Slideshow: Q1 2015 Security Implications for IPv6 from StateoftheInternet.com

1
Q1 2015
2
ipv4 exhaustion and ipv6 adoption

• Available address space in Internet Protocol
  version 4 (ipv4) continues to shrink, and will
  eventually be depleted
• The creation of ipv6 provides a massive number
  of potential new ip addresses, as well as
  security, routing and networking benefits
• At the same time, the expanded number of
  addresses in ipv6 creates new challenges for DDoS
  attackers and defenders
• Attackers may find it difficult to identify hosts
• Defenders may find it difficult to track the
  large number of unique addresses that can be
  generated in an attack
• Transitional technologies used to bridge the
  operation of ipv4 and ipv6 are also vulnerable to
  abuse by malicious actors

2 / The State of the Internet / Security (Q1
2015)
3
elements driving ipv6 attack vectors

• Abuse of transitional technologies to bypass
  security controls
• Use of ipv6 protocol against applications and
  services that are ipv6 enabled, bypassing ipv4
  security controls
• Modification of ipv6 protocol structure, aiming
  to bypass ipv6 ips, ids and firewall technologies
  
• Adaptation of application layer attacks to work
  over ipv6
• Adaptation of exploitation frameworks to work
  with the ipv6 protocol
• Purpose-built denial of service tools and
  techniques based solely on the ipv6 protocol
  architecture

3 / The State of the Internet / Security (Q1
2015)
4
transition vulnerabilities
The transition from ipv4 to ipv6 creates multiple
vulnerabilities ipv6 networking that is
enabled by default and overlooked by
administrators Tunneling protocols such as
Teredo that may allow ipv6 traffic to bypass
security filtering Filtering programs that
require special configuration to work with ipv6
4 / The State of the Internet / Security (Q1
2015)
5
reflection attacks over ipv6

• PLXsert researchers created a laboratory
  environment to test ipv6 vulnerability
• In most cases, abuse of ipv4-protected services
  and systems was possible using the ipv6 stack
• Standard udp reflection techniques were
  successful against both chargen and ntp services
  over ipv6, due to lack of ipv6 support in the
  filtering layer
• Figure 1 ntp reflection successfully targeted an
  ipv6 machine in our lab behind a shared router

5 / The State of the Internet / Security (Q1
2015)
6
spoofing and hijacking

• The expansion in ipv6 allows for a substantial
  spoofable/hijackable address space to be
  leveraged by attackers
• A single end-user ip range will typically be a
  /64, allowing roughly 18 quintillion
  spoofable/hijackable addresses
• Even a single machine could easily send traffic
  that appears to be from millions of
  legitimate-looking hosts
• Figure 2 Spoofed traffic was successfully routed
  to an IPV6 host via an isp

6 / The State of the Internet / Security (Q1
2015)
7
local-link attacks

• PLXsert performed several tests on popular
  cloud-provider networks. For a provider that did
  not have Rogue Router Advertisement (rra)
  protection, researchers simulated an effective
  DDoS attack
• Crafted rra packets flooded testing machines
  with malformed routing information
• Requests directed the targeted machine to use
  the attacking server as its first hop in the
  default route
• The targeted machine was forced to stop
  communicating over its global link interface,
  effectively DoSing end users
• This technique was effective in networks where
  local-link addresses are shared with neighbors
  and protections against rra are not in place

7 / The State of the Internet / Security (Q1
2015)
8
security community considerations

• Many of the security implications of ipv6
  adoption are undiscovered or unreported
• End users and corporations are at risk when
  deploying ipv6 technology without proper training
  or awareness
• Security community research has seen indications
  that malicious actors are already testing and
  researching ipv6 attack methods
• ipv6 will eventually be the principal addressing
  protocol on the Internet, and the web security
  community must be ready

8 / The State of the Internet / Security (Q1
2015)
9
Q1 2015 State of the Internet Security Report

• Download the Q1 2015 State of the Internet
  Security Report
• The Q1 2015 report covers
• Analysis of DDoS web application attack trends
• Bandwidth (Gbps) and volume (Mpps) statistics
• Year-over-year and quarter-by-quarter analysis
• Attack frequency, size, types and sources
• Security implications of the transition to IPv6
• Mitigating the risk of website defacement and
  domain hijacking
• DDoS techniques that maximize bandwidth,
  including booter/stresser sites
• Analysis of SQL injection attacks as a persistent
  and emerging threat

9 / The State of the Internet / Security (Q1
2015)
10
about stateoftheinternet.com

• StateoftheInternet.com, brought to you by Akamai,
  
• serves as the home for content and information
  intended to provide an informed view into online
  connectivity and cybersecurity trends as well as
  related metrics, including Internet connection
  speeds, broadband adoption, mobile usage,
  outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find
  current and archived versions of Akamais State
  of the Internet (Connectivity and Security)
  reports, the companys data visualizations, and
  other resources designed to put context around
  the ever-changing Internet landscape.

10 / The State of the Internet / Security (Q1
2015)