IPv6 has always been a hot topic! Available for years, many ISP's deployed IPv6 up to their residential customers. In Belgium, we were for a long time, the top-one country with IPv6 deployment because all big players provided IPv6 connectivity. In today's operating systems, IPv6 will be used first if your computer sees "RA" packets (for "router advertisement" [1]) and can get an IPv6 address. This will be totally transparent. That's why many people think that they don't use IPv6 but they do!

To access online resources, a host will try to resolve a domain or hostname by generating "A" or "AAAA" DNS requests. A malware that relies on the host resolver doesn't need to know if the C2 is available via IPv4, IPv6 or both!

I'm wondering for a long time why attackers do not pay more attention to IPv6 connectivity because it could be less hardened or not monitored at all! How many security controls rely on regexes to catch IPv4 addresses only?

Today, I found a malicious Python script that creates a footprint of the victim (usual behaviour) but, this time, it also try to get the IPv6 of the victim's computer:

def get_ipv6_address():
    try:
        i6_s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        i6_s.connect(("2001:4860:4860::8888", 80))
        i6s_s = i6_s.getsockname()[0]
        i6_s.close()
        return i6s_s
    except socket.error:
        return None

(The tested IPv6 address is Google public DNS)

Does it mean that attackers will pay more attention to IPv6? Let's see in the future!

[1] https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key