IPv6 Is Already Here
Since June 1, 2016, Apple has required that all apps submitted to the App Store be compatible with IPv6-only networks. A large number of Internet resources and users now use the IPv6 protocol, so Internet services that do not support IPv6 may lose a large number of users.
At the end of 2017, the General Office of the CPC Central Committee and the General Office of the State Council issued the “Action Plan for Promoting the Scale Deployment of IPv6”, requiring the number of active IPv6 users to reach 200 million by the end of 2018, and requiring the top 50 commercial websites and apps with the largest number of users in China to support IPv6. IPv6 had become a national strategy.
With the advent of IPv6, attacks under IPv6 networks began to emerge.
At the beginning of 2018, Neustar announced that it had been hit by an IPv6 distributed denial of service (DDoS) attack. It was the first publicly reported IPv6 DDoS attack. Subsequently, IPv6 DDoS attack tools, such as thc-ipv6 and hping, also emerged on the Internet.
In November 2018, Taobao and Youku ran IPv6 during the Double 11 Shopping Festival for the first time. Alibaba Cloud Security built the first IPv6 DDoS defense system in China, which supports second-level monitoring and massive IP address defense, providing IPv4+IPv6 dual-stack automatic DDoS protection for the cloud services of Taobao and Youku.
During the Double 11 Shopping Festival, the dual-stack defense system intercepted more than 5,000 DDoS attacks, with maximum attack traffic of 397 Gbit/s.
New Network Security Challenges Under IPv6
Although the defense system under IPv4 is mature, it cannot be directly used for IPv6 protection. Instead, it must be completely redeveloped to support IPv6, and re-adapted to the new IPv6 network environment in terms of traffic monitoring, scheduling, scrubbing, and black-holing. The new features of the IPv6 protocol may be exploited by hackers to launch DDoS or denial of service (DoS) attacks.
This is because in IPv6:
- Hackers may exploit the Next Header feature of the IPv6 protocol to launch DoS attacks. For example, a hacker may exploit the Type 0 Routing header vulnerability of two servers to bounce carefully crafted data packets back and forth between the two servers so that link bandwidth is exhausted, or make valid IP addresses bounce packets by bypassing source IP address restrictions.
- Hackers may exploit the Neighbor Solicitation (NS), Neighbor Advertisement (NA), Router Solicitation (RS), and Router Advertisement (RA) messages of IPv6 to launch DoS or DDoS attacks.
- IPv6 supports automatic stateless configuration. The large number of IP addresses that may be available under a subnet makes it easy to launch random-source DDoS attacks.
- IPv6 adopts end-to-end fragmentation and reassembly, which may expose vulnerable servers to DoS attacks through carefully crafted packet fragments.
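As an added example (not part of the original article or of any Alibaba Cloud product), the Python sketch below shows the kind of check a scrubbing stage can apply to the Next Header chain: it walks the extension headers of a raw IPv6 packet and drops Type 0 Routing headers with segments left, which RFC 5095 deprecated. The function names, the `MAX_EXT_HEADERS` policy value, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}
MAX_EXT_HEADERS = 8  # assumed local policy, not a protocol constant


def inspect_ipv6(packet: bytes) -> str:
    """Walk the Next Header chain; return 'accept' or 'drop:<reason>'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop:not-ipv6"
    next_header, offset = packet[6], 40
    for _ in range(MAX_EXT_HEADERS + 1):
        if next_header not in EXTENSION_HEADERS:
            return "accept"  # reached the upper-layer protocol
        if offset + 8 > len(packet):
            return "drop:truncated"
        following, ext_len = packet[offset], packet[offset + 1]
        if next_header == ROUTING:
            routing_type, segments_left = packet[offset + 2], packet[offset + 3]
            # RFC 5095: a Type 0 Routing header with segments left is discarded.
            if routing_type == 0 and segments_left > 0:
                return "drop:rh0"
        if next_header == FRAGMENT:
            size = 8                  # fixed-size header
        elif next_header == AUTH:
            size = (ext_len + 2) * 4  # AH length is counted in 4-byte words
        else:
            size = (ext_len + 1) * 8  # RFC 8200: 8-byte units after the first 8
        offset += size
        next_header = following
    return "drop:chain-too-long"  # more than MAX_EXT_HEADERS extension headers


def constructed_packet(next_header: int, payload: bytes) -> bytes:
    """Constructed sample: fixed header using 2001:db8::/32 documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload


# Constructed payload pieces (17 = UDP as the upper-layer protocol).
UDP = bytes(8)
RH0 = bytes([17, 2, 0, 1]) + bytes(4) + ipaddress.IPv6Address("2001:db8::3").packed
DEST = bytes([17, 0]) + bytes(6)      # empty Destination Options header
DEST_CHAINED = bytes([60, 0]) + bytes(6)
```
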
The Attack and Defense Situation in IPv6 Has Changed
IPv6 provides a massive number of IP addresses, allowing an Internet Data Center (IDC) to apply for many available CIDR blocks. In this situation, defense algorithms that rely on request-based throttling of individual source IP addresses no longer work.
It is more difficult to prevent application-layer DDoS attacks, such as HTTP flooding, malicious ticket brushing, and crawlers. Hackers may intrude into Internet-connected smart devices, such as self-driving vehicles, Internet of Things (IoT) devices, and mobile terminals, and turn them into zombies for launching DDoS attacks. This may result in massive attack packets.
DDoS attacks are usually for commercial interests. According to the cybersecurity report for the first half of 2018 released by Alibaba Cloud, DDoS attacks often aim at highly competitive fields such as games, mobile apps, and e-commerce.
As enterprises migrate their services to IPv6, DDoS attacks under IPv6 may be effective and easy initially because many enterprises are not ready to defend against IPv6 DDoS attacks.
In such a situation, IPv6 DDoS attacks may spread and become a pain point for many enterprises.
Best Practices of IPv6 DDoS Defense by Alibaba Cloud
Challenges and Changes
Let’s take a look at some new challenges and changes concerning IPv6.
- Networks and DDoS defense systems must be transformed or even redeveloped to support IPv6. Many enterprises with mature IPv4 networks must replace devices and redevelop systems for their networks and servers to support IPv6 and its security features. Some enterprises hope for carriers to provide a smooth transition solution, but carriers will only transform and upgrade within their network boundaries. Enterprises must transform and upgrade by themselves to support IPv6.
- The total number of IPv6 addresses is 2^96 times that of IPv4 addresses. More powerful processing performance is required to defend against attacks that are launched by using massive numbers of IP addresses.
- The carrier-level IPv6 black hole capability is required to prevent high-traffic DDoS attacks.
- Defense algorithms and modes must meet the new challenges of IPv6.
- The IPv6 security capability is required to protect services that are switched to IPv6 networks.
IPv6 Implementation by Alibaba Cloud
Alibaba Cloud implements IPv6 security in the following aspects.
1. Redevelop Systems to Support IPv4+IPv6 Dual-stack Automatic DDoS Protection
a. Traffic Monitoring and Alert System
The traffic monitoring and alert system must support both IPv6 and IPv4 and monitor dual-stack traffic. To cope with the massive number of IPv6 addresses, Alibaba Cloud DDoS Protection uses a distributed cluster architecture to distribute traffic to clusters for collaborative computing, and collects statistics on traffic metrics to detect abnormal traffic in seconds.
b. Scheduling System
The scheduling system is upgraded to support dual-stack, automatically determine the IP address type, and enable the appropriate defense mode and traffic scrubbing algorithm.
c. Traffic Scrubbing System
Alibaba Cloud redesigns and deploys the traffic redirection, reinjection, and scrubbing systems, and develops an IPv6-specific traffic scrubbing algorithm.
2. Provide Carrier-Level Black Hole Capability
Bandwidth congestion occurs when massive attack traffic is initiated by an IPv4 or IPv6 address. All the services of an IDC or a cloud service provider may become unavailable due to an attack aimed at a single IP address. This is a disastrous situation. Compared with IPv4, IPv6 networks are exposed to a higher threat of attack-caused bandwidth congestion at the early stage of bandwidth development. Alibaba Cloud and major Internet service providers (ISPs) establish an IPv6 black hole linkage capability to discard traffic that exceeds the black hole threshold on carriers’ IPv6 backbone networks and provide a secure cloud environment.
3. Upgrade the Protection Mode
a. Prefix-Level Defense Algorithm
The massive IP addresses that may be requested by an IDC belong to a limited number of CIDR blocks. Even though an attacker can exploit massive IP addresses, the zombie IP addresses in the same IDC are relatively concentrated in certain CIDR blocks. An effective measure to mitigate the impact of massive IPv6 addresses is collecting analytical statistics on CIDR blocks.
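The following added example (written for this page, not Alibaba Cloud's algorithm) illustrates prefix-level statistics on a constructed one-second window: every source stays under a per-address limit, yet aggregating by /64, /56, and /48 exposes the concentrated blocks. The thresholds, prefix levels, and function names are assumptions, and the sample mirrors the 10,000-address scenario described later in the article.

```python
import ipaddress
from collections import Counter

PER_IP_LIMIT = 20       # assumed requests/second allowed per source address
PER_PREFIX_LIMIT = 500  # assumed requests/second allowed per aggregated prefix


def to_prefix(addr: str, length: int) -> str:
    """Mask an IPv6 address down to its covering prefix, e.g. a /64."""
    shift = 128 - length
    network = (int(ipaddress.IPv6Address(addr)) >> shift) << shift
    return f"{ipaddress.IPv6Address(network)}/{length}"


def hot_sources(sources, limit=PER_IP_LIMIT):
    """Classic per-address throttling: sources whose own count exceeds limit."""
    return sorted(a for a, n in Counter(sources).items() if n > limit)


def hot_prefixes(sources, limit=PER_PREFIX_LIMIT, levels=(64, 56, 48)):
    """Most specific prefixes whose aggregate request count exceeds limit."""
    remaining = Counter(sources)
    flagged = []
    for length in levels:  # narrowest first, so wide blocks are a last resort
        totals = Counter()
        for addr, n in remaining.items():
            totals[to_prefix(addr, length)] += n
        hot = {p for p, n in totals.items() if n > limit}
        flagged.extend(sorted(hot))
        # Traffic already explained by a flagged prefix is not counted again.
        remaining = Counter({a: n for a, n in remaining.items()
                             if to_prefix(a, length) not in hot})
    return flagged


def constructed_window():
    """Constructed one-second sample using the 2001:db8::/32 documentation range."""
    one_subnet = [f"2001:db8:aaaa:1::{i:x}" for i in range(1, 10001)]
    spread = [f"2001:db8:bbbb:{s * 256:x}::{h:x}"
              for s in range(200) for h in range(1, 11)]
    normal = [f"2001:db8:{c:x}::1" for c in range(1, 51)] * 3
    return one_subnet + spread + normal


if __name__ == "__main__":
    window = constructed_window()
    print("per-address flags:", hot_sources(window))
    print("per-prefix flags:", hot_prefixes(window))
```

Because a flagged /48 can also contain legitimate clients, a prefix flag is better used to trigger closer inspection or a challenge for that block than as a blanket drop.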
b. Collaborative Defense
For traditional IDCs and independent security devices, it is difficult to determine whether the traffic from an IP address is an attack or normal access and whether the IP address is subjected to network address translation (NAT) or located at a campus egress if most metrics of this IP address are normal. This further reduces the possibility of identifying attacks that exploit massive IPv6 addresses. However, for cost and efficiency considerations, attackers tend to use one IP address to attack more than one victim. For example, the IP address in the format X.X.X.X may be used to launch a challenge collapsar (CC) attack against Server B after launching a DDoS attack against Server A.
Under the scale effect, Alibaba Cloud simultaneously protects massive numbers of IP addresses and analyzes all scrubbed data online. This helps identify attacks based on the behavior of a single IP address and allows all tenants to collaborate in their defense and share threat intelligence.
c. Intelligent, Deep Defense
It is difficult to prevent application-layer DDoS attacks through throttling. Under IPv6, an attacker can obtain 10,000 IP addresses at a low cost and initiate one request from every IP address per second to bring down a website even if the website supports 10,000 queries per second (QPS). Therefore, IPv6 application-layer DDoS attacks must be prevented by advanced bot identification technologies and countermeasures. Alibaba Cloud applies a series of bot countermeasures to web application firewalls (WAFs).
It is recommended that ISPs build IPv6 services by using cloud services, instead of using the costly method to redevelop and upgrade systems to support IPv6.
Currently, many Alibaba Cloud products support IPv6 and provide IPv6 DDoS protection as software as a service (SaaS), helping enterprises build higher levels of defense capabilities in 1 second.