Essay: Reconnaissance attacks in IPv6 networks

2.1.1 Reconnaissance attacks in IPv6 networks
The 1st larger attack in IPv6 is usually a reconnaissance attack. An attacker try reconnaissance attacks to get some confidential information about the victim network that can be misused by the attacker in further attacks. For this he uses active methods, such as scanning techniques or data mining strategies. To start, an intruder begins to ping the victim network to determine the IP addresses currently used in the victim network. After getting some of the accessible system, he starts to scan the port to find out any open port in the desired system. The size of subnet is bigger than that of the in IPv4 networks. To perform a scan for the whole subnet an attacker should make 264 probes and that???s impossible. With this fact, IPv6 networks are much more resistant to reconnaissance attacks than IPv4 networks. Unfortunately, there are some addresses which are multicast address in IPv6 networks that help an intruder to identify and attack some resources in the target network.
2.1.2 Security threats related to IPv6 routing headers
As per IPv6 protocol specification, all of the IPv6 nodes must be able to process routing headers. In fact, routing headers can be used to avoid access controls based on destination addresses. Such action can cause security effects. It may be happen that an attacker sends a packet to a publicly accessible address with a routing header containing a ???forbidden??? address on the victim network. In such matter the publicly accessible host will forward the packet to the destination address stated in the routing header even though that destination is already filtered before as a forbidden address. By spoofing packet source addresses an intruder can easily perform denial of service attack with use of any publicly accessible host for redirecting attack packets.
2.1.3 Fragmentation related security threats
As per IPv6 protocol specification, packet fragmentation by the intermediate nodes is not permitted. Since in IPv6 network based on ICMPv6 messages, the usage of the path MTU discovery method is a duty, packet fragmentation is only allowed at the source node.1280 octets is the minimal size of the MTU for IPv6 network. The packets with size less than 1280 octets to be discarded unless it???s the last packet in the flow as per security reasons. With use of fragmentation, an attacker can get that port numbers not found in the first fragment and thus they bypass security monitoring devices expecting to find transport layer protocol data in the very first fragment. An attacker will send a huge amount of small fragments and create an overload of reconstruction buffers on the victim system which resulted to the system crash. To prevent system from such attacks it???s necessary to bound the total number of fragments and their permissible arrival rate.