Scariest IPv6 attack scenarios

Experts are reporting a rise in the number of attacks that take advantage of known vulnerabilities of IPv6, a next-generation addressing scheme that is being adopted across the Internet. IPv6 replaces the Internet's main communications protocol, which is known as IPv4.

Salient Federal Solutions, a Fairfax, Va., IT engineering firm, is reporting real-world incidents of IPv6 attacks based on the emerging protocol's tunneling capabilities, routing headers, DNS broadcasting and rogue routing announcements. The company asserts that all of these threats can be eliminated with the use of IPv6-enabled deep packet inspection tools, which it and other network vendors sell.

"We definitely see these attacks, we just can't say where we are seeing them," says Lisa Donnan, who leads Salient's Cyber Security Center of Excellence. Salient Federal Solutions purchased IPv6 consulting and training firm Command Information in March.

The No. 1 attack that Salient Federal is seeing stems from the volume of IPv6 traffic being tunneled across IPv4 networks, particularly via the Teredo mechanism built into both Microsoft Windows Vista and Windows 7. This weakness in IPv6-over-IPv4 tunneling has been known for at least five years, but it is still being exploited.

"IPv6 tunneling gives attackers a green light to penetrate networks," says Jeremy Duncan, senior director and IPv6 network architect for Salient Federal Systems.


Duncan is concerned about uTorrent, which is an IPv6-capable freeware client for the BitTorrent peer-to-peer protocol that's used to share large files such as music and movies. Duncan says uTorrent runs very well over Teredo, and that the BitTorrent community is discovering IPv6 as a way of avoiding network congestion controls that are used by ISPs to manage BitTorrent traffic on IPv4 networks.

Duncan says it is also easy for users of Vuze, another BitTorrent application, to prefer IPv6 over IPv4.

"BitTorrent users are discovering that they won't have throttled traffic with IPv6," Duncan says. "This is an issue for the carriers. They won't be able to throttle back the IPv6 traffic because they're not inspecting it."
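The tunneling problem described above is that IPv4-only monitoring never sees the IPv6 packets inside Teredo or protocol-41 encapsulation. The following is an added example, not code from the article or from Salient Federal: it triages constructed NetFlow-style records for the two tunnel signatures (IP protocol 41, and UDP port 3544 used by Teredo) and then unpacks the fields that RFC 4380 embeds in a Teredo address, so a defender can tell which public IPv4 address and port a tunneled host is reachable on. The flow records and addresses are constructed from documentation ranges.

```python
"""Spot IPv6-over-IPv4 tunnel traffic in flow records and decode Teredo addresses.

Added example (not from the article or Salient Federal). Flow records are
constructed NetFlow-style 5-tuples; the constants come from RFC 4380
(Teredo: prefix 2001::/32, UDP port 3544) and RFC 3056 (6to4: 2002::/16,
IP protocol 41, which plain 6in4 and ISATAP also use).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_UDP_PORT = 3544
PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41  # IPv6 carried directly inside IPv4 (6in4, 6to4, ISATAP)

# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS: List[Dict] = [
    {"src": "198.51.100.7", "dst": "192.0.2.1",    "proto": 17, "sport": 40000, "dport": 3544},
    {"src": "198.51.100.9", "dst": "203.0.113.5",  "proto": 41, "sport": 0,     "dport": 0},
    {"src": "198.51.100.9", "dst": "203.0.113.80", "proto": 6,  "sport": 52311, "dport": 443},
    {"src": "198.51.100.4", "dst": "192.0.2.53",   "proto": 17, "sport": 61000, "dport": 53},
]


def classify_flow(flow: Dict) -> Optional[str]:
    """Return the tunnel type a flow record indicates, or None for ordinary IPv4 traffic.

    A flow record only shows the outer IPv4 header, so this is a coarse first
    pass: protocol 41 means an IPv6 packet rides directly in IPv4, and UDP
    to or from 3544 is the Teredo server/relay port.
    """
    if flow["proto"] == PROTO_IPV6_IN_IPV4:
        return "6in4"
    if flow["proto"] == PROTO_UDP and TEREDO_UDP_PORT in (flow["sport"], flow["dport"]):
        return "teredo"
    return None


def find_tunnels(flows: List[Dict]) -> List[Tuple[str, str, str]]:
    """List (internal host, remote endpoint, tunnel type) for every tunnelled flow."""
    return [(f["src"], f["dst"], kind) for f in flows if (kind := classify_flow(f))]


def decode_teredo(addr: str) -> Optional[Dict[str, object]]:
    """Unpack the fields RFC 4380 embeds in a Teredo address, or None if it is not one.

    Layout: 2001:0000 | server IPv4 (32 bits) | flags (16) | port XOR 0xFFFF (16)
            | client public IPv4 XOR 0xFFFFFFFF (32).
    The XOR exists so NATs do not rewrite the embedded values; undoing it
    reveals the public IPv4 address and port behind the tunnelled host.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "flags": int.from_bytes(raw[8:10], "big"),
        "client_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "client_ipv4": str(ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)),
    }


def decode_6to4(addr: str) -> Optional[str]:
    """Return the IPv4 endpoint embedded in a 6to4 address (2002:V4ADDR::/48), else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIXTOFOUR_PREFIX:
        return None
    return str(ipaddress.IPv4Address(ip.packed[2:6]))


if __name__ == "__main__":
    for host, remote, kind in find_tunnels(SAMPLE_FLOWS):
        print(f"{host} -> {remote}: {kind} tunnel (invisible to IPv4-only inspection)")
    print(decode_teredo("2001:0:c000:201:0:63bf:39cc:9bf8"))
    print(decode_6to4("2002:c633:6407::1"))
```

The flow classifier is deliberately coarse: it tells you which internal hosts have a tunnel up, which is the inventory you need before deciding whether to block protocol 41 and UDP/3544 at the border or to route that traffic through an IPv6-aware inspection path. Python's `ipaddress.IPv6Address` also exposes a `teredo` property that returns the server and client addresses; the manual decode above is kept so the port field and the XOR obfuscation are visible.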

Salient Federal says it is also seeing attacks that use IPv6's Type 0 Routing Header, a feature of IPv6 that allows a network operator to specify the routers along the path that it wants packets to take. The Internet Engineering Task Force recommended in 2007 that this feature be disabled because of its potential for use in denial-of-service attacks, calling the threat "particularly serious."

Nonetheless, Salient Federal is seeing Routing Header Type 0 attacks on the IPv6 production networks it monitors. For example, Command Information traced one such attack to one of its own border routers that was no longer in operation. The attack originated from a research network in China. Had it succeeded, it would have allowed the Chinese hacker to relay malicious traffic from Command Information's compromised border router to other networks.

"Network managers have to turn this feature off in their routers," Duncan says. "This capability was shipped with all Cisco routers by default a few years ago. The newer routers have turned this feature off; the problem is with older routers."
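Turning the feature off on routers is the fix; the complementary control is to detect RH0 packets that still arrive. The following is an added example, not code from the article, Salient Federal or any router vendor: it walks the IPv6 extension-header chain (hop-by-hop, routing, fragment, AH, destination options), records every routing header's type and segments-left count, and flags Type 0. The packets are constructed with the 2001:db8::/32 documentation prefix; the RFC reference (RFC 5095, which deprecated RH0 in December 2007) is the formal version of the 2007 IETF recommendation the article mentions.

```python
"""Walk an IPv6 extension-header chain and flag Routing Header Type 0 (RH0).

Added example, not code from the article, Salient Federal or any router vendor.
RFC 5095 (December 2007) deprecated RH0 because a single packet can list the
same pair of routers repeatedly and be bounced between them, amplifying traffic.
All packets here are constructed and use the 2001:db8::/32 documentation prefix.
"""
import ipaddress
import struct
from typing import List, Tuple

NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_ICMPV6, NH_DSTOPTS = 0, 43, 44, 51, 58, 60
EXTENSION_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS}


def build_ipv6(next_header: int, payload: bytes, src: str, dst: str) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, zero traffic class and flow label) plus payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_routing_header(routing_type: int, hops: List[str], next_header: int, payload: bytes) -> bytes:
    """Routing header: next hdr, ext len (8-octet units beyond the first 8), type, segments left, reserved, hops."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    return struct.pack("!BBBB4x", next_header, len(addrs) // 8, routing_type, len(hops)) + addrs + payload


def routing_headers(packet: bytes) -> List[Tuple[int, int]]:
    """Return (routing type, segments left) for every routing header in the extension chain."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, found = packet[6], 40, []
    while next_header in EXTENSION_HEADERS and offset + 8 <= len(packet):
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_header == NH_ROUTING:
            found.append((packet[offset + 2], packet[offset + 3]))
        if next_header == NH_FRAGMENT:
            hdr_len = 8                   # fixed size; its length byte is reserved
        elif next_header == NH_AH:
            hdr_len = (ext_len + 2) * 4   # AH measures in 32-bit words, minus 2
        else:
            hdr_len = (ext_len + 1) * 8
        next_header, offset = nh, offset + hdr_len
    return found


def has_rh0(packet: bytes) -> bool:
    """True if any routing header in the packet is Type 0, whatever its segments-left value."""
    return any(rtype == 0 for rtype, _ in routing_headers(packet))


# Constructed samples. ICMPv6 echo request with the checksum left zero; nothing here is transmitted.
ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
SRC, DST = "2001:db8::1", "2001:db8::2"
PLAIN_PKT = build_ipv6(NH_ICMPV6, ECHO_REQUEST, SRC, DST)
# RH0 naming two routers several times over, the pattern RFC 5095 describes.
RH0_PKT = build_ipv6(NH_ROUTING,
                     build_routing_header(0, ["2001:db8::a", "2001:db8::b"] * 3, NH_ICMPV6, ECHO_REQUEST),
                     SRC, DST)
# Type 2 routing header (Mobile IPv6) is still legitimate and must not be flagged.
RH2_PKT = build_ipv6(NH_ROUTING, build_routing_header(2, ["2001:db8::c"], NH_ICMPV6, ECHO_REQUEST), SRC, DST)
# Hop-by-hop options (one PadN option) in front of an RH0, to exercise the chain walk.
HOPOPT = struct.pack("!BB", NH_ROUTING, 0) + b"\x01\x04" + b"\x00" * 4
HBH_RH0_PKT = build_ipv6(NH_HOPOPT,
                         HOPOPT + build_routing_header(0, ["2001:db8::a"], NH_ICMPV6, ECHO_REQUEST),
                         SRC, DST)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_PKT), ("rh0", RH0_PKT), ("rh2", RH2_PKT), ("hbh+rh0", HBH_RH0_PKT)]:
        print(f"{name:8s} routing headers={routing_headers(pkt)} RH0={has_rh0(pkt)}")
```

The chain walk matters because an RH0 does not have to be the first extension header; a filter that only inspects the byte right after the fixed header misses it. On routers the equivalent of `has_rh0` is simply the knob that disables source routing (on Cisco IOS, `no ipv6 source-route`), which is what the article's advice to "turn this feature off" refers to.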

Another IPv6-related threat comes from the way the Internet's DNS system broadcasts so-called Quad A (AAAA) records, which map host names to IPv6 addresses. Duncan says Quad A queries are present on every network the company monitors, even though many of those networks do not support IPv6 traffic.

When Quad A queries are being broadcast, it indicates that some nodes on the network are IPv6-enabled and can therefore be targeted with an IPv6-based attack. Because the network itself doesn't support IPv6, the network manager is likely not monitoring IPv6 traffic with deep packet inspection tools.

Duncan refers to IPv4 networks that broadcast Quad A records as "the loaded gun."

"When companies have IPv6-enabled machines but not IPv6 enabled, hackers know that the network management for IPv6 is lacking," Duncan says. "They can easily flood the organization's mail servers with spam that contains malware. All they need is one user with elevated privileges to open one spam message with malware, and that malware can open IPv6 in a tunnel through the firewall."

Duncan points out that he hasn't seen the Quad A vulnerability being exploited yet, but he believes it is a significant threat for enterprises.

"We haven't seen this exact exploit, but we have seen a lot of IPv6 tunneled traffic that is not being inspected," Duncan says. "Every enterprise could have tens of thousands of Quad A records being broadcast. ... The solution is to lock down IPv6 if you're not using it and to use deep packet inspection."
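The practical first step on an IPv4-only network is to find out which hosts are emitting AAAA queries, since each one is a machine with a live IPv6 stack that nobody is inspecting. The following is an added example, not the article's or Salient Federal's code: it parses resolver query-log lines and builds that inventory. The log lines are constructed in the style of a BIND 9 query log; the field layout is an assumption, so adapt the regular expression to your resolver's format.

```python
"""Inventory hosts that send AAAA (Quad A) queries on a network where IPv6 is not deployed.

Added example, not the article's or Salient Federal's code. The log lines are
constructed in the style of a BIND 9 query log ("client ADDR#PORT ... query:
NAME IN TYPE ..."); the layout is an assumption to adapt to your resolver.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

QUERY_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+.*?query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log (documentation address ranges, example.* names).
LOG_LINES = """\
09-May-2011 09:15:01.123 client 198.51.100.7#51234: query: www.example.com IN AAAA + (192.0.2.53)
09-May-2011 09:15:01.125 client 198.51.100.7#51234: query: www.example.com IN A + (192.0.2.53)
09-May-2011 09:15:02.001 client 198.51.100.9#40011: query: mail.example.com IN A + (192.0.2.53)
09-May-2011 09:15:02.410 client 198.51.100.12#53001: query: update.example.net IN AAAA + (192.0.2.53)
09-May-2011 09:15:03.002 client 198.51.100.12#53001: query: cdn.example.net IN AAAA + (192.0.2.53)
09-May-2011 09:15:04.000 client 198.51.100.7#51240: query: example.org IN MX + (192.0.2.53)
not a query log line at all
"""


def parse_query(line: str) -> Optional[Dict[str, str]]:
    """Extract client, queried name and query type from one log line; None if it is not a query."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def aaaa_talkers(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each client that asked for AAAA records to the sorted names it asked about.

    On a network with no IPv6 deployment every entry is a host whose IPv6
    stack is active (Windows Vista/7 enable it by default) and is therefore a
    candidate for the tunnelling and rogue-RA problems the article describes.
    """
    names = defaultdict(set)
    for line in lines:
        q = parse_query(line)
        if q and q["qtype"] == "AAAA":
            names[q["client"]].add(q["name"])
    return {client: sorted(n) for client, n in names.items()}


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Headline numbers for a report: total clients, clients sending AAAA, AAAA query count."""
    lines = list(lines)
    queries = [q for q in map(parse_query, lines) if q]
    aaaa = [q for q in queries if q["qtype"] == "AAAA"]
    return {
        "clients": len({q["client"] for q in queries}),
        "aaaa_clients": len({q["client"] for q in aaaa}),
        "aaaa_queries": len(aaaa),
    }


if __name__ == "__main__":
    for client, names in sorted(aaaa_talkers(LOG_LINES.splitlines()).items()):
        print(f"{client}: IPv6-enabled, asked for {', '.join(names)}")
    print(summarize(LOG_LINES.splitlines()))
```

A host that queries AAAA for a name and then also queries A for it is behaving normally for a dual-stack resolver library; the point of the inventory is not that the query is malicious but that the host will accept an IPv6 answer and route to it, through whatever tunnel it can find, unless IPv6 is either deployed and inspected or disabled on that host.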

Finally, Salient Federal reports that it is seeing rogue router advertisements for IPv6, although the company admits it hasn't seen a malicious actor sending them. Rogue router advertisements are a threat that the IETF warned against in February, pointing out that the vulnerability could be used for denial-of-service or man-in-the-middle attacks.

This threat stems from the fact that IPv6-enabled workstations are always listening for router advertisements because of IPv6's address autoconfiguration. These workstations can be fooled by bogus advertisements, whether they result from network administrator error or from a deliberate attack. Rogue router advertisements for IPv6 are being seen on both wireless and wired networks.

"Enterprises need to deploy a fix like Cisco's RA Guard on their switches and router, but then you need to have IPv6 enabled on your core," Duncan says. "You also need to use deep packet inspection in your core."
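RA Guard (RFC 6105) works by letting a switch port accept Router Advertisements only from designated routers. The following is an added example, not code from the article, Salient Federal or Cisco: it performs the same check in software for a monitoring host, parsing ICMPv6 type 134 messages from constructed packets, extracting the sender's link-local address and the Prefix Information options, and flagging any advertisement whose sender or prefix is not on an allowlist. Addresses are from the documentation ranges and the allowlist contents are assumptions.

```python
"""Detect Router Advertisements from unexpected routers or carrying unexpected prefixes.

Added example, not from the article, Salient Federal or Cisco. It performs in
Python the comparison RA Guard (RFC 6105) performs on a switch port: parse an
ICMPv6 Router Advertisement (type 134, RFC 4861) and check the sender and the
advertised prefixes against an allowlist. Packets are constructed; addresses use
the fe80::/10 link-local and 2001:db8::/32 documentation ranges.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Set

NH_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
ALL_NODES = "ff02::1"


def build_ra(src_link_local: str, prefixes: List[str], router_lifetime: int = 1800) -> bytes:
    """IPv6 header + ICMPv6 RA with one Prefix Information option per prefix (checksum zeroed)."""
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # type, length (8-octet units), prefix len, flags L|A, valid, preferred, reserved, prefix
        opts += struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0, net.network_address.packed)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0) + opts
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), NH_ICMPV6, 255,
                      ipaddress.IPv6Address(src_link_local).packed, ipaddress.IPv6Address(ALL_NODES).packed)
    return hdr + icmp


def parse_ra(packet: bytes) -> Optional[Dict]:
    """Return {"router", "lifetime", "prefixes"} for a well-formed RA; None for anything else."""
    if len(packet) < 56 or packet[0] >> 4 != 6 or packet[6] != NH_ICMPV6:
        return None
    src = str(ipaddress.IPv6Address(packet[8:24]))
    icmp = packet[40:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0 or off + olen * 8 > len(icmp):
            return None  # RFC 4861: zero-length or truncated option, discard the packet
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen = icmp[off + 2]
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(f"{prefix}/{plen}")
        off += olen * 8
    return {"router": src, "lifetime": lifetime, "prefixes": prefixes}


def detect_rogue_ra(packets: List[bytes], allowed_routers: Set[str], allowed_prefixes: Set[str]) -> List[Dict]:
    """Flag RAs whose sender is not an allowed router or that advertise a prefix outside the allowlist."""
    alerts = []
    for pkt in packets:
        ra = parse_ra(pkt)
        if ra is None:
            continue
        reasons = []
        if ra["router"] not in allowed_routers:
            reasons.append("unknown router")
        unexpected = [p for p in ra["prefixes"] if p not in allowed_prefixes]
        if unexpected:
            reasons.append("unexpected prefix " + ", ".join(unexpected))
        if reasons:
            alerts.append({"router": ra["router"], "reasons": reasons})
    return alerts


# Constructed samples: the legitimate router, a stray sender, and the legitimate router with an extra prefix.
LEGIT_ROUTER = "fe80::1"
SAMPLE_PACKETS = [
    build_ra(LEGIT_ROUTER, ["2001:db8:1::/64"]),
    build_ra("fe80::bad:cafe", ["2001:db8:1::/64"]),
    build_ra(LEGIT_ROUTER, ["2001:db8:1::/64", "2001:db8:dead::/64"]),
]

if __name__ == "__main__":
    for alert in detect_rogue_ra(SAMPLE_PACKETS, {LEGIT_ROUTER}, {"2001:db8:1::/64"}):
        print(f"rogue RA from {alert['router']}: {'; '.join(alert['reasons'])}")
```

The allowlist is keyed on the router's link-local source address, which is what RA Guard on a switch keys on as well (on Cisco IOS switches the feature is enabled per interface with `ipv6 nd raguard`). Note the article's caveat: to deploy this you need IPv6 running on the core and on the monitoring host, because an IPv4-only sensor never sees the ff02::1 multicast these advertisements are sent to.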


Duncan urges companies to implement IPv6 on their networks and to put appropriate security controls such as deep packet inspection in place so that they can manage IPv6-related vulnerabilities.

"Enterprises need to make sure that their security vendors can protect against these specific IPv6 vulnerabilities," he says. He urges companies to get their systems and network engineers trained in IPv6 and to develop an IPv6 cybersecurity plan.

Duncan says that enterprise network managers are gaining in awareness of IPv6 but that they aren't focused enough on the related security issues. "There's not as much focus on IPv6 security as there is with IPv4 security," he says.

Donnan says this is a worry because U.S. companies are vulnerable to IPv6 attacks sent by countries such as China.

"There is state-sponsored hacker activity, and they are very savvy about IPv6," Donnan says.

Carriers and enterprises are migrating to IPv6 because the Internet is running out of addresses using IPv4. The free pool of unassigned IPv4 addresses expired in February, and in April the Asia Pacific region ran out of all but a few IPv4 addresses being held in reserve for startups. The American Registry for Internet Numbers (ARIN), which doles out IP addresses to network operators in North America, says it will deplete its supply of IPv4 addresses this fall.

IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet; IPv6 uses 128-bit addresses and can address 2 to the 128th power devices, a practically unlimited number. IPv6 offers the promise of faster, less-costly Internet services than the alternative, which is to extend the life of IPv4 with network address translation (NAT) devices.


Stories by Carolyn Duffy Marsan
