DDOS attacks in an IPv6 World
Tom Paseka
HKNOG 1.0
September 2014
Who are we?
How does CloudFlare Work?
CloudFlare works at the network level.
• Once a website is part of the CloudFlare community, its web traffic is routed through CloudFlare’s global network of 24 (and growing) data centers.
• At each edge node, CloudFlare manages DNS, caching, bot filtering, web content optimization and third party app installations.
IPv6 Gateway
With the Internet's explosive growth and the number of on-net devices closing in on IPv4's maximum capacity, CloudFlare now offers an automatic IPv6 gateway seamlessly bridging the IPv4 and IPv6 networks.
• For most businesses, upgrading to the IPv6 protocol is costly and time consuming.
• CloudFlare’s solution requires NO hardware, software, or other infrastructure changes by the site owner or hosting provider.
• Enabled via the flip of a switch on the site owner’s CloudFlare dashboard.
• Users can choose two options: (FULL) which will enable IPv6 on all subdomains that are CloudFlare Enabled, or (SAFE) which will automatically create specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com).
DDoS Overview
• Purpose of a DDoS is to overwhelm an internet resource, to take it offline
• This can be:
  • Volumetric (eg. High Gbps, High PPS or SYN Flooding): to overwhelm infrastructure to the website / resource.
    SYN floods overwhelm the
  • Application based (eg. Excessive HTTP POST or search): to overwhelm the application or server.
• A website suddenly becoming very popular can also be like a DDoS
DDoS Overview
• Growing trend
• Increasing in size all the time
• Now regularly attacks are greater than 400Gbps+
Source: http://www.arbornetworks.com/images/PeakDDoSAttack_rev2.jpg
DDoS Overview
• Large scale DDoS is a common occurrence.
• Used for extortion, even for relatively low amounts (US$500 and below).
• Online services are available for the purchase of DDoS
  • Known as ‘Booters’
  • A large part of their purpose is to kick competitors off online games so they forfeit the game
  • Free trials are often available for ‘Booters’ too!
So, what’s this got to do with IPv6?
Nothing?
Or maybe a lot?
So, what’s this got to do with IPv6?
Aged tools without IPv6 support:
[Figure: NetFlow (v5) output and interface (SNMP) graph, with no IPv6 data shown]
So, what’s this got to do with IPv6?
[edit protocols bgp group ROUTESERVER neighbor]
tom@edge01.syd01# set family inet f?
Possible completions:
> flow
Include flow NLRI
[edit protocols bgp group ROUTESERVER neighbor]
tom@edge01.syd01# set family inet6 f?
No valid completions
So, what’s this got to do with IPv6?
• Without supporting systems, many things may be impeded:
  • Ability to identify attacks:
    No NetFlow data?
  • Ability to filter the attacks:
    IP Tables support? (ip6tables)
    IP ACL / Access-lists
    BGP FlowSpec
    Remotely Triggered Black Holing
So, what’s this got to do with IPv6?
• So, is this IPv6’s fault?
• Looking at the vendors in the room.
• Why is any product released without FULL IPv6 support today?
So, what’s this got to do with IPv6?
• A lot of IPv6 deployments feel like “best effort”
• Best effort doesn’t cut it under big attacks and with security
• We all still have a long way to come.
IPv6 Attacks in the Wild
• For the most part, in our experience, they’re the same as IPv4 based attacks.
• Typically, attack scope is smaller, due to the much smaller number of IPv6 hosts on the internet
  • Not true for all attacks
IPv6 Attacks in the Wild
• DNS cache-busted query attacks.
• Not only an IPv6 attack, but interesting because of how it came in over IPv6.
• Botnet bots query through their normally configured recursors, using random strings which aren’t cacheable
IPv6 Attacks in the Wild
Queries look like this:
ebepexklyfaxmloh.www.popvote.hk
ktylstudkr.www.popvote.hk
ohunarajmbkrej.www.popvote.hk
wwtdheilzcv.www.popvote.hk
zktvvotoyrewaku.www.popvote.hk
…….
khyhavsnijslyb.www.popvote.hk
gchjpexychflvfv.api-token.popvote.hk
ruqnpvp.api-token.popvote.hk
fapzefvgowzonss.api-token.popvote.hk
mcvhothfketpgre.api-token.popvote.hk
IPv6 Attacks in the Wild
• We see about an equal break down between normal DNS traffic and attack DNS traffic with IPv4 and IPv6
• Often in ISP networks, the first thing IPv6 is enabled on is their own infrastructure, eg: DNS servers
• When infrastructure is dual stacked, the abuse will follow!
$ host tom.ns.cloudflare.com
tom.ns.cloudflare.com has address 173.245.59.147
tom.ns.cloudflare.com has IPv6 address 2400:cb00:2049:1::adf5:3b93
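To make the cache-busting pattern from the query list above, and the IPv4/IPv6 break down of the abusive queries, concrete, here is an added detection example that is not part of the original deck: it groups queries by parent name, flags parents whose leftmost labels are almost all unique (random, uncacheable strings), and counts the flagged queries per address family. The log format and client addresses are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample DNS query log, "<client_ip> <qname>" per line (not real data;
# the random-label names mirror the queries shown in the slides).
SAMPLE_LOG = """\
2001:db8::10 ebepexklyfaxmloh.www.popvote.hk
198.51.100.7 ktylstudkr.www.popvote.hk
2001:db8::11 ohunarajmbkrej.www.popvote.hk
198.51.100.7 wwtdheilzcv.www.popvote.hk
2001:db8::12 zktvvotoyrewaku.www.popvote.hk
198.51.100.8 gchjpexychflvfv.api-token.popvote.hk
2001:db8::13 ruqnpvp.api-token.popvote.hk
198.51.100.9 fapzefvgowzonss.api-token.popvote.hk
2001:db8::14 mcvhothfketpgre.api-token.popvote.hk
198.51.100.9 www.popvote.hk
2001:db8::13 www.popvote.hk
198.51.100.9 mail.popvote.hk
"""

def parse_log(text):
    """Yield (address_family, qname) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            family = "IPv%d" % ip_address(parts[0]).version
        except ValueError:
            continue
        yield family, parts[1].lower().rstrip(".")

def find_cache_busting(text, min_distinct=4, min_ratio=0.8):
    """Flag parent names whose queries carry (almost) all-unique leftmost labels.
    Returns {parent: {"queries", "distinct", "IPv4", "IPv6"}} for flagged parents."""
    by_parent = defaultdict(lambda: {"queries": 0, "labels": set(), "IPv4": 0, "IPv6": 0})
    for family, qname in parse_log(text):
        first, _, parent = qname.partition(".")
        if not parent:
            continue
        rec = by_parent[parent]
        rec["queries"] += 1
        rec["labels"].add(first)
        rec[family] += 1
    flagged = {}
    for parent, rec in by_parent.items():
        distinct = len(rec["labels"])
        if distinct >= min_distinct and distinct / rec["queries"] >= min_ratio:
            flagged[parent] = {"queries": rec["queries"], "distinct": distinct,
                               "IPv4": rec["IPv4"], "IPv6": rec["IPv6"]}
    return flagged
```

Legitimate names such as www.popvote.hk are not flagged because their parent (popvote.hk) sees only a few repeated labels; the thresholds are a starting point and should be tuned against the zone's normal query mix.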
IPv6 Attacks in the Wild
• These attacks are very effective
• Attacks growing past 100M PPS (packets per second)
• With the prior ratio of IPv6 traffic
• That’s ~20M PPS of IPv6 traffic
IPv6 Attacks in the Wild
• About the same amount of IPv6 PPS going across the AMS-IX Internet exchange!
IPv6 Attacks in the Wild
• IPv6 SYN Floods (and other flooding based attacks)
• Botnet sends commands/attacks to direct traffic towards a hostname, eg: example.com
$ host example.com
example.com has address 93.184.216.119
example.com has IPv6 address 2606:2800:220:6d:26bf:1447:1097:aa7
IPv6 Attacks in the Wild
• The botnet master may not intend to send traffic towards IPv6 hosts
• But bots inside the botnet see the AAAA record and send traffic that way
  • IPv6 preferred selection.
IPv6 Attacks in the Wild
Aged tools without IPv6 support:
[Figure: NetFlow (v5) output and interface (SNMP) graph, with no IPv6 data shown]
IPv6 Attacks in the Wild
Is all of this interesting?
IPv6 Attacks in the Wild
• Shows IPv6 adoption is growing, not just in users’ networks, but other parts of the internet.
• Expands the scope of where IPv6 attacks can come in
• Helps change the IPv4 only mindset
Moving Forward
• We’re making sure IPv6 is enabled for everyone
• Previously, we had IPv6 as an option; now it’s default on and enabled for all our customers
Moving Forward
• This is just the tip of the iceberg
• Nothing over IPv6 has been that unique yet
• Most attacks are still directed at an IP (IPv4) Address
• Most sophisticated are still IPv4 only
• Who knows what is coming next?
Moving Forward
• Unless we can see what’s happening now
• We can’t know what to expect going forward
• Except that if you’re not prepared with the same principles in IPv4 security, IPv6 will byte you.
• Once you’ve reached equality in IPv4 and IPv6, the issues of IPv4 v. IPv6 in attacks is moot.
Questions?
Thank You!