Attackers Can Use IPv6 to Launch Man-in-the-Middle Attacks
Organizations face several information security challenges as they transition from IPv4 to IPv6, according to security experts. The difficulties are compounded by the fact that some attackers are using the IPv6 address space to sneak attacks onto IPv4 networks.
Even though the transition to IPv6 has been notoriously slow amongst organizations, many cyber-criminals have already made the switch, James Lyne, director of technology strategy at Sophos, told eWEEK. Many scammers are pushing out spam over the IPv6 infrastructure and taking advantage of misconfigured firewalls.
Many modern firewalls are configured by default to just let IPv6 traffic pass through, Lyne said. Organizations not interested in IPv6 traffic should be setting up rules to explicitly block IPv6 packets, according to Lyne. IT managers need "to know how to talk IPv6" so they can write appropriate rules to handle the protocol correctly, he said.
"From an industry standpoint, we are selling IPv6 wrong," Lyne said, noting there has been little discussion about how the protocol's built-in features help increase privacy. Instead, the general perception of IPv6 as being hard to implement or confusing has made organizations vulnerable to potential attacks.
As a general rule, IPv4 and IPv6 networks operate in parallel. Computers with the legacy IPv4 addresses can't access servers and Websites operating on the newer IPv6 address space. With the near-exhaustion of IPv4 addresses, organizations are being encouraged to switch over to IPv6 or be unable to get newer IP addresses. The Asia Pacific Network Information Center, the registration Internet registry responsible for assigning IP addresses to the Asia-Pacific region, recently announced that all new requests will be assigned IPv6 addresses.
A security researcher has recently identified a scenario in which attackers could launch man-in-the-middle attacks over an IPv6 network. Attackers would overlay a "parasitic" IPv6 network on top of the targeted IPv4 network to intercept Internet traffic, Alec Waters, a security researcher for InfoSec Institute, wrote on the institute's blog on April 4. His proof-of-concept attack considered only Windows 7 systems, but would also work on Windows Vista, Windows 2008 Server and any operating system with IPv6 enabled by default, Waters said.
For the attack to succeed, the attacker would need to gain physical access to the targeted network long enough to connect an IPv6 router, according to Waters. In the case of a corporate network, the attacker would need to connect the IPv6 router to the existing IP4 hub, but for a public WiFi hotspot, it may be as simple as dropping an IPv6 router to piggyback on the wireless signal.
The rogue IPv6 router would automatically create new IPv6 addresses using fake router advertisements for all the IPv6-enabled machines on the network.
Router advertisements act like DHCP (Dynamic Host Configuration Protocol) for IPv6 addresses, as it provides a pool of addresses that a host can pick up, according to Johannes Ullrich, chief research officer at SANS Institute. Machines can become IPv6-ready without the user or IT manager knowing.
Even though the system already has an IPv4 address assigned by the enterprise, it gets shuffled onto the IPv6 network because of the way the operating system handles IPv6. Modern operating systems default to IPv6 as the preferred connection by design if the machine has both IPv6 and IPv4 addresses assigned, according to Lyne.
Since the IPv6 systems can't communicate with the enterprise's actual IPv4 router, the systems have to go through the malicious router, Waters said. Attackers can then use a tunnel to translate IPv6 addresses to IPv4, such as NAT-PT, he said. NAT-PT is an experimental IPv4-to-IPv6-transition mechanism, but it's not a widely supported mechanism because of its many issues.
"Just because it's an obsolete mess doesn't mean it can't be useful," Waters said.
With NAT-PT, machines with IPv6 addresses access the IPv4 Internet through the malicious router, giving attackers full visibility in their Internet activity, he said.
The severity of the attack is under dispute, according to Jack Koziol, a senior instructor and security program manager at InfoSec Institute. According to the vulnerability listing on the Common Vulnerabilities and Exposures list (maintained by MITRE), "it can be argued that preferring IPv6 complies with RFC 3484 [the IPv6 protocol], and that attempting to determine the legitimacy of an RA is currently outside the scope of recommended behavior of host operating systems."
Organizations that don't need IPv6 or haven't made the transition yet should turn off IPv6 on all systems, according to Ullrich. Otherwise, the organization should "monitor and defend it like IPv4," Ullrich said.