On the Internet, every networked device is assigned an IP address that identifies and locates it. The rapid development of the Internet since the 1990s has led to IPv4 address exhaustion, as the number of addresses required by networked devices far outstrips the number of IPv4 addresses available. The development and deployment of the IPv6 protocol is therefore urgent.

In addition to offering far more IP addresses than IPv4, IPv6 has many other advantages.

Speed and security have long been goals of the Internet. IPv6 has a fixed-length header; unlike the IPv4 header, which can carry variable-length options, it improves the efficiency of packet forwarding. In terms of security, IPv6 integrates with IPsec to authenticate and encrypt data at the network layer, providing end-to-end data security for users and preventing data hijacking.

At present, most websites have started to use IPv6, but IPv4 and IPv6 were not designed to interoperate, which complicates the transition from IPv4 to IPv6, including in the field of network security.

In early 2018, Neustar claimed to be the victim of an IPv6 DDoS attack, which was the first public IPv6 DDoS attack. The attack originated from approximately 1900 different local IPv6 hosts on more than 650 different networks and targeted authoritative DNS servers in Neustar’s network. Some called it “the first native IPv6 DDoS attack.” It may not actually have been the first, but it shows that defending against DDoS attacks in the IPv6 era is urgent.

Impact and damage of DDoS attacks

DDoS stands for distributed denial of service: hackers use computers under their control to send as many network access requests as possible to a specific target, creating a flood of traffic that overwhelms the target system. DDoS attacks are very harmful and difficult to defend against. They can directly bring down websites and servers, causing huge losses such as loss of credibility, brand damage and financial loss, and they seriously threaten the development of Internet information security.

For hackers who develop DDoS attack tools, IPv6 not only introduces additional attack vectors but also increases attack volume. IPv4 provides about 4.3 billion unique 32-bit IP addresses. IPv6, with its 128-bit address system, claims to be able to assign an IP address to every grain of sand in the world, meaning that attackers can tap into more than 34 billion IP addresses, magnifying the damage countless times. For website administrators, tracking and blocking will become more difficult. Because the number of addresses is infinite, operators such as Spamhaus, which maintains spam blacklists, realize that spammers can easily launch mass spam campaigns using a different IP address for each message.

In addition, some new features of IPv6 protocol can also be used by hackers for DDoS attacks:

  • IPv6 added the NS, NA, RS and RA messages (Neighbor Solicitation, Neighbor Advertisement, Router Solicitation and Router Advertisement), which may be used for DDoS attacks

  • The new Next Header feature of IPv6 also poses similar risks, such as the Type 0 Routing Header vulnerability, in which carefully crafted packets make a message bounce back and forth between two vulnerable servers, depleting link bandwidth

  • IPv6 supports stateless automatic configuration. In addition, there may be many available IP addresses under the subnet, enabling attackers to launch random DDoS attacks

  • IPv6 uses an end-to-end fragment reassembly mechanism. If the server has vulnerabilities, it may be hit by a DoS attack that uses carefully forged fragments
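As a defensive illustration of the Next Header and fragmentation points above, the following added example (not part of the original article) walks the extension header chain of a raw IPv6 packet and reports a Type 0 Routing Header or a Fragment header so that a filter or monitor can act on it. The sample packets, addresses and function names are constructed for the example.

```python
import ipaddress
import struct

# Next Header values of the extension headers this walker understands.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def inspect_ipv6(packet: bytes) -> dict:
    """Walk the Next Header chain of a raw IPv6 packet and report RH0 and fragments."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    found = {"rh0": False, "fragment": False, "ext_headers": 0, "upper_layer": None}
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        found["ext_headers"] += 1
        current, next_header = next_header, packet[offset]
        if current == FRAGMENT:
            found["fragment"] = True
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset:          # not the first fragment: no headers follow
                break
            length = 8               # the Fragment header has a fixed size
        else:
            length = (packet[offset + 1] + 1) * 8
            if current == ROUTING and packet[offset + 2] == 0:
                found["rh0"] = True  # Routing Type 0, the header named above
        if offset + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        offset += length
    found["upper_layer"] = next_header
    return found

# Constructed sample packets (documentation prefix 2001:db8::/32, dummy payload).
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed

def sample_packet(ext: bytes, first_next_header: int) -> bytes:
    payload = ext + b"\x00" * 8   # 8 zero bytes stand in for a UDP header
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), first_next_header, 64)
    return fixed + SRC + DST + payload

RH0 = bytes([17, 2, 0, 1]) + b"\x00" * 4 + DST               # type 0, one address
FIRST_FRAGMENT = bytes([17, 0]) + struct.pack("!HI", 0x0001, 0xABCD)  # offset 0, M=1

if __name__ == "__main__":
    print(inspect_ipv6(sample_packet(RH0, ROUTING)))
    print(inspect_ipv6(sample_packet(FIRST_FRAGMENT, FRAGMENT)))
```

Routing Type 0 was deprecated by RFC 5095, so a packet that sets `rh0` can be dropped at the network edge.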

IPv6 attacks are inevitable: Be prepared

As IPv6 becomes a larger part of enterprise networks, IPv6-based attacks will increase. Because IPv6 nodes can maliciously use the Neighbor Discovery Protocol to discover other network nodes, network administrators now need to be familiar with the Secure Neighbor Discovery Protocol (SEND). This protocol addresses the problem of interaction between all nodes connected to the same link and can resist some potential IPv6 attack techniques.

In addition, what other methods can be used to defend against IPv6 DDoS attacks?

  • Refactoring the operating system to support IPv6: This is one of the best defenses. The system is built to protect against inbound and outbound network attacks, so that it supports IPv6 networks and provides security protection on them.

  • Traffic monitoring and early warning system: At present, IPv4 and IPv6 coexist. The traffic monitoring and early warning system needs to support IPv4 and IPv6, detect dual-stack traffic at the same time, and detect abnormal traffic in advance.

  • Stronger traffic cleaning system: Since IPv6 has 2^96 times more IP addresses than IPv4, the system needs to support dual stack and automatically determine the IP type. More powerful processing performance is therefore required to support security defense and cleaning across a massive number of IP addresses.

  • Adapt to new challenges: Traditional DDoS defense algorithms and modes should be updated to adapt to new features and challenges in IPv6.
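The following added example (not from the original article) sketches the dual-stack counting that the monitoring and cleaning items above call for, and shows why the per-address tracking discussed earlier breaks down on IPv6: it detects the IP type of each source automatically, folds IPv4-mapped IPv6 addresses back to IPv4, and counts IPv6 sources per /64 prefix rather than per address. The /64 aggregation size, the threshold and the sample traffic are assumptions made for the example.

```python
import ipaddress
from collections import Counter

def normalize(addr: str):
    """Parse either IP version; treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def aggregation_key(addr: str, v6_prefix: int = 64, v4_prefix: int = 32) -> str:
    """Return the prefix a rate counter should use for this source address."""
    ip = normalize(addr)
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def flag_sources(addresses, threshold: int) -> dict:
    """Compare per-address counting with per-prefix counting over the same traffic."""
    per_address = Counter(str(normalize(a)) for a in addresses)
    per_prefix = Counter(aggregation_key(a) for a in addresses)
    return {
        "by_address": sorted(k for k, n in per_address.items() if n >= threshold),
        "by_prefix": sorted(k for k, n in per_prefix.items() if n >= threshold),
    }

# Constructed sample traffic using documentation address ranges.
SAMPLE = (
    [f"2001:db8:bad:1::{i:x}" for i in range(1, 41)]  # 40 requests, new address each time, one /64
    + ["198.51.100.7"] * 25                            # one noisy IPv4 source
    + ["::ffff:198.51.100.7"] * 10                     # the same source seen on a dual-stack socket
    + ["2001:db8:aaaa:1::10", "203.0.113.9"] * 3       # ordinary clients
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE, threshold=20))
```

Counting per address flags only the IPv4 source, while counting per prefix also flags the /64 whose addresses each appear once.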

IPv6 protocol adoption is accelerating and will reach a tipping point in the near future. Now is the time to prepare network defenses to handle IPv6 DDoS attacks. Act fast!
