posted by Fnord666 on Sunday March 04 2018, @06:39PM   Printer-friendly
from the knock-knock dept.

Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar's SiteProtect DDoS protection service when he realized there were "packets coming from IPv6 addresses to an IPv6 host."

The attack wasn't huge – unlike this week's record-breaking 1.35Tbps attack on GitHub – and it wasn't using a method that is exclusive to IPv6, but it was sufficiently unusual and worrying to flag to the rest of his team.

Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.

"The risk is that if you don't have IPv6 as part of your threat model, you could get blindsided," Neustar's head of research and development Barrett Lyon told us.

[...] Adding to the list of potential IPv6 security issues are: the fact that some mitigation tools only work with IPv4 (often thanks to hard-coded addresses written into their code) – or are put into IPv4 and only later ported across to IPv6; that a lot of IPv6 networking is being done in software (rather than hardware) opening up many more potential security holes; and that the expansion of packet headers in the IPv6 protocols creates potential new attack vectors.

[...] George hypothesized that one big future problem could be if a network is hit with a combination of IPv4 and IPv6 attack traffic – as happened in this case. A sysadmin could pull out all the normal mitigation tools but only kill off the IPv4 traffic, leaving the network under attack and the person in charge unable to figure out why.
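The scenario George describes, worked through as an added example that is not part of the article or of Neustar's tooling: a short shell/awk script that takes a DNS query log containing both IPv4 and IPv6 sources, reports how much of the load each address family carries, and ranks the sources two ways. The log format ("source-ip qname qtype", one line per query), the documentation-range addresses and the function names are assumptions made here; the sample log is constructed, not captured traffic. The second ranking aggregates IPv6 sources by /64 rather than by address, because a single host normally controls an entire /64 and can spread its queries across it, so a per-address top-talker list written with IPv4 in mind shows nothing unusual while the IPv6 half of the attack continues.

```shell
#!/bin/sh
# Added example: dual-stack triage of a DNS query log (not from the article or
# from Neustar). Assumes a constructed log format "<src-ip> <qname> <qtype>",
# one query per line. Addresses are documentation ranges, not captured traffic.

# Constructed sample: half the queries come from IPv4, half from IPv6, and the
# IPv6 sources are spread across one /64 so that no single v6 address looks busy.
SAMPLE_LOG=$(cat <<'EOF'
# src-ip qname qtype
198.51.100.9 example.com ANY
198.51.100.9 example.com ANY
198.51.100.9 example.com ANY
198.51.100.9 example.com ANY
198.51.100.9 example.com ANY
198.51.100.9 example.com ANY
203.0.113.7 example.com ANY
203.0.113.7 example.com ANY
203.0.113.7 example.com ANY
2001:db8:1:2::1 example.com ANY
2001:db8:1:2::1 example.com ANY
2001:db8:1:2::2 example.com ANY
2001:db8:1:2::2 example.com ANY
2001:db8:1:2:0:0:0:3 example.com ANY
2001:db8:1:2:0:0:0:3 example.com ANY
2001:db8:1:2::4 example.com ANY
2001:db8:1:2::4 example.com ANY
2001:db8:ffff::1 example.com ANY
EOF
)

# count_queries LOG MODE
#   MODE "address":  count per exact source address (the usual v4-style list).
#   MODE "prefix64": IPv4 per address, IPv6 per /64, because one host can use
#                    any address in its /64 and walk around per-address limits.
# Prints "key count" lines, busiest first.
count_queries() {
    printf '%s\n' "$1" | awk -v mode="$2" '
    # Expand the first four hextets of an IPv6 address (resolving "::") and
    # return its /64, e.g. 2001:db8::1 -> 2001:0db8:0000:0000::/64
    function prefix64(addr,   f, n, k, i, j, m, h, out, seen) {
        n = split(tolower(addr), f, ":")
        k = 0
        for (i = 1; i <= n; i++) if (f[i] != "") k++   # hextets written out
        m = 0; out = ""; seen = 0
        for (i = 1; i <= n && m < 4; i++) {
            if (f[i] == "") {
                if (!seen) {            # the "::" gap stands for 8-k zero hextets
                    seen = 1
                    for (j = 0; j < 8 - k && m < 4; j++) { out = out "0000:"; m++ }
                }
                continue
            }
            h = f[i]
            while (length(h) < 4) h = "0" h
            out = out h ":"; m++
        }
        return out ":/64"
    }
    NF >= 1 && $1 !~ /^#/ {
        key = $1
        if (mode == "prefix64" && index(key, ":") > 0) key = prefix64(key)
        count[key]++
    }
    END { for (key in count) print key, count[key] }' | sort -k2,2nr -k1,1
}

# v6_prefix64 ADDR: the /64 an IPv6 address belongs to (wrapper around the awk above).
v6_prefix64() { count_queries "$1 - -" prefix64 | awk '{ print $1 }'; }

# family_totals LOG: share of the load per address family, as "v4=N v6=M".
# A non-zero v6 share keeps hitting the server after an IPv4-only mitigation.
family_totals() {
    printf '%s\n' "$1" | awk '
    NF >= 1 && $1 !~ /^#/ { if (index($1, ":") > 0) v6++; else v4++ }
    END { printf "v4=%d v6=%d\n", v4, v6 }'
}

# Stand-alone run: the three views side by side.
echo "== per address family";            family_totals "$SAMPLE_LOG"
echo "== per address (v6 attacker hidden)"; count_queries "$SAMPLE_LOG" address
echo "== v4 per address, v6 per /64";    count_queries "$SAMPLE_LOG" prefix64
```

On the sample, the per-address view puts an IPv4 address at the top with six queries and shows the IPv6 sources at two queries each; the per-/64 view puts 2001:0db8:0001:0002::/64 at the top with eight. Rate limits and blocks for IPv6 belong on the /64 (or on the prefix the provider actually delegates, often /56 or /48), not on the /128, or they are trivially evaded.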

Thanks to the dual-stack system most people are using to rollout IPv6 alongside their existing systems, Lyon also worries that an IPv6 attack could compromise the routers and switches used to run the networks side-by-side and so attack IPv4 networks through the backdoor.

This week's attack is "only the tip of the iceberg", Lyon said. His hope is that it serves as a wake-up call for sysadmins to apply best practices to IPv6 networks, and he argues that "anything you do in the IPv4 world, you should be doing in the IPv6 world."

It's fair to say he is not confident that people will learn the lesson ahead of time though. "People don't tend to think of security as a priority for later," said Lyon. "It doesn't come until there's a crisis."


  • (Score: 5, Informative) by NotSanguine on Sunday March 04 2018, @11:08PM (5 children)

    I think that just because NAT eases address strain on the IPv4 pool doesn't mean that it doesn't do other things. On my office network, everything's behind NAT, and sure, I only have a single IPv4 address per net connection, but the NAT gives me other benefits as well.

    Do any of the anti-NAT folks care to refute this, that my knowledge may be increased? Or is this general common sense that all but a few understand?

    NAT is good for what it is. NAT, RFC 1918 [ietf.org] addressing and CIDR [wikipedia.org] have extended the life and usability of IPv4 significantly. So hooray for NAT!

    I'm all for it. However, NAT is not and never was considered a permanent solution. Rather it was designed to maximize the utility of the IPv4 32-bit address space until IPv6 achieved broad adoption.

    Once you move to IPv6, NAT becomes unnecessary. The address space is big enough for everyone to use globally routable addresses. If you're using NAT now, you have some kind of gateway/firewall device(s) which can block the traffic without NAT anyway.

    That's the idea, at least. If, however, you need to communicate with IPv4 devices (you know, like most of the Internet at this point), you'll need to connect to endpoints that are IPv4.

    In such circumstances, you have several options, not all of which require NAT as implemented in IPv4.

    You could run a dual-stack [techopedia.com] environment, where NAT would still be required for IPv4-to-IPv4 host traffic.

    You could also use translation mechanisms [ietf.org] (while this is not NAT, you'll likely still need globally routable IPv4 address(es)), or you can use something like NAT64 [wikipedia.org].

    Once IPv6 has broad enough implementation however, dual stack NAT/NAT64/other translation is neither necessary nor desirable.

    NAT has significant operational, security and resource utilization issues and should only be used where (sadly, this is in a lot of places) necessary.

    You can also use 6to4 relays [wikipedia.org] and web gateways like SixXS [sixxs.net], although those are pretty kludgy IMHO.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 2) by requerdanos on Sunday March 04 2018, @11:27PM


    This is a terrific "why not NAT" answer, and I appreciate your taking the time to explain it. Thanks.

  • (Score: 2) by Azuma Hazuki on Monday March 05 2018, @07:43PM (3 children)


    Question: why the haemorrhaging fuck would i want all my devices to have globally routable addresses? NAT is, if nothing else security-wise, good for making sure some wiseass can't directly poke anything behind the gateway/router. I see no reason to give up that little bit of usefulness, mainly because setting it up requires virtually no effort.

    --
    I am "that girl" your mother warned you about...
    • (Score: 2) by NotSanguine on Monday March 05 2018, @09:28PM (2 children)

      Question: why the haemorrhaging fuck would i want all my devices to have globally routable addresses? NAT is, if nothing else security-wise, good for making sure some wiseass can't directly poke anything behind the gateway/router. I see no reason to give up that little bit of usefulness, mainly because setting it up requires virtually no effort.

      Answer: Because NAT is not a firewall. It was designed to slow the depletion of IPv4 addresses. Full stop.

      NAT, despite what many think, doesn't provide *any* security features. If you're using NAT and not using a firewall to manage ingress/egress on your network, you're just asking to be pwned. NAT doesn't provide the features of a firewall, and you're still vulnerable to attack unless you secure your network with appropriate firewall rules.

      NAT also has significant operational (it breaks a variety of applications), security (it provides a false sense that you're "protected" although NAT doesn't provide any such protections -- firewall features do) and resource utilization (managing NAT translation tables and rewriting packets can slow network performance considerably, and if your gateway is underpowered, cause CPU bottlenecks) issues.

      As such, not using NAT (but using firewall features like packet inspection, address/port blocking/redirection, application proxies, etc.) is far superior to using NAT (because you need those firewall features when using NAT too!), especially with IPv6, as the address space is vastly larger (128-bit vs. 32-bit) and applications (SIP and others) that won't function properly with NAT will. What's more, there's no effort to *not* set up NAT.

      At the same time, if you *really* want to use NAT with IPv6, you can do so. You can even use the IPv6 equivalent of private addresses (ULAs [wikipedia.org]). It's wasteful of resources and completely unnecessary, except to access IPv4 network resources from your IPv6 hosts. Even then, NAT is not the preferred mechanism [ietf.org] for that scenario either.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2) by Azuma Hazuki on Monday March 05 2018, @09:58PM (1 child)


        Oh, don't misunderstand, of *course* I use a proper firewall. I know NAT's purpose isn't to be a firewall. It's just a nifty side effect of NAT that nothing on the LAN side is directly reachable from the WAN side, that's all.

        --
        I am "that girl" your mother warned you about...
        • (Score: 2) by NotSanguine on Monday March 05 2018, @10:53PM

          Oh, don't misunderstand, of *course* I use a proper firewall. I know NAT's purpose isn't to be a firewall. It's just a nifty side effect of NAT that nothing on the LAN side is directly reachable from the WAN side, that's all.

          That's not really true. As I mentioned in another comment [soylentnews.org]:

          Actually, that's a feature of RFC1918 IP addressing, not NAT. Since the IP networks defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are defined as "private," no ISP router will forward packets with addresses within those ranges. *That's* why, in the absence of appropriate firewalls/firewall rules, those systems aren't reachable from the outside. NAT has nothing to do with it.

          When you use NAT, it *allows* access to/from those internal hosts.

          So, more correctly, you should say "Therefore the RFC1918-style addressing has a side effect of acting as a (very primitive) firewall."

          What's more, any "perceived" security benefit (primarily "security through obscurity," which isn't really security at all) of NAT is easily implemented via ingress filtering on your firewall. In a nutshell, NAT does not provide any security.

          But please don't change on my account. That said, I'd strongly recommend that you *not* use a consumer router/firewall as your firewall.

          Rather, use a minimal install of BSD (pfSense [pfsense.org]) or Linux (xbps-install iptables, examples [archlinux.org]) on a multi-homed system [protectli.com] (not recommending the linked device, it's just an example) as your firewall. The feature sets are significantly richer and the implementations are demonstrably more secure.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
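The point made across the NAT exchange above (NAT is not a firewall; ingress filtering gives you everything NAT was thought to give, for globally routed IPv6 hosts as well as RFC 1918 ones), rendered as an added example that is not part of any comment and not from pfSense or any other project: a shell script that writes an nftables ruleset in the inet family, so one set of rules covers IPv4 and IPv6, and syntax-checks it with nft when that is installed. It assumes a Linux router with nftables; the interface names wan0 and lan0, the SSH-from-LAN rule and the internal host 2001:db8:1:2::443 are hypothetical placeholders. The rules also carry the caveat that trips up people who port IPv4 filters one-to-one: ICMPv6 is not optional on IPv6, since Neighbor Discovery, Router Advertisements and Path MTU Discovery all ride on it.

```shell
#!/bin/sh
# Added example, not from the discussion above or any project: stateful ingress
# filtering for a dual-stack router without NAT. Assumes Linux with nftables.
# wan0, lan0 and 2001:db8:1:2::443 are hypothetical placeholders.
WAN=${WAN:-wan0}
LAN=${LAN:-lan0}

# write_ruleset FILE: render the ruleset to FILE (interface names substituted).
write_ruleset() {
    cat >"$1" <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 cannot work without these: ND, RAs and PMTU discovery are ICMPv6.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept
        # The IPv4 equivalents, for the same reasons (PMTU, diagnostics).
        icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 replies to the router itself arrive from link-local, not via a NAT pinhole.
        iifname "$WAN" ip6 saddr fe80::/10 udp dport 546 accept

        # Management from the LAN side only (placeholder policy).
        iifname "$LAN" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internal hosts may initiate; nothing from the WAN may, whether the
        # internal addresses are RFC 1918, ULA or global unicast.
        iifname "$LAN" oifname "$WAN" accept

        # Forward the ICMPv6 errors hosts need, or PMTU breaks across the router.
        iifname "$WAN" oifname "$LAN" icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem
        } accept

        # Explicit pinholes replace "port forwards": the only way in from the WAN.
        iifname "$WAN" oifname "$LAN" ip6 daddr 2001:db8:1:2::443 tcp dport 443 accept
    }
}
EOF
}

# check_ruleset FILE: parse-only validation with nft -c, skipped when nft is absent.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1" && echo "ruleset parses" || echo "ruleset rejected by nft (see above)" >&2
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Stand-alone run: render and check, but do not apply (that is a deliberate step).
RULESET=$(mktemp)
write_ruleset "$RULESET"
check_ruleset "$RULESET"
echo "ruleset written to $RULESET; apply with: nft -f $RULESET"
```

Note what is absent: there is no nat table, no masquerade and no NAT66. The property "nothing on the LAN side is reachable from the WAN side unless the LAN side started the conversation" comes entirely from `policy drop` plus `ct state established,related accept` in the forward chain, which is exactly the ingress filtering the comment describes, and it holds the same way for a host at 2001:db8:1:2::443 as for one at 192.168.1.10.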