(Translated from the original Italian)
The day has come when network service providers are reporting the first IPv6 distributed denial-of-service (DDoS) attacks, and the event is extremely significant from a security point of view.
The news has been reported in Arbor Networks' 7th Annual Worldwide Infrastructure Security Report.
Although IPv6 DDoS attacks remain relatively rare, the news should alert the worldwide community to the incoming threat. DDoS attacks have been used extensively in the protest operations carried out by several hacktivist groups over the last few years.
The phenomenon has grown continuously and is difficult to stem; in fact, experts at the major security firms believe that ideological and political motivations have become the principal driver behind DDoS attacks.
The switchover from the existing IPv4 address protocol to IPv6 will give attackers a great opportunity. With the introduction of the protocol a huge quantity of new Internet addresses becomes available, and those addresses could be used as sources for DDoS attacks.
Attacks based on IPv6 will benefit from the switchover because identifying and blocking the addresses involved becomes harder, while the pool of addresses available to an offender is amplified enormously. Consider also the context in which we operate: the migration between protocols is an event that must be taken into account and for which companies and governments must be prepared.
The fact that DDoS attacks over IPv6 are not yet widespread is a clear indication that the protocol itself is still not widespread, but it will surely attract increasing attention from cyber criminals and governments:
"There is a strong correlation between the economic significance of a given technology and criminal activity taking advantage of said technology."
Consider also that IPv6 network traffic may still be unmonitored, masking the real threats on IPv6 networks. Network devices such as firewalls, IPS and load balancers continue to suffer under DDoS attacks.
How to mitigate DDoS attacks?
The most widely used DDoS attack mitigation tools are expected to be:
- Access control lists (ACL)
- Intelligent DDoS mitigation systems (IDMS)
- Destination-based remote triggered blackhole (D/RTBH), a filtering technique that drops undesirable traffic before it enters a protected network
- Source-based remote triggered blackhole (S/RTBH), a technique that allows an ISP to stop malicious traffic on the basis of the source address it comes from
- FlowSpec
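As an added illustration (not part of the original article, nor code from Arbor Networks), the following Python simulation contrasts a per-address ACL, D/RTBH, S/RTBH and a FlowSpec-style rule on a constructed IPv6 traffic sample. It also shows the point made earlier about the IPv6 address space: an attacker that rotates hosts inside a single /64 outruns any list of individual addresses, so source-based blocking has to aggregate to a prefix. Every address, prefix and port number is made up from the RFC 3849 documentation range 2001:db8::/32, and the victim server, attacker /64 and customer /64 are assumptions of this example.

```python
"""Added illustration (not from the original article or from Arbor Networks): a toy
packet filter that contrasts the mitigation techniques listed above on a constructed
IPv6 traffic sample. Every prefix, address and port here is made up, drawn from the
RFC 3849 documentation range 2001:db8::/32."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable

VICTIM = ipaddress.ip_address("2001:db8:1::80")         # constructed: web server under attack
ATTACK_NET = ipaddress.ip_network("2001:db8:bad::/64")  # constructed: attacker rotates hosts inside this /64
CLIENT_NET = ipaddress.ip_network("2001:db8:c::/64")    # constructed: legitimate customers


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    pkts: int


def constructed_sample() -> list[Flow]:
    """Constructed traffic: a UDP/53 flood from 100 distinct hosts in the attacker's /64
    (1,000 packets each) plus five legitimate TCP/443 sessions from customers (10 packets each)."""
    flood = [Flow(str(ATTACK_NET[i]), str(VICTIM), "udp", 53, 1000) for i in range(1, 101)]
    legit = [Flow(str(CLIENT_NET[i]), str(VICTIM), "tcp", 443, 10) for i in range(1, 6)]
    return flood + legit


DropRule = Callable[[Flow], bool]


def acl_exact_sources(blocklist: Iterable[str]) -> DropRule:
    """Classic ACL: one entry per /128 source address. Only hosts already on the list are
    dropped, so an attacker who rotates through the 2**64 hosts of a /64 stays ahead of it."""
    blocked = {ipaddress.ip_address(a) for a in blocklist}
    return lambda f: ipaddress.ip_address(f.src) in blocked


def d_rtbh(victim: ipaddress.IPv6Address) -> DropRule:
    """D/RTBH: the victim's address is announced with the blackhole next hop, so the edge
    discards EVERYTHING destined to it. The flood stops reaching the network, but so do
    the customers: the defender completes the denial of service for that one host."""
    return lambda f: ipaddress.ip_address(f.dst) == victim


def s_rtbh(prefixes: Iterable[str]) -> DropRule:
    """S/RTBH: drop by SOURCE prefix (in practice a blackhole route plus loose-mode uRPF).
    Aggregating the rotating hosts to their /64 stops the whole flood while customers pass."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return lambda f: any(ipaddress.ip_address(f.src) in n for n in nets)


def flowspec(dst: ipaddress.IPv6Address, proto: str, dport: int) -> DropRule:
    """FlowSpec-style rule: match several header fields at once, so only the offending
    (destination, protocol, port) tuple is discarded and TCP/443 to the same server survives."""
    return lambda f: ipaddress.ip_address(f.dst) == dst and f.proto == proto and f.dport == dport


def run(flows: Iterable[Flow], drop: DropRule) -> dict[str, int]:
    """Apply a drop rule to every flow and count packets by ground truth (attack vs. legit)
    and verdict. The rule itself never sees the ground-truth label."""
    stats = Counter({"attack_dropped": 0, "attack_forwarded": 0,
                     "legit_dropped": 0, "legit_forwarded": 0})
    for f in flows:
        truth = "attack" if ipaddress.ip_address(f.src) in ATTACK_NET else "legit"
        verdict = "dropped" if drop(f) else "forwarded"
        stats[f"{truth}_{verdict}"] += f.pkts
    return dict(stats)


def compare() -> dict[str, dict[str, int]]:
    """Run all four techniques against the same sample. The ACL is seeded with the first
    ten attacking hosts, as if an operator had blocked the sources seen in an early capture."""
    flows = constructed_sample()
    first_ten = [str(ATTACK_NET[i]) for i in range(1, 11)]
    return {
        "acl": run(flows, acl_exact_sources(first_ten)),
        "d_rtbh": run(flows, d_rtbh(VICTIM)),
        "s_rtbh": run(flows, s_rtbh([str(ATTACK_NET)])),
        "flowspec": run(flows, flowspec(VICTIM, "udp", 53)),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:9s} {stats}")
```

Running it shows the trade-off each technique makes: the ACL stops only the 10 % of the flood it already knows about, D/RTBH stops the whole flood but also drops every customer packet, while S/RTBH on the aggregated /64 and the multi-field FlowSpec rule both stop the flood and let the TCP/443 sessions through. The IDMS entry in the list has no counterpart here, since it stands for a commercial scrubbing appliance rather than a single filtering rule.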
DDoS attacks are also used in warfare to conduct cyber operations against enemy governments. Groups of hackers attack strategic targets with the intent of rendering unusable the services provided by agencies and institutions.
It happened earlier this year, when Israel was the victim of a true escalation in cyber warfare: unidentified attackers pulled down two principal national web sites, those of the Tel Aviv Stock Exchange and of El Al, the national airline.
The attackers used a DDoS attack to saturate the servers' resources in a short period, making the websites inaccessible. The services were restored within a few hours, but unfortunately defending against such attacks is not easy, even though the offensive did not come unexpectedly.
DDoS attacks are even more dangerous when used in conjunction with other types of offensive measures. They can serve as a diversionary strategy to distract the opposing defenses from the attackers' real intent.
This type of attack is simple to mount and therefore likely to be among the main cyber threats in the short and medium term, and the spread of the IPv6 protocol could bring a qualitative leap in the offensive capabilities of this dangerous technique.
Cross-posted from Security Affairs