According to Google's IPv6 adoption statistics, only around 15% of users reach Google over Internet Protocol version 6 (IPv6) worldwide. Given that low adoption rate, have we really scratched the surface of IPv6 security, or is it still treated as a small fringe concern?
The concerns most people raise today about implementing IPv6 are:
- Inadequate IPv4/IPv6 Parity
- No Visibility
- Stack Implementation Flaws
- Host Scanning
- Using IPv6 to Bypass Rate Limiting
One of the challenges we see today in enterprise environments is that network address translation (NAT) solved enough of the IPv4 address exhaustion problem that there has been little pressure to move. Many enterprises have implemented IPv6 only at the Internet edge of their organization and not internally, for a variety of reasons. The problem with not deploying IPv6 internally is that the protocol is present on the hosts anyway, and current threats can take advantage of the resulting lack of visibility and mitigation.
Because all current major operating systems ship with IPv6 enabled by default, a host will auto-configure an IPv6 address as soon as something on its segment sends a router advertisement, whether that is a legitimate router or malware on a compromised host. There has been a recent increase in malicious code that enables or configures IPv6 on a compromised host, creating a channel that IPv4-only monitoring never sees. Publicly available tools such as relay6, 6tunnel, nt6tunnel, asybo and many more relay or tunnel traffic between IPv6 and IPv4 endpoints. They have legitimate uses in bridging IPv6 and IPv4 devices and applications, but they can just as easily be misused for malware tunneling and routing.
Teredo tunneling is another place where we are seeing a rise in IPv6 abuse. Teredo is a transition technology that gives full IPv6 connectivity to IPv6-capable hosts that sit on the IPv4 Internet with no native connection to an IPv6 network. Unlike similar protocols such as 6to4, it works even from behind NAT devices such as home routers.
Teredo is a platform-independent tunneling protocol that encapsulates IPv6 datagrams inside IPv4 User Datagram Protocol (UDP) packets, which is what lets it cross NAT devices. A Teredo client registers with a Teredo server (UDP port 3544) to learn its external IPv4 address and port, and that information is embedded in the client's Teredo address; Teredo relays on the IPv6 side decapsulate the packets and pass them on to native IPv6 destinations.
A number of BitTorrent clients and trackers started taking advantage of Teredo: a torrent client with Teredo configured could bypass firewall rules written to block torrent traffic over IPv4. Some clients send encrypted UDP on well-known ports (such as SIP or DNS) and leave a protected network looking like harmless traffic. The IPv4 network becomes a transit path for these tunnels into overlay networks, where IPv6 relays provide anonymity and evasion from detection mechanisms. Malware can use the same overlay mechanisms and go undetected wherever IPv6 is not implemented or monitored.
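Teredo, 6to4 and ISATAP all embed the IPv4 endpoint inside the IPv6 address, so an analyst who sees one of these addresses in a log can recover the IPv4 host (and, for Teredo, the server and the client's external UDP port) behind the tunnel. The script below is an added example, not code from the original post: it decodes all three address formats, scans constructed flow-log lines for them, and checks whether a UDP payload carries a bare IPv6 packet the way Teredo does. The sample flow lines and the Teredo address used (the one from RFC 4380's own examples) are constructed input; Teredo's optional authentication and origin indication headers, which can precede the IPv6 header, are deliberately not handled.

```python
"""Spot transition-mechanism (tunnelled) IPv6 addresses in flow logs.

Teredo (RFC 4380), 6to4 (RFC 3056) and ISATAP (RFC 5214) embed the IPv4
endpoints inside the IPv6 address, so the IPv4 host behind a tunnel can be
recovered from the address alone.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ::0:5efe / ::200:5efe


@dataclass
class TunnelInfo:
    kind: str                        # "teredo", "6to4" or "isatap"
    client_v4: str                   # IPv4 endpoint embedded in the address
    server_v4: Optional[str] = None  # Teredo server (Teredo only)
    port: Optional[int] = None       # client's external UDP port (Teredo only)
    cone_nat: Optional[bool] = None  # Teredo cone flag (Teredo only)


def decode_tunnel_address(addr: str) -> Optional[TunnelInfo]:
    """Return embedded IPv4 details if addr is a Teredo, 6to4 or ISATAP address."""
    try:
        a = ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    b = a.packed
    if a in TEREDO_PREFIX:
        # bits 32-63 server IPv4, 64-79 flags, 80-95 port XOR 0xffff,
        # 96-127 client IPv4 XOR 0xffffffff (RFC 4380 section 4)
        flags, obf_port, obf_client = struct.unpack("!HHI", b[8:16])
        return TunnelInfo(
            kind="teredo",
            client_v4=str(ipaddress.IPv4Address(obf_client ^ 0xFFFFFFFF)),
            server_v4=str(ipaddress.IPv4Address(b[4:8])),
            port=obf_port ^ 0xFFFF,
            cone_nat=bool(flags & 0x8000),
        )
    if a in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> W.X.Y.Z is the 6to4 router's public IPv4
        return TunnelInfo(kind="6to4", client_v4=str(ipaddress.IPv4Address(b[2:6])))
    if b[8:12] in ISATAP_IIDS:
        # any prefix; interface identifier ::[2]00:5efe:w.x.y.z
        return TunnelInfo(kind="isatap", client_v4=str(ipaddress.IPv4Address(b[12:16])))
    return None


def encapsulated_ipv6_source(udp_payload: bytes) -> Optional[str]:
    """If a UDP payload is a bare IPv6 packet (as Teredo carries them), return
    its source address, else None. Payloads starting with a Teredo
    authentication (0x0001) or origin (0x0000) indication are not handled."""
    if len(udp_payload) < 40 or udp_payload[0] >> 4 != 6:
        return None
    payload_len = struct.unpack("!H", udp_payload[4:6])[0]
    if 40 + payload_len != len(udp_payload):
        return None
    return str(ipaddress.IPv6Address(udp_payload[8:24]))


def build_sample_ipv6_header(src: str, dst: str) -> bytes:
    """Constructed test input: a minimal IPv6 header, no payload, next header 59."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


ADDR_RE = re.compile(r"\b(src|dst)=([0-9A-Fa-f:.]+)")


def scan_flow_log(lines) -> List[Tuple[int, str, str, TunnelInfo]]:
    """Return (line_no, field, address, info) for every tunnelled address seen."""
    findings = []
    for n, line in enumerate(lines, 1):
        for field, addr in ADDR_RE.findall(line):
            info = decode_tunnel_address(addr)
            if info:
                findings.append((n, field, addr, info))
    return findings


SAMPLE_FLOWS = [  # constructed sample lines, not real traffic
    "2024-05-01T10:00:01Z src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10 proto=tcp dport=6881",
    "2024-05-01T10:00:02Z src=2002:c000:204::1 dst=2001:db8::10 proto=tcp dport=443",
    "2024-05-01T10:00:03Z src=2001:db8:1::42 dst=2001:db8::10 proto=tcp dport=443",
    "2024-05-01T10:00:04Z src=fe80::5efe:c000:204 dst=ff02::1 proto=icmpv6",
]

if __name__ == "__main__":
    for n, field, addr, info in scan_flow_log(SAMPLE_FLOWS):
        print(f"line {n}: {field}={addr} -> {info}")
    pkt = build_sample_ipv6_header("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::10")
    print("encapsulated source:", encapsulated_ipv6_source(pkt))
```

Address decoding only catches tunnel endpoints that show up as IPv6 addresses in your logs; on the IPv4 wire, Teredo is just UDP, and only the server side is pinned to port 3544, so the payload check is what you would run against UDP flows to unknown ports.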
Recently, we saw that 5% of a CCTV botnet was using IPv6. When the Internet of Things (IoT) fully adopts IPv6, we will begin to see a rise in DDoS botnets leveraging it. In the Mirai botnet we are already seeing IPv6-enabled devices in the attack mix sending out floods, and Mirai has exceeded 1 Tbps in flooding attacks. If the same 5% of those hosts flooded over IPv6, that alone would be roughly 50 Gbps of DDoS traffic arriving on a protocol many defenses do not watch. It is very possible this is just the beginning of this sort of attack vector.
Without visibility, companies are blind to hidden IPv6 networks inside their own perimeter. Because of Teredo and other encapsulation strategies, we are going to see more hidden attack vectors in the future. I predict that IPv6 exploits will become a more common headache for years to come; the small global adoption rate has left this a very open exposure. Have you implemented detection mechanisms for IPv6? If you detect threats, do you have active mitigation?
We recommend that companies DO implement IPv6 sooner rather than later, and that they:
• Use dual stack as your preferred IPv6 migration choice
• Use static tunneling (a configured 6in4 tunnel to a known endpoint) rather than dynamic tunneling such as Teredo or 6to4
• Implement outbound filtering on firewall devices to allow only authorized
• Filter internal-use IPv6 addresses (unique local fc00::/7 and link-local fe80::/10) at organization border routers
• Filter unneeded services at the network edge and on firewalls
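The following nftables ruleset is an added example of the recommendations above, not configuration from the original post. It assumes the organization's own prefix is 2001:db8::/32, that its single authorized static tunnel peer is 192.0.2.10, and that the border box forwards between interfaces named lan and wan; all three are placeholders to replace. Dynamic tunnels are dropped by port (Teredo on UDP/3544, AYIYA on UDP/5072) and by IP protocol 41 (6to4, 6in4, ISATAP), internal-use addresses are stopped at the border in both directions, and outbound traffic is limited to an explicit list of services.

```nft
# Added example, not from the original post. Placeholders to replace:
#   2001:db8::/32  - the organization's own IPv6 prefix
#   192.0.2.10     - the one authorized static (6in4) tunnel peer
#   lan / wan      - inside and outside interfaces of the border router
table inet border {
    set static_tunnel_peers {
        type ipv4_addr
        elements = { 192.0.2.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid counter drop

        # Dynamic tunnels: Teredo (IPv6 in UDP/3544) and AYIYA (UDP/5072).
        # Teredo can be run on other ports, so pair this with payload inspection.
        udp dport { 3544, 5072 } counter drop

        # IPv6-in-IPv4 (6to4, 6in4, ISATAP) only to the authorized static peer
        ip protocol 41 ip daddr @static_tunnel_peers accept
        ip protocol 41 counter drop

        # Internal-use addresses never cross the border in either direction
        ip6 saddr { fc00::/7, fe80::/10 } counter drop
        ip6 daddr { fc00::/7, fe80::/10 } counter drop

        # Inbound ICMPv6 errors our own hosts need (path MTU discovery etc.)
        iifname "wan" oifname "lan" ip6 daddr 2001:db8::/32 icmpv6 type {
            packet-too-big, destination-unreachable, time-exceeded, parameter-problem
        } accept

        # Outbound: only our own prefix, only the services we allow out
        iifname "lan" oifname "wan" ip6 saddr 2001:db8::/32 tcp dport { 80, 443 } accept
        iifname "lan" oifname "wan" ip6 saddr 2001:db8::/32 udp dport { 53, 123 } accept
        iifname "lan" oifname "wan" ip6 saddr 2001:db8::/32 icmpv6 type echo-request accept

        # Everything else, including spoofed or unknown source prefixes, is logged and dropped
        log prefix "ipv6-border-drop " counter drop
    }
}
```

Load it with `nft -f` and watch the counters: hits on the protocol-41 and UDP/3544 rules are exactly the hidden tunnels the post warns about, and a non-zero ULA counter means an internal host is trying to talk to the outside with an address that should never have left the building.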