A Brave New World, IPv6 Day

June 8th marks World IPv6 Day, when a number of major organizations offer internet services using the replacement Internet Protocol version 6 standard. From a security standpoint, IPv6 raises some new and potentially interesting problems for malware authors, anti-virus companies, and system/network administrators. All non-network-centric aspects of malicious code will be unaffected by the eventual migration to IPv6. However, the impact will be notable on malicious code that propagates around networks, attempts to disrupt network services and attempts to profile network-enabled attack vectors.

| Protocol Version | Address Size | Example Address | Address Range |
|---|---|---|---|
| Version 4 | 32 bits | 127.0.0.1 | 4,294,967,296 |
| Version 6 | 128 bits | 0:0:0:0:0:0:0:1 | 340,282,366,920,938,463,463,374,607,431,768,211,456 |

Internet Protocol version 4 was first deployed in 1983 for use in “interconnected systems of packet-switched computer communication networks”. When it became apparent that the number of IPv4 addresses could not sustain the huge demand for network-enabled devices, stopgap measures were introduced to maximize the lifespan of IPv4 32-bit addressing, and work began on a replacement protocol, IPv6. Internet Protocol version 6 was first deployed in 1999 and contains a number of improvements over the legacy IPv4. The most notable improvement in IPv6 was the huge increase in possible address space.

With the introduction of IPv6, the massive number of possible addresses in a default subnet and additional software tweaks have created new challenges for malware authors and cyber criminals. It is now infeasible to perform brute force IPv6 address scans in order to profile a network or identify a possible attack vector in this way. IPv6 also mitigates a number of existing IPv4 attacks by design. The SMURF or Broadcast Amplification attacks that were popular in the late 90s are made redundant by the introduction of key features in IPv6 and the associated ICMPv6. IPv6 also attempts to control data interception, or sniffing, by introducing a security protocol, IPsec, to authenticate and encrypt data transmitted across an IP-enabled network.

The adoption of IPv6 may also cause some unforeseen difficulties. Firewall software and hardware can be bypassed if they do not accurately detect and inspect IPv6 traffic. As we move to the replacement protocol, we are facing a learning curve where new threats that are not yet fully apparent will emerge.
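The firewall gap described above can be checked against captured traffic. The following Python sketch is an added example, not code from the original post: it labels Ethernet frames by IP version, going slightly beyond the text by also flagging IPv6 carried inside IPv4 (protocol 41), and lists the frames whose IPv6 content a given inspection policy does not cover. The function names, the policy model and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_6IN4 = 41  # IANA protocol number for IPv6 encapsulated in IPv4
def classify(frame: bytes) -> str:
    """Label an Ethernet frame 'ipv4', 'ipv6', '6in4' or 'other'."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    while ethertype == ETH_VLAN and len(frame) >= offset + 4:  # skip 802.1Q tags
        ethertype = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        offset += 4
    ip = frame[offset:]
    if ethertype == ETH_IPV6 and len(ip) >= 40 and ip[0] >> 4 == 6:
        return "ipv6"
    if ethertype == ETH_IPV4 and len(ip) >= 20 and ip[0] >> 4 == 4:
        return "6in4" if ip[9] == PROTO_6IN4 else "ipv4"
    return "other"

def uninspected(frames, inspected=("ipv4",)):
    """Indexes of frames whose IPv6 content a policy limited to `inspected` skips."""
    blind = {"ipv6", "6in4"} - set(inspected)
    return [i for i, f in enumerate(frames) if classify(f) in blind]

# --- constructed sample frames (documentation addresses, zeroed checksums) ---
def _eth(ethertype, payload, vlan=None):
    hdr = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload=b""):
    src, dst = (ipaddress.IPv4Address(a).packed for a in ("192.0.2.1", "192.0.2.2"))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src, dst) + payload

def _ipv6(next_header=58):
    src, dst = (ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, 64, src, dst)

SAMPLE = [
    _eth(ETH_IPV4, _ipv4(6)),             # 0: plain IPv4 carrying TCP
    _eth(ETH_IPV6, _ipv6()),              # 1: native IPv6 (ICMPv6)
    _eth(ETH_IPV6, _ipv6(), vlan=10),     # 2: native IPv6 behind an 802.1Q tag
    _eth(ETH_IPV4, _ipv4(41, _ipv6())),   # 3: IPv6 encapsulated in IPv4
    _eth(0x0806, b"\x00" * 28),           # 4: ARP, neither IP version
]
```

Calling `uninspected(SAMPLE)` models an IPv4-only policy and returns the frames it would pass without looking at the IPv6 headers; passing `("ipv4", "ipv6")` shows what remains once native IPv6 inspection is enabled.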

We are slowly moving towards replacing IPv4 and events like World IPv6 Day are important steps towards a full adoption of the replacement protocol. Unfortunately, as IPv6’s profile is raised and we slowly begin implementing the replacement standard, malware authors are certain to take note and begin adapting.

As always, Symantec recommends that you keep your definitions, signatures and firewall rules up to date to ensure protection against threats mentioned in this blog.