Slideshow: Q1 2015 security implications for IPv6, from State of the Internet
akamai.com
[Q1 2015]
= IPv4 exhaustion and IPv6 adoption
2 / [The State of the Internet] / Security (Q1 2015)
• Available address space in Internet Protocol version 4 (IPv4) continues to shrink, and will eventually be depleted
• The creation of IPv6 provides a massive number of potential new IP addresses, as well as security, routing and networking benefits
• At the same time, the expanded number of addresses in IPv6 creates new challenges for DDoS attackers and defenders:
⁄ Attackers may find it difficult to identify hosts
⁄ Defenders may find it difficult to track the large number of unique addresses that can be generated in an attack
• Transitional technologies used to bridge the operation of IPv4 and IPv6 are also vulnerable to abuse by malicious actors
= elements driving IPv6 attack vectors
• Abuse of transitional technologies to bypass security controls
• Use of the IPv6 protocol against applications and services that are IPv6 enabled, bypassing IPv4 security controls
• Modification of the IPv6 protocol structure, aiming to bypass IPv6 IPS, IDS and firewall technologies
• Adaptation of application layer attacks to work over IPv6
• Adaptation of exploitation frameworks to work with the IPv6 protocol
• Purpose-built denial of service tools and techniques based solely on the IPv6 protocol architecture
= transition vulnerabilities
The transition from IPv4 to IPv6 creates multiple vulnerabilities:
• IPv6 networking that is enabled by default and overlooked by administrators
• Tunneling protocols such as Teredo that may allow IPv6 traffic to bypass security filtering
• Filtering programs that require special configuration to work with IPv6
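An added example, not part of the Akamai report: a defender-side audit that flags transition-mechanism traffic in flow records so it can be checked against filtering policy. It goes beyond Teredo to 6to4, ISATAP and NAT64, whose address formats are taken from their RFCs; the flow tuple layout and the sample records are constructed for illustration.

```python
import ipaddress

NAT64 = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052 well-known prefix

def classify_transition(addr: str):
    """Return (mechanism, embedded IPv4 info); (None, {}) means native IPv6."""
    ip = ipaddress.IPv6Address(addr)
    raw = int(ip)
    if ip.teredo:  # 2001::/32 (RFC 4380): server IPv4, inverted port and client
        server, client = ip.teredo
        port = ~(raw >> 32) & 0xFFFF
        return "teredo", {"server": str(server), "client": f"{client}:{port}"}
    if ip.sixtofour:  # 2002::/16 (RFC 3056)
        return "6to4", {"ipv4": str(ip.sixtofour)}
    if ip in NAT64:
        return "nat64", {"ipv4": str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))}
    if (raw >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):  # ISATAP (RFC 5214)
        return "isatap", {"ipv4": str(ipaddress.IPv4Address(raw & 0xFFFFFFFF))}
    return None, {}

# Constructed sample flow records: (source, destination, IP protocol, dest port)
FLOWS = [
    ("198.51.100.7", "203.0.113.9", 17, 3544),  # IPv4 UDP to the Teredo port
    ("198.51.100.8", "203.0.113.9", 41, 0),     # IPv6 encapsulated in IPv4
    ("198.51.100.9", "203.0.113.9", 6, 443),
    ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::10", 6, 443),
    ("2002:c000:204::1", "2001:db8::10", 6, 22),
    ("2001:db8:1::5", "2001:db8::10", 6, 443),
]

def audit_flows(flows):
    """List (source, reason) for flows that use an IPv4/IPv6 transition path."""
    findings = []
    for src, _dst, proto, dport in flows:
        if ipaddress.ip_address(src).version == 4:
            if proto == 41:
                findings.append((src, "ipv6-in-ipv4 (protocol 41)"))
            elif proto == 17 and dport == 3544:
                findings.append((src, "teredo (udp/3544)"))
        else:
            mechanism, _info = classify_transition(src)
            if mechanism:
                findings.append((src, mechanism))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
```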
= reflection attacks over IPv6
• PLXsert researchers created a laboratory environment to test IPv6 vulnerability
• In most cases, abuse of IPv4-protected services and systems was possible using the IPv6 stack
• Standard UDP reflection techniques were successful against both CHARGEN and NTP services over IPv6, due to lack of IPv6 support in the filtering layer
Figure 1: NTP reflection successfully targeted an IPv6 machine in our lab behind a shared router
= spoofing and hijacking
• The expansion in IPv6 allows for a substantial spoofable/hijackable address space to be leveraged by attackers
• A single end-user IP range will typically be a /64, allowing roughly 18 quintillion spoofable/hijackable addresses
• Even a single machine could easily send traffic that appears to be from millions of legitimate-looking hosts
Figure 2: Spoofed traffic was successfully routed to an IPv6 host via an ISP
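An added example, not part of the Akamai report: counting sources by /64 prefix instead of by individual address, so that one end-user range rotating through its address space still collapses into a single tracked key. The function names, the limit of 100 and the sample traffic are constructed for illustration; the prefix length is a parameter because some sites are delegated more than a /64.

```python
import ipaddress
from collections import Counter

def source_key(addr: str, v6_prefix: int = 64) -> str:
    """Map a source address to the key used for counting and rate limiting."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    if ip.ipv4_mapped:  # ::ffff:a.b.c.d is really an IPv4 client
        return str(ip.ipv4_mapped)
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))

def over_limit(sources, limit: int, v6_prefix: int = 64) -> dict:
    """Return {key: packet_count} for every key seen more than `limit` times."""
    counts = Counter(source_key(s, v6_prefix) for s in sources)
    return {key: n for key, n in counts.items() if n > limit}

def constructed_traffic():
    """Constructed sample: 5000 packets, each from a different address in one
    /64, mixed with a few repeat packets from two ordinary clients."""
    base = int(ipaddress.IPv6Address("2001:db8:bad:1::"))
    # Multiplying by an odd constant modulo 2**64 yields 5000 distinct
    # interface identifiers, all inside the same /64.
    rotating = [
        str(ipaddress.IPv6Address(base + (i * 0x9E3779B97F4A7C15) % 2**64))
        for i in range(5000)
    ]
    return rotating + ["2001:db8:a::1"] * 3 + ["192.0.2.10"] * 2

if __name__ == "__main__":
    traffic = constructed_traffic()
    # Per-address tracking sees 5000 sources with one packet each: nothing trips.
    print("per-address view:", over_limit(traffic, 100, v6_prefix=128))
    # Per-/64 tracking sees one source with 5000 packets.
    print("per-/64 view:    ", over_limit(traffic, 100))
```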
= local-link attacks
PLXsert performed several tests on popular cloud-provider networks. For a provider that did not have Rogue Router Advertisement (RRA) protection, researchers simulated an effective DDoS attack:
• Crafted RRA packets flooded testing machines with malformed routing information
• Requests directed the targeted machine to use the attacking server as its first hop in the default route
• The targeted machine was forced to stop communicating over its global link interface, effectively DoSing end users
This technique was effective in networks where local-link addresses are shared with neighbors and protections against RRA are not in place.
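An added example, not part of the Akamai report: a monitoring check in the spirit of RA-Guard (RFC 6105) that parses a Router Advertisement and reports why it should not be trusted. The validity rules come from RFC 4861; the approved-router and approved-prefix sets, the function names and the sample messages are constructed for illustration.

```python
import ipaddress

# Constructed samples: ICMPv6 Router Advertisement bodies (RFC 4861, type 134),
# each carrying a single Prefix Information option.
RA_HEAD = "8600000040000708" + "00" * 8
PIO = "030440c0" + "00278d00" + "00093a80" + "00000000"
KNOWN_RA = bytes.fromhex(RA_HEAD + PIO + "20010db8000000010000000000000000")
ODD_RA = bytes.fromhex(RA_HEAD + PIO + "20010db8deadbeef0000000000000000")

def parse_ra(icmp6: bytes) -> dict:
    """Extract the router lifetime and advertised prefixes from an RA body."""
    if len(icmp6) < 16 or icmp6[0] != 134 or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    lifetime = int.from_bytes(icmp6[6:8], "big")
    prefixes, off = [], 16
    while off < len(icmp6):
        # Option length is counted in units of 8 bytes and may not be zero.
        opt_len = icmp6[off + 1] * 8 if off + 2 <= len(icmp6) else 0
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if icmp6[off] == 3 and opt_len == 32:  # Prefix Information option
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            prefixes.append(f"{prefix}/{icmp6[off + 2]}")
        off += opt_len
    return {"router_lifetime": lifetime, "prefixes": prefixes}

def check_ra(src, hop_limit, icmp6, routers, prefixes):
    """Return the reasons an observed RA is suspect; an empty list means OK."""
    reasons = []
    source = ipaddress.IPv6Address(src)
    if hop_limit != 255:  # an RA that crossed a router is never valid
        reasons.append(f"hop limit {hop_limit}, expected 255")
    if not source.is_link_local:
        reasons.append("source is not link-local")
    try:
        ra = parse_ra(icmp6)
    except ValueError as exc:
        return reasons + [str(exc)]
    if str(source) not in routers:
        reasons.append("source is not an approved router")
    for prefix in ra["prefixes"]:
        if prefix not in prefixes:
            reasons.append(f"unexpected prefix {prefix}")
    return reasons

if __name__ == "__main__":
    print(check_ra("fe80::bad:1", 255, ODD_RA, {"fe80::1"}, {"2001:db8:0:1::/64"}))
```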
= security community considerations
• Many of the security implications of IPv6 adoption are undiscovered or unreported
• End users and corporations are at risk when deploying IPv6 technology without proper training or awareness
• Security community research has seen indications that malicious actors are already testing and researching IPv6 attack methods
• IPv6 will eventually be the principal addressing protocol on the Internet, and the web security community must be ready
= Q1 2015 State of the Internet – Security Report
Download the Q1 2015 State of the Internet Security Report
• The Q1 2015 report covers:
⁄ Analysis of DDoS web application attack trends
⁄ Bandwidth (Gbps) and volume (Mpps) statistics
⁄ Year-over-year and quarter-by-quarter analysis
⁄ Attack frequency, size, types and sources
⁄ Security implications of the transition to IPv6
⁄ Mitigating the risk of website defacement and domain hijacking
⁄ DDoS techniques that maximize bandwidth, including booter/stresser sites
⁄ Analysis of SQL injection attacks as a persistent and emerging threat
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.