back to article It's begun: 'First' IPv6 denial-of-service attack puts IT bods on notice

What's claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption. Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in …

  1. Tom Samplonius

    "With a few notable exceptions – like Facebook and LinkedIn – most companies that have started introducing IPv6 networks do so by running IPv4 and IPv6 in parallel, often with two different teams."

    What is this supposed to even mean? There are only two types of IPv6 deployments that I've seen, dual-stack IPv4+IPv6 and IPv6 only (usually because of the lack of IPv4 addresses). Most of the top 100 sites are dual stack. What does "in parallel" mean?

    Different teams? I've setup IPv4 and IPv6 peering with a number of different networks, and I've never encountered IPv6 run by a different team than IPv4. Do you have even a single example of an organization using different teams for IPv4 and IPv6?

    1. Anonymous Coward
      Anonymous Coward

      I don't have any practical evidence but I could easily imagine a scenario where an IPv6 project team is brought in or created specifically to do an IPv6 project while the core IT team still deal with the everyday IPv4 system. Therefore the normal network team are still managing the IPv4 DHCP and setting up devices on using IPv4 while the project to look at implementing IPv6 takes place in a test environment and gradually into a live environment.

      1. diodesign (Written by Reg staff) Silver badge

        "an IPv6 project team is brought in or created specifically to do an IPv6 project"

        Yup. IPv6 is hacked on as an afterthought. Not at all orgs, but quite a few, it seems.

        C.

    2. Len Silver badge

      I think it refers to the practice that companies like Facebook are using of not running IPv4 at all. All their systems are IPv6-only with the exception of their edge servers. They simply removed IPv4 networking from all their internal servers, desktops, engineers dev stations etc. That way developers and architects don't have to worry at IPv4, test everything twice, worry about attack vectors using the other protocol etc. They just have to make it work on IPv6 and let the webservers translate it to IPv4 for those users who still have IPv4-only connections.

      1. boltar

        "translate it to IPv4 for those users who still have IPv4-only connections"

        "Those users" being the vast majority of people online at the moment.

      2. Anonymous Coward
        Anonymous Coward

        @Len - That's pretty easy

        when you don't have three or four decades old critical mission 24/7 systems crucial for your business.

        1. Anonymous Coward
          Anonymous Coward

          Re: @Len - That's pretty easy

          That's pretty easy....when you don't have three or four decades old critical mission 24/7 systems crucial for your business.

          True. But since the IPv6 draft standard was published in 1998, after almost two decades of work, anybody claiming legacy business critical systems as an excuse should be tied to a gate and have their arse kicked for a week.

          The IT world have been on notice over IPv6 for two whole decades, and arguably a few years more going back to 1994 and the IETF's IPng. If a quarter of a century isn't long enough, how long would the recidivists have needed?

          1. boltar

            Re: @Len - That's pretty easy

            "The IT world have been on notice over IPv6 for two whole decades, and arguably a few years more going back to 1994 and the IETF's IPng. If a quarter of a century isn't long enough, how long would the recidivists have needed?"

            The fact that its been around for that long yet there's still resistance to using it should perhaps be a teensy clue to its designers that it brings little to the table over IP4 other than extra network addresses (which NAT mainly solves since most firms don't want all their machines with a publicly accessable address anyway) and is more complex to set up and manage. I'm wondering just how many more decades it'll take for it to sink in that IP6 is an overcomplex dog.

            1. Anonymous Coward
              Anonymous Coward

              Re: @Len - That's pretty easy

              The fact that its been around for that long yet there's still resistance to using it should perhaps be a teensy clue to its designers that it brings little to the table over IP4 other than extra network addresses

              Most address systems get used far beyond their designer's original intentions (eg UK postcodes), so the shortcomings of IPv4 were inevitable. The single most important thing about IPv6 was making available extra network addresses, and if that meant a certain amount of difficulty, so be it. If the Post Office mess about with the postcode format you'd see a similar difficulty, with everybody whining that geographic coordinates were user unfriendly, too long, too complex etc.

              Even with corporate solutions to avoid IPv6, that only defers the problem because consumers have growing numbers of internet connected devices (I've got no IoT devices, there's still 14 devices in this household with IP addresses). IPv6 may be complicated, but it is the only address system designed for the volume of addresses that will be needed.

              1. boltar

                Re: @Len - That's pretty easy

                "Pv6 may be complicated, but it is the only address system designed for the volume of addresses that will be needed."

                Bollocks. 128 bits was way overkill. 2^64 is twice as many grains of sand as there are on earth so 64 bits would have been more than enough even divided into subnets with the resultant network addresses being far more manageable and the address itself being able to fit into a 64 bit integer with the resultant faster processing in the CPU and NIC.

            2. Mage Silver badge

              Re: @Len - That's pretty easy

              Also security was an add-on fudge. The original idea of direct use of MAC address to automagically create an IP6 was a total privacy fail. At least they fixed that.

              Setting up a firewall so none of your LAN resources or addresses are exposed seems complicated. Maybe it isn't, but the goal of EVERYTHING having a public IP address, just because you can was plain wrong. A dream for big exploitive companies, governments and criminals.

          2. Hans 1 Silver badge

            Re: @Len - That's pretty easy

            @Ledswinger

            True. But since the IPv6 draft standard was published in 1998, after almost two decades of work, anybody claiming legacy business critical systems as an excuse should be tied to a gate and have their arse kicked for a week.

            So spot on!

            I am sure people will call "Ahhh, easy, hindsight et al" to which I have the right answer ... NO, it is called foresight which is hard to come by these days ... I regularly get downvoted because I push for TLS 1.3 adoption by all and sundry asap, with preparations starting everywhere NOW ... and that is not even foresight, it should be common sense!

            Don't come with corporate ^dwpolicy fallacy, enterprise IT, mission critical flying pink unicorns, or other lame excuses, if you don't seriously take care of security, insecurity will seriously take care of you.

      3. Mage Silver badge

        Facebook not running IPv4 at all?

        Nonsense. They have to run it somewhere or most of the victims wouldn't be able to connect!

        How many phones & tablets actually connect via IP6?

        How many broadband ISPs fully support IP6?

        ping www.facebook.com

        PING star-mini.c10r.facebook.com (31.13.73.35) 56(84) bytes of data.

        64 bytes from edge-star-mini-shv-01-dub4.facebook.com (31.13.73.35): icmp_seq=1 ttl=55 time=11.6 ms

        1. dkerago
          FAIL

          Re: Facebook not running IPv4 at all?

          "All their systems are IPv6-only with the exception of their edge servers."

        2. Nanashi

          Re: Facebook not running IPv4 at all?

          Their edge servers have v6 too, it's just that those are the only machines with v4 that Facebook run (with the exception of some HVAC control units in some of their datacenters). Some versions of ping are v4-only so I'm not sure that's the best tool to demonstrate anything with.

          I have no idea where people get the idea that v6 is complex. It's no harder to use than v4, and in fact it's easier than v4 in practice because NAT is de-facto required on v4 but can be avoided on v6.

          (I guess multicast NDP is a bit more complicated than broadcast ARP, but how many people reading this are writing NDP implementations? At a user level, with v4's NAT involved, v6 is less complicated than v4.)

          1. Degenerate Scumbag

            Re: Facebook not running IPv4 at all?

            V6 is so complicated that my entire home network automatically configured when they activated it on my connection. It was so seamless it took me a while to notice.

            The extra address space may be the driving force behind deployment, but it's not the only advantage. Built in multicast has the potential to reduce streaming bandwidth considerably. Imagine being able to stream video directly to a million people from a home internet connection. With ipv6 this is possible.

            1. boltar

              Re: Facebook not running IPv4 at all?

              "V6 is so complicated that my entire home network automatically configured when they activated it on my connection. It was so seamless it took me a while to notice."

              Well thats ok then, so long as your mickey mouse home network can auto configure it must mean IP6 is a cinch for all the corporate and ISP admins out there too.

              "Imagine being able to stream video directly to a million people from a home internet connection."

              What could possibly go wrong with a global IP broadcast system.

              1. Degenerate Scumbag

                Re: Facebook not running IPv4 at all?

                It is indeed a cinch for those worth their salt. It does tend to rile up the low-iq dead wood who have trouble picking up new skills.

                For example, the types of people that don't understand the difference between the concepts of network broadcast (a scatter-gun that sometimes goes wrong) and multicast (peers subscribe, routers relay packets only to subscribed peers, perfect bandwidth efficiency and no potential to cause a storm).

                1. boltar

                  Re: Facebook not running IPv4 at all?

                  "perfect bandwidth efficiency and no potential to cause a storm"

                  Ah bless, so naive, so naive :)

          2. tip pc Bronze badge
            Facepalm

            Re: Facebook not running IPv4 at all?

            @Nanshi

            I have no idea where people get the idea that v6 is complex. It's no harder to use than v4, and in fact it's easier than v4 in practice because NAT is de-facto required on v4 but can be avoided on v6.

            When people write nonsense like ^^ you know they have no clue what they are talking about.

            because NAT is de-facto required on v4 but can be avoided on v6.

            you do realise that NAT can easily be avoided on IPv4. Do you even know what NAT is?

            1. Charles 9 Silver badge

              Re: Facebook not running IPv4 at all?

              Yes, it's that thing that seems to be required in Asia to get everyone connected, given there are more users than IPv4 addresses there. Which raises a problem of unassisted peer-to-peer connections when BOTH ends are behind a NAT or two.

        3. Yes Me Silver badge

          Re: Facebook not running IPv4 at all?

          > 64 bytes from edge-star-mini-shv-01-dub4.facebook.com

          See that? "edge-star..." Yes, their CDN offers IPv4. You have no idea from that what they operate internally.

    3. Jason Bloomberg Silver badge

      What does "in parallel" mean?

      I assumed it meant side-by-side; one stack for handling IPv4 and another for IPv6, incoming packets handed off to the appropriate stack as they arrive. Dealt with by one team proficient in IPv4 another trying to be in IPv6.

      1. Tom 7 Silver badge

        RE What does "in parallel" mean?

        That may explain the lags I'm seeing .I'm sure a router of some form would be quicker than a team.

      2. Yes Me Silver badge

        side by side, not

        "one stack for handling IPv4 and another for IPv6"

        That's an abstraction; in real life the stacks are well integrated with common code and a largely common configuration interface.

        "Dealt with by one team proficient in IPv4 another trying to be in IPv6."

        That would be really short-sighted. Yes, your lead engineers might be the first to get IPv6 expertise, but the goal is to have your whole ops team just as familiar with v6 as v4. Apart from being the cheapest solution, it also prevents you ending up in a few years having to fire a whole team of legacy staff who are incompetent in IPv6.

        1. Degenerate Scumbag

          Re: side by side, not

          Indeed. If a company has an "ipv6 team", then it's function should only be ensuring the regular network team are fully up to speed and assisting them with deploying the upgrade. Any model of seperate teams is pure idiocy.

    4. Mage Silver badge

      IP6 & IP4 in "Parallel"

      It would be pointless to have a Website be IP6 only, since the vast majority of potential visitors only have IP4.

      So anyone deploying IP6 also has IP4. The exact technical mechanism isn't relevant to the word "parallel", which here means as well as.

      Why do I feel like Lemony Snicket?

      1. Yes Me Silver badge

        Re: IP6 & IP4 in "Parallel"

        Yes, the front end facing the Internet needs to provide both services. But the rest of the data centre, CDN or whatever it is can be 100% IPv6 - some operators have already found this to be significantly simpler and cheaper to operate for a whole lot of reasons.

  2. Chris Hills
    Mushroom

    Downside???

    "But on the downside, pretty much every modern mobile device and PC has IPv6 support included and turned on as a default"

    This is a very GOOD thing!

    1. Anonymous Coward
      Anonymous Coward

      Re: Downside???

      Until they pwn your IPv6 stack...

    2. boltar

      Re: Downside???

      "This is a very GOOD thing!"

      Why? What exactly does IPv6 bring to the table for your average user that IPv4 doesn't? Answer: absolutely bugger all. Well, unless you're a fan of hexadecimal , then you're rocking with the incomprehensible and impossible to remember ip6 addresses.

      1. Nanashi

        Re: Downside???

        Um. The internet? Or specifically, it allows us to continue to bring the internet as it grows without losing performance and functionality. Surely that's something people want?

        Also, v6 addresses aren't necessarily hard to remember. For example, here's a URL for accessing a site over v4: https://www.sprint.net/, and here's the v6 equivalent: https://www.sprint.net/. It's hardly more difficult to remember the second than it is to remember the first.

        1. eldakka Silver badge

          Re: Downside???

          Also, v6 addresses aren't necessarily hard to remember. For example, here's a URL for accessing a site over v4: https://www.sprint.net/, and here's the v6 equivalent: https://www.sprint.net/. It's hardly more difficult to remember the second than it is to remember the first.

          The first thing you do when diagnosing/troubleshooting IP-based issues is totally ignore DNS (since it's not acually part of IP) and start throwing around IP addresses.

          When doing tcpdumps, network/router tracing, no-one gives a toss about DNS.

          To use DNS requires registering something somewhere i.e. additional paperwork and/or configuration. Which is pointess when running up a quick service to do/check something.

          Most of the organisations I've worked at don't use DNS inside device/appliance configurations, e.g. all the firewall devices use IP addresses, not DNS. Load balancers likewise (i.e. when configuring new end services, the networking team who look after the firewalls, load balancers, and other devices want IP addresses, not DNS names).

          When you are diagnosing a problem from an end user out in la-la land, the only DNS address you are interested in is the one they are hitting initially. From that point in through the rest of the infrastructure, it's all IP addresses that are looked at.

          Original DNS -> IP -> firewall1 -> Load balancer (IP) -> multiple endpoint IPs -> security service IP -> Load balancer (IP) -> multiple IPs -> firewall2 -> end points -> more load balancers ...

          And there may very well be multiple NATs in there as well for security purposes (and ease of configuration in some cases, especially in B2B VPN situations).

          1. Nanashi

            Re: Downside???

            I thought we were talking about the average user? The average user does none of those things.

            But sure. Use the IPs if you want: https://208.24.22.50/ and https://[2600::]/. I don't know about you, but I can only remember one of those off-hand, and it ain't the v4 one.

    3. Anonymous Coward
      Thumb Up

      Re: Downside???

      > "But on the downside, pretty much every modern mobile device and PC has IPv6 support included and turned on as a default"

      > This is a very GOOD thing!

      Nuke icon noted. Have an upvote :)

  3. Anonymous Coward
    Anonymous Coward

    stating the obvious

    This doesn't appear to be an ipv6 attack per se but simply most modern operating systems will use ipv6 if it is available by default and indeed perform dns lookups using it by preference.

    If you are a network engineer or security specialist surely as part of your 'normal' working practices you would apply the same diligence to ipv6 as ipv4.

    Appears to be more 'fear' advertising.

    1. Anonymous Coward
      Anonymous Coward

      Re: stating the obvious

      "Appears to be more 'fear' advertising."

      Surely they'd all have been OK if they'd implemented DevoPS properly? Click here for the whitepaper.

  4. J. R. Hartley

    IPv6 is a mess

    Such an unbelievably stupid design. IPv4 with carrier grade NAT should be sufficient.

    1. Kevin McMurtrie Silver badge

      Re: IPv6 is a mess

      NAT means we're all slaves to commercial portals for serving data. No f'ing thanks.

  5. Kevin McMurtrie Silver badge

    IPv6 consumer devices are a dumpster fire

    ISPs and IoT makers have set the stage for huge IPv6 DDoS attacks that could take years to fix once they've started. Half of IPv6 devices have zero security and half of them are WAN hardened for peer-to-peer connectivity. Routers from ISPs make that difficult or impossible to manage. At best, they require you to create custom firewall rules for inbound IPv6. No doubt the most popular solution is going to be the wildcard-to-wildcard ALLOW rule that non-technical people can copy & paste. At worst they have one big "on/off" switch and it needs to be "on" anyways because the firewall is buggy. This mess has been building up for years and it won't get fixed anytime soon.

    1. Nanashi

      Re: IPv6 consumer devices are a dumpster fire

      Or not so much. I know it's popular to rag on IoT stuff, but let's actually think about it for a moment. Let's imagine someone who buys a network camera, and who then configures their network so the camera is accessible from the internet so that they can look at it from work (because why else buy a network camera?).

      On v4, the camera is found by scanners within a few hours, because the v4 space is tiny and easy to exhaustively scan. On v6? Not so much. You could spend a million times the effort scanning v6 and not even scratch a single /64, let alone all of the rest of the /64s. The camera is relatively unlikely to be found, and thus relatively unlikely to be exploited. This is still the case even if someone completely shuts down their firewall (which I suspect isn't really going to be the most common configuration).

      Now, it's true that security by obscurity isn't security and there are various ways to narrow down the search space, but nevertheless if you make it much harder to find your IoT devices it's going to make it correspondingly hard to do anything to them. If anything, v6 seems like it should make the situation better rather than worse.

  6. aqk
    Alert

    What about my IoT devices?

    Does this mean I'll have problems querying my refrigerator from the supermarket when I forgot what I was supposed to buy?

    1. Pascal Monett Silver badge
      Trollface

      Re: What about my IoT devices?

      No need to ask that : if you have IoT devices, you will have problems.

    2. eldakka Silver badge

      Re: What about my IoT devices?

      > Does this mean I'll have problems querying my refrigerator from the supermarket when I forgot what I was supposed to buy?

      Nah, just ask the supermarket, as the fridge manufacturer has already sold that information to the supermarket.

  7. The Average Joe

    One ISP I know...

    one of the tech guys there said he can't wait for IPv6 so that firewalls will be obsolete and we can throw them out... I kid you not. "There's a sucker born every minute"

    1. Mage Silver badge

      Re: firewalls will be obsolete

      No, just only deployed by the clued. An IP4 LAN with one public IP needs a NAT router. Technically a firewall is a separate thing and still needed between your LAN and ISP on IP6 only. Admittedly people might not have one as modem + switch will "work".

    2. Hans 1 Silver badge
      Happy

      Re: One ISP I know...

      one of the tech guys there said he can't wait for IPv6 so that firewalls will be obsolete and we can throw them out... I kid you not. "There's a sucker born every minute"

      Well, don't we all hope for miracles ? IT is such a broad subject that you cannot master everything, agreed, TCP/IP is pretty basic stuff, but still ... he probably heard that with IPv6 you no longer needed NAT and this guy confused NAT and firewall, certainly not his area of expertise. I have heard worse and have probably made equally lame remarks ... we all make mistakes ... as long as the guy admits he's wrong he can learn from his mistake, and that is EXACTLY how we learn best ... shame is an incredibly efficient learning-aid ;-)

  8. Anonymous Coward
    Anonymous Coward

    "Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks"

    .... so its the same story as "I une a Max/Linux so I don't have the security problems all those windoze lusers have"

  9. Blotto Bronze badge

    FUD

    These issues only really apply to servers who’s IPv6 addresses have been published, for example by DNS. the traffic will likely be traversing the same dual stack ipv4/6 infrastructure meaning routers, firewalls, load balancers etc which all need configuring to pass traffic which means someone’s taken the time to do it so why would they not apply the same security as they would for ipv4?

    Most IPv6 stacks for home users will change their addresses frequently meaning the whole allocated subnet will need scanning for vulnerable machines who’s ip’s will change. The attacker could get lucky but it requires a lot more compute and sophistication to perform the attack.

    So this article is all about spreading fear uncertainty and doubt.

    The funny thing is that securing IPv6 means breaking the end to end philosophy many state as one of its positives.

    1. Charles 9 Silver badge

      Re: FUD

      "The funny thing is that securing IPv6 means breaking the end to end philosophy many state as one of its positives."

      No, it's simply a matter of allowing the capability as and when you need it, without having to forward ports and stuff like that or resort to such kludges as (gasp) UPnP.

  10. Mage Silver badge

    IP6 DDOS

    Perhaps it's taken a while for there to be enough compromised PCs etc on the Internet actually able to connect anywhere with IP6.

    Also what ordinary email or web server for the public ONLY runs IP6?

  11. Enno

    IPv6 and CIDR

    The biggest issue I see in the glorious IPv6 future is that one of the current (very poor) mitigation strategies used by some ISPs (cough, Telstra here in Oz) is to unroute targeted destination subnets to unload the attack traffic from their links. In the brave new IPv6 world with it's baked in CIDR routing that will of course no longer be possible...

    It's all very well having your firewall correctly configured to keep the DDoS traffic out of your systems. But if the link to them is taken down by flooding they still accomplished their goal. Nor clear what it gets them apart from shits and giggles, the occasional bit of corporate blackmail notwithstanding.

    1. Nanashi

      Re: IPv6 and CIDR

      You say "of course" but I can't see how CIDR would make it impossible to null-route a subnet.

  12. Spudley

    So the upshot of this article is that IPv6 has *finally* gotten enough adoption that it's worthwhile for the black-hats to take time to start attacking it.

    After hearing endlessly for most of the last decade about how IPv6 is imminent, all I can say is, it's about time.

    Let's be honest, there's no perfect security, so whatever we use, we will get attacked. If we all move to IPv6, we will get attacked via it. But we're currently getting attacked via IPv4, so nothing will change; it's not like IPv6 is more dangerous to use.

  13. EnviableOne Bronze badge

    I think we need a v7 with an address space that is less overkil, and a bit more privacy built in.

    if we used a MAC address sized space (2^48) rather than the Ipv6 monster

    headers get smaller, and there is plenty of address space for use, along with scope for nat and feasable dotted decimal repreentations ....

    1. Anonymous Coward
      Anonymous Coward

      That was IPv5. The devices hiding behind NAT are already well past a 2^48 bit sized address space - EUI-64 had to be introduced years back to extend MAC to 2^64 bit address space. Then there is 2^64 for network route information. Combining those we find ourselves back at the same size *and* layout of an IPv6 address.

      1. EnviableOne Bronze badge

        IPv5 = RFC1819 Internet Stream Protocol

        EUI-64 is just a way to extend a MAC-48 to give a unique IPv6 address (adding FF:FE between OUI and Device Identifier)

        The MAC address 0021.86b5.6e10 (48 bit) becomes

        the EUI-64 address 0221.86ff.feb5.6e10 (64 bit)

        if you employ the same space saving measures used in IPv6 with the smaller address space and extend the ASN field from IPv4 you end up with plenty addresses to use!

        2^48 is more than enough address space, and when your talking 4 addresses in an IPSEC packet, it makes a huge overhead difference.

        1. Charles 9 Silver badge

          Wasn't the same said about 640KB of RAM?

  14. j0hnd0e
    FAIL

    Not first IPv6 DDOS/DOS/DRDOS

    THC.org has demonstrated DoS/DDoS/DrDoS problems with IPv6 over a decade ago. RTFM. So many clueless people thinking they know something nobody can be bothered to even lightly research any claim. No wonder fake news rules.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019