Salient Federal Solutions, a Fairfax, Va., IT engineering firm, is reporting real-world incidents of IPv6 attacks that abuse the emerging protocol's tunneling capabilities, its Type 0 routing header, AAAA ("quad A") DNS queries and rogue router advertisements. The company asserts that all of these threats can be eliminated with IPv6-aware deep packet inspection tools, which it and other network vendors sell.
“We definitely see these attacks, we just can’t say where we are seeing them,” says Lisa Donnan, who leads Salient’s Cyber Security Center of Excellence. Salient Federal Solutions purchased IPv6 consulting and training firm Command Information in March.
The No. 1 attack that Salient Federal is seeing is the result of so much IPv6 traffic being tunneled across IPv4 networks, particularly using the Teredo mechanism that is built into both Microsoft Windows Vista and Windows 7. Teredo wraps IPv6 packets inside IPv4 UDP datagrams, so they pass through NAT devices and IPv4-only firewalls that see nothing but UDP and never look at the inner IPv6 packet. This weakness of IPv6-over-IPv4 tunneling has been known for at least five years, but it is still being exploited.
In Canada there are similar signs, says Robert Beggs, CEO of Digital Defence, a Burlington, Ont., security consultancy. Network administrators say IPv6 isn't an issue because their networks are IPv4-based, he said in an e-mail, but they don't realize that end users with IPv6 support in their PCs can hide communications using IPv6.
“We have seen at least two recent cases in Toronto where users took advantage of the Windows IPv6 client, Teredo, to by-pass a Web proxy and obtain access to Web sites that would normally be blocked,” he wrote. “In one instance, the end user was accessing child pornography, placing an increased liability and cost burden on our client.”
“The attacker community is well versed in using IPv6-based tools, and most of the common tools, such as nmap and the Metasploit framework, support this protocol.”
Overall, IPv6 that is not managed by the organization “presents a clear threat to network security,” he warned. “Until network management tools become less complex and offer more visibility, and network managers understand the threats, it will continue to be a significant security issue. Unfortunately, we cannot even state the real incidence rate, as most networks are not even looking for this type of traffic.”
“IPv6 tunneling gives attackers a green light to penetrate networks,” says Jeremy Duncan, senior director and IPv6 network architect for Salient Federal Solutions of Fairfax, Va.
Duncan is concerned about uTorrent, an IPv6-capable freeware client for the BitTorrent peer-to-peer protocol that is used to share large files such as music and movies. Duncan says uTorrent runs very well over Teredo, and that the BitTorrent community is discovering IPv6 as a way of avoiding the traffic-shaping controls that ISPs use to throttle BitTorrent traffic on IPv4 networks.
Duncan says it is also easy for users of Vuze, another BitTorrent application, to configure the client to prefer IPv6 over IPv4.
“BitTorrent users are discovering that they won’t have throttled traffic with IPv6,” Duncan says. “This is an issue for the carriers. They won’t be able to throttle back the IPv6 traffic because they’re not inspecting it.”
Salient Federal says it is also seeing attacks using IPv6's Type 0 Routing Header, a feature of IPv6 that lets the sender of a packet list intermediate nodes the packet must visit on its way to the destination. Because the same pair of addresses can be listed repeatedly, a single packet can be made to bounce between two routers many times, amplifying traffic. The Internet Engineering Task Force deprecated the feature in 2007 (RFC 5095) and recommended that it be disabled due to the potential for its use in denial-of-service attacks, calling the threat "particularly serious."
Nonetheless, Salient Federal is seeing Routing Header Type 0 attacks on the IPv6 production networks that it monitors. For example, Command Information traced one such attack to one of its own border routers that was no longer in operation. The attack originated from a research network in China. Had it succeeded, it would have allowed the attacker to relay malicious traffic through Command Information's border router to other networks.
“Network managers have to turn this feature off in their routers,” Duncan says. “This capability was shipped with all Cisco routers by default a few years ago. The newer routers have turned this feature off; the problem is with older routers.”
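The two problems described so far, Teredo (IPv6 inside UDP over IPv4) and IPv6-in-IPv4 encapsulation carrying a Type 0 Routing Header, can both be spotted by a sensor that decapsulates the IPv4 packet and walks the inner IPv6 extension-header chain. The following Python is an added example written for this page, not code from Salient Federal, Command Information or any vendor tool; it uses only the header layouts from RFC 791, RFC 2460, RFC 4380 (Teredo port 3544) and RFC 5095, and the packets it inspects are constructed inline rather than captured. It also recognises protocol-41 tunnels (6in4, 6to4, ISATAP), which the article mentions only generically. Teredo packets that carry an authentication or origin indication ahead of the IPv6 header are not decoded here.

```python
import socket
import struct

TEREDO_PORT = 3544                 # Teredo service port (RFC 4380)
PROTO_UDP, PROTO_IPV6 = 17, 41     # IPv4 protocol numbers; 41 = 6in4 / 6to4 / ISATAP
IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_AH = 43, 44, 51
EXT_HEADERS = {0, 43, 44, 51, 60}  # hop-by-hop, routing, fragment, AH, destination options

def extract_inner_ipv6(pkt):
    """Return (tunnel_kind, inner_ipv6_bytes) for an IPv4 packet carrying IPv6,
    or (None, None) when it carries no tunnel we recognise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, None
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        return "6in4", payload
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        # Plain Teredo: the IPv6 packet starts right after the UDP header. Packets with a
        # Teredo authentication/origin indication first have a 0 nibble here and are skipped.
        if TEREDO_PORT in (sport, dport) and len(data) >= 40 and data[0] >> 4 == 6:
            return "teredo", data
    return None, None

def walk_ipv6_headers(ipv6):
    """Walk the extension-header chain. Returns [(header_type, routing_type_or_None), ...]
    ending with the upper-layer protocol number."""
    nxt, off, chain = ipv6[6], 40, []
    while nxt in EXT_HEADERS and off + 4 <= len(ipv6):
        ext_len = ipv6[off + 1]
        if nxt == IPPROTO_FRAGMENT:
            size = 8                          # fragment header is fixed size
        elif nxt == IPPROTO_AH:
            size = (ext_len + 2) * 4          # AH length is in 32-bit words, minus 2
        else:
            size = (ext_len + 1) * 8          # 8-octet units, not counting the first 8
        rtype = ipv6[off + 2] if nxt == IPPROTO_ROUTING else None
        chain.append((nxt, rtype))
        nxt, off = ipv6[off], off + size
    chain.append((nxt, None))
    return chain

def inspect(pkt):
    """Classify one raw IPv4 packet: which tunnel (if any) it carries and whether the
    inner IPv6 packet uses the deprecated Type 0 Routing Header."""
    kind, inner = extract_inner_ipv6(pkt)
    if inner is None:
        return {"tunnel": None, "rh0": False}
    chain = walk_ipv6_headers(inner)
    return {"tunnel": kind,
            "src": socket.inet_ntop(socket.AF_INET6, inner[8:24]),
            "dst": socket.inet_ntop(socket.AF_INET6, inner[24:40]),
            "rh0": any(t == IPPROTO_ROUTING and rt == 0 for t, rt in chain)}

# --- constructed sample packets (not captures) ------------------------------------
def mk_ipv4(proto, payload, src="192.0.2.10", dst="203.0.113.5"):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def mk_ipv6(next_hdr, payload, src="2001:db8::1", dst="2001:db8::2"):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload

def mk_rh0(addresses, next_hdr=58):
    """Type 0 Routing Header listing intermediate addresses (the RFC 5095 amplification case)."""
    body = b"".join(socket.inet_pton(socket.AF_INET6, a) for a in addresses)
    return struct.pack("!BBBBI", next_hdr, 2 * len(addresses), 0, len(addresses), 0) + body

ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # ICMPv6 echo request, checksum left zero
SAMPLE_TEREDO = mk_ipv4(PROTO_UDP, struct.pack("!HHHH", 54321, TEREDO_PORT, 8 + 48, 0)
                        + mk_ipv6(58, ECHO))
SAMPLE_6IN4_RH0 = mk_ipv4(PROTO_IPV6, mk_ipv6(43, mk_rh0(["2001:db8::a", "2001:db8::b"] * 4) + ECHO))
SAMPLE_PLAIN_TCP = mk_ipv4(6, b"\x00" * 20)

if __name__ == "__main__":
    for label, pkt in [("teredo", SAMPLE_TEREDO), ("6in4+rh0", SAMPLE_6IN4_RH0), ("tcp", SAMPLE_PLAIN_TCP)]:
        print(label, inspect(pkt))
```

On a network that officially runs no IPv6, any non-None `tunnel` result is worth an alert on its own; the `rh0` flag is a separate, higher-severity finding because, as the IETF noted, the header should never appear in legitimate traffic after 2007.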
Another IPv6-related threat comes from AAAA (so-called "quad A") DNS records, which map host names to IPv6 addresses. Duncan says AAAA queries are present on every network that the company is monitoring, even though many of those networks do not support IPv6 traffic.
When hosts on a network send AAAA queries, it indicates that some nodes on the network are IPv6-enabled and can therefore be targeted with an IPv6-based attack. Because the network itself doesn't support IPv6, it is likely that the network manager is not monitoring IPv6 traffic with deep packet inspection tools.
Duncan refers to IPv4 networks whose hosts send AAAA queries as "the loaded gun."
“When companies have IPv6-enabled machines but not IPv6 enabled, hackers know that the network management for IPv6 is lacking,” Duncan says. “They can easily flood the organization’s mail servers with spam that contains malware. All they need is one user with elevated privileges to open one spam message with malware, and that malware can open IPv6 in a tunnel through the firewall.”
Duncan points out that he hasn’t seen the Quad-A vulnerability being exploited yet, but he believes it is a significant threat for enterprises.
“We haven’t seen this exact exploit, but we have seen a lot of IPv6 tunneled traffic that is not being inspected,” Duncan says. “Every enterprise could have tens of thousands of Quad A records being broadcast. … The solution is to lock down IPv6 if you’re not using it and to use deep packet inspection.”
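The "loaded gun" indicator is cheap to collect passively: a sensor that parses the question section of outbound DNS queries can list every client asking for AAAA records on a network that officially has no IPv6, and in the same pass catch Windows hosts resolving the default Teredo server name before they bring up a tunnel. The Python below is an added example for this page, not Salient Federal's tooling; the wire format follows RFC 1035, the client addresses and queries are constructed inline, and the only assumption beyond the article is that `teredo.ipv6.microsoft.com` is the default Teredo server name that Windows clients resolve.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
# Default Teredo server name that Windows clients resolve before bringing up Teredo
TEREDO_SERVER_NAMES = {"teredo.ipv6.microsoft.com"}

def parse_name(msg, off):
    """Decode a DNS name at msg[off:]; returns (dotted_name, offset_after_name).
    Compression pointers are handled, although queries normally contain none."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:                   # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), (end if jumped else off)

def parse_questions(msg):
    """Return [(qname, qtype), ...] from the question section of a DNS message."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off, questions = 12, []                    # fixed 12-octet header
    for _ in range(qdcount):
        name, off = parse_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    return questions

def classify(log):
    """log: iterable of (client_ip, dns_query_payload) as a passive sensor would see them.
    Returns {client: {"aaaa": names, "teredo": names}} for clients that asked for AAAA
    records or looked up a Teredo server; clients that did neither are omitted."""
    findings = {}
    for client, payload in log:
        for name, qtype in parse_questions(payload):
            key = ("aaaa" if qtype == QTYPE_AAAA
                   else "teredo" if name.lower() in TEREDO_SERVER_NAMES else None)
            if key:
                findings.setdefault(client, {"aaaa": set(), "teredo": set()})[key].add(name)
    return findings

def build_query(name, qtype, txid=0x1234):
    """Construct a minimal standard query; used only to make the sample traffic below."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

# constructed sample: (client, query) pairs, not a real capture
SAMPLE_LOG = [
    ("10.0.0.11", build_query("www.example.com", QTYPE_A)),
    ("10.0.0.11", build_query("www.example.com", QTYPE_AAAA)),        # dual-stack host
    ("10.0.0.12", build_query("mail.example.com", QTYPE_A)),          # IPv4-only behaviour
    ("10.0.0.13", build_query("teredo.ipv6.microsoft.com", QTYPE_A)),  # Teredo bootstrap
]

if __name__ == "__main__":
    for client, f in sorted(classify(SAMPLE_LOG).items()):
        print(client, "AAAA:", sorted(f["aaaa"]), "Teredo:", sorted(f["teredo"]))
```

The hosts this turns up are the ones to reach first when "locking down IPv6 if you're not using it": each is a machine that will happily use an IPv6 path the firewall never sees.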
Finally, Salient Federal is reporting that it is seeing rogue router advertisements for IPv6, although the company admits that it hasn't seen a malicious actor sending them. Rogue router advertisements are a threat the IETF warned against in February (RFC 6104), pointing out that the vulnerability could be used for denial-of-service or man-in-the-middle attacks.
This threat comes from the fact that IPv6-enabled workstations are always listening for router advertisements because of IPv6's stateless address autoconfiguration: a host will take a default route and an address prefix from any advertisement it receives on the link. These workstations can therefore be fooled by bogus advertisements, whether they result from network administrator errors or from hacking attacks. Rogue router advertisements for IPv6 are being seen on both wireless and wired networks.
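Because every host on the link will act on whatever advertisement it hears, the network side needs its own view of who is advertising what. The Python below is an added example, written for this page and not taken from any vendor product: it parses ICMPv6 Router Advertisements (RFC 4861 layout) from raw IPv6 packets, pulls out the source, the advertised prefixes and the source link-layer option, and compares them with an assumed site policy (the allowlists `ALLOWED_ROUTERS` and `ALLOWED_PREFIXES` are invented for the example, as are the sample packets). It also applies the RFC 4861 rule that a valid RA must arrive with IP hop limit 255, which catches advertisements that were routed in rather than sent on-link.

```python
import socket
import struct

ICMPV6_RA, OPT_SRC_LLADDR, OPT_PREFIX_INFO = 134, 1, 3

def parse_ra(ipv6):
    """Parse a raw IPv6 packet. Returns a dict describing the Router Advertisement, or
    None if it is not an ICMPv6 RA carried directly after the IPv6 header
    (extension headers in front of ICMPv6 are not walked here)."""
    if len(ipv6) < 56 or ipv6[0] >> 4 != 6 or ipv6[6] != 58 or ipv6[40] != ICMPV6_RA:
        return None
    icmp = ipv6[40:]
    _cur_hop, _flags, lifetime = struct.unpack("!BBH", icmp[4:8])
    ra = {"src": socket.inet_ntop(socket.AF_INET6, ipv6[8:24]),
          "hop_limit": ipv6[7], "router_lifetime": lifetime,
          "lladdr": None, "prefixes": []}
    off = 16                                    # fixed RA fields end here; options follow
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]  # option length is in 8-octet units
        if olen == 0:                           # malformed option; stop rather than loop forever
            break
        body = icmp[off + 2:off + olen * 8]
        if otype == OPT_SRC_LLADDR and len(body) >= 6:
            ra["lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and len(body) >= 30:
            prefix = socket.inet_ntop(socket.AF_INET6, body[14:30])
            ra["prefixes"].append(f"{prefix}/{body[0]}")
        off += olen * 8
    return ra

def classify_ra(ra, allowed_routers, allowed_prefixes):
    """Return the reasons an RA violates local policy; an empty list means it is expected."""
    reasons = []
    if ra["src"] not in allowed_routers:
        reasons.append(f"unexpected router source {ra['src']} ({ra['lladdr']})")
    if ra["hop_limit"] != 255:   # RFC 4861: receivers must discard RAs whose hop limit is not 255
        reasons.append(f"hop limit {ra['hop_limit']} != 255")
    for p in ra["prefixes"]:
        if p not in allowed_prefixes:
            reasons.append(f"unexpected prefix {p}")
    return reasons

# --- constructed samples and an assumed site policy (not real captures) -----------
def build_ra(src_ll, mac, prefixes, hop_limit=255, lifetime=1800):
    """Build an RA to ff02::1 with a source link-layer option and one prefix option per prefix."""
    opts = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(mac.replace(":", "")))
    for p in prefixes:
        net, plen = p.split("/")
        opts += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, int(plen), 0xC0,
                            2592000, 604800, 0, socket.inet_pton(socket.AF_INET6, net))
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0) + opts
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), 58, hop_limit,
                      socket.inet_pton(socket.AF_INET6, src_ll),
                      socket.inet_pton(socket.AF_INET6, "ff02::1"))
    return hdr + icmp

ALLOWED_ROUTERS = {"fe80::1"}              # assumed: the site's one legitimate router
ALLOWED_PREFIXES = {"2001:db8:1::/64"}     # assumed: the only prefix it should advertise
LEGIT_RA = build_ra("fe80::1", "00:11:22:33:44:55", ["2001:db8:1::/64"])
ROGUE_RA = build_ra("fe80::dead:beef", "66:77:88:99:aa:bb", ["2001:db8:bad::/64"])
NOT_AN_RA = LEGIT_RA[:40] + struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # echo request instead

if __name__ == "__main__":
    for label, pkt in [("legit", LEGIT_RA), ("rogue", ROGUE_RA), ("echo", NOT_AN_RA)]:
        ra = parse_ra(pkt)
        print(label, "not an RA" if ra is None else classify_ra(ra, ALLOWED_ROUTERS, ALLOWED_PREFIXES))
```

A misconfigured host sharing its connection and a deliberate man-in-the-middle look identical at this layer, which is why the check is on source and prefix rather than on intent; the follow-up in either case is to find the port the advertisement came in on.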
“Enterprises need to deploy a fix like Cisco’s RA Guard on their switches and router, but then you need to have IPv6 enabled on your core,” Duncan says. “You also need to use deep packet inspection in your core.”
Duncan urges companies to implement IPv6 on their networks and to put appropriate security controls such as deep packet inspection in place so that they can manage IPv6-related vulnerabilities.
“Enterprises need to make sure that their security vendors can protect against these specific IPv6 vulnerabilities,” he says. He urges companies to get their systems and network engineers trained in IPv6 and to develop an IPv6 cybersecurity plan.
Duncan says that enterprise network managers are gaining in awareness of IPv6 but that they aren’t focused enough on the related security issues. “There’s not as much focus on IPv6 security as there is with IPv4 security,” he says.
Donnan says this is a worry because U.S. companies are vulnerable to IPv6 attacks sent by countries such as China.
“There is state-sponsored hacker activity, and they are very savvy about IPv6,” Donnan says.
Carriers and enterprises are migrating to IPv6 because the Internet is running out of IPv4 addresses. IANA's free pool of unassigned IPv4 address blocks was exhausted in February, and in April the Asia Pacific region ran out of all but a few IPv4 addresses being held in reserve for startups. The American Registry for Internet Numbers (ARIN), which doles out IP addresses to network operators in North America, says it will deplete its supply of IPv4 addresses this fall.
–With files from Howard Solomon, Network World Canada