
[Threat Hunter Underground Industry Research] Anti-fraud problems brought about by the development of IPv6

2025-01-17 update, from SLTechnology News & Howtos (shulou), Network Security


Shulou (Shulou.com) 06/01 report

Introduction: An IP address is both the most basic identity on the Internet and an indispensable underlying resource for the black and gray market (the underground industry). If IPv4 is a planet, IPv6 is an entire universe, with an address space that is close to infinite. This article analyzes how the underground industry currently uses IPv6 resources and lays out the security challenges that business scenarios face during the upgrade from IPv4 to IPv6.

First, the underground industry's offensive over IPv6 cannot be reversed

IP is not a new word. For ordinary users, an IP address is simply what a device is assigned when it connects to the Internet. In the hands of the underground industry, however, IP addresses are used in ways far beyond what most people imagine, and they have been traded on a dark market for many years, driven by strong demand from that industry.

Unlike the hacking tools shown on the big screen, an IP address has neither the lethality of a virus nor any destructive power of its own. But it is an indispensable underlying resource for underground business operations, and it supports malicious activities such as bulk account registration, traffic and review brushing, coupon and promotion abuse, credential stuffing and so on.

Today, when we talk about IP we usually mean IPv4 addresses, and IPv4 addresses are also one of the fiercest battlegrounds between defenders and the underground industry.

IPv4 addresses are 32 bits long, giving 2^32 (about 4.3 billion) addresses, of which nearly 600 million are reserved for special purposes (multicast, the former class E block, private, loopback and other special-use ranges). As addresses were steadily assigned to end users, IPv4 address exhaustion followed.

This exhaustion drove the promotion of IPv6, which is currently the only long-term solution.

IPv6 addresses are 128 bits long, giving 2^128 addresses, 2^96 (about 7.9 × 10^28) times as many as IPv4. The address space is so large that it is often said IPv6 could assign an address to every grain of sand on Earth.

But the fact that the IPv6 address space is so much larger than IPv4's also means that the IP resources available to the underground industry expand almost without limit: they can use a separate IP address for every malicious account. Risk-control strategies accumulated over years of confrontation, and the complete IPv4 security systems built on them, will face new challenges once IPv6 is widely deployed.

As the network develops, security must come first. Data monitored by Threat Hunter's Ghost Valley Lab show that malicious bot traffic is already being launched from data-center IPv6 addresses, and IPv6 proxy resources have already appeared on the overseas black and gray market. The lab believes this is related, to some extent, to the penetration of IPv6: as IPv6 deployment proceeds in China, underground activity built on it will certainly follow. It is worth noting that "second-dial" services (dial-up IP rotation, currently the IP resource that gives businesses the biggest headache) have also quietly added IPv6 support.

Second, the underground industry has begun to use IPv6 resources

Driven by strong market demand, the development of IP resources has become an important link in the underground industry chain, and groups specializing in supplying IP resources have emerged.

Their technology keeps pace with the times, and their methods have been upgraded through a cat-and-mouse game with enterprises: from the early approach of bypassing risk-control rules through proxy IPs to today's "second-dial" and "mixed-dial" services. Defenders' counter-strategies have likewise been refined and accumulated, but in an IPv4 environment.

However, when IPv4 begins migrating to IPv6, the change in IP environment involves not only corresponding changes to network equipment, route management and the IPv6 protocol stack; the risk-control system built under IPv4 also has to be transformed and upgraded during the migration.

What is the risk if protection strategies designed for IPv4 are not adapted in time? This is a question every enterprise needs to consider and face. For example:

Massive address scanning: IPv6 addresses are 128 bits, so if a subnet uses a 64-bit prefix, as IPv6 networks normally do, it contains 2^64 assignable addresses. If traversing the whole IPv4 space took one hour, traversing that single subnet would take 2^32 hours, about 490,000 years. Exhaustive enumeration is therefore off the table for attacker and defender alike; in practice both have to work with prefixes and lists of addresses known to be active rather than scanning for hosts.

Blacklist database invalidation: the large stock of malicious IP data accumulated in the IPv4 environment is very helpful for identifying underground IPs. In the IPv6 era, the nearly unlimited supply of addresses undermines per-address blacklists, and the once-efficient identification mechanism becomes close to "invalid". A caveat for practitioners: the single address is the wrong unit in IPv6. An end site normally receives at least a /64 and often a /56 or /48, and a host rotates its interface identifier, so reputation has to be kept at prefix granularity (typically /64 for a host or site and the operator's allocation prefix for a pool), accepting the collateral impact that coarser keys bring.

Misjudgment due to missing data: in the early stage of IPv6 deployment, risk data such as IPv6 geolocation and device fingerprints will be lacking, so the nature of an IP cannot be determined accurately and misjudgments will follow.


At the time of writing, global IPv6 penetration is 23.97%, penetration in developed countries is 25%, and penetration in Asia is 27.13%; China's IPv6 penetration has reached 14.46%. The original report follows this with a chart of IPv6 penetration by continent, for developed countries and for China (the chart is not reproduced here).

We then looked at the malicious bot traffic captured by the Threat Hunter monitoring platform and, analyzing the IP resources involved, found traces of IPv6 in the main IP resources the underground industry currently controls.

Proxies

According to our survey, IPv6 proxies have long been traded on overseas proxy platforms. Because IPv6 penetration is still low, these IPv6 proxies do not hand the customer an IPv6 address and port; they still provide an IPv4 address and port. Using tunnelling protocols such as 6in4, IPv6 packets are encapsulated in IPv4 packets and carried through the proxy to the user. From the target site's point of view, the request arrives from an IPv6 address inside the proxy provider's allocation.

We collected these IPv6 proxies and analyzed their characteristics: they mainly come from overseas IDC (data-center) networks.

Compared with overseas, there is no dedicated platform in China for bulk trading of IPv6 proxies, but we have captured some samples of domestic IPv6 proxies, and, interestingly, most of them come from the IDC networks of the domestic education network.

Because of the nature of an education network, simply blocking the IPv6 segments of each education-network IDC would, most directly, cause collateral damage to a large number of legitimate student users.

Second-dial

Second-dial IPs are one of the major IP resources controlled by the underground industry, and some second-dial vendors have begun to support and offer IPv6 service.

We analyzed the IPv6 addresses obtained from a second-dial machine and found that they belong to domestic home broadband. By the nature of dial-up access (PPPoE), every disconnect and reconnect yields a new IP address. This is the same mechanism as second-dial in IPv4, but with two advantages over IPv4: the IP pool is so large that it is nearly infinite, and the addresses are harder to identify.

Infinite IP pool

Suppose the broadband line on a second-dial machine belongs to the telecom operator in some region XX. The second-dial box can then be dialed onto any IP in that operator's regional pool, which in the IPv4 environment is on the order of 100,000 to 1,000,000 addresses. In the IPv6 environment the order of magnitude is huge and hard to estimate. We checked a batch of IPv6 addresses for duplicates: among 100,000 monitored addresses there were almost no repeats, and the real IPv6 second-dial pool is far larger than that. This means the traditional approach of labeling IP risk with an IP blacklist will no longer apply.

Second-dial IPs are hard to identify

In addition, because second-dial IPs and normal users' IPs come from the same pool, an IP used by the underground industry may, after the connection is dropped, be handed to a normal user on the next dial, which makes it very difficult to distinguish second-dial IPs from normal IPs.
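The following is an added example, not code from the Threat Hunter report and not the lab's own method. It models the second-dial behaviour described in the three paragraphs above (a PPPoE line that receives a new delegated prefix on every redial, with a host that rotates its interface identifier as RFC 4941 privacy addresses do) and measures what the blacklist problem from the earlier list looks like at different prefix granularities. It also includes the dual-stack normalization step a server-side risk engine needs: IPv4-mapped, 6to4 and Teredo addresses carry an IPv4 endpoint that the existing IPv4 blacklist can still judge. All addresses are constructed from documentation ranges (2001:db8::/32, 198.51.100.0/24, 192.0.2.0/24); the /40 "operator pool" and the /56 delegation size are assumptions chosen to mirror the home-broadband description, not figures from the page.

```python
import ipaddress
import random

# Added example; not code from the Threat Hunter report and not the lab's method.
# All addresses are constructed from documentation ranges (2001:db8::/32,
# 198.51.100.0/24, 192.0.2.0/24). The /40 operator pool and /56 delegation
# size are assumptions that mirror the text's home-broadband description.


def canonical_ip(raw):
    """Parse an address string and unwrap an IPv4 endpoint embedded in IPv6.

    Dual-stack servers log IPv4 clients as ::ffff:a.b.c.d, and 6to4 (2002::/16)
    and Teredo (2001::/32) addresses carry the client's public IPv4 address
    inside the IPv6 address. Returning that IPv4 address lets the existing
    IPv4 blacklist keep applying instead of treating the client as an unknown
    IPv6 source.
    """
    ip = ipaddress.ip_address(raw.strip())
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            return ip.ipv4_mapped
        if ip.sixtofour is not None:
            return ip.sixtofour
        if ip.teredo is not None:
            return ip.teredo[1]  # teredo -> (server, client); client is the host's public IPv4
    return ip


def risk_key(ip, prefixlen=64):
    """Reputation key: the containing /prefixlen for IPv6, the single host
    route for IPv4, where per-address lists still work."""
    if isinstance(ip, ipaddress.IPv4Address):
        return ipaddress.IPv4Network(ip)
    return ipaddress.IPv6Network((ip, prefixlen), strict=False)


def simulate_second_dial(n, pool="2001:db8:ab00::/40", pd_len=56, seed=7):
    """Constructed sample of n observations from one second-dial box.

    Each redial receives a new /pd_len prefix delegated from the operator's
    regional pool, and the host uses a fresh random interface identifier,
    so consecutive observations never repeat an address.
    """
    rng = random.Random(seed)
    net = ipaddress.IPv6Network(pool)
    base = int(net.network_address)
    addrs = []
    for _ in range(n):
        delegated = rng.getrandbits(pd_len - net.prefixlen) << (128 - pd_len)
        iid = rng.getrandbits(128 - pd_len)
        addrs.append(ipaddress.IPv6Address(base | delegated | iid))
    return addrs


def distinct_counts(addrs, prefixlens=(128, 64, 56, 40)):
    """How many distinct keys the same traffic collapses to at each granularity."""
    return {p: len({risk_key(a, p) for a in addrs}) for p in prefixlens}


def blacklist_hit_rate(training, live, prefixlen):
    """Fraction of live observations matched by a list built from earlier abuse
    at the given granularity. prefixlen=128 is the classic per-address list."""
    listed = {risk_key(a, prefixlen) for a in training}
    return sum(risk_key(a, prefixlen) in listed for a in live) / len(live)


if __name__ == "__main__":
    abuse_yesterday = simulate_second_dial(20_000, seed=1)  # addresses caught abusing
    abuse_today = simulate_second_dial(1_000, seed=2)       # the same box, redialed
    legit_today = simulate_second_dial(1_000, seed=3)       # normal users on the same pool
    print("distinct keys in 20k abuse addresses:", distinct_counts(abuse_yesterday))
    for p in (128, 64, 56, 40):
        print(f"/{p} list: hit rate on abuse "
              f"{blacklist_hit_rate(abuse_yesterday, abuse_today, p):.3f}, "
              f"on legitimate {blacklist_hit_rate(abuse_yesterday, legit_today, p):.3f}")
    for raw in ("::ffff:198.51.100.7", "2002:c633:6407::1",
                "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1"):
        print(f"{raw} -> {canonical_ip(raw)}")
```

Running it shows the per-address list matching nothing from the redialed box, while the /56 and /40 lists match it at the same rate they match legitimate users drawn from the same pool: from the address alone, the two populations are indistinguishable, which is the page's point, and the only stable key (the operator's pool) is exactly the one whose blocking causes collateral damage. Prefix-level reputation at /64 or /56 is still useful against data-center proxy blocks, whose prefixes are typically stable and are not re-handed to home users between sessions.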

Figure: testing IPv6 support using a second-dial machine

The lab tested mainstream domestic websites over IPv6 and found that most vendors have not yet begun to support IPv6 access. The few that do only allow the main site to be reached over IPv6, and page load speed and link stability leave something to be desired; once user login or other user operations are involved, access failures or login timeouts often occur. Overseas websites that support IPv6 are much better than domestic ones in stability, response speed and support for user-related operations.

Third, summary and thoughts

With the development of the next-generation Internet based on IPv6, the seemingly inexhaustible IP resources do bring relief to the depleted IPv4, but the security risks hidden behind "inexhaustible" cannot be ignored. From the data above we can infer that the underground industry's use of IPv6 is largely tied to IPv6 penetration.

Because IPv6 penetration and adoption are high in most developed countries, platforms for trading IPv6 proxies have emerged there. In China, even though most mainstream websites do not yet support IPv6 access, the underground industry has already begun to study IPv6 technology and make use of IPv6 resources. As China's IPv6 deployment scales up step by step under policy, IPv4 will have to give way to IPv6. If enterprises' risk-control facilities are not transformed and upgraded in step with deployment, there will be a "window period" of weak protection during which the underground industry can easily get onto the platform and cause trouble.

Therefore, preparing in advance is the best way for enterprises to deal with the risk. We have reason to believe that as more and more domestic websites support IPv6 and their functionality and stability improve, the battlefield will inevitably shift from IPv4 to IPv6. For all technical and security personnel, considering security is as important as ensuring a stable technical upgrade. Threat Hunter, as a forerunner in the business-security industry, has invested heavily in researching IPv6 underground resources and has begun to accumulate real-time IPv6 risk data, hoping to help vendors migrating to IPv6 solve unexpected security problems.


© 2024 shulou.com SLNews company. All rights reserved.
