IPv6 Protocol Implementation is Not a Security Panacea

Wednesday, February 22, 2012



The advent of the IPv6 protocol had produced some enthusiastic hopes for bolstering internet security over the past few years, and while it does offer a significant improvement in many respects over the languishing IPv4 protocol, many of the current problems will likely persist.

"One of the frequent rallying points for IPv6 was that it was more secure than IPv4. One network security group within a large US government organization went so far as to declare that since IPv6 is more secure, that the group decided to disband because they alleged that the next generation Internet protocol’s inherent security capabilities would address their security concerns," writes Arbor Networks' Bill Cerveny.

That may have been too optimistic of an assessment.

A report issued by researchers at Arbor Networks has revealed the first documented cases of distributed denial of service (DDoS) attacks, a favorite among hacktivist groups where a large amount of information is sent to a web server at such high frequency that it overwhelms the processing capacity or causes the system to shut down.

"For the first time, respondents to Arbor Networks 7th annual Worldwide Infrastructure Security Report indicated they had observed IPv6 DDoS attacks on their networks. This marks a significant milestone in the arms race between attackers and defenders," said Cerveny.

Another aspect of DDoS vulnerabilities where IPv6 is concerned is the vastly increased number of IP addresses attackers will have at their disposal for conducting the disruptive operations, making it more difficult for mitigation by means of blocking the offending sources.

The full implementation of IPv6 will undoubtedly be accompanied by an increased level of attacks, which should not be surprising to most given the innovative nature of assailants.

"The same thing that has made the IPv6-enabled Internet 'valuable' has also made it an increasingly valuable venue for attacks. While the frequency of attacks is relatively modest on IPv6 today, we expect that accelerated adoption will be followed in-kind by an accelerated pace of attacks," Cerveny said.

Other researchers have similarly been finding vulnerabilities in IPv6. Last year a group produced a proof of concept that demonstrated how new features in the Microsoft Windows operating system which enable IPv6 network access could potentially be exploited by a man-in-the-middle (MITM) attack.

The researchers found that default settings in the OS protocol would allow attackers to redirect information in an exploit utilizing the Stateless Address Auto Configuration (SLAAC) standard to reroute data through networks controlled by the attackers, exposing potentially sensitive data.

The one saving grace was that in order to carry out the exploit attackers would need to successfully install some hardware into the target network, making the possibility of such an event is highly improbable, yet nonetheless possible.

While IPv6 will not be the all-encompassing remedy to many security problems as some had hoped early on, it will for the most part represent an improvement over its predecessor.

“Much of the early thinking around IPv6 security being better than IPv4 security was based on the RFC requirement that IPv6 stacks include IPsec support, but that is clearly too simplistic a view (and that strict requirement has been removed in recently-released RFC 6434) . Even though IPv6 shares many security vulnerabilities with IPv4, and has some unique vulnerabilities unique to IPv6, secure network-centric service provisioning is about much more than protection for data in-flight. As always, employing a team of trained security specialists, knowledgeable about IPv6, applying proven best-practices and working methodically to counter evolving threats, is the key to protecting service availability and integrity," said John Spence of Nephos6.

Source:  http://ddos.arbornetworks.com/2012/02/a-milestone-in-ipv6-deployment/

Possibly Related Articles:
Denial of Service MITM Research internet Attacks DDoS Headlines Security IPv6 IPv4 IPSec Arbor Networks protocol
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.