Peek-a-boo ping

Security researchers have uncovered shortcomings in firewall rules that meant IPv6 hosts are more frequently openly exposed to internet attacks than IPv4-connected devices.

A “significant number” of scanned hosts had less filtering on the IPv6 side than on IPv4, resulting in additional exposure of these devices and their networks, Cisco Talos discovered.

“When we started this research, we hypothesized that we would likely find hosts that have proper filtering, all important ports firewalled, on IPv4 side, but more relaxed, or non-existent filtering on the IPv6 side,” Talos researcher Joe Marshall reports.

“And indeed, after comparing the top 100 TCP port scan results on corresponding IPv6 and IPv4 addresses, we have found 3% of hosts to have more open ports on IPv6 side. This leads to unintended exposure of sensitive data and services such as SMB network shares, FTP and HTTP servers.”

The researchers reached these conclusions after developing a new technique to enumerate active IPv6 hosts in the vast address space occupied in cyberspace by the next generation internet protocol.

Cisco Talos discovered that dual-homed IPv4/IPv6 hosts can be induced to divulge their IPv6 addresses through an approach to scanning based on support for the Universal Plug and Play (UPnP) Protocol.

More specifically the technique – dubbed IPv6 unmasking via UPnP – relies on UPnP NOTIFY packets to uncover pairs of IPv4 and IPv6 addresses on dual-homed hosts configured to support both protocols.

“The scanning consists of two steps,” the researchers explain in a blog post. “First, we send specific UPnP NOTIFY packets to every IPv4 address to gather IPv6/IPv4 pairs. Then, we perform full port scans of uncovered pairs and compare the open port states on the IPv4 and IPv6 side.”

The Cisco Talos team used Masscan’s modified packet templates to send their NOTIFY packet.

Cisco Talos researchers were able to apply the technique to develop a dataset of “client-side, consumer devices that are largely not covered” in previous IPv6 mapping efforts. The tool might be applied by sys admins to audit the security of enterprise environments they manage.

Running the numbers

Exhaustive scans of IPv6 are impractical because of the huge size of the address space. The Cisco Talos technique adds to the small but growing corpus of IPv6 active host mapping techniques previously developed by other researchers.

The Shodan project, for example, leverages features of the Network Time Protocol to get hosts to reveal their IPv6 addresses. Other approach uses a privileged network position to compile lists of active hosts.

IPv6 was developed by the Internet Engineering Task Force (IETF) to cope with IPv4 address exhaustion. IPv4 uses a 32-bit address giving 4.3 billion addresses. IPv6 uses a 128-bit address, giving 3.3 x 1038 possible addresses.

Smartphones and the growing number of IoT devices mean the number of devices linked to the internet in growing apace and there simply aren't enough IPv4 address to cope. The march of IPv6 is slow but inevitable and, with its introduction, security boundaries will change.

UPnP is designed for network discovery and has no place outside the local network, yet many devices are configured to leave UPnP ports accessible to all and sundry on the internet. This security faux-pas has been the root cause of numerous abuses and hacking attacks over the years.

Related IPv6 scanning tool opens up new cybersphere for researchers