New Research Explores How to Detect Attacks like Malware Over IPv6

Honeypots are isolated hosts that deliberately lure attackers so that their operators can gather data on real attack traffic, which is then used to refine intrusion detection systems, improve threat response, and better manage and prevent attacks.

Traditionally, honeypots have only listened on IPv4 (the first widely deployed version of the Internet Protocol). With the increasing deployment of IPv6, IPv4's successor with a vastly larger address space, we can only expect IPv6-based attacks to grow, so we must find ways to identify and mitigate them before they become routine.

Our new GCA Internet Integrity Paper, "Expanding IoT Honeypots to Include IPv6-Connected Devices," investigates the possibility of including the IPv6 address space in honeypot operations to, among other things, stop malware at its source. We propose a way to extend ProxyPot, the Global Cyber Alliance's proprietary honeypot technology, to detect attacks over SSH, Telnet, HTTP, and HTTPS on both IPv4 and IPv6, which would be a first of its kind.
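To make the dual-stack idea concrete, the following is an added example written for this post; it is not ProxyPot code and does not come from the paper. It shows the core plumbing a honeypot needs to observe the same four services over both address families: one AF_INET6 listener per port with IPV6_V6ONLY cleared, and a peer-classification step that unmaps the ::ffff:a.b.c.d form in which a dual-stack socket reports IPv4 clients, so that events are attributed to the right family. The port-to-service table and the sample addresses (from the 2001:db8::/32 and 203.0.113.0/24 documentation ranges) are assumptions of the example.

```python
import ipaddress
import socket
import threading
from datetime import datetime, timezone

# Services the post says ProxyPot should cover. The port numbers are the
# conventional ones and are an assumption of this example, not taken from the paper.
SERVICE_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}


def classify_peer(host: str) -> tuple:
    """Map a peer address string to (family, canonical_address).

    A dual-stack listener (AF_INET6 with IPV6_V6ONLY=0) reports IPv4 clients as
    IPv4-mapped IPv6 addresses such as ::ffff:203.0.113.5. Without unmapping them,
    an IPv4 attacker would be logged as IPv6 traffic and skew any
    IPv4-versus-IPv6 statistics drawn from the honeypot.
    """
    # Strip a link-local zone index (fe80::1%eth0) before parsing.
    addr = ipaddress.ip_address(host.split("%", 1)[0])
    if addr.version == 4:
        return "ipv4", str(addr)
    mapped = addr.ipv4_mapped  # None unless the address is ::ffff:a.b.c.d
    if mapped is not None:
        return "ipv4", str(mapped)
    return "ipv6", str(addr)


def make_dual_stack_listener(port: int, backlog: int = 16) -> socket.socket:
    """Bind one socket that accepts both IPv4 and IPv6 clients.

    Binding AF_INET6 to '::' with IPV6_V6ONLY cleared is what lets a single
    listener serve both families; with IPV6_V6ONLY left at 1 (the default on
    some systems) IPv4 clients would be refused.
    """
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    s.bind(("::", port))
    s.listen(backlog)
    return s


def record_connection(service_port: int, peer: tuple, first_bytes: bytes) -> dict:
    """Build one structured event for a connection attempt.

    `peer` is the (host, port, flowinfo, scope_id) tuple returned by accept()
    on an AF_INET6 socket; only host and port are used here.
    """
    family, src = classify_peer(peer[0])
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "service": SERVICE_PORTS.get(service_port, f"tcp/{service_port}"),
        "family": family,
        "src": src,
        "src_port": peer[1],
        # First bytes the client sent (an SSH version string, an HTTP request
        # line, a Telnet option negotiation), hex-encoded so binary probes
        # cannot corrupt the log.
        "probe": first_bytes[:64].hex(),
    }


def serve(service_port: int, sink) -> None:
    """Accept loop for one service port: read the client's opening bytes, log, close."""
    listener = make_dual_stack_listener(service_port)
    while True:
        conn, peer = listener.accept()
        conn.settimeout(5.0)
        try:
            data = conn.recv(256)
        except (socket.timeout, OSError):
            data = b""
        finally:
            conn.close()
        sink(record_connection(service_port, peer, data))


if __name__ == "__main__":
    # One listener thread per service. Binding ports below 1024 needs privileges.
    for port in SERVICE_PORTS:
        threading.Thread(target=serve, args=(port, print), daemon=True).start()
    threading.Event().wait()
```

A real honeypot would hand the accepted connection to a protocol emulator rather than closing it after the first read, but the family attribution shown in classify_peer is the step that matters for answering the question the paper raises: how much of the observed attack traffic actually arrives over IPv6.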

This paper is the third in a series of research projects done in collaboration with Microsoft to help make the Internet more secure, with a specific focus on Internet of Things (IoT) devices. You can read the first two papers here and here.

In the paper, we explain our AIDE project, recap why scanning the IPv6 address space for attacks is difficult, outline current IPv6 deployment practices that may increase a device's exposure to attack, define best practices at the device level, and explore potential IPv6 scanning options.

Key Takeaways

  • IPv4 remains pervasive and offers malicious actors an easy, well-understood attack vector. For now, IPv4 will continue to be the main protocol used to distribute malware.
  • However, we foresee a time in the not-too-distant future when IPv6 will become the preferred vector for certain attacks in the Internet of Things (IoT) space. Detecting malicious activity over IPv6 will then become urgent quickly.
  • Detecting attack traffic over IPv6 poses many challenges, and it is important to stay ahead of the curve as new attacks begin to emerge.
  • Our honeypot technology, ProxyPot, can be extended to detect attacks arriving over IPv6, which would be a first of its kind.

We encourage you to read the full report, check your own IPv6 resources and security practices, and contact us to get involved with AIDE to support this work.