DDoS by the (version) numbers

IPv6.  We’ve heard it’s been coming for years but no, it’s not here yet.  However, it’s “here” enough to be a security threat to every organization that has started its migration to IPv6.  With IPv6 adoption comes new security challenges.  Although only 25% of websites completely support IPv6 today, many more are supporting v6 in parts of their network, whether their operators know it or not.

IPv6 introduces not just another attack vector but an attack volume – one that encompasses a parallel universe of all DDoS attacks known today.  All attack vectors that originate in IPv4, be they volumetric or application attacks, can also occur in IPv6.

For the most part, an IPv6 network is no more or less vulnerable to DDoS attacks than its IPv4 counterpart, but the fact that any vulnerability in v4 can be exploited in v6 is frightening because of the sheer number of vectors and because most security professionals don’t know everything running IPv6 in their network today.

IPv6-based DDoS attacks today are neither as prevalent nor as big as those happening over IPv4, but they are occurring with increasing frequency and sophistication.  As IPv6 comes to represent a bigger part of your network each year, so too will your exposure to IPv6-based attacks grow.

Volumetric

Volumetric attacks are perpetrated by leagues of zombie computing devices collectively known as a botnet.  The power of DDoS volumetric attacks is proportional to the number of connected devices in the botnet.  More zombies equal more firepower to send out malicious DNS, NTP and CHARGEN messages.

Although only 6% of your visitors use IPv6 today, that doesn’t mean only that percentage will be affected.  Since it’s best practice for both protocols to share the same interface, i.e. to be dual-stacked, flooding the IPv6 interface indiscriminately takes down all users, independent of the Internet Protocol they’re on.

As the number of connected devices grows, so too will IPv6.  By 2020 it is estimated that there will be 34 billion connected devices on the Internet.  Is your network ready for botnets version six?

To mitigate the parallel volume of v6 DDoS attacks, ensure your DDoS mitigation solution has the same functionality in IPv6 as in IPv4 and uses the same hardware for acceleration.

Application Layer

Attack vectors at layer 7 use specialized traffic designed to consume enough computational resources to overwhelm a system.  These attacks are far fewer but more deadly.  As in the lower layers, all vulnerabilities at the application layer over v4 are also exploitable over v6.  Different protocol, same result.

Keeping Up

Most IPv6 attacks go unnoticed by the untrained eye.  Mitigation of DDoS attacks over the next generation protocol starts with training.  Security specialists need to know IPv6 well enough to recognize attacks and then mitigate them with the tools at hand.  And these tools must have feature and hardware parity in IPv4 and IPv6.  To mitigate the parallel volume of v6 DDoS attacks, go through your DDoS solution, line by line, feature by feature, to make sure it protects your network as well over IPv6.
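One way to start that line-by-line check on a dual-stacked Linux host, as an added example that is not part of the original article or any vendor tooling: compare the host's IPv4 and IPv6 packet-filter rule sets and list protections that exist only on the v4 side. It assumes the filtering is done with iptables/ip6tables; the two dumps are constructed sample data, and `parse` and `parity_gaps` are hypothetical helper names.

```python
# Constructed iptables-save / ip6tables-save dumps (sample data, not from the page).
V4 = """*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 53 -m hashlimit --hashlimit-above 50/sec --hashlimit-mode srcip --hashlimit-name dns -j DROP
-A INPUT -p udp -m udp --dport 123 -m limit --limit 20/sec -j ACCEPT
-A INPUT -p udp -m udp --dport 19 -j DROP
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 100 -j DROP
COMMIT
"""
V6 = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -m hashlimit --hashlimit-above 50/sec --hashlimit-mode srcip --hashlimit-name dns6 -j DROP
-A INPUT -s 2001:db8::/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return (chain policies, rules keyed by (chain, proto, dport))."""
    policies, rules = {}, {}
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith(":"):                     # e.g. ":INPUT DROP [0:0]"
            policies[tok[0][1:]] = tok[1]
        elif line.startswith("-A"):
            pairs = list(zip(tok, tok[1:]))          # (flag, value) candidates
            get = lambda flag: next((v for f, v in pairs if f == flag), None)
            # Match modules other than the protocol's own (limit, hashlimit, connlimit, ...).
            mods = frozenset(v for f, v in pairs if f == "-m") - {"tcp", "udp"}
            key = (get("-A"), get("-p"), get("--dport"))
            rules.setdefault(key, set()).add((mods, get("-j")))
    return policies, rules

def parity_gaps(v4_dump, v6_dump):
    """List protections present in the IPv4 rule set that IPv6 lacks or weakens."""
    (p4, r4), (p6, r6) = parse(v4_dump), parse(v6_dump)
    gaps = [f"policy {c}: v4={p} v6={p6.get(c)}"
            for c, p in sorted(p4.items()) if p6.get(c) != p]
    for key in sorted(r4, key=str):
        label = "{} {}/{}".format(*key)
        if key not in r6:
            gaps.append(f"missing in v6: {label}")
        elif r4[key] != r6[key]:                     # same port, different modules or target
            gaps.append(f"differs in v6: {label}")
    return gaps

if __name__ == "__main__":
    print("\n".join(parity_gaps(V4, V6)))
```

The comparison deliberately ignores source-address matches, which cannot be equal across address families, and compares match-module names rather than their parameters, so a rule reported as equal still deserves a look at its rate values.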

“Whack a mole” is a never-ending game in network security, but in the case of next generation DDoS mitigation, being properly trained and ensuring you have a fully IPv6-capable solution like A10’s Thunder TPS are the prerequisites to play.
