Tag Archive: DDoS


IPv6 Challenges


There’s been a lot of discussion about the advantages of IPv6 in the press in recent months, focusing mainly on the huge increase in address space that a migration will give. But there are other features of IPv6 that are both a boon for the individual user and a headache for an IT department. Like many things, it’s a bit of a double-edged sword, one that cannot be ignored indefinitely.

The wonders of IPv4

IPv4 is one version of the “Internet Protocol”, an integral part of TCP/IP, which was developed in the mid-1970s as a set of scalable communications protocols. The intention was to keep it as simple as possible, allowing any type of equipment with the right protocol stack installed to communicate with any other device, regardless of what those devices were. In those days, four billion addresses seemed like “enough”.

One consequence of this design strategy was that no provision was made for security: networks were unencrypted, there was no authentication, and there were any number of potential ways of attacking a victim. To be fair, in those days, people had a very different attitude to these networks; it was never envisaged that anyone would want to attack someone else. It just wasn’t “the done thing”.

Fast forward 30 years and a number of things have happened: an explosion in the number of devices connecting to the Internet, malicious software, Denial of Service attacks holding on-line companies hostage and the fear of being snooped on by anyone who has access to your data connection (anyone from the Government to Phorm).

The problem of a fast-shrinking available address space was identified and, to some extent, mitigated by Network Address Translation (NAT), which allows organisations to use the reserved IPv4 address ranges (192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8) internally and only a limited number of properly routable addresses on the Internet, effectively hiding the machines on their internal networks; all consumer equipment these days is configured to use NAT.

IPv6 – a new era

In 1998, the IETF published RFC 2460, which specified IPv6 and included a number of features not found in IPv4:

  • a vastly increased address space: IPv4 has a total of 4,294,967,296 addresses, while IPv6 has 2^128 (approximately 340 undecillion, or 3.4×10^38), which amounts to roughly 5×10^28 addresses for each of the 6.8 billion people alive in 2010 (figures taken from Wikipedia)
  • integration of IPsec, including packet authentication and encryption
  • stateless address autoconfiguration

These are real advances over IPv4. However, there are some things that companies do routinely that may become a whole lot more complicated:

Penetration testing: LSE, for example, has been allocated an IPv6 address space containing more addresses than the whole of IPv4. The time needed to scan a space of this size exhaustively is enormous.
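The scanning point above, and the address-space figures in the list, can be put into numbers. The following Python script is an added example (not code from the original post, and not LSE’s own tooling): it uses the standard-library ipaddress module to compare the size of the IPv4 space with an example IPv6 allocation, estimate how long an exhaustive sweep of each would take at a fixed probe rate, and classify IPv4 addresses against the three RFC 1918 ranges mentioned earlier. The /48 prefix (drawn from the 2001:db8::/32 documentation range), the probe rate of one million probes per second and the 6.8 billion population figure are assumptions made for the illustration; the post does not state LSE’s actual prefix.

```python
import ipaddress

# Assumed probe rate for the comparison: one million probes per second from a
# single scanner. This is a constructed figure, not one stated in the post.
PROBES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60
WORLD_POPULATION_2010 = 6_800_000_000  # the 6.8 billion figure quoted in the post

# Constructed example allocation using the IPv6 documentation prefix (RFC 3849).
# A /48 is a typical organisational allocation; the post does not give LSE's real prefix.
EXAMPLE_ORG_PREFIX = "2001:db8::/48"

# The three RFC 1918 ranges the post lists as reserved for internal use behind NAT.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def address_count(prefix: str) -> int:
    """Number of addresses in an IPv4 or IPv6 CIDR prefix."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def addresses_per_person(prefix: str, population: int = WORLD_POPULATION_2010) -> float:
    """Addresses available per person if the whole prefix were shared out evenly."""
    return address_count(prefix) / population


def scan_estimate(prefix: str, probes_per_second: int = PROBES_PER_SECOND) -> dict:
    """Estimate how long an exhaustive sweep of `prefix` would take at a fixed probe rate.

    The estimate is a lower bound: it assumes exactly one probe per address,
    no retries, and no rate limiting anywhere along the path.
    """
    n = address_count(prefix)
    seconds = n / probes_per_second
    return {
        "prefix": prefix,
        "addresses": n,
        "seconds": seconds,
        "years": seconds / SECONDS_PER_YEAR,
        # True when this one prefix is larger than the entire IPv4 address space.
        "exceeds_ipv4_total": n > address_count("0.0.0.0/0"),
    }


def is_rfc1918(address: str) -> bool:
    """True for an IPv4 address inside one of the three RFC 1918 private ranges."""
    addr = ipaddress.ip_address(address)
    if addr.version != 4:
        return False
    return any(addr in net for net in RFC1918_RANGES)


if __name__ == "__main__":
    for prefix in ("0.0.0.0/0", EXAMPLE_ORG_PREFIX, "::/0"):
        est = scan_estimate(prefix)
        print(f"{prefix:>14}: {est['addresses']:.3e} addresses, "
              f"exhaustive sweep ~{est['years']:.3e} years at {PROBES_PER_SECOND} probes/s")
    print(f"IPv6 addresses per person (2010 population): {addresses_per_person('::/0'):.1e}")
    for a in ("10.1.2.3", "172.32.0.1", "8.8.8.8"):
        print(f"{a} in RFC 1918 space: {is_rfc1918(a)}")
```

Run it with python3 and the whole IPv4 space sweeps in a little over an hour at the assumed rate, whereas the example /48 alone takes tens of billions of years. For a defender the lesson is the converse of the pen-tester’s: a space too large to sweep does not make hosts unreachable, so the size of the allocation is no substitute for firewall rules and an accurate inventory of which addresses are actually in use.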

Firewalling: subnetting works differently in IPv6 from IPv4, and there is provision for frequent address changes. In addition, with every outbound connection effectively opening a VPN into an organisation’s network, banned traffic can be transparently tunnelled through a firewall that would otherwise block it.

Deep packet inspection: this becomes very difficult if all packets are encrypted.

Web filtering: again, with packet-layer encryption, how can traffic be inspected before it hits the end device?

SSL has always been difficult to monitor on IPv4 networks: companies that need to inspect this traffic have to simulate a man-in-the-middle attack, terminating the connection from the user’s device and re-establishing a secured connection to the requested resource (e.g. a bank) so that there is a break in the session at which the traffic can be inspected. It’s a messy solution and doesn’t go down well with users. In a full IPv6 world, this type of challenge will be with us every day.

There’s a really great paper on some of these issues here.


So, here’s a question: how much hacktivism should be tolerated?

This cropped up in a discussion with a friend regarding the arrest of the Anonymous members who had taken part in the LOIC attacks against organisations perceived to be against WikiLeaks, including Amazon and PayPal. In the “Real World”, people have a right to demonstrate, get out on a march and wave banners and all the rest, as well as peaceful sit-ins, flashmobs and other acts of disruption. Some members of our society would shudder at rubbing shoulders with thousands of people and would prefer to spend their time in front of a screen.

Are their views any less important than those of the more socially adept? And if not, what outlet do they have to express their views?

From an information security perspective, you have to assume that there are always people out to get you and, if you do a good job, it shouldn’t affect you too much if people start targeting you. However, recent events have shown that Distributed Denial of Service attacks against organisations with very sophisticated infrastructures can be very disruptive.

Should the organisers or participants in online demonstrations be punished more severely than those taking part in equivalent physical demonstrations? How should companies react to them?

Thoughts?


Something that has intrigued me about the Anonymous attacks on those companies/organisations and countries that are perceived to be anti-Wikileaks: the fact that members of the public are voluntarily installing a botnet client and allowing Anonymous to control their machine and direct their resources at will. The tool is called Low Orbit Ion Cannon (LOIC) and is so popular it is now available for iPhone and iPad.

This post isn’t a comment on Wikileaks or on Anonymous, but rather on the fact that there is a big unknown risk in installing something like this on your own computer: it could so easily be hijacked and redirected at another target, one not related to Wikileaks at all, or even be used as a backdoor to install something far worse.

On top of this, it needs to be pointed out that the act of knowingly participating in a Distributed Denial of Service attack is probably illegal in the UK and USA.