Slideshow: Q1 2015 Security Implications for IPv6, from stateoftheinternet.com


[Q1 2015]

akamai.com


= IPv4 exhaustion and IPv6 adoption

• Available address space in Internet Protocol version 4 (IPv4) continues to shrink, and will eventually be depleted
• The creation of IPv6 provides a massive number of potential new IP addresses, as well as security, routing and networking benefits
• At the same time, the expanded number of addresses in IPv6 creates new challenges for DDoS attackers and defenders:
  – Attackers may find it difficult to identify hosts
  – Defenders may find it difficult to track the large number of unique addresses that can be generated in an attack
• Transitional technologies used to bridge the operation of IPv4 and IPv6 are also vulnerable to abuse by malicious actors

2 / [The State of the Internet] / Security (Q1 2015)


= Elements driving IPv6 attack vectors

• Abuse of transitional technologies to bypass security controls
• Use of IPv6 protocol against applications and services that are IPv6 enabled, bypassing IPv4 security controls
• Modification of IPv6 protocol structure, aiming to bypass IPv6 IPS, IDS and firewall technologies
• Adaptation of application layer attacks to work over IPv6
• Adaptation of exploitation frameworks to work with the IPv6 protocol
• Purpose-built denial of service tools and techniques based solely on the IPv6 protocol architecture



= Transition vulnerabilities

The transition from IPv4 to IPv6 creates multiple vulnerabilities:

• IPv6 networking that is enabled by default and overlooked by administrators
• Tunneling protocols such as Teredo that may allow IPv6 traffic to bypass security filtering
• Filtering programs that require special configuration to work with IPv6



= Reflection attacks over IPv6

• PLXsert researchers created a laboratory environment to test IPv6 vulnerability
• In most cases, abuse of IPv4-protected services and systems was possible using the IPv6 stack
• Standard UDP reflection techniques were successful against both CHARGEN and NTP services over IPv6, due to lack of IPv6 support in the filtering layer

Figure 1: NTP reflection successfully targeted an IPv6 machine in our lab behind a shared router
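
One way to check for the gap this slide and the transition-vulnerabilities slide describe (a filtering layer configured for IPv4 only), as an added example that is not from the report: it compares rule sets in iptables-save and ip6tables-save format and lists ports filtered over IPv4 but not over IPv6. The rule sets are constructed, the function names are hypothetical, and the audit assumes simple INPUT rules with a single `--dport`.

```python
import re

# Constructed samples in iptables-save / ip6tables-save format (not from the report).
IPV4_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 19 -j DROP
-A INPUT -p udp -m udp --dport 123 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
COMMIT
"""
IPV6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
"""

# Assumption: default policy is ACCEPT, so only explicit DROP/REJECT rules filter traffic.
RULE = re.compile(r"^-A INPUT\b.*?-p (\w+)\b.*?--dport (\d+)\b.*?-j (DROP|REJECT)\b")

def blocked_ports(ruleset):
    """Return the set of (protocol, port) pairs the INPUT chain drops or rejects."""
    blocked = set()
    for line in ruleset.splitlines():
        match = RULE.match(line.strip())
        if match:
            blocked.add((match.group(1), int(match.group(2))))
    return blocked

def parity_gaps(v4_rules, v6_rules):
    """Ports filtered over IPv4 but still reachable over IPv6, sorted."""
    return sorted(blocked_ports(v4_rules) - blocked_ports(v6_rules))

if __name__ == "__main__":
    for proto, port in parity_gaps(IPV4_RULES, IPV6_RULES):
        print(f"{proto}/{port} is filtered for IPv4 but not for IPv6")
```

With the constructed rule sets, the gaps are UDP 19 (CHARGEN) and UDP 123 (NTP), the two services named on the slide.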



= Spoofing and hijacking

• The expansion in IPv6 allows for a substantial spoofable/hijackable address space to be leveraged by attackers
• A single end-user IP range will typically be a /64, allowing roughly 18 quintillion spoofable/hijackable addresses
• Even a single machine could easily send traffic that appears to be from millions of legitimate-looking hosts

Figure 2: Spoofed traffic was successfully routed to an IPv6 host via an ISP
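
An added example (not from the report) of the defender's side of this slide: counting traffic per /64 rather than per address, so that one end-user range cycling through interface identifiers collapses into a single counter. The function names, the threshold and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

ADDRESSES_PER_64 = 2 ** 64   # 18,446,744,073,709,551,616: the "18 quintillion" on the slide

def rate_limit_key(addr):
    """Map a source address to the network a defender should count against."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped              # ::ffff:a.b.c.d is really an IPv4 client
    prefix = 64 if ip.version == 6 else 32
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def top_sources(addresses, threshold):
    """Return {network: hits} for every network at or above the threshold."""
    counts = Counter(rate_limit_key(a) for a in addresses)
    return {str(net): n for net, n in counts.items() if n >= threshold}

def constructed_flood(n):
    """Constructed sample: n distinct source addresses inside 2001:db8:1:2::/64."""
    base = int(ipaddress.ip_address("2001:db8:1:2::"))
    # Multiplying by an odd constant modulo 2**64 gives distinct interface IDs.
    return [str(ipaddress.ip_address(base + (i * 0x9E3779B97F4A7C15) % 2 ** 64))
            for i in range(1, n + 1)]

if __name__ == "__main__":
    sample = constructed_flood(1000) + ["2001:db8:ffff::1", "::ffff:192.0.2.7", "192.0.2.7"]
    print(len(set(sample)), "unique addresses seen")
    print(top_sources(sample, threshold=2))
```

A per-address counter never sees the same key twice in this sample, while the per-/64 counter attributes all 1000 packets to one network.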


= Local-link attacks

PLXsert performed several tests on popular cloud-provider networks. For a provider that did not have Rogue Router Advertisement (RRA) protection, researchers simulated an effective DDoS attack:

– Crafted RRA packets flooded testing machines with malformed routing information
– Requests directed the targeted machine to use the attacking server as its first hop in the default route
– The targeted machine was forced to stop communicating over its global link interface, effectively DoSing end users

This technique was effective in networks where local-link addresses are shared with neighbors and protections against RRA are not in place
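
A detection-side sketch for the missing RRA protection described above, as an added example that is not from the report: it checks observed Router Advertisements against an allowlist of the segment's routers and against the RFC 4861 validity rules (link-local source, hop limit 255). The allowlist, the observation tuples and the function names are constructed assumptions.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Assumption: this segment's legitimate routers, as (source MAC, link-local address).
AUTHORIZED = {("00:00:5e:00:53:01", "fe80::1")}

# Constructed sample of Router Advertisements seen on the segment:
# (source MAC, source address, hop limit, router lifetime in seconds)
OBSERVED = [
    ("00:00:5e:00:53:01", "fe80::1", 255, 1800),          # the real router
    ("00:00:5e:00:53:aa", "fe80::dead:beef", 255, 9000),  # unknown host claiming default route
    ("00:00:5e:00:53:aa", "fe80::dead:beef", 255, 9000),
    ("00:00:5e:00:53:bb", "2001:db8::66", 255, 1800),     # source is not link-local
    ("00:00:5e:00:53:cc", "fe80::2", 64, 1800),           # hop limit shows it was forwarded
]

def classify_ra(mac, src, hop_limit, lifetime):
    """Return the reasons a Router Advertisement deserves an alert (empty if none)."""
    reasons = []
    if ipaddress.ip_address(src) not in LINK_LOCAL:
        reasons.append("source-not-link-local")   # RFC 4861 requires a link-local source
    if hop_limit != 255:
        reasons.append("hop-limit-not-255")       # RFC 4861: hop limit must still be 255
    if (mac.lower(), src.lower()) not in AUTHORIZED:
        # A non-zero router lifetime asks hosts to install the sender as default router.
        reasons.append("unauthorized-default-router" if lifetime > 0
                       else "unauthorized-sender")
    return reasons

def audit(observed):
    """Group alerts by sender: {(mac, src): {"count": n, "reasons": [...]}}."""
    alerts = {}
    for mac, src, hop_limit, lifetime in observed:
        reasons = classify_ra(mac, src, hop_limit, lifetime)
        if reasons:
            entry = alerts.setdefault((mac, src), {"count": 0, "reasons": reasons})
            entry["count"] += 1
    return alerts

if __name__ == "__main__":
    for sender, info in audit(OBSERVED).items():
        print(sender, info)
```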



= Security community considerations

• Many of the security implications of IPv6 adoption are undiscovered or unreported
• End users and corporations are at risk when deploying IPv6 technology without proper training or awareness
• Security community research has seen indications that malicious actors are already testing and researching IPv6 attack methods
• IPv6 will eventually be the principal addressing protocol on the Internet, and the web security community must be ready



= Q1 2015 State of the Internet – Security Report

Download the Q1 2015 State of the Internet Security Report

• The Q1 2015 report covers:
  – Analysis of DDoS web application attack trends
  – Bandwidth (Gbps) and volume (Mpps) statistics
  – Year-over-year and quarter-by-quarter analysis
  – Attack frequency, size, types and sources
  – Security implications of the transition to IPv6
  – Mitigating the risk of website defacement and domain hijacking
  – DDoS techniques that maximize bandwidth, including booter/stresser sites
  – Analysis of SQL injection attacks as a persistent and emerging threat



= about stateoftheinternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.


