It’s a given that Internet Protocol version 6 (IPv6) is a basic requirement as the number of endpoints increases at the staggering rate of the past few years – and accelerates even more as the Internet of Things (IoT) moves from being the next big thing to the current big thing.
This may be causing security experts some sleepless nights. Rene Paap, writing at Dark Reading, outlines why the change from IPv4 to IPv6 will create significant distributed denial of service (DDoS) attack opportunities for crackers.
Paap writes that IPv6 security is immature; IPv6/IPv4 gateways are vulnerable because of the amount of data they hold; and the IoT will introduce legions of cheap, hackable devices into the landscape. All in all, it’s a reason to worry:
And therein lies the nightmare scenario. We now have IPv6, accompanied by immature visibility tools; gateways between IPv4 and IPv6 that are brittle and precarious; and the unprecedented proliferation of relatively unsecure IoT devices, replete with those brand-spanking-new IPv6 vulnerabilities, all creating ubiquitous potential fuel for botnets. The reality is precisely as desperate as it sounds.
Akamai Technologies, in its Internet security report for the first quarter of 2015, found that DDoS attacks in general were up. Indeed, dramatically up: The firm found that attacks more than doubled compared to the year-ago quarter and rose 35 percent compared to the previous quarter.
IPv6 DDoS attacks weren’t yet much of a factor. That’s good news. The bad silver lining, however, is that it is only a matter of time before they are. The going will be rough at that point: The IPv6-specific attacks will be piled atop already accelerating DDoS numbers, according to FirstPost:
IPv6 DDoS is not yet a common occurrence, but there are indications that malicious actors have started testing and researching IPv6 DDoS attack methods. A new set of risks and challenges associated with the transition to IPv6 are already affecting cloud providers as well as home and corporate network owners. Many IPv4 DDoS attacks can be replicated using IPv6 protocols, while some new attack vectors are directly related to the IPv6 architecture. Many of the features of IPv6 could enable attackers to bypass IPv4-based protections, creating a larger and possibly more effective DDoS attack surface.
The good news is that vendors appear to be paying attention to the problem. Arbor Networks, for instance, claims that its Threat Management System (TMS) safeguards both IPv4 and IPv6 networks. According to the company, it “surgically removes up to 8 Tbps of DDS attack traffic while enabling the flow of legitimate traffic,” while safeguarding both address universes from DDoS attacks.
Network administrators and security personnel have a tremendous amount to worry about. It seems that DDoS attacks on IPv6, which seem very possible and could have horrendous ramifications, should be shuffled to near the top of that list.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via twitter at @DailyMusicBrk.