Grey Rhino Warning: IPv6 is Becoming Fertile Ground for Reflection Amplification Attacks

TL;DR

This paper investigates IPv6 vulnerabilities to reflection amplification attacks, revealing that a significant portion of autonomous systems lack protections, making IPv6 networks susceptible to DDoS threats.

Contribution

It introduces a novel methodology combining ICMP Time Exceeded detection, IPv6 address scanning, and dual vantage points to identify vulnerable ASes and amplifiers in IPv6 networks.

Findings

61.36% of measured ASes lack ISAV deployment

Identified reflection amplifiers in 3,507 ASes from 47 million addresses

IPv6 networks are highly susceptible to reflection amplification attacks

Abstract

Distributed Denial-of-Service (DDoS) attacks represent a cost-effective and potent threat to network stability. While extensively studied in IPv4 networks, DDoS implications in IPv6 remain underexplored. The vast IPv6 address space renders brute-force scanning and amplifier testing for all active addresses impractical. Innovatively, this work investigates AS-level vulnerabilities to reflection amplification attacks in IPv6. One prerequisite for amplification presence is that it is located in a vulnerable autonomous system (AS) without inbound source address validation (ISAV) deployment. Hence, the analysis focuses on two critical aspects: global detection of ISAV deployment and identification of amplifiers within vulnerable ASes. Specifically, we develop a methodology combining ICMP Time Exceeded mechanisms for ISAV detection, employ IPv6 address scanning for amplifier identification, and utilize dual vantage points for amplification verification. Experimental results reveal that 4,460 ASes (61.36% of measured networks) lack ISAV deployment. Through scanning approximately 47M active addresses, we have identified reflection amplifiers in 3,507 ASes. The analysis demonstrates that current IPv6 networks are fertile grounds for reflection amplification attacks, alarming network security.