Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/2/2015
10:30 AM
Rene Paap
Rene Paap
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

IPv6 And The Growing DDoS Danger

IPv6 and the Internet of Things have arrived -- and with them an enormous potential expansion for distributed denial-of-service (DDoS) attacks.

The number of connected devices is growing exponentially, with one billion new IoT devices expected to ship this year alone. As such, IPv4 addresses have been exhausted, but IPv6 is on deck to address this concern. The new system allows for 2^128 IP addresses (in comparison, IPv4 only carried 2^32 possible IP addresses). So everything is fine, right?

Sadly, no.

While IPv6 will certainly aid in accommodating the growth of new connected phenomena, such as the Internet of Things (IoT), adoption at the moment is slow. And because IPv6 occupies such a relatively small space, Internet security implementations that take it into full consideration are also lagging. This leaves a lot of networks vulnerable to distributed denial of service (DDoS) attacks.

DDoS attacks occur when Internet hackers use infected hosts to control connected devices remotely and make unwilling devices (bots) send malicious traffic to their target of choice. The target organizations are flooded with traffic, thus restricting or disabling service for legitimate traffic, or crashing the victim network. The most recent Verizon Data Breach Investigations Report noted:

“Distributed denial-of-service attacks got worse again this year with our reporting partners logging double the number of incidents from last year…We saw a significant jump in…attacks [that] rely on improperly secured services, such as Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which make it possible for attackers to spoof source IP addresses, send out a bazillion tiny request packets, and have the services inundate an unwitting target with the equivalent number of much larger payload replies.”

While most DDoS attacks do not, at present, involve IPv6, both the number and size of these attacks are rising, and IPv6 brings with it particular vulnerabilities. According to a recent CNET article: “First, with the relatively immature network infrastructure, many network operators don't have the ability to scrutinize network traffic well enough to distinguish DDoS attacks from benign traffic. Second, gateways that link IPv4 and IPv6 must store lots of ‘state’ information about the network traffic they handle, and that essentially makes them more brittle.”

The Internet of Things is also adding to the threat, according to an InfoSec Institute report “Internet of Things: How Much are We Exposed to Cyber Threats? The report, published earlier this year, cited the possibility of cyber criminals stealing sensitive information by hacking or compromising IoT devices to run cyberattacks against third-party entities using routers, SOHO devices or SmartTVs. “IoT devices manage a huge quantity of information, they are capillary distributed in every industry,” the report noted, “and, unfortunately, their current level of security is still low.”

And therein lies the nightmare scenario. We now have IPv6, accompanied by immature visibility tools; gateways between IPv4 and IPv6 that are brittle and precarious; and the unprecedented proliferation of relatively unsecure IoT devices, replete with those brand-spanking-new IPv6 vulnerabilities, all creating ubiquitous potential fuel for botnets. The reality is precisely as desperate as it sounds.

The best course of action to prepare for an onslaught of DDoS attacks exploiting IoT and IPv6 adoption is to ensure that your enterprise network security system can support the many connections from so many more connected devices. Also ensure the IPv6 support is on par with the IPv4-based feature set. Most attacks are carried out over IPv4, and by shifting over to IPv6, the attacker could bypass the defenses that only inspect IPv4 traffic. Meanwhile, IPv6-specific attack vectors have been reported

IPv6 and the IoT have arrived, and with them comes an enormous expansion in DDoS attack potential. 

 

Rene Paap is a networking professional with over 15 years of experience. Through previous roles as a technical marketing engineer, he developed a thorough understanding of networking technologies. Rene's specialties include product assessment, position analysis, Ethernet, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tirou
50%
50%
Tirou,
User Rank: Apprentice
12/13/2015 | 4:43:44 PM
More information on this topic?
Does anyone have some more info about dangerous influence of IPv6 in connection of DDoS attacks?
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...