What do we know about IPv6 attack vectors?
As part of its research, Akamai’s Prolexic Security Engineering and Research Team (PLXsert) set up laboratory environments internally and on some of the leading cloud providers’ platforms. Some of these platforms deployed IPv6 functionality by default, while others required IPv6 to be explicitly enabled. Abuse was possible using the IPv6 stack and included the following:
Reflection: Researchers replicated standard UDP reflection DDoS attack techniques against CHARGEN and NTP services over IPv6. Over IPv4, the same packets would normally be ingress-filtered by iptables on their way to the reflectors; because the filtering layer had no IPv6 support, the requests reached the services unfiltered.
Spoofing: IPv6 provides a huge spoofable and hijackable address space. For example, a botnet of home computers vulnerable to IPv6 spoofing could generate massive numbers of unique-looking host addresses, far beyond what is possible with IPv4. These same devices could be assigned globally reachable addresses that, in effect, bypass Network Address Translation (NAT). A compromised machine could be leveraged as a malicious server with large numbers of unique addresses.
Link-local attacks: Tests on popular cloud provider networks revealed that one provider did not have Rogue Router Advertisement (RRA) protections in place. Researchers were able to craft RRA packets in Scapy and flood the testing machines over unicast with malformed routing information. These advertisements directed the targeted machine to use the attacking server as the first hop of its default route, which caused the targeted machine to stop communicating over its global address, effectively creating a denial of service for its end users. The technique was effective in networks where link-local addresses were shared with neighbors and protections against RRA were not in place. Such a technique could also be used for a man-in-the-middle (MitM) attack.
Dual stacks & IPv6 address space: There is a misconception that it is impossible to scan a large IPv6 address space. However, by using IPv4 protocols such as Address Resolution Protocol (ARP) on dual-stack systems, researchers were able to discover the media access control (MAC) addresses of neighboring servers within the associated IPv4 /24 on various cloud platforms. With this information, researchers could reliably convert neighboring MAC addresses into IPv6 link-local and, in some cases, global addresses. The networks routed link-local traffic to services, which could be leveraged to bypass firewall, intrusion detection system (IDS) and intrusion prevention system (IPS) measures protecting the host.
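As an added illustration of the dual-stack point above (example code written for this page, not from the PLXsert research), the following Python performs the MAC-to-IPv6 conversion the text refers to: it derives the modified EUI-64 interface identifier that SLAAC builds from a MAC address, so an operator who already has a host's MAC from the ARP table can compute the link-local and global addresses that host will also answer on and confirm that the IPv6 filter rules cover them. The MAC addresses and the 2001:db8: prefix are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface identifier (RFC 4291, App. A):
    split the 48-bit MAC in half, insert 0xFFFE, and flip the universal/local
    bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def mac_to_ipv6(mac: str, prefix: str = "fe80::/64") -> ipaddress.IPv6Address:
    """Combine a /64 prefix (link-local by default) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC addresses require a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def ipv6_to_mac(addr: str) -> Optional[str]:
    """Reverse direction: recover the MAC if the IID carries the ff:fe marker;
    return None for privacy/random IIDs, which are not MAC-derived."""
    b = bytearray((int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def slaac_candidates(macs: List[str], prefixes: List[str]) -> Dict[str, List[str]]:
    """For each MAC seen in the ARP table, list the IPv6 addresses a SLAAC host
    would configure on the given prefixes; these are the addresses an IPv6
    firewall/IDS policy must cover alongside the host's IPv4 address."""
    return {m: [str(mac_to_ipv6(m, p)) for p in prefixes] for m in macs}


if __name__ == "__main__":
    # Constructed ARP snapshot from a dual-stack segment (sample values).
    arp_macs = ["00:25:90:12:34:56", "52:54:00:ab:cd:ef"]
    for mac, addrs in slaac_candidates(arp_macs, ["fe80::/64", "2001:db8:1:2::/64"]).items():
        print(mac, "->", ", ".join(addrs))
```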