A year ago the world celebrated World IPv6 Launch Day, which was supposed to be the day IPv6 was activated by major Web operators and service providers.
At the time of the launch, there were concerns about whether or not IPv6 was a security risk. As it turns out, at least one high-profile network has been attacked over IPv6 in the past year.
Matthew Prince, co-founder and CEO of CloudFlare, told eSecurity Planet that while there had been a bit of noise around IPv6-based attacks over the years, about two months ago the noise started to get real.
"In the last two months we've seen a number of attacks that have been IPv6 only," Prince said. "The techniques behind those attacks tend to be similar to what we see in the IPv6 world with denial of service and large SYN floods, as well as application layer attacks."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
While Prince isn't certain why IPv6 attacks are growing, his theory involves the fact that a lot of traditional Web security solutions rely on IP address blacklisting. IPv4 is a 32-bit address space, while IPv6 provides a much larger 128-bit address space. IP address blacklisting is not practical with IPv6, given the large address space.
Attackers are now beginning to experiment with these native IPv6 attacks. The largest such publicly reported attack to date was against Cloudflare.com itself. CloudFlare is no stranger to attackers and recently helped repel the largest known DDoS in history, which hit as much as 300 Gbps of traffic.
"We were hit with an IPv6 attack that got to about 3 Gbps," Prince said.
New IPv6 Security Approaches
Prince noted that it's important for companies of all sizes to start to take IPv6 security into account, as it is likely to emerge as a new attack vector. As such, it's important to make sure security solutions have capabilities in place to handle IPv6 attacks.
Instead of relying on blacklisting IP addresses, CloudFlare has built its own software stack that looks at more than just the addresses.
"We're trying to build a reputation engine about everything we know about a particular user, and that includes an IP address as well as the subnet, the origination and the target destination," Prince said. "All of that provides us with a score that helps us to access what the risk is from a particular visitor."
The idea being that by having more intelligence on a given connection, an appropriate decision on routing can be made. If the reputation of a given connection is considered to be a risk, Prince said CloudFlare will increase the friction against the connection before it can connect to a site on the CloudFlare platform.
Prince also noted that in one respect, IPv6 will make it easier for companies to determine reputation.
"While IPv6 blacklists are more difficult to administer than IPv4 blacklists, IPv6 provides a routable address all the way to the end device," Prince said. "As such IPv6 whitelists are very powerful and usable in contrast with IPv4 whitelists where addresses can move around."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.