Security and Threats in an IPv6 World

IPv6 introduces new ways to do old things. These new ways take us from 4,294,967,296 possible bad guys to 340,282,366,920,938,000,000,000,000,000,000,000,000 bad guys. How can we secure against these threats and protect these networks? To start, the earliest attacks on IPv6 will be just like the old attacks, only coming from more locations.

In fact, spammers, just like many other organizations, have already started migrating operations to IPv6. A recent eWeek article by Fahmida Rashid highlighted some interesting statistics coming out of RIPE Labs, the security arm of Europe’s RIR. According to Fahmida’s article, “a weeklong study last March conducted by RIPE Labs found that 3.5 percent of total e-mail received over IPv6 networks was spam. It’s a trifling amount compared to the 31 percent received during the same period over IPv4, but it indicates the spammers have already started the transition.

The amount of spam on IPv6 remains minuscule in terms of total volume, at 1.89 percent. However, the RIPE study didn’t include all the spam that never made it on to the network because the firewall blocked it based on blacklisted DNS hosts and greylist settings.” In addition to the problems listed above, we should also expect to see more botnets, which makes whitelisting and blacklisting difficult. In the past, it was easy for ISPs and network admins to block APNIC (Asia-Pacific Network Information Centre) ranges if there was no need for those networks to have access to their resources. This also made it easier to block botnets, spam, and other malicious traffic originating from those regions. With the volume of addresses and potential targets increasing, blocking whole regions may not reduce unwanted traffic much.

We may find ourselves finally moving away from layer 3 blocking altogether and using more application-layer firewalls. These changes also mean that negative reputation systems may become obsolete. In the past, spam services, IDS/IPS, and even some content filtering systems could remember that an attack came from 3-4 addresses and treat any further traffic from those addresses accordingly. With the sheer volume of assignable addresses, such a system is fraught with problems. More focus will have to be placed on the type of messages and payloads, including a greater focus on delivery systems (perhaps even cloud-based ones) where reputation is based on trust rather than on a record of previous abuse. The biggest hole in IPv6 is actually IPv4. As long as we are standing with one leg in and one leg out, we have to protect against attacks on both sides of the bridge. This means securing both the IPv4 and IPv6 stacks on all systems.
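As an added illustration that is not part of the original article, the following Python shows why per-address reputation breaks down when a sender can rotate through addresses at will, and goes one step beyond the text by aggregating IPv6 offenders by their /64 prefix (the unit a host is usually handed), which is one common mitigation. The events, threshold and addresses are constructed from documentation ranges, not real senders.

```python
"""Per-address vs. per-prefix reputation scoring on constructed events."""
import ipaddress
from collections import Counter

# Constructed sample: one IPv6 sender rotating interface IDs inside a single /64,
# one IPv4 repeat offender, and one innocent IPv6 host (documentation prefixes).
EVENTS = [
    "2001:db8:1:2::a1", "2001:db8:1:2::b2", "2001:db8:1:2::c3",
    "2001:db8:1:2::d4", "2001:db8:1:2::e5",
    "192.0.2.10", "192.0.2.10", "192.0.2.10",
    "2001:db8:9:9::1",
]
THRESHOLD = 3  # offences before an entity is treated as bad (assumed value)


def aggregation_key(addr_str, v6_prefix=64, v4_prefix=32):
    """Map an address to the unit reputation is tracked on.

    IPv4 keeps per-host granularity; IPv6 collapses to the containing /64,
    so a sender rotating interface IDs still accumulates a single score.
    """
    ip = ipaddress.ip_address(addr_str)
    plen = v6_prefix if ip.version == 6 else v4_prefix
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def blocked_entities(events, key_func):
    """Return the set of keys that reached THRESHOLD offences."""
    counts = Counter(key_func(e) for e in events)
    return {key for key, n in counts.items() if n >= THRESHOLD}


def per_address(events):
    """Classic reputation: every distinct address is its own record."""
    return blocked_entities(events, lambda a: str(ipaddress.ip_address(a)))


def per_prefix(events):
    """Prefix-aware reputation: IPv6 addresses share the score of their /64."""
    return blocked_entities(events, aggregation_key)


if __name__ == "__main__":
    # The rotating IPv6 sender never trips the per-address list, but the
    # per-prefix list catches its /64 while leaving the innocent host alone.
    print("per-address:", sorted(per_address(EVENTS)))
    print("per-prefix: ", sorted(per_prefix(EVENTS)))
```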

This also means keeping an eye on hybrid attacks that carry a payload aimed at IPv4 devices across IPv6 networks, where your dual-stack router ends up delivering the final payload. Security admins will need to inspect traffic at multiple layers: we continue to rely on our network-based technologies, but we also make sure we are still looking at the endpoints. Until we fully cut the cord and run a fully native IPv6 environment, we will have to carry the knowledge we’ve learned about IPv4 threats alongside the knowledge we’re gaining about IPv6 threats, and be prepared for both.