IPv6 DDoS is now a threat

Distributed Denial of Service (DDoS) has always been a major threat to organisations’ networks. DDoS attacks are cheap and easy to carry out, but defending against these kinds of attacks can cost 100 to 1000 times more than the cost of launching an attack. Before I stopped hosting Team Fortress 2 game servers, my IPv4 address had always been under constant DDoS. Every few days, I would receive floods of billions of packets per second, bringing down my Internet for a few hours. It was such an annoyance to both my ISP and me; the attacker won and I stopped hosting the Team Fortress 2 game servers.

However, attacks have always been constrained to IPv4 because IPv6 deployment was lacking globally. When IPv4 addresses started running dry a few years back, lots of ISPs started implementing CGNAT (carrier-grade NAT), but most of them still didn’t bother with implementing IPv6.

As time passed and the NICs of different regions ran drier in IPv4 addresses, ISPs worldwide started to become aware of IPv4 exhaustion. Then, slowly and finally, they moved their ass to implementing IPv6. It’s not super difficult to do; they’re just lazy. Okay, granted, maybe it is difficult for such a large-scale process to happen quickly in bureaucratic ISPs, but seriously, if your company did not see the shortage of IPv4 addresses becoming real 5 years ago, I’ve got real bad news for ya.

In 2014 and 2015, my friend kcaj suffered 2 IPv6 DDoS attacks. These attacks originated from trolls in the EFnet #troll channel. Folks from there seem to love to DDoS each other for “fun”, which is very childish, anti-social behaviour. Attacks originating from this channel are strong enough to take down OVH DDoS-protected boxes and, heck, even Voxility boxes. These script kiddies’ parents sure are rich enough to fund their kids with booter credits to wreak havoc on the Internet. I frown upon such actions and desperately urge everyone not to carry out these attacks just for the sake of “fun”. Sure, it might sound “fun”, but wait until you get hit by these attacks or, worse still, get arrested for such actions.

So, as you can see, DDoS over IPv6 networks is now a threat. DDoS protection providers should start offering protection that covers these kinds of attacks. Just a thought and a question for you: is your company prepared to face IPv6 DDoS attacks? If so, which DDoS protection provider are you using?

Author: Woo Huiren

Howdy, I'm an IT student who is currently pursuing a diploma at Ngee Ann Polytechnic. I do lots of things related to IT but I have an exceptionally great love for the web and open source, so expect me to blog a lot about it! :)

4 thoughts on “IPv6 DDoS is now a threat”

  1. Thanks for the clear and simple article on DDoS. So are we saying that:
    1. IPv4 is an easy DDoS target to take down.
    2. IPv6 is more difficult to take down but increasingly it can be taken down.
    Apart from just giving up providing the service (e.g. your Team Fortress 2 servers), is there any sure way to mitigate the attacks?
    If you had the financial resources, would it be possible to track down the perpetrators?

    I just came out of a DDoS situation that lasted 3 days; it was detected to come from more than 2 dozen countries and from over 3000 unique IP addresses.

    1. Hello! I’m really sorry to hear that you are also a victim of DDoS attacks.

      The ability to track down the attackers will depend on how the attackers attack. Our Internet is done through “packet switching”, where the source of the packets is not confirmed by multiple edge routers. The benefit of this is that IP packets can be routed quickly. However, what this means is that spoofing/faking of the packets is very easy and possible. Therefore, if the attackers spoof their packets, there will be no way of tracking these malicious attackers, even if you had tons of money to do so. The only possible solution is to stand against them. Fending off DDoS attacks will require a lot of resources.

      If you’re interested, I would be happy to write a detailed article on DDoS protection.

      Thanks for reading and have a great day ahead! :”)

      1. Thanks for your prompt reply. Yes, I would be interested in a detailed article on DDoS protection.

        Indeed, the attackers had spoofed their packets, probably with zombies.

        Best Regards
