On the Internet, every networked device is assigned an IP address that identifies it and defines its location. With the rapid growth of the Internet since the 1990s, the number of addresses needed by connected devices has far exceeded the number of available IPv4 addresses, leading to a shortage of IPv4 addresses. The development and deployment of the IPv6 protocol is therefore urgent.

In addition to providing a larger number of IP addresses than IPv4, IPv6 has a number of other advantages.

A faster and safer network has been the long-term pursuit of the Internet. IPv6 uses a fixed header, unlike IPv4, whose header carries a pile of lengthy data; the short header effectively improves the efficiency of network data forwarding. In terms of security, IPv6 directly integrates IPsec, which authenticates and encrypts data at the network layer, provides end-to-end data security for users, and ensures that data is not hijacked.

At present, most websites have started to support IPv6, but IPv4 and IPv6 were not designed to be interoperable, which makes the transition from IPv4 to IPv6 considerably more complicated, including in the area of network security.

In early 2018, Neustar claimed to have been hit by an IPv6 DDoS attack, the first such attack to be made public. The attack originated from about 1,900 different native IPv6 hosts on more than 650 different networks and targeted authoritative DNS servers in the Neustar network. Some are calling this the “first native IPv6 DDoS attack.” Although it may not actually have been the first, it shows that defending against DDoS attacks in the IPv6 era is urgent.

The effects and hazards of DDoS attacks

In a DDoS attack, hackers use computers under their control (bots, colloquially called "chickens") to send as many network access requests as possible to a particular target, creating a flood of traffic that hits the target system. DDoS attacks are very harmful and very difficult to prevent. They can directly lead to website downtime and server paralysis, causing damage to credibility, brand reputation and property along with other huge losses, and they are a serious threat to the development of Internet information security.

For hackers who develop DDoS attack tools, IPv6 not only introduces an additional attack vector but also increases the volume of attacks. IPv4 provides about 4.3 billion unique 32-bit IP addresses. IPv6, on the other hand, uses 128-bit addresses and is claimed to be able to assign an IP address to every grain of sand in the world, which means that attackers can exploit more than 34 billion IP addresses, making an attack far more harmful and more difficult for site managers to track and block. Because the number of addresses is effectively unlimited, operators like Spamhaus, which operates a spam blacklist, will find that spammers can easily launch a mass spam campaign with a different IP address for each message.

In addition, some new features of the IPv6 protocol may also be used by hackers for DDoS attacks:

  • IPv6 adds the Neighbor Discovery messages NS/NA/RS/RA (Neighbor Solicitation, Neighbor Advertisement, Router Solicitation, Router Advertisement), which could be used for DDoS attacks
  • IPv6’s new Next Header feature carries the same risk. One example is the Type 0 routing header vulnerability, in which a carefully crafted packet can “bounce” between two vulnerable servers and use up link bandwidth
  • IPv6 supports stateless address autoconfiguration, and there may be a very large number of IP addresses available under a subnet, so attackers can easily launch random-source DDoS attacks
  • IPv6 uses an end-to-end fragmentation and reassembly mechanism; if the server has a vulnerability, it can be exposed to a DoS attack by carefully forged fragment packets
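
A defender's view of the routing header and fragmentation items above, as an added example that is not part of the original article: a Python function that walks the Next Header chain of a raw IPv6 packet and reports Type 0 routing headers and fragment headers so a filter can drop or log them. The sample packets, the documentation addresses and the 8-header policy limit are constructed assumptions.

```python
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
MAX_EXT_HEADERS = 8  # assumed local policy limit on chain length


def inspect_ipv6(packet: bytes) -> list:
    """Walk the Next Header chain of a raw IPv6 packet; return a list of findings."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ["malformed: no complete IPv6 fixed header"]
    findings, next_header, offset, seen = [], packet[6], 40, 0
    while next_header in EXT_HEADERS:
        seen += 1
        if seen > MAX_EXT_HEADERS:
            return findings + ["extension header chain longer than policy limit"]
        if offset + 8 > len(packet):
            return findings + ["malformed: truncated extension header"]
        following, length = packet[offset], 8  # a Fragment header is always 8 bytes
        if next_header == FRAGMENT:
            off_flags = struct.unpack_from("!H", packet, offset + 2)[0]
            frag_offset, more = (off_flags >> 3) * 8, off_flags & 1
            if frag_offset == 0 and not more:
                findings.append("atomic fragment (offset 0, M=0)")
            else:
                findings.append(f"fragment: offset={frag_offset} more={more}")
            if frag_offset:  # non-first fragment: what follows is not a header
                return findings
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len is in 8-byte units
            if next_header == ROUTING and packet[offset + 2] == 0:
                findings.append(f"routing header type 0, segments left={packet[offset + 3]}")
        next_header, offset = following, offset + length
    return findings


def sample_packet(next_header: int, payload: bytes) -> bytes:
    """Constructed test packet between RFC 3849 documentation addresses."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + IPv6Address("2001:db8::1").packed + IPv6Address("2001:db8::2").packed + payload


# Constructed samples: 59 = No Next Header, 17 = UDP
RH0 = sample_packet(ROUTING, bytes([59, 2, 0, 1]) + bytes(4) + IPv6Address("2001:db8::3").packed)
FIRST_FRAG = sample_packet(FRAGMENT, bytes([17, 0]) + struct.pack("!HI", 1, 0x1234) + bytes(8))
PLAIN_UDP = sample_packet(17, bytes(8))

if __name__ == "__main__":
    for name, pkt in (("RH0", RH0), ("FIRST_FRAG", FIRST_FRAG), ("PLAIN_UDP", PLAIN_UDP)):
        print(name, inspect_ipv6(pkt))
```

The Type 0 routing header was deprecated by RFC 5095, so a finding for it is normally grounds to drop the packet at the network edge.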

IPv6 attacks are inevitable: Be prepared

As IPv6 becomes a larger and larger part of the enterprise network, attacks based on IPv6 will increase. Because IPv6 nodes discover other network nodes with the Neighbor Discovery Protocol, which is vulnerable to malicious interference, site administrators now need to familiarize themselves with the Secure Neighbor Discovery protocol (SEND). The protocol solves the problem of interaction between all nodes connected on the same link and can resist some potential IPv6 attack techniques.

In addition, what are some other ways to resist DDoS attacks under the IPv6 protocol?

  • Refactoring the operating system to support IPv6: This is one of the best ways to defend yourself. Develop a system that protects against inbound and outbound network attacks and that supports both IPv6 networking and IPv6 network security protection.
  • Traffic monitoring and early warning system: IPv4 and IPv6 currently coexist. The traffic monitoring and early warning system needs to support both IPv4 and IPv6, inspect dual-stack traffic at the same time, and sense abnormal traffic in advance so that it can raise an early warning.
  • Stronger traffic scrubbing system: Since IPv6 has 2^96 times as many IP addresses as IPv4, the system needs to support dual stack and be able to determine the IP type automatically. More powerful processing performance is therefore needed to support security defense and scrubbing across a massive number of IP addresses.
  • Preparing for new challenges: Traditional DDoS defense algorithms and patterns should be ready to be upgraded to accommodate the new features and challenges of IPv6.
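
One way a dual-stack monitor can determine the IP type automatically and still see random-source floods from inside one subnet, shown as an added example rather than code from the article: it counts requests per source prefix instead of per address. The /64 and /32 aggregation widths, the 10-second window, the threshold and the sample events are all assumptions.

```python
import ipaddress
from collections import Counter

V4_WIDTH, V6_WIDTH = 32, 64  # assumed aggregation widths; tune per deployment


def source_bucket(addr: str) -> str:
    """Map a source address of either family to the prefix it is counted under."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %eth0
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack socket
    width = V4_WIDTH if ip.version == 4 else V6_WIDTH
    return str(ipaddress.ip_network(f"{ip}/{width}", strict=False))


def alerts(events, window=10, limit=100):
    """events: (unix_seconds, source) pairs. Returns sorted (window_start, prefix, count)."""
    counts = Counter()
    for ts, src in events:
        try:
            bucket = source_bucket(src)
        except ValueError:
            continue  # unparseable source field: skip the record
        counts[(int(ts) // window * window, bucket)] += 1
    return sorted((w, b, n) for (w, b), n in counts.items() if n > limit)


def constructed_events():
    """Constructed sample: one /64 rotating through 200 interface IDs, plus normal clients."""
    rotating = [(1000 + i % 10, f"2001:db8:aa:1::{i + 1:x}") for i in range(200)]
    normal = [(1001, "198.51.100.7"), (1002, "::ffff:198.51.100.7"),
              (1003, "2001:db8:bb::5"), (1004, "not-an-address")]
    return rotating + normal


if __name__ == "__main__":
    events = constructed_events()
    busiest = Counter(src for _, src in events).most_common(1)[0][1]
    print("busiest single address:", busiest)    # per-address counting sees nothing
    print("per-prefix alerts:", alerts(events))  # per-prefix counting sees the /64
```

In the constructed sample no single address sends more than one request, so a per-address limit never fires, while the per-prefix count attributes all 200 requests to one /64.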

IPv6 adoption is accelerating and will reach a tipping point in the near future. Now is the time to prepare network defenses against IPv6 DDoS attacks. Act quickly!
