Quantcast
Channel: SANS Internet Storm Center, InfoCON: green
Viewing all articles
Browse latest Browse all 8244

IPv6 Focus Month: Guest Diary: Matthew Newton - IPv6 Cat Feeder - Turning those extra bits into bytes, literally, (Thu, Mar 21st)

$
0
0

Today were bringing you another guest diary, this one by Matthew Newton on some of his experiences when he first turned up a novel service on World IPv6 Day in 2011.

------------------------------------

The 8th June 2011 - World IPv6 Day - will always be a significant day in the history of the Internet when networks and content providers from all over the globe took part in a collective test of IPv6 to raise awareness, test what worked and what didnt, and of course tease out some of the issues facing future IPv6 adoption...



I was taking part in my ISPs (Plusnet) native-IPv6 trial and took the opportunity to release to the world my IPv6-enabled Internet Cat Feeder (http://www.newtonnet.co.uk/catfeeder). Okay, so it admittedly wasnt quite the IPv6 killer app that everyone has been waiting for but it did represent an example of the so-called Internet of Things that IPv6 will inevitably underpin and enable.

Normally the cat feeder is secured through an authentication mechanism such that only I can view/control it however on World IPv6 Day I opened the doors to the proverbial world and his dog... as long as they were connecting over IPv6 of course.

Doing something like this was always going to attract some unwanted attention and it was barely a few minutes after midnight when I started to see connections being made that werent quite in the spirit of the day. I was using parameters specified in the URL to pass control variables to the underlying PHP script and so naturally some users started to handcraft their own to see what damage they could do. Id anticipated this and made sure that the scripts wouldnt respond outside of their intended usage envelopes however what I hadnt anticipated was how futile my attempts would be to manually block persistent offenders.

In IPv4 - with a relatively static addressing model - it is very easy, and relative effective, to blacklist particular (ab)users IP addresses and this can usually be done with minimal collateral damage. However, with IPv6 this wasnt quite so straightforward because no sooner would I blacklist an individual /128 address when the miscreant would hop over to another address to continue their attack. It became something of a game a Whack-A-Mole and I was inevitably always one step behind. In an attempt to keep the feeder up and running I ended up resorting to a broadbrush strategy of widening the blacklisting scope up to the point of blocking entire /32s. Thats a whole lot of potential users being tarred by the same brush.



Whilst in this scenario the collateral damage was likely minimal it did bring to the fore the fact that not all security strategies from IPv4 are equally applicable to IPv6. The one user, many addresses principle of IPv6 is very much a double edged sword as whilst the benefits are plentiful there are also drawbacks.



Still, overall the day was a success for IPv6, and the cat feeder too. To help quantify this, prior to the day the cats were fed twice a day over IPv4. Over the 24hr period on the 8th June 2011 with IPv6 they received 168 meals so unless there-)

------------------------------------
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Viewing all articles
Browse latest Browse all 8244

Trending Articles