Security specialists

ThreatLabs specializes in security assessments providing valuable insights into vulnerabilities and weaknesses as well as actionable advice to increase the security posture of IT assets and environments.

Security strategies must evolve for IPv6

With version 4 of the Internet Protocol, rate limiting, throttling, and even firewall blocks are often straightforward. If an IP address is associated with abusive behavior, it can be (temporarily) blocked. The limited IPv4 address space somewhat constrains threat actors.

With IPv6, this changes drastically. The vast address space makes blocking single addresses far less effective, as threat actors can easily switch to alternative addresses within the same prefix. This happens even in legitimate scenarios, as users are automatically assigned new addresses when Stateless Address Autoconfiguration (SLAAC) and privacy extensions are used.

Figure: Rate limiting is ineffective when IPv6 clients rotate addresses.

As a result, security strategies for IPv6 must evolve. One approach to consider is to block entire prefixes, such as a /64, instead of individual addresses. This must be done carefully to avoid unintentionally impacting legitimate users. This downside is not new, as Network Address Translation (NAT) often results in multiple users sharing the same public IPv4 address.

Figure: Rate limiting is more effective when the IPv6 prefix is blocked.
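The prefix-based approach described above, as an added example that is not part of the original article: a sliding-window limiter whose bucket key is the /64 for IPv6 clients and the single address for IPv4 clients. The function names, the limit of 10 requests per 60 seconds, and the traffic from the 2001:db8::/32 documentation range are assumptions constructed for illustration; the example also goes slightly beyond the text by treating IPv4-mapped IPv6 addresses as IPv4 and making the prefix length configurable.

```python
import ipaddress
from collections import defaultdict, deque


def rate_limit_key(addr: str, v6_prefix: int = 64) -> str:
    """Map a client address to the bucket that is counted (and blocked)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client on a dual-stack socket
    if ip.version == 4:
        return str(ip)  # IPv4: keep per-address buckets
    # IPv6: every address inside the prefix shares one bucket
    return str(ipaddress.IPv6Network((ip, v6_prefix), strict=False))


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window, key_func):
        self.limit, self.window, self.key_func = limit, window, key_func
        self.hits = defaultdict(deque)

    def allow(self, addr, now):
        q = self.hits[self.key_func(addr)]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(key_func, requests=100, limit=10, window=60):
    """Constructed traffic: one client using a new address in the same /64 per request."""
    limiter = SlidingWindowLimiter(limit, window, key_func)
    base = int(ipaddress.IPv6Address("2001:db8:1234:5678::"))
    allowed = 0
    for i in range(requests):
        addr = str(ipaddress.IPv6Address(base + i + 1))
        allowed += limiter.allow(addr, now=i * 0.1)
    return allowed


if __name__ == "__main__":
    print("allowed with per-address key:", simulate(lambda a: a))
    print("allowed with per-/64 key:    ", simulate(rate_limit_key))
```

Because one /64 can hold many legitimate users, the same caveat the article raises for blocking applies to the limit chosen per prefix.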