环境下的网络安全观察IPv6关于绿盟科技北京神州绿盟信息安全科技股份有限公司（简称绿盟科技）成立于2000年4月，总部位于北京。在国内外设有30多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供具有核心竞争力的安全产品及解决方案，帮助客户实现业务的安全顺畅运行。基于多年的安全攻防研究，绿盟科技在网络及终端安全、互联网基础安全、合规及安全管理等领域，为客户提供入侵检测/防护、抗拒绝服务攻击、远程安全评估以及Web安全防护等产品以及专业安全服务。北京神州绿盟信息安全科技股份有限公司于2014年1月29日起在深圳证券交易所创业板上市。股票简称：绿盟科技 股票代码：300369特别声明为避免合作伙伴及客户数据泄露，所有数据在进行分析前都已经过匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。IPv6环境下的网络安全观察A目录1. 执行摘要 ······························································································································································ 22. IPv6攻击态势概览 ·············································································································································· 52.1 热点态势 ······················································································································································································· 62.2 重要观点 ······················································································································································································· 83. IPv6攻击中的热点类型 ······································································································································· 94. IPv6攻击中的行业分布 ····································································································································· 115. IPv6攻击中的地域分布 ····································································································································· 135.1 国内分析 ····················································································································································································· 155.2 国外分析 ····················································································································································································· 206. “惯犯”跟踪 ····················································································································································· 247. 总结 ···································································································································································· 28IPv6环境下的网络安全观察2执行摘要1. 执行摘要1执行摘要IPv6环境下的网络安全观察3执行摘要未来的时代里，数字化和全球化将深入到世界各地每一个角落，人人受惠。基于IPv6的下一代互联网，将成为支撑前沿技术和产业快速发展的基石。2017年11月，中共中央办公厅和国务院办公厅联合印发了推进互联网协议第六版（IPv6）规模部署行动计划，为互联网技术的普及和应用，以及未来产业奠定了良好的基础。该文指出到2020年末国内IPv6活跃用户要达到5亿，2025年末中国IPv6规模要达到世界第一。图 1.1 推进互联网协议第六版（IPv6）规模部署行动计划根据第43次中国互联网络发展状况统计报告，截至2018年12月，我国IPv6地址数量为41079块/32，年增长率为75.3%。与此同时，我国网民使用手机上网的比例达 98.6%，较 2017 年底提升 1.1 个百分点；网民使用电视上网的比例达 31.1%，较 2017 年底提升 2.9 个百分点；使用台式电脑上网的比例为 48.0%，较 2017 年底下降 5 个百分点。可以看出，传统计算机与互联网的应用比例有 gov/zhengce/2017-11/26/content_5242389.htm cac.gov/2019-02/28/c_1124175677.htm1执行摘要IPv6环境下的网络安全观察4执行摘要所下降，移动生活的普及、物联网的发展和工业4.0的推进，都将对地址空间，服务质量以及安全性等提出更高的要求，而未来IPv6的大范围部署可以一定程度满足上述需求。IPv6的设计对安全性有一定的提升，例如集成了虚拟专网（VPN）的功能和IPSec，然而许多在IPv4中存在的网络安全问题在IPv6中同样存在，例如应用层协议或服务导致的漏洞无法消除，未实施双向认证的情况下中间人攻击仍然存在，同时网络嗅探，设备仿冒和洪泛攻击等也无法避免。因此，本团队对IPv6环境中的攻击告警进行抽样分析，下文将从安全态势、热点攻击、行业/地域分布，以及“惯犯”等角度对IPv6用户面临的威胁进行刻画。IPv6环境下的网络安全观察5IPv6攻击态势概览2. IPv6攻击态势概览2IPv6攻击态势概览IPv6环境下的网络安全观察6IPv6攻击态势概览2.1 热点态势当前随着IPv6的普及，IPv6的攻击也呈现上升态势。第一起有记录的IPv6 DDoS攻击事件发生在2018年3月，此次攻击涉及了1900个IPv6地址。同时利用漏洞的IPv6攻击行为也被陆续捕获到。通过对捕获到的相关数据分析得知，目前大部分IPv6攻击所使用的漏洞都是应用层漏洞，即与IPv4攻击的目标相同，暂时还未发现针对IPv6自身协议漏洞的攻击。同时根据对IPv4环境下的远程漏洞的研究发现，只要存在漏洞的目标系统支持IPv6环境，绝大多数漏洞都可以通过直接使用IPv4环境下的攻击载荷在IPv6环境下进行攻击。通过对IPv6相关协议族的漏洞追踪和研究发现，针对IPv6协议族的漏洞数量整体不大，CVE漏洞库中的IPv6相关协议漏洞，主要为对畸形数据包处理不当导致共125个。主要分布为Linux内核、Linux发行版本系统、Windows等系统，tcpdump、Wireshark等应用程序和Juniper、Cisco、Huawei路由器等硬件产品。Linux中出现的漏洞主要集中在IPv6的实现上，出现频次比较高的模块是IPv6的分片模块；Cisco上的漏洞主要在Cisco IOS上。从漏洞上涉及模块来看，IPv6 snooping模块上出现的问题比较多，Tcpdump 在4.9.2前版本中的IPv6 routing header parser模块以及IPv6 mobility parser模块中也连续爆出了一系列漏洞。 scmagazineuk/first-true-native-IPv6-ddos-attack-spotted-wild/article/1473177IPv6环境下的网络安全观察7IPv6攻击态势概览按年份来看IPv6相关漏洞数如下：图 2.1 近年IPv6相关漏洞数量200205101520252003 2004 2005 2015 2016 2017 2018 2019漏洞201420132012201120102009200820072006112620711139310133451223IPv6环境下的网络安全观察8IPv6攻击态势概览其中CVSS小于3的低危漏洞占3.2%，3-7的中危漏洞占51.2%，7以上的高危漏洞占45.6%：图 2.2 IPv6相关漏洞的危害占比情况高危漏洞45.6%中危漏洞51.2%低危漏洞3.2%IPv6相关漏洞危害占比情况2.2 重要观点观点一：2010年后，IPv6相关漏洞成倍攀升，高危漏洞占比较高，值得持续关注。观点二：在IPv6环境中，目前观测到的主要攻击来自于对传输层和应用层漏洞的利用，传统IPv4环境中的安全威胁仍然值得关注。观点三：当前IPv6网络环境中，安全威胁主要集中在僵木蠕相关攻击，以及面向Web服务和Web框架类的攻击，需要进行针对性防御。观点四：运营商、教育机构、事业单位和政府的IPv6应用较为广泛，遭受到的攻击也最多，相关机构需要加强防护。