How to Deal With DDoS Attacks on a Global Scale

Image for post
Image for post

IPv6 Is Already Here

Since June 1, 2016, Apple stipulated that all apps submitted to the App Store must be compatible with the IPv6-only standard. Currently, a significantly large number of Internet resources and users utilize the IPv6 protocol. Therefore, the Internet services that do not support IPv6 may lose a large number of users.

New Network Security Challenges Under IPv6

Although the defense system under IPv4 is mature, it cannot be directly used for IPv6 protection. Instead, it must be completely redeveloped to support IPv6. It must be re-adapted to the new network environment of IPv6 in terms of traffic monitoring, scheduling, scrubbing, and black holes. The new features of the IPv6 protocol may be exploited by hackers to launch DDoS or denial of service (DoS) attacks.

  • Hacker may exploit the Neighbor Solicitation (NS), Neighbor Advertisement (NA), Router Solicitation (RS), and Router Advertisement (RA) messages of IPv6 to launch DoS or DDoS attacks.
  • IPv6 supports automatic stateless configuration. A large number of available IP addresses that may exist under subnets are easy targets to launch random source DDoS attacks.
  • IPv6 adopts end-to-end fragmentation and reassembly, which may expose vulnerable servers to DoS attacks through carefully crafted packet fragments.

The Attack and Defense Situation in IPv6 Has Changed

IPv6 provides massive IP addresses, allowing an Internet Data Center (IDC) to apply for many available CIDR blocks. In this situation, defense algorithms that rely on requests-based throttling of source IP addresses no longer work.

Best Practices of IPv6 DDoS Defense by Alibaba Cloud

Challenges and Changes

Let’s take a look at some new challenges and changes concerning the IPv6.

  • The total number of IPv6 addresses is more than that of IPv4 addresses by 296 times. More powerful processing performance is required to defend against attacks that are launched by using massive IP addresses.
  • The carrier-level IPv6 black hole capability is required to prevent high-traffic DDoS attacks.
  • Defense algorithms and modes must meet the new challenges of IPv6.
  • The IPv6 security capability is required to protect services that are switched to IPv6 networks.

IPv6 Implementation by Alibaba Cloud

Alibaba Cloud implements IPv6 security in the following aspects.

Security Recommendations

It is recommended that ISPs build IPv6 services by using cloud services, instead of using the costly method to redevelop and upgrade systems to support IPv6.

Original Source

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store