June 6th is known as World IPv6 Day so we thought it was a good time to look at the trends in IPv6 usage across CloudFlare’s network. Two big themes we’ve seen: 1) IPv6 usage is growing steadily, but at the current pace we’re still going to be living with IPv4 for many years to come; and 2) while the majority of IPv6 traffic comes from legitimate users on mobile networks, attackers too are beginning to launch attacks over the protocol.
CloudFlare has supported IPv6 on our network for the last year and a half. We have become one of the largest providers of the IPv6 web because we offer a free IPv6 gateway that allows any website to be available over IPv6 even if a site’s origin network doesn’t yet support the protocol. For the last year, we’ve enabled IPv6 for customers on CloudFlare by default. Today, IPv6 is enabled for more than 1 million of our customers’ websites.
Since the beginning of 2013, IPv6 connections as a percentage of CloudFlare’s total traffic fluctuate daily with the minimum 0.849% on January 5 to a maximum of 1.645% on June 3, 2013. If look at the overall trend, IPv6 connections to our network have grown 26.5% since the start of the year.
Digging into where IPv6 connections are coming from it appears the majority of the growth has been from mobile network providers. Increasingly, traffic from mobile devices to the web has passed over IPv6. We saw a significant drop in IPv6 connection from mid-March through early-April when it appears a large mobile operator appears to have disabled and then reenabled IPv6 connectivity from their network.
While the overall increase in IPv6 usage is encouraging, the trend unfortunately indicates we are going to be living with IPv4 for some time to come. At current growth rates, assuming adoption of IPv6 is linear, it will take almost 67 years for IPv6 connections to surpass IPv4 connections and the last IPv4 connection won’t be retired until May 10, 2148.
Things are a bit more optimistic if IPv6 adoption turns out to be exponential rather than linear. In that case, IPv6 connections will surpass IPv4 in about 5 years and 9 months. Not long thereafter, we’ll extinguish IPv4 entirely on January 10, 2020. Our guess is the reality will be somewhere between the linear and exponential case. Regardless of what IPv6’s adoption curve looks like, as a CloudFlare user you’re covered. We anticipate we will be operating a dual-stack network with both IPv4 and IPv6 support for all our customers until IPv4 is fully retired, whether that takes 7 years or 140.
While the majority of IPv6 connections today are coming from legitimate users on mobile networks, over the last two months we’ve seen a marked increase in the number of IPv6-based web attacks. Largely these have been DDoS attacks. The attacks have typically been both Layer 4 (e.g., SYN floods) as well as Layer 7 (e.g., application layer attacks).
To date, the IPv6-based DDoS attacks have been relatively modest. The largest we’ve seen to date generated approximately 3 gigabits per second of traffic and accompanied a much larger traditional IPv4-based DDoS.
While a novelty, these attacks don’t cause significant harm to CloudFlare’s systems. We designed CloudFlare anticipating the transition to IPv6, so our defenses assume an IPv6-enabled world. We speculate, however, that attackers may be targeting IPv6 as a way of bypassing older protections that base their protection largely on IPv4 blacklists.
IPv6 makes a strict blacklist on a per-IP basis much more challenging since the number of addresses available to an attacker can be significantly larger. This is a challenge that large blacklist operators like Spamhaus are currently thinking through. While IPv6 can present a challenge to some attack filtering strategies, it also presents opportunities. For example, since IPv6 reduces the need for NATs and provides users addresses that are routable all the way to the end device, we believe over time IPv6 will provide the ability to build significantly more accurate whitelists.
We will continue to monitor overall IPv6 growth rates as well as interesting trends in IPv6-based attacks. In the meantime, there’s no better way to celebrate World IPv6 Day thansigning up for CloudFlare and ensuring your site is automatically available for the increasing percentage of users that are accessing it over IPv6. It’s free and will only take you 5 minutes to join the modern web.Tags: challenge dualstack ipv6 savetheweb thefuture attacks