Nonetheless, Salient Federal is seeing Routing Header Type 0 attacks on IPv6 production networks that it monitors. For example, Command Information traced this type of attack to one of its own border routers that was no longer in operation. The attack originated from a research network in China. Had it been a successful attack, it would have allowed the Chinese hacker to send malicious traffic from Command Information's compromised border router to other networks.
"Network managers have to turn this feature off in their routers," Duncan says. "This capability was shipped with all Cisco routers by default a few years ago. The newer routers have turned this feature off; the problem is with older routers."
Another IPv6-related threat comes from the way the Internet's DNS system broadcasts so-called Quad A records, the AAAA records that map hostnames to IPv6 addresses. Duncan says Quad A queries are present on every network that the company is monitoring, even though many of those networks are not supporting IPv6 traffic.
When Quad A queries are being broadcast, this indicates that some nodes on the network are IPv6-enabled and can then be targeted with an IPv6-based attack. Because the network itself doesn't support IPv6, it's likely that the network manager is not monitoring IPv6 traffic with deep packet inspection tools.
Duncan refers to IPv4 networks that broadcast Quad A records as "the loaded gun."
"When companies have IPv6-enabled machines but not IPv6 enabled, hackers know that the network management for IPv6 is lacking," Duncan says. "They can easily flood the organization's mail servers with spam that contains malware. All they need is one user with elevated privileges to open one spam message with malware, and that malware can open IPv6 in a tunnel through the firewall."
Duncan points out that he hasn't seen the Quad A vulnerability being exploited yet, but he believes it is a significant threat for enterprises.
"We haven't seen this exact exploit, but we have seen a lot of IPv6 tunneled traffic that is not being inspected," Duncan says. "Every enterprise could have tens of thousands of Quad A records being broadcast.... The solution is to lock down IPv6 if you're not using it and to use deep packet inspection."
Finally, Salient Federal is reporting that it is seeing rogue router advertisements for IPv6, although the company admits that it hasn't seen a malicious actor sending them. Rogue router advertisements are a threat that the IETF warned against in February, pointing out that this vulnerability could be used for denial-of-service or man-in-the-middle attacks.
This threat comes from the fact that IPv6-enabled workstations always listen for router advertisements because IPv6 address autoconfiguration depends on them. These workstations can therefore be fooled by bogus advertisements, whether sent by mistake through network administrator error or deliberately by an attacker. Rogue router advertisements for IPv6 are being seen in both wireless and wired networks.
"Enterprises need to deploy a fix like Cisco's RA Guard on their switches and routers, but then you need to have IPv6 enabled on your core," Duncan says. "You also need to use deep packet inspection in your core."
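One way to implement the kind of check an RA Guard feature or a packet-inspection tool performs, as an added example that is not part of the original article, Salient Federal's tooling or Cisco's product: a Python inspector that parses an IPv6 Router Advertisement and flags advertisements from unknown or non-link-local sources, or with a hop limit other than the 255 that RFC 4861 requires. The router allow-list, the addresses and the constructed packets are assumptions for the example; the inspector does not walk extension headers placed before ICMPv6.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134

# Link-local addresses of the routers expected to advertise on this segment.
# Constructed for the example; in practice it comes from the router inventory.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def build_ra(src: str, hop_limit: int = 255, lifetime: int = 1800) -> bytes:
    """Construct a minimal IPv6 + ICMPv6 Router Advertisement (test input only).
    The ICMPv6 checksum is left zero; this example validates headers, not checksums."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    # version 6 / class 0 / flow 0, payload length, next header, hop limit, src, dst
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, hop_limit,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address("ff02::1").packed)  # all-nodes multicast
    return ip6 + icmp


def inspect_ra(packet: bytes):
    """Return None for packets that are not Router Advertisements, otherwise a list of
    findings; an empty list means the RA passed every check."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    _, _, next_hdr, hop_limit, src, _ = struct.unpack("!IHBB16s16s", packet[:40])
    if next_hdr != ICMPV6_NEXT_HEADER or len(packet) < 56:
        return None
    icmp_type, _, _, _, _, router_lifetime, _, _ = struct.unpack("!BBHBBHII", packet[40:56])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    src_addr = ipaddress.IPv6Address(src)
    findings = []
    if hop_limit != 255:  # RFC 4861: hosts must discard RAs whose hop limit is not 255
        findings.append(f"hop limit {hop_limit} (RFC 4861 requires 255; forwarded or forged)")
    if not src_addr.is_link_local:  # RFC 4861: RA source must be a link-local address
        findings.append(f"source {src_addr} is not link-local")
    if src_addr not in KNOWN_ROUTERS:
        findings.append(f"RA from unknown router {src_addr} (router lifetime {router_lifetime}s)")
    return findings


if __name__ == "__main__":
    for pkt in (build_ra("fe80::1"), build_ra("fe80::dead"), build_ra("2001:db8::1", hop_limit=64)):
        print(inspect_ra(pkt))
```

Feeding captured packets instead of the constructed ones (for example, raw frames from a pcap) only requires stripping the link-layer header before calling inspect_ra.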