IPv6 attack vectors (was: Re: IPv6 Firewall on CPEs - Default on or off)

Benedikt Stockebrand me at benedikt-stockebrand.de
Mon Dec 10 11:54:50 CET 2012 

Hi Merike and list,

Merike Kaeo <merike at doubleshotsecurity.com> writes:

> 4. I really am wary about arguments where 'we have not seen an IPv6
> attack so there is no need to worry' - it's a matter of time.

since you mention it and I frequently have to deal with this kind of
discussion, let me elaborate a bit, especially for those of you who
have to face this kind of discussion with their bosses.


Aside from malicious script kiddies, who hack machines just to boost
their ego, today we are facing a rather significant fraction of
attacks by professionals who are simply after the quick---and
preferably tax-free---money.  These are business people in the worst
possible sense, trying to make as much money with as little effort as
they can get away with.

Right now IPv6 connectivity is rare, and still mostly used by people
who are above average network savvy.  In money terms, trying to attack
them takes above-average effort and provides below-average yield.

This is going to change as soon as IPv6 becomes widely available.  At
some point attacks against IPv6 are economically more interesting than
those against IPv4.  When this happens the IT crime industry will
quickly shift their focus from IPv4 to IPv6.  This effect is highly
non-linear and abrupt, and in consequence difficult to predict.

What we _can_ predict is that professional attackers will go for
whatever attack path they consider the most lucrative.  They haven't
stuck with UUCP, SNA, AppleTalk or IPX; they won't stick with IPv4
either.

So please, don't reason that we don't have to worry about IPv6 based
attacks because we don't see a significant number in the wild today.
That attitude can only lead to ugly surprises of massive and highly
successful attacks, followed by severe embarrassment and the all to
common quick patch-up "solutions" that won't last.


Cheers, and have a nice week everybody,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/

More information about the ipv6-ops mailing list