IPV6 Attacks

ACM.459 Before you enable and start using IPv6, make sure you understand how it can be attacked

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Network Security | IPv6

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I showed you how to run docker in a rootless manner to protect against injection and similar attacks.

In this post I’m going to cover some attacks that can be carried out if you are running IPv6.

I’ve already explained why I disable IPv6 on my home network.

I don’t need it. The purpose of IPv6 is to handle many more IP addresses than IPv4 can handle. I don’t have that many IP addresses on my personal home network or even in my cloud so I don’t need it. I doubt anyone needs IPv6 on their home network.

I can instantly recognize IPv4 ranges. After many years of working in network security I can instantly recognize certain IP ranges such as those belonging to major cloud providers, Google DNS servers, and malicious ranges such as 77.x.x.x which is typically Russia or low 100’s which is usually somewhere in Asia and often networks like Tencent, Hinet, Chinanet and the likes.

Easier to spot anomalies. Because I recognize the traffic it’s easier to spot anomalies. Of course these network blocks are becoming more fragmented but it is still useful to be able to instantly recognize a potentially malicious source when inspecting network traffic. It’s easier to spot anomalies.

Twice as much to manage. IPv4 and IPv6 are completely different. At the packet layer these protocols do pretty much everything differently though there are similar concepts and names. If I run IPv4 and IPv6 I need to ensure that I configure both correctly. If I only run IPv4 I only have to manage one version. As stated in other posts, if I get to the point where I am forced to use IPv6, I will likely switch completely to IPv6 and disable IPv4 — and start memorizing IPv6 names.

Possible crossover of traffic creates potential vulnerabilties. There are cases where I need to use IPv6 but I stand up separate networks and systems for that. And that leads me to my next point.

The attacks and vulnerabilities

If you are going to run IPv6 you need to understand how it is going to be attacked and where it is vulnerable. Over the past couple of years there were some accounts on social media that attacked me every time I published a post on how to disable IPv4. I mean attacked. It was not normal behavior. When I looked at their profiles it was clear they were IPv6 fanboys. (And yes, all male.) But why?

Here’s what I suspect. These people on social media knew about some attacks and want you to use IPv6 because they know how to break it. They know how to bypass things and they know that people turning it on probably don’t know how it works in a lot of cases. I didn’t know for sure at the time. I just blocked those accounts. But as new attacks come to light, I’m pretty certain I was right.

I just posted on social media how some people are trying to manipulate you to use vulnerable code, lists for your security scanners that exfiltrate data from your environment, as well as docker containers and software packages with embedded vulnerabilities — intentionally in some cases, unintentionally in others. I think the people harassing me knew about these vulnerabilities. I also think many of the attacks on social media are campaigns to get you to do something less than ideal from a security perspective. I wrote about that here:

Be careful not to get swept up by some emotional argument or arguments in general that don’t make sense.

I was aware of and wrote about a few things that could make you vulnerable when you turn on IPv6 — like network security devices that do absolutely nothing for IPv6 because they are counting on MACs that are routable and can be manipulated when using IPv6 that is not configured to make those MACs non-routable.

But I decided that before I write about how to disable IPv6 on an Amazon Linux instance that I would gather some additional information about IPv6 attacks. Here are some resources for you to peruse. If you are going to allow IPv6 on your network, make sure your configuration is such that you are not susceptible to these attacks.

If you don’t specify an IPv6 DNS server, one may be gratuitously provided for you (think gratuitous ARP)

Let’s say you have IPv4 and IPv6 available on your network. You don’t configure an IPv6 DNS server and you think that your systems will therefore only connect to the IPv4 server. An attacker may be able to provide DNS for IPv6 and trick your system into using IPv6 instead. They can direct your requests to their DNS server and send back incorrect IP addresses for the domains you are trying to visit.

What is the recommendation from my friends at Black Hills Infosec? Disable IPv6 if you’re not using it. Oh. Really? Thank you.

It is especially concerning if attackers are able to direct you to an alternate server for software updates.

When I tried to limit my network to IPv4, Ubuntu updates got blocked because they were trying to use IPv6 addresses. When I disabled IPv6 that behavior stopped. If you intend to use IPv6 it’s fine to use it for updates as long as you are sure you’re getting those updates from the correct IP address. If you’re having problems on IPv4 you can disable IPv6 altogether and the updates come via IPv4.

Exploit IPv6 Flow Labels

This presentation explains how it might be possible to figure out the device ID in an IPv6 Flow and perform a man in the middle. This has been fixed in updated operating systems. Make sure yours are up to date.

https://www.youtube.com/watch?v=oFeosswx2vc

SLAAC Attack

What is SLAAC?

Stateless Address Autoconfiguration (SLAAC) is another way to assign addresses on an IPv6-enabled network.

What is the SLAAC Attack?

It is a way to:

impose a parasitic IPv6 overlay network on top of an IPv4-only network so that an attacker can carry out man-in-the-middle (MITM) attacks on IPv4 traffic.

You can read the details of the attack here.

By the way it also works on a MAC OS.

And others…

How can you prevent it?

NSA recommends assigning addresses to hosts via a Dynamic Host Configuration Protocol version 6 (DHCPv6) server to mitigate the SLAAC privacy issue. Alternatively, this issue can also be mitigated by using a randomly generated interface ID (RFC 4941 — Privacy Extensions for Stateless Address Auto-configuration in IPv6) [1] that changes over time, making it difficult to correlate activity while still allowing network defenders requisite visibility.

https://media.defense.gov/2023/Jan/18/2003145994/-1/-1/0/CSI_IPV6_SECURITY_GUIDANCE.PDF

Here are some other documented IPv6 attacks

https://www.hpc.mil/images/hpcdocs/ipv6/5-ipv6-attacks-and-countermeasures-v1.2.pdf

IPv6 attacks spike in 2023

And as predicted, as people roll out IPv6 without understanding how it works and how to properly configure it, the attackers are gleefully cheering and using those attacks. As the adoption of IPv6 rises, so does the use of the related attacks:

I also found this tidbit interesting:

They’d rather run on servers that are compromised, or IoT devices that are compromised on the black market, rather than use those VPNs.

For all those people who think no one wants to attack you — that’s why they do. They are using your network devices to attack others.

What do you need to do to protect your networks?

You can run various tools such as those used by 2nd Sight Lab to scan networks. Most importantly, take a look at your configurations to make sure they are correct. Here is some NSA Guidance:

In the next post I’m going to look at disabling IPv6 on my Amazon Linux 2023 host.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab

Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation

Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab