posted by Fnord666 on Sunday March 04 2018, @06:39PM   Printer-friendly
from the knock-knock dept.

Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar's SiteProtect DDoS protection service when he realized there were "packets coming from IPv6 addresses to an IPv6 host."

The attack wasn't huge – unlike this week's record-breaking 1.35Tbps attack on GitHub – and it wasn't using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.

Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.

"The risk is that if you don't have IPv6 as part of your threat model, you could get blindsided," Neustar's head of research and development Barrett Lyon told us.

[...] Adding to the list of potential IPv6 security issues are: the fact that some mitigation tools only work with IPv4 (often thanks to hard-coded addresses written into their code) – or are put into IPv4 and only later ported across to IPv6; that a lot of IPv6 networking is being done in software (rather than hardware) opening up many more potential security holes; and that the expansion of packet headers in the IPv6 protocols creates potential new attack vectors.

[...] George hypothesized that one big future problem could be if a network is hit with a combination of IPv4 and IPv6 attack traffic – as happened in this case. A sysadmin could pull out all the normal mitigation tools but only kill off the IPv4 traffic, leaving the network under attack and the person in charge unable to figure out why.

Thanks to the dual-stack system most people are using to roll out IPv6 alongside their existing systems, Lyon also worries that an IPv6 attack could compromise the routers and switches used to run the networks side-by-side and so attack IPv4 networks through the backdoor.

This week's attack is "only the tip of the iceberg", Lyon said. His hope is that it serves as a wake-up call for sysadmins to apply best practices to IPv6 networks, and argues that "anything you do in the IPv4 world, you should be doing in the IPv6 world."

It's fair to say he is not confident that people will learn the lesson ahead of time though. "People don't tend to think of security as a priority for later," said Lyon. "It doesn't come until there's a crisis."
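The failure mode the article describes (mitigation tooling that only understands IPv4, so an operator "kills off the IPv4 traffic" and the flood continues over IPv6) is easy to reproduce in a detector. The following is an added example, not code from the article, Neustar, or the submitter: a small per-source query-rate check over a constructed DNS query log whose format (`<unix-ts> <client> <qname> <qtype>`) is assumed for this example and whose addresses are documentation ranges (RFC 5737 and RFC 3849), not real hosts. It runs the same counting logic three ways: an IPv4-only parser that silently drops anything that isn't a dotted quad, a family-agnostic parser, and a variant that aggregates IPv6 sources per /64 so a flood spread across one prefix is still counted as one source.

```python
"""Per-source DNS query-rate detection over a constructed log.

Added example (not from the article or Neustar). Shows why an IPv4-only
detector reports a clean network during an IPv6 flood, and the
family-agnostic version that catches both halves of a mixed attack.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines, format assumed for this example:
# "<unix-ts> <client> <qname> <qtype>". Documentation addresses only.
SAMPLE_LOG = """\
1520190000 198.51.100.7 victim.example A
1520190000 198.51.100.7 victim.example A
1520190001 198.51.100.7 victim.example A
1520190001 198.51.100.7 victim.example A
1520190000 203.0.113.9 victim.example A
1520190001 203.0.113.9 victim.example A
1520190001 203.0.113.9 victim.example A
1520190002 203.0.113.9 victim.example A
1520190000 2001:db8:1:2::10 victim.example AAAA
1520190000 2001:db8:1:2::11 victim.example AAAA
1520190001 2001:db8:1:2::12 victim.example AAAA
1520190001 2001:db8:1:2::13 victim.example AAAA
1520190002 2001:db8:1:2::14 victim.example AAAA
1520190000 2001:db8:ffff::5 victim.example AAAA
1520190000 2001:db8:ffff::5 victim.example AAAA
1520190001 2001:db8:ffff::5 victim.example AAAA
1520190002 2001:db8:ffff::5 victim.example AAAA
1520190003 192.0.2.44 www.example NS
1520190040 2001:db8:77::1 www.example MX
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_ipv4_only(log_text):
    """The brittle version: assumes every client is a dotted quad.

    Lines whose client field is not IPv4 are silently dropped, which is
    exactly how an IPv4-only tool 'sees' a quiet network during an IPv6 flood.
    """
    records = []
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        if IPV4_RE.match(client):
            records.append((int(ts), ipaddress.ip_address(client), qname, qtype))
    return records


def parse_any_family(log_text):
    """Family-agnostic parser: ipaddress.ip_address() accepts v4 and v6."""
    records = []
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        records.append((int(ts), ipaddress.ip_address(client), qname, qtype))
    return records


def per_address(addr):
    """Aggregation key: one counter per source address."""
    return str(addr)


def per_prefix(addr):
    """Aggregation key: IPv6 counted per /64 (a single host or LAN commonly
    holds a whole /64, so per-address counting undercounts), IPv4 per address."""
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


def flag_sources(records, key_fn, window_start, window_len, max_queries):
    """Return the sorted keys that sent more than max_queries in the window."""
    counts = Counter()
    for ts, addr, _qname, _qtype in records:
        if window_start <= ts < window_start + window_len:
            counts[key_fn(addr)] += 1
    return sorted(key for key, n in counts.items() if n > max_queries)


def detect(log_text, ipv4_only=False, aggregate_v6_prefix=False,
           window_start=1520190000, window_len=10, max_queries=3):
    """Run the rate check with the chosen parser and aggregation key."""
    parser = parse_ipv4_only if ipv4_only else parse_any_family
    key_fn = per_prefix if aggregate_v6_prefix else per_address
    return flag_sources(parser(log_text), key_fn, window_start, window_len, max_queries)


if __name__ == "__main__":
    print("IPv4-only tool flags:     ", detect(SAMPLE_LOG, ipv4_only=True))
    print("Dual-family per address:  ", detect(SAMPLE_LOG))
    print("Dual-family per v6 /64:   ", detect(SAMPLE_LOG, aggregate_v6_prefix=True))
```

On the constructed log the IPv4-only run flags only the two IPv4 sources and reports nothing about the IPv6 flood, the family-agnostic run additionally catches `2001:db8:ffff::5`, and the per-/64 run also catches `2001:db8:1:2::/64`, whose five individual addresses each stay under the per-address threshold. The same argument applies to any rule that keys on a dotted-quad regex or a 32-bit address field: whatever the tool does for IPv4 it has to do for IPv6 as well.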


  • (Score: 0) by Anonymous Coward on Sunday March 04 2018, @11:02PM (3 children)

    by Anonymous Coward on Sunday March 04 2018, @11:02PM (#647760)

    But there's hardly anyone using IPv6.

  • (Score: 0) by Anonymous Coward on Monday March 05 2018, @02:37AM (1 child)

    by Anonymous Coward on Monday March 05 2018, @02:37AM (#647824)

    https://www.google.com/intl/en/ipv6/statistics.html [google.com]

    It is about 1 in 4.

    Most of that adoption is due to people using old routers. Or companies with outdated policies. Just upgraded my father's router. +1 IPV6 user. Pretty much all of the major ISPs are IPV6 ready.

    • (Score: 2) by NotSanguine on Monday March 05 2018, @04:41AM

      It is about 1 in 4.

      Most of that adoption is due to people using old routers. Or companies with outdated policies. Just upgraded my father's router. +1 IPV6 user. Pretty much all of the major ISPs are IPV6 ready.

      And does your father's router get assigned an IPv6 address by his ISP? I would hope so. Most major ISPs in the US [wikipedia.org] (with the exception of Comcast) offer IPv6 to their customers. It's unclear (to me at least) whether or not that's implemented by default, or if customers must request it. ISP deployments have been uneven around the world.

      Just about every major OS has (since 2011 or so) IPv6 enabled by default [wisc.edu]. Most routers/gateways/firewalls (including commercial/enterprise/carrier-grade systems) have IPv6 available and ready to use as well.

      The vast majority of TLDs and major DNS providers support IPv6, but few DNS zones or BGP routing tables include IPv6 addresses/networks [wikipedia.org]:

      In November 2016, 1491 (98.2%) of the 1519 top-level domains (TLDs) in the Internet supported IPv6 to access their domain name servers, and 1485 (97.8%) zones contained IPv6 glue records, and approximately 9.0 million domains (4.6%) had IPv6 address records in their zones. Of all networks in the global BGP routing table, 29.2% had IPv6 protocol support.[3] [4]

      So, the infrastructure is in place, and carriers (backbone, transit and ISPs) have support for IPv6, but until a large fraction of the tens of millions (or more) of various entities that have DNS zones and broadcast BGP routes include IPv6 addressing, actual usage will continue to lag.

      More's the pity.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 3, Interesting) by TheRaven on Monday March 05 2018, @09:43AM

    by TheRaven (270) on Monday March 05 2018, @09:43AM (#647917) Journal

    My ISP is BT (in the UK) and all of their lines now support IPv6. When I do a DNS lookup of soylentnews.org, if I don't explicitly specify a protocol (i.e. I use getaddrinfo, as most vaguely modern programs do), I get back 2600:3c00::f03c:91ff:fe98:b8fe. That is the address that my web browser uses, so I'm connecting via IPv6 here.

    My hosting provider charges for IPv4 addresses, but gives out IPv6 addresses (well, /64 prefixes) for free, so if I could guarantee everywhere that I want to access my email from supported v6 then I'd save a bit of money each month.

    --
    sudo mod me up