'First true' native IPv6 DDoS attack spotted in wild

News by Mark Mayne

First in-the-wild DDoS IPv6 attack hits servers, with portents of more to come. The DNS dictionary attack originated from around 1,900 different native IPv6 hosts, on more than 650 different networks.

The first documented native IPv6 DDoS attack was spotted in the wild over the weekend.

The DNS dictionary attack originated from around 1,900 different native IPv6 hosts on more than 650 different networks, and targeted the network of authoritative DNS service Neustar.

The distributed attack demonstrates that hackers are deploying new methods for IPv6 attacks, as widely predicted, not simply replicating IPv4 attacks using IPv6 protocols, according to Neustar.

Barrett Lyon, head of research and development, Neustar, told SC Media UK: “We've been expecting this event for a while, but it has now happened. We've also seen a real ramping up of IPv4 attacks this year too - nearly double compared to the same period in 2017 - but IPv6 attacks present some unique issues that can't be easily solved. One example is that the sheer number of addresses available to an attacker can exhaust the memory of modern security appliances…”

The total number of possible IPv6 addresses is more than 7.9×10^28 times as many as IPv4, which uses 32-bit addresses and provides approximately 4.3 billion addresses. Because of the far greater number of potential IPv6 addresses, a considerably greater attack volume is possible. And because many newer network deployments may support IPv6 while mitigation tools may not, the result is potentially a patchwork quilt of adoption, ideal for attackers to take advantage of.

Wesley George, principal engineer, SiteProtect Network Engineering, Neustar, told SC Media UK: “There is a big challenge here, but there has been a lot of progress made in the last few years. The best practice guidance is out there, and it is clear that IPv6 needs to be treated as a first-class citizen now. In many cases it is about visibility - we see companies with great telemetry for IPv4, and it's essential that security stances are able to do the same for IPv6 traffic.”
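The memory and visibility points above can be made concrete with a short added example (not from the article or from Neustar): a source counter that keys IPv6 clients by prefix instead of by full address and caps the table size, so rotating addresses inside one subnet cannot grow it without bound. The /64 aggregation width, the table cap, the use of the Space-Saving heavy-hitter algorithm and the sample addresses (documentation prefixes) are all assumptions made for illustration.

```python
import ipaddress

PREFIX_LEN = 64  # assumption: one /64 is treated as one source
MAX_KEYS = 4     # assumption: tiny cap for the demo; size it to real memory


def source_key(addr: str) -> str:
    """Return the counting key: the address for IPv4, the /64 for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.IPv6Network((ip, PREFIX_LEN), strict=False))


def top_sources(addrs, max_keys=MAX_KEYS):
    """Space-Saving heavy hitters: never holds more than max_keys entries.

    When the table is full, the smallest counter is evicted and the new key
    inherits its count plus one, so counts may be overestimated but a
    genuinely heavy source is never dropped.
    """
    counts = {}
    for addr in addrs:
        key = source_key(addr)
        if key in counts:
            counts[key] += 1
        elif len(counts) < max_keys:
            counts[key] = 1
        else:
            victim = min(counts, key=counts.get)
            counts[key] = counts.pop(victim) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample: 200 queries from rotating addresses in one /64,
# plus a handful of unrelated clients.
SAMPLE = [f"2001:db8:a:1::{i:x}" for i in range(1, 201)]
SAMPLE += ["2001:db8:b:2::53", "2001:db8:c:3::53", "192.0.2.10",
           "2001:db8:b:2::54"]

if __name__ == "__main__":
    print("distinct addresses:", len(set(SAMPLE)))
    print("distinct keys     :", len({source_key(a) for a in SAMPLE}))
    for key, count in top_sources(SAMPLE):
        print(f"{count:5d}  {key}")
```

Keyed by full address, the constructed sample needs 204 table entries; keyed by prefix it needs 4, and the busy /64 stands out as a single line.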

Neustar's UltraDNS service handles 10 percent of all internet traffic; customers include Tesco, Forbes.com, PurpleBricks and NetRefer. The number of Alexa Top 1000 websites currently reachable over IPv6 has hit 26.9 percent, according to the IPv6 launch website, and it is clear that there will be more work for security professionals in the IPv6 pipeline.

Just weeks ago, Internet Engineering Task Force (IETF) contributor Fernando Gont helped write RFC 8021, a fix designed to prevent a fragmentation attack vector against IPv6 protocol routers in large-scale networks. The vector, called “atomic fragments”, has been the subject of much debate - and was the topic of a Black Hat 2012 presentation.

