organization went so far as to declare that since IPv6 is more secure, that the group decided to disband because they alleged that the next generation Internet protocol's inherent security capabilities would address their security concerns."
They were, and many people still are, so wrong about this. True, IPv6 incorporates Internet Protocol Security (IPsec), but by itself that doesn't buy you any more security. IPv6's header design also lends itself to better security since it can be used to provide to a cleaner division between encryption meta-data and the encrypted payload. In addition IPv6's huge address space can be deployed to scanning attacks harder by allocating random addresses within subnets. But, those are all matters on how you deploy IPv6. In and of itself, IPv6 won't make you any more secure than your childhood blue blanket.
Spence also observed that, "Because of the way IPv6 automatic transition mechanisms work hard to self-provision IPv6 services for dual-stack nodes (like Windows Vista or 7), IPv6 security vulnerabilities often exist in apparent IPv4-only deployments. I call these 'accidental IPv6 deployments' because they are by definition unmanaged, and latent - but still very exploitable. So, because of the state of IPv6 default configurations on many devices, even an organization without an IPv6 deployment needs an IPv6 security program."
For now, as the Washington DC beltway network company Tachyon Dynamics points out, operating systems "like Windows XP, 2003, Vista, 7, and 2008 don't set a limit on the amount of routers they like to listen to. Whereas in Linux and Mac they set their limit at right around 15. If there are more than 15 different RAs coming at them, they stop configuring the address and routes. This is not the case with Windows, and that's what the exploit in the awesome exploitation toolkit called flood_router6 inside The Hacker's Choice IPv6 tool-kit (THC-IPv6) shows. Flood_router6 will basically pound the subnet with millions of RAs with different IPv6 source addresses with different IPv6 prefixes. In a matter of seconds, you can turn a fully functioning Windows machine into a brick."
With trouble like that awaiting IPv6 systems on the Internet, it's clearly time to move from simply making sure that IPv6 works to making sure that IPv6 works securely on your networks. And, Windows users need to make certain that they're not already running IPv6 without even knowing they're making themselves vulnerable to IPv6 attacks.