NATO CCDCoE: IPv6 Transition Opens Up Covert Info Exfiltration

The Internet Protocol Version 6 (IPv6) transition is well underway, and as the internet in toto undertakes this massive sea change, it opens up a wide range of potential attack vectors for covert information theft, according to NATO Cooperative Cyber Defence Centre of Excellence (CCDCoE) research.

The current IP system for web addressing, version 4 (IPv4), makes four billion IP addresses available. That sounds plentiful, but the massive increase in internet users and devices worldwide means that IPv4 addresses are running out. IPv6, the next-generation protocol, provides approximately 340 undecillion IP addresses, according to the FCC, ensuring availability of new IP addresses far into the future.

The web is thus transitioning from IPv4 to IPv6 addresses, and the complexity is mammoth. To ensure that the internet and online services continue to operate, ISPs and computer OSs are upgrading to IPv6, but most legacy routers and servers will need to be switched out. And, as it turns out, so will network security tools.

The FCC breaks down initial concerns: “If the switch to IPv6 is not done or not complete, online services could be impaired or degraded: your favorite web programs may slow down; computers may have a harder time communicating with each other, impairing the ability to offer services like voice-over-IP and web conferencing; and your privacy could be compromised because of increased dividing and transferring of IPv4 addresses.”

Other findings go further, noting the cybercrime dimension. Recent research under the auspices of NATO CCDCoE shows that tunnel-based IPv6 transition mechanisms could allow malicious egress communication channels to be set up over an IPv4-only or dual-stack network while evading detection by a network intrusion detection system (NIDS). The researchers demonstrate this with two newly developed proof-of-concept tools, based on IPv6 transition mechanisms, that establish covert information exfiltration channels.

Worse, existing security tools aren’t up to the job. NATO CCDCoE uncovered significant vulnerabilities and serious drawbacks in how modern network security solutions and intrusion detection techniques detect recent threats. The increased usage of IPv6 in attacks thus often results in long-term persistence, sensitive information exfiltration or remote control of systems, it said.

“Effective tools are required for the execution of security operations for assessment of possible attack vectors related to IPv6 security,” the group warned. “IPv6 and various evasion techniques pose a difficult task for network security monitoring. While detection of various transition mechanisms is relatively straightforward, other evasion methods prove more challenging. Additionally, some solutions do not yet fully support IPv6.”
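The "relatively straightforward" case in the quote above can be illustrated with a monitoring check that flags IPv6 transition tunnels inside raw IPv4 packets. This is an added example, not code from the article or from the NATO CCDCoE research. It assumes the standard IANA values (IP protocol 41 for IPv6 encapsulated in IPv4, UDP port 3544 for Teredo); the function names and sample packets are constructed for illustration.

```python
import socket
import struct

PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41   # IANA protocol number: IPv6 carried directly in IPv4
TEREDO_PORT = 3544      # IANA-registered Teredo UDP port

def classify_tunnel(pkt: bytes):
    """Label an IPv6 transition tunnel in a raw IPv4 packet, or return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None  # later fragment: no inner header to inspect
    proto, outer_src, payload = pkt[9], pkt[12:16], pkt[ihl:]
    if proto == PROTO_IPV6_ENCAP:
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto41-malformed"
        inner_src = payload[8:24]
        # 6to4 embeds the tunnel endpoint's IPv4 address in 2002:V4ADDR::/48
        if inner_src[:2] == b"\x20\x02" and inner_src[2:6] == outer_src:
            return "6to4"
        return "ipv6-in-ipv4"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None

def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    """Build a minimal IPv4 packet for the samples (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_ipv6(src, dst):
    """Build a bare 40-byte IPv6 header with no payload (next header 59)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst))

# Constructed sample packets using documentation address ranges.
SAMPLES = {
    "6in4": build_ipv4(41, build_ipv6("2001:db8::10", "2001:db8::1")),
    "6to4": build_ipv4(41, build_ipv6("2002:c000:20a::1", "2001:db8::1")),
    "teredo": build_ipv4(17, struct.pack("!HHHH", 50000, 3544, 8, 0)),
    "dns": build_ipv4(17, struct.pack("!HHHH", 50000, 53, 8, 0)),
}
```

A check like this only covers tunnels that use their registered protocol number or port; it says nothing about the other evasion methods the researchers describe as more challenging.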

The paper offers best practices for the transition.

“This research for the first time engages multiple technical domains, covering the topic from the offensive red teaming to the defensive—monitoring and detection perspectives,” said Bernhards Blumbergs, principal author of the research and researcher at NATO CCDCoE. “Such technical synergy has produced a research paper that has both the scientific and truly practical approaches combined. The developed tools are made public and allow the cybersecurity community to test and verify the research deliverables against their own information systems.”
