|
Here we are, half-way through this list of the top 10 IPv6 security myths! Welcome to myth #6. Since IPv6 is just now being deployed at any real scale on true production networks, some may think that the attackers have yet to catch up. As we learned in Myth #2, IPv6 was actually designed starting 15-20 years ago. While it didn’t see widespread commercial adoption until the last several years, there has been plenty of time to develop at least a couple suites of test/attack tools.
Myth: IPv6 is too New to be Attacked
Reality: Tools are Already Available
The first toolkit I learned about is THC-IPv6 (THC stands for The Hackers Choice). Originally released in 2005, the current version 2.5 was published just this past summer (2014-06-02). THC-IPv6 is, according to it’s own website, “A complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy to use packet factory library.” This publicly available toolkit includes:
That’s fairly comprehensive from what I can tell!
The other IPv6 toolkit I am currently aware of is from SI6 Networks: “The SI6 Networks’ IPv6 toolkit is a set of IPv6 security assessment and trouble-shooting tools. It can be leveraged to perform security assessments of IPv6 networks, assess the resiliency of IPv6 devices by performing real-world attacks against them, and to trouble-shoot IPv6 networking problems. The tools comprising the toolkit range from packet-crafting tools to send arbitrary Neighbor Discovery packets to the most comprehensive IPv6 network scanning tool out there (our scan6 tool).” This toolkit includes:
What should be clear now is that IPv6 is not safe from attack based on a lack of tools. The understanding and “equipment” necessary is readily available to any potentially nefarious folks. Luckily these tools are also available to you and your security team, to test and harden your own network before the attackers show up!
Another aspect of a device, technology, or protocol being too new to attack is knowledge of bugs and vulnerabilities. Having tools to probe for deployment weaknesses is great but if you can jump right to a software bug all the better, right?
Myth: IPv6 is too New to be Attacked
Reality: Bugs and Vulnerabilities are Published
The fact is that folks are paying attention to IPv6, now more than ever. This means that you can’t rely on any type of security through obscurity. Hardware and software bugs and other vulnerabilities are well known and widely published.
One of my favorite sites to keep track of such bugs and vulnerabilities is securityfocus.com. An easy way to pull a list of IPv6 specific vulnerabilities is to search for: “securityfocus.com inurl:bid ipv6”
The bottom line is that while IPv6 may be new to you or your organization, it’s not new to those who may want to attack your network. They have the tools and knowledge they need, so be sure that you do as well. I sincerely hope that this series of posts on IPv6 security is your first step in acquiring that knowledge—be sure to check out all the posts so far, and stay tuned for the next 4 installments!
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byCSC
Sponsored byVerisign
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byDNIB.com