Experiment proves that IPv4 servers can be taken down in 12 minutes while IPv6 prove resilient

Daniel Cid, Founder & CTO of Sucuri, had carried out an experiment a few weeks ago to see how long it would take for IPv4-only and IPv6-only servers to be compromised via SSH brute force attacks.

The experiment besides showing the security advantages IPv6 has over IPv4, also exposes the dangers of using factory default or common user-password combinations to secure online servers.

In order to carry out the experiment, Cid set up ten servers at the start of the month and left their SSH ports exposed to external connections. He ran five servers on IPv4-only addresses, while the other five ran only on IPv6 addresses.

The root password of both the servers was set to “password,” which is strictly avoided in production environments.

According to Cid, the IPv4 experiment did not last very long, as the first IPv4 server was hacked within 12 minutes, with the other four servers getting hacked shortly afterwards. The hackers took only 20 seconds to brute-force the SSH root account.

However, on the other hand, the IPv6 servers had much better results. According to Cid, nobody even bothered to scan any of the IPv6 servers at least once after a week, forget to hack them.

“What we can draw from this is that the obscurity of IPv6 helps to minimize the noise of attacks,” Cid says. “Most likely, this is because it is more difficult to map the range of IPv6 addresses (2^128) than it is with the range of IPv4 addresses (2^32).”

In addition, there are so-called scan lists of IPv4 addresses available online, which include the IP ranges of many of the well-known hosting providers, which also help attackers in hacking IPv4 servers.

However, that was not the end of the SSH brute force experiment. Before Cid could go and scrap the compromised IPv4 servers, he received a notice from Digital Ocean who detected the huge 800+ Mbps SYN packet flood initiating from the five hacked servers, and interfered to shut down the servers:

We got alerted that SSH-TEST-SERVER-X was participating in a SYN flood along with 4 other droplets on 3 other customers aimed at 118.184.XX.YY. This was happening at about 800mbps or so; after pulling a tcpdump and validating the pcap we took action on all 4 droplets.

Right now the droplet has the networking disabled to stop the outgoing attack, and please let us know if we can help resolve this.

Trust & Safety,
Digital Ocean Support

Apparently, the attacker had already downloaded the Linux/XOR.DDoS malware and was busy launching attacks against a Chinese website.

The conclusion of the experiment is that you cannot set up online servers and defer changing to root password for another time. You can very easily lose control over the server in a span of 15 minutes, and would need to start all over again. At the time, the servers are put and connected online need to have all security mechanisms up and running.

Source: Sucuri Blog