IPv6 – Plaything of the vicious

George Egri

Did you know that using IPv6 on your server can completely bypass all your security? On Linux there are separate kernel stacks, and separate mechanisms to filter traffic, for the original IPv4 traffic and for IPv6. The kernel module responsible for this filtering is called ipfilter, and there is another module called ipfilter6 for filtering IPv6 traffic.


The bad news is that whatever rules you have for IPv4, they do nothing against IPv6 traffic. Recently there was a case where BitNinja's general port honeypot module started to catch malicious packets on an interface that had only one IPv4 address, from the private 10.* range. How could that happen? After investigating the case more deeply, we realized that the interface also had a public IPv6 address, so it was reachable from the Internet over IPv6 without any protection.


Is your server vulnerable?

You can easily find out by running this command:

# ip -6 addr

1: lo: mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qlen 1000
inet6 xxxx:xxxx:x:xxxx:6ff:fe9b:3e85/64 scope global dynamic
valid_lft 2591998sec preferred_lft 604798sec
inet6 fe80::64dc:6ff:fe9b:3e85/64 scope link
valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qlen 1000
inet6 fe80::f4d2:e3ff:fe30:f14a/64 scope link
valid_lft forever preferred_lft forever

Only the global scope IPv6 addresses make your server reachable from outside, but it is worth taking a look, as we have seen all the same attacks arriving over IPv6 as over IPv4.

If you don't use IPv6, the safest option is to disable it. To disable IPv6 on your Linux server, run the following as root:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Don't forget to add this line to rc.local so it runs on every boot; the command above only disables IPv6 until the next reboot.
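The check-then-disable procedure above, as an added shell example that is not part of the original post: the script parses the text of `ip -6 addr`, reports only the global-scope addresses (the ones reachable from outside), and emits the sysctl lines that keep IPv6 disabled across reboots instead of relying on rc.local. The `ip -6 addr` output embedded in the script is constructed sample data using a documentation-prefix address, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): audit a host for globally reachable
# IPv6 addresses and show a persistent way to disable IPv6.

# Constructed sample in the format of "ip -6 addr". The 2001:db8::/32 prefix
# is reserved for documentation, so this is not a real host address.
SAMPLE_IP6_OUTPUT='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:1:2:6ff:fe9b:3e85/64 scope global dynamic
       valid_lft 2591998sec preferred_lft 604798sec
    inet6 fe80::64dc:6ff:fe9b:3e85/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 fe80::f4d2:e3ff:fe30:f14a/64 scope link
       valid_lft forever preferred_lft forever'

# global_ipv6_addrs: read "ip -6 addr" text on stdin and print "iface addr"
# for every address with "scope global". Loopback (scope host) and
# link-local (scope link) addresses are skipped because they are not
# reachable from the Internet.
global_ipv6_addrs() {
    awk '
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
        /inet6 / && / scope global/ { print iface, $2 }
    '
}

# count_global_ipv6: number of global-scope IPv6 addresses in the text on stdin.
count_global_ipv6() {
    global_ipv6_addrs | wc -l | tr -d ' '
}

# persistent_disable_snippet: sysctl settings that keep IPv6 off across
# reboots. Drop them into a file under /etc/sysctl.d/ (assumed location,
# the post uses rc.local instead) and apply with "sysctl --system".
# "default" covers interfaces created after boot, "all" the existing ones.
persistent_disable_snippet() {
    printf '%s\n' \
        'net.ipv6.conf.all.disable_ipv6 = 1' \
        'net.ipv6.conf.default.disable_ipv6 = 1'
}

# audit_host: run the check against the live system (needs the ip tool).
audit_host() {
    ip -6 addr 2>/dev/null | global_ipv6_addrs
}

# Demo on the constructed sample: prints the one publicly reachable address.
printf '%s\n' "$SAMPLE_IP6_OUTPUT" | global_ipv6_addrs
```

On a real host, call `audit_host`; an empty result means no global-scope IPv6 address is configured, while any line printed is an address that your IPv4 firewall rules do not protect and that needs either ip6tables rules of its own or the disable setting above.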
