It is no secret that the proliferation of connected devices has exhausted the IPv4 address space. The exhaustion was first forecast and examined in the 1980s, and it has been unfolding since 2011, when IANA handed its last free blocks to the regional registries. In September 2015, North America's registry exhausted its own pool. IPv4 hangs on because ISPs in various regions continue to draw on unassigned pools and recycle addresses that subscribers no longer need. But IPv6 has made its way into the mainstream, and while this shift is very much needed, enterprise adoption of IPv6 is presenting new opportunities for cyber criminals.
Before we get into what this evolving threat surface looks like, let us examine the introduction of IPv6 and why the protocol exists.
Every device that connects to the internet needs an Internet Protocol (IP) address, whether it is an iPhone, a NEST thermostat, a smart watch or a car. IPv4, however, uses 32-bit addresses, which caps the space at roughly 4.3 billion, and that space is now effectively spent. The Internet Engineering Task Force (IETF) therefore developed a successor protocol, IPv6, with 128-bit addresses. According to the FCC, “IPv6, the next-generation protocol, provides approximately 340 undecillion IP addresses, ensuring availability of new IP addresses far into the future, as well as promoting the continued expansion and innovation of internet technology.”
An IPv6 address has two parts: a network prefix and an interface identifier (the host portion), normally 64 bits each. The prefix can change, for example when a subscriber is renumbered, but it tends to be the more stable half from an identity perspective. The interface identifier is produced by the host itself: it may be derived from the interface's hardware address, assigned as a stable per-network value, or, with privacy extensions (RFC 4941) enabled, generated at random and replaced periodically.
The new security risks from IPv6
Because the interface identifier is generated by the host and, with privacy extensions, regenerated at random, it is very difficult to pin an identity to a specific device by its IPv6 address. IPv4 addresses are scarce and, on most networks, change rarely, so blocking the address of a bad actor is straightforward. In the IPv6 world a device's full address keeps changing: with privacy extensions a fresh temporary address is preferred roughly once a day by default, and the old one is retired soon after. Blocking individual IPv6 addresses therefore rarely holds, which makes it easier for a malicious device to masquerade as a new, harmless one. The practical answer is to block at the granularity of the prefix the address came from, usually the /64, because the attacker keeps that half of the address across every rotation.
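The following is an added example, not code from the original article: it models an RFC 4941 temporary address (fixed 64-bit prefix, random 64-bit interface identifier) and shows why a block on the exact address seen in a log stops working after the next rotation, while a block on the /64 the address came from still holds. The prefix 2001:db8:1234:5678::/64 is an assumed documentation prefix, and `Blocklist` is a minimal illustrative class, not a real product's API.

```python
# Added example: per-address blocking versus /64 blocking against IPv6
# temporary addresses. Not from the original article.
import ipaddress
import secrets

# Constructed sample: an abusive host lives on this /64. 2001:db8::/32 is
# reserved for documentation, so nothing here refers to a real network.
ABUSER_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")


def new_temporary_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Model an RFC 4941 temporary address: the 64-bit network prefix stays
    fixed while the 64-bit interface identifier is replaced by random bits."""
    assert prefix.prefixlen == 64, "temporary addresses are formed on a /64"
    iid = secrets.randbits(64)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


class Blocklist:
    """Illustrative blocklist holding networks. A /128 entry matches exactly one
    address; a /64 entry matches every interface identifier on that subnet."""

    def __init__(self) -> None:
        self.entries: list = []

    def add(self, target, prefixlen: int = 128) -> None:
        # strict=False lets a host address be collapsed to its /64 (or any
        # other) prefix without first zeroing the host bits by hand.
        self.entries.append(ipaddress.ip_network(f"{target}/{prefixlen}", strict=False))

    def is_blocked(self, addr) -> bool:
        # ip_address() canonicalises textual forms, so 2001:DB8:0:0::1 and
        # 2001:db8::1 compare equal; a string compare would not.
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.entries)


def demo() -> dict:
    """Block the address seen today, then test tomorrow's rotated address."""
    seen = new_temporary_address(ABUSER_PREFIX)

    host_only = Blocklist()
    host_only.add(seen)                 # /128: the exact address from the log
    subnet = Blocklist()
    subnet.add(seen, prefixlen=64)      # /64: the prefix the address came from

    tomorrow = new_temporary_address(ABUSER_PREFIX)   # new IID, same prefix
    return {
        "host_block_catches_rotated": host_only.is_blocked(tomorrow),
        "subnet_block_catches_rotated": subnet.is_blocked(tomorrow),
        # A /64 block must not spill onto the neighbouring subnet.
        "subnet_block_hits_neighbour_prefix": subnet.is_blocked("2001:db8:1234:5679::1"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The /64 is the conventional unit because it is the smallest subnet a host is normally assigned, so it is also the smallest unit the attacker cannot change without moving to a different network. Blocking wider than that (a /48, say) may be justified for a persistent source, but it also starts to cover neighbouring customers.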
Another attack vector targets the gap between the IPv4 and IPv6 handling in the same software. Most operating systems and network-facing applications have supported both protocols for many years, a configuration known as “dual stack”. When a vulnerability is identified in such software, the fix and the regression tests too often cover only the heavily exercised IPv4 code path, while the IPv6 path, frequently a separate branch of the same function, goes unpatched or untested. To attackers, a patch announcement is a bright light on a juicy target: they know what the vulnerability is, and there is a real chance that the IPv6 route to it is still wide open. The same applies to checks that were written with only IPv4 in mind, such as address parsing and access control lists, which can silently stop matching once the service listens on a dual-stack socket.
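As an added example, not code from the article or any product it mentions, here is a ban check of the kind that gets written and patched with IPv4 in mind, beside one that also covers the IPv6 path. The banned entries and peer addresses are constructed documentation addresses. The failure it shows is a real dual-stack behaviour: on a socket bound to `::` with `IPV6_V6ONLY` off, an IPv4 client is reported as an IPv4-mapped IPv6 address such as `::ffff:203.0.113.5`, so a string compare against `203.0.113.5` never matches.

```python
# Added example: an IPv4-only ban check versus one that handles both stacks.
# Not from the original article; all addresses are documentation ranges.
import ipaddress

# Constructed policy: one banned IPv4 host and one banned IPv6 /48.
BANNED = ["203.0.113.5", "2001:db8:bad::/48"]


def is_banned_naive(peer: str) -> bool:
    """The IPv4-era check: exact string match. Correct on an AF_INET socket;
    wrong on a dual-stack socket, where the same client arrives as
    ::ffff:203.0.113.5, and wrong for any IPv6 entry, which can be written
    in many textual forms and is never expanded from its /48."""
    return peer in BANNED


def is_banned(peer: str) -> bool:
    """The check covering both paths: parse, unmap IPv4-mapped addresses,
    then test network membership rather than text equality."""
    ip = ipaddress.ip_address(peer)
    # An IPv4 client seen through a dual-stack listener is ::ffff:a.b.c.d;
    # ipv4_mapped gives back the IPv4Address it wraps, or None otherwise.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # strict=False turns a bare host entry into a /32 or /128 network.
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in BANNED)


if __name__ == "__main__":
    # Constructed peers as a dual-stack server would report them.
    for peer in ("203.0.113.5", "::ffff:203.0.113.5", "2001:DB8:BAD::1", "2001:db8:1::1"):
        print(f"{peer:28} naive={is_banned_naive(peer)!s:5} fixed={is_banned(peer)}")
```

The naive version is not wrong for the inputs it was tested with, which is exactly why it survives a patch cycle: the IPv4 test case passes, and nobody re-runs it over the IPv6 listener.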
Attackers can also use IPv6 hosts for amplification attacks such as DNS reflection. The internet community has recently been dedicated to closing down open resolvers on IPv4, aided by the fact that the whole IPv4 space can be scanned in hours. The IPv6 space is new and vastly larger, so open resolvers reachable over IPv6 cannot be found by brute-force scanning and tend to persist. In a recent attack, computers behind 1,900 IPv6 addresses attacked a DNS server as part of a larger army of commandeered systems, most of which used IPv4 addresses. Of the 1,900 IPv6 addresses, 400 belonged to poorly configured DNS systems, and those alone produced roughly one-third of the overall attack traffic. Because the IPv6 listener of a resolver is often configured and access-controlled separately from its IPv4 side, and because nobody can sweep the address space to find the mistakes, DNS-based amplification over IPv6 could become an enormous problem in the future.
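As an added illustration, not taken from the article, the BIND 9 `named.conf` fragment below shows the configuration pattern that turns a dual-stack resolver into an IPv6-reachable open resolver, followed by a corrected version. The listener addresses and the internal prefixes are assumed documentation values; the option names are standard BIND 9 options (`rate-limit` requires a build with response rate limiting, which is the default in current releases).

```conf
// Weak: the server listens on IPv6 as well as IPv4, but recursion is open
// to everyone, so it is an open resolver on both stacks. The IPv4 side may
// get noticed by an open-resolver scan; the IPv6 side will not.
options {
    listen-on    { 192.0.2.53; };      // assumed IPv4 listener
    listen-on-v6 { 2001:db8::53; };    // assumed IPv6 listener
    recursion yes;
    allow-recursion { any; };
};

// Corrected: a single ACL names the internal clients on BOTH stacks, recursion
// and cache reads are restricted to it, and response rate limiting caps what
// any spoofed source can extract if a rule is ever loosened again.
acl "internal" {
    127.0.0.1; ::1;
    10.0.0.0/8;                        // assumed internal IPv4 range
    2001:db8:1::/48;                   // assumed internal IPv6 prefix
};

options {
    listen-on    { 192.0.2.53; };
    listen-on-v6 { 2001:db8::53; };
    recursion yes;
    allow-recursion   { internal; };
    allow-query-cache { internal; };
    rate-limit {
        responses-per-second 5;
        window 5;
        // RRL buckets IPv6 clients per /56 (the default) rather than per
        // address, so a rotating interface identifier does not reset the limit.
        ipv6-prefix-length 56;
    };
};
```

The point of the single ACL is that the IPv6 prefix can only be forgotten in one place. Whether the rule is right can be confirmed from outside the network with any recursive query over IPv6 (for example `dig @2001:db8::53 example.com` from a host that is not in the ACL), which should be refused.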
Today’s enterprise challenge – a balancing act
Because of the fundamental differences between the two protocols, it has been vital that existing IPv4 networks keep operating while IPv6 is rolled out. Some enterprises have started by running IPv4 and IPv6 in parallel, often with two different teams. This speeds up the IPv6 rollout but works against consistent security, because the two rule sets drift apart. Complicating matters further, many security tools still do not support IPv6, or are not configured for it. That lets attackers bypass firewalls and intrusion prevention systems simply by sending their traffic over IPv6, which these controls never inspect. This applies even to networks that have not deployed IPv6 deliberately: modern hosts enable it by default, so IPv6 traffic can appear on a nominally IPv4-only LAN.
Although widespread IPv6 deployment is relatively new, history teaches that enterprises need to stay educated on the threats that evolve from a new protocol and take a proactive approach to assessing and implementing security measures that minimise the risk. Key things to look for as IPv6 implementations grow: ensure that firewall and security rules are kept synchronized between IPv4 and IPv6, with every change applied to both; configure routers and switches to recognize IPv6-formatted attacks, including attacks on the protocol's own mechanisms such as rogue Router Advertisements; and train staff to expect attacks that use IPv6 only, with no IPv4 component.
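One concrete way to check the first of those items, added here as an example rather than taken from the article: diff an `iptables-save` dump against an `ip6tables-save` dump and report every chain policy and rule that exists on one stack only. The two dumps below are constructed for illustration; on a real host they would come from running the two commands. Rules that carry address literals will always differ between the dumps and need a manual mapping, and a few IPv6-only rules are legitimate (ICMPv6 must be accepted for neighbor discovery and path MTU discovery), so the report is a worklist, not a verdict.

```python
# Added example: find rules and policies present in only one of the two
# stacks' rulesets. Not from the original article; dumps are constructed.

IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# The IPv6 ruleset of the same (constructed) host: default policies were never
# tightened, the conntrack rule is missing, and someone opened 3306 here only.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""


def parse_save(text: str):
    """Parse *tables-save output into ({'table/CHAIN': policy}, {(table, rule)}).

    Lines: '*name' starts a table, ':CHAIN POLICY [p:b]' declares a chain,
    '-A ...' appends a rule, 'COMMIT' ends the table, '#' lines are comments."""
    policies, rules, table = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]      # counters are ignored
            policies[f"{table}/{chain}"] = policy
        elif line.startswith("-A"):
            rules.add((table, " ".join(line.split())))  # normalise whitespace
    return policies, rules


def compare_rulesets(v4_text: str, v6_text: str) -> dict:
    """Report policies that differ and rules present on one stack only."""
    p4, r4 = parse_save(v4_text)
    p6, r6 = parse_save(v6_text)
    return {
        "policy_mismatch": sorted(c for c in p4.keys() | p6.keys() if p4.get(c) != p6.get(c)),
        "v4_only": sorted(r4 - r6),
        "v6_only": sorted(r6 - r4),
    }


if __name__ == "__main__":
    report = compare_rulesets(IPTABLES_SAVE, IP6TABLES_SAVE)
    for chain in report["policy_mismatch"]:
        print(f"POLICY differs: {chain}")
    for table, rule in report["v4_only"]:
        print(f"IPv4 only ({table}): {rule}")
    for table, rule in report["v6_only"]:
        print(f"IPv6 only ({table}): {rule}")
```

On the constructed input the report flags the open default policies and the missing conntrack rule on the IPv6 side, which together mean the IPv6 listener is effectively unfiltered, plus the 3306 rule that only one team added. The `ipv6-icmp` entry also shows up as IPv6-only and is expected; the sensible follow-up is an allowlist of known-good asymmetries so that the check can run unattended after every rule change.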
On the upside, IPv6 networks are not yet ubiquitous enough for attackers to invest heavily in attack methods specific to the new protocol; IoT products and the botnets that target them currently focus almost entirely on IPv4. On the downside, pretty much every modern mobile device and PC ships with IPv6 support included and turned on by default, so when the IPv6 attacks come, they are going to hit hard.
Bottom line: the bad guys are well versed in the weaknesses of IPv6. Make sure that you are as well.