Global adoption of IPv6 continues to grow, with Google reporting IPv6 as 22% of its client traffic. IPv6 comes with a slew of improvements from larger address space to self-organizing addressing to required support of multicast, but these improvements are a double-edged sword. With NAT going away, DHCP no longer being required, modern operating systems and networks supporting and preferring IPv6 over IPv4, ICMP being required for network operation, iptables not applying to IPv6, and multiple IP addresses being associated with individual interfaces, IPv666 conjures the perfect storm of fail open defaults. Taken in sum, this means that swathes of hosts are exposed to the Internet without firewalls and without the knowledge of their admins.
Why, then, haven’t more boxes been popped via IPv6? Because 2^128 is far larger than 2^32.
In this talk we will take a practical look at how to enumerate and attack hosts over IPv6, using statistical models to discover servers and novel IPv6 honeypotting techniques to discover clients. We’ll talk about what works and what doesn’t when it comes to finding IPv6 addresses and how we used our model and scanning techniques to start amassing a corpus of the global IPv6 address space. We’ll cover statistics about how much more exposed IPv6 hosts are over their IPv4 counterparts and how prevalent IPv6 hosts are on various hosting platforms. Lastly, we will release our model and the code that built it as well as the full list of IPv6 addresses that we discovered in the hopes that putting these tools and data into the hands of the community will enable further research of IPv6 security posture.
Through the information provided in this talk we aim to convince you that a storm is brewing with IPv6 security posture, to provide you with the tooling necessary to validate our claims yourself, and with the knowledge to protect yourself moving forward.