NATO warns of IPv6 security concerns that network intrusion detection systems may miss
IPv6 is currently being rolled out around the world, but IPv6 security concerns continue to pour in. Internet Protocol version 6, or IPv6, is the successor to IPv4. Recently, researchers working for NATO warned that they had found potential attack vectors relating to IPv6 that are undetectable by most widespread network security solutions. In December 2016, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCE) released a paper detailing the research and presenting proofs of concept, titled "Hedgehog in the Fog: Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels".
The researchers showed that it is possible to use IPv6 transition mechanisms to set up data exfiltration channels or even remote system control, and provided proofs of concept for doing so. These IPv6 attacks are not detectable by most network intrusion detection systems (NIDS). In the paper, the CCDCE noted:
“IPv6 and IPv6-based evasion techniques pose a difficult task for network security monitoring. While detection of various transition mechanisms is relatively straightforward, other evasion methods prove more challenging. Additionally, some security solutions do not yet fully support IPv6.”
Namely, NIDS such as Bro, Moloch, Snort, and Suricata were found to be ineffective against the researchers’ proofs of concept.
IPv6 security can’t be left to NIDS
These IPv6 security findings are concerning, to say the least:
“… any reasonably sophisticated method for exfiltrating data will be hard to detect in real-time by existing NIDSs, especially in situations where the data is split into smaller chunks and the resulting pieces use different connections or protocols (e.g. IPv4 and IPv6).”
These proof-of-concept IPv6 attacks work on IPv4-only networks as well as on IPv4/IPv6 dual-stack networks. At this point in time, NIDS such as Bro, Moloch, Snort, and Suricata don't treat IPv6 as the security threat they should, leaving users to fall back on blunter forms of IPv6 security, such as disabling it entirely.
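As an added illustration that is not code from the article or from the CCDCE paper, the following Python script scans a constructed set of IPv4 packets for the two most common transition-mechanism encapsulations, IPv6-in-IPv4 (IP protocol 41, used by 6in4, 6to4 and ISATAP) and Teredo (UDP port 3544), which is the kind of check a defender can run on an IPv4-only network where no such tunnels should exist. The sample packets, addresses and labels are constructed, and the choice of these two indicators is an assumption rather than a claim about which mechanisms the paper used.

```python
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # IPv6 encapsulated directly in IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544  # Teredo carries IPv6 inside UDP/IPv4 on this port

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 packet (20-byte header, checksum left at zero) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Label an IPv4 packet that carries a transition-mechanism tunnel, or return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        return "proto41-ipv6-in-ipv4"
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo-udp-3544"
    return None

def find_transition_traffic(packets):
    """Return (index, src, dst, label) for every packet flagged by classify()."""
    hits = []
    for i, pkt in enumerate(packets):
        label = classify(pkt)
        if label:
            hits.append((i, socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), label))
    return hits

# Constructed inner IPv6 packet: 40-byte header (next header 59 = none) plus a small payload.
INNER = struct.pack("!IHBB16s16s", 0x60000000, 5, 59, 64,
                    socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                    socket.inet_pton(socket.AF_INET6, "2001:db8::2")) + b"exfil"

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample capture: plain TCP, a proto-41 tunnel, ordinary DNS, and a Teredo packet.
SAMPLE_PACKETS = [
    build_ipv4(6, "192.0.2.10", "198.51.100.5", b"\x00" * 20),
    build_ipv4(IPPROTO_IPV6, "192.0.2.10", "203.0.113.9", INNER),
    build_ipv4(IPPROTO_UDP, "192.0.2.10", "192.0.2.1", udp(40000, 53, b"\x00" * 12)),
    build_ipv4(IPPROTO_UDP, "192.0.2.10", "203.0.113.9", udp(40001, TEREDO_PORT, INNER)),
]
```

Running `find_transition_traffic(SAMPLE_PACKETS)` flags only the protocol-41 and Teredo packets; on a real capture the same function can be fed raw IPv4 frames read from a pcap.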