So my ISP recently announced that they support IPV6 so I enabled it in my router. I've been using it since then and didn't notice anything good nor bad. Today I was on Reddit and mentioned that I was using Google's DNS for IPV4 and IPV6, then one dude said "do not enable IPV6 if you are using IPV4", so I started wondering what all that is about. He didn't reply back to me when I asked for the reasoning behind this. Is there anything bad about doing this that I am missing? I searched on Google and this is one post I read: Now I have to mention that I have been having issues with the connection on my Galaxy S20+ when I connect to WiFi. A speedtest would show regular speeds, but when browsing one of the forums that I usually frequent (Notebook Review Forum) my phone would have a hard time connecting to that site or would take ages to load. If I disabled my WiFi and just used regular data it's fast and snappy again, so I'm not sure if enabling IPV6 has anything to do with this, but I will disable it for now. Just wanted to get the PROs' opinion on this.
It would be good to get an update on this situation... I understood that it is evolving somewhat, and am unsure whether to still turn off/block ipv6
I don't know if it's a placebo effect but I am finding the loading of sites much faster now. I will try browsing that Notebook Review Forum on my phone for a while; if it works, then all my suffering all these days could have been from IPV6.
True, and as also stated above it will slow things down. Most of the ISPs I have used don't support it yet anyway. I don't think there are many websites that are IPv6 only yet anyway, and to my understanding most of them are in China. As I don't read Chinese I'm not too worried about it. It will be an issue someday, but that someday seems to be very slow in coming. If your ISP does support it and you have it enabled, it allows ALL of your devices to be individually identified from the internet as there won't be any NAT.
Somehow that's rubbish. It is necessary to have all those people having access to the web because IPv4 is full. Some providers only give IPv6 IPs, and that forever to a special port, and the customer is not able to change it. Nevertheless it means nothing to security. In the case of Windows 10, it will malfunction if IPv6 is not activated internally. But in some routers it is possible to have IPv6 disabled, and that could mean in the worst case that you can't connect to the web because (read above) IPv4 IPs were no longer applied.
if you have the option then disable/harden if you are not an advanced user, I am a noob so I disable
    REM disable the IPv6 transition tunnels (ISATAP, 6to4, Teredo)
    netsh int ipv6 isatap set state disabled
    netsh int ipv6 6to4 set state disabled
    netsh interface teredo set state disabled
    netsh interface ipv4 set global mldlevel=none
    REM 255 (0xFF) turns off IPv6 on all interfaces except loopback; needs a reboot
    REG ADD "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f
    REM harden
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DeadGWDetectDefault" /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "SynAttackProtect" /t REG_DWORD /d 00000002 /f
    REG ADD "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "KeepAliveTime" /t REG_DWORD /d 3000000 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" /v "NoNameReleaseOnDemand" /t REG_DWORD /d 1 /f
it is not inherently more insecure but it is often used by attackers to set up backdoors, especially when ipv6 is misconfigured, because the technology is not well understood. there was a wave of attacks based on ipv6 tunneling that IDPS systems would not pick up (separate rule sets for ipv4 and 6, and 6 is often ignored). Consequently, it also makes it easy for an intruder who has already gained access to a local subnetwork to announce rogue routes and routers to spread the infection, or to route multiple compromised systems through tunnels under control, set dual stack stealthy communication. - best regards
If the attacker is already inside your local network then there was something wrong since the beginning. You screw the wrong nuts and in your case you make your Windows malfunction. Never screw anything if you are not aware of the results, that's all I wanted to tell you. Tips and tricks from the web are not customizable to all systems. And in fact they don't cover a way out if you get in trouble; forums are full of questions about this and people who need help to recover the functionality of a product. Hardening Windows is a solution for people who got scared by other opinions which do not know better or try to sell a product. The best example is antivirus vendors: they scare people to sell their product while the built-in Windows Defender is equal or better and is covered by the rest of the Windows settings. It doesn't need kernel drivers, which make the whole system unstable and unsafe because of leaks. If hardware = router is vulnerable I suggest getting updates or newer, safer hardware.
I agree. It is usually a /64 block, so there are 2^64 = 18,446,744,073,709,551,616 possibilities. Just have some form of brute force scanning protection and you're safe. And you still can firewall devices so you're not exposed...
I wasn't aware of this; just turned off IPv6 (in the router and in Windows) since, as you say, it's unlikely to have an impact. Is there any workaround for the loss of NAT when IPv6 is enabled?
@Brummelchen long story short: if you don't know how to set up IPv6 and you don't understand the technology, it is better to disable. I disable, and hardening can save you from CVE-2019-0708 for example, so it is not so useless. Backward compatibility and too many services is what makes the system more vulnerable (PowerShell 2.0, .NET Framework 3.5, SMB). A change in a rule could indicate a breach; having one set yourself makes you learn to recognize patterns. Also, I don't feel safe with MS Defender because a typical hacker would learn to hack MS Defender first, then other security products. The literature is full of MS Defender hacks and vulnerabilities, but less is known about other security products; any script kid would try to get his feet wet with Defender first, especially since he can just find the hack. WFP rules from third-party firewalls are also better than Windows Firewall (WF), which allows outgoing connections from "legitimate apps", and reverting WF rules is not too difficult. I agree though that Defender is much better now than it was yesterday, especially since EMET. best
I marked red what you'd better have written, because you speak of yourself and not for me. This CVE does not apply to current Windows OS versions 8.1 and 10, only Windows 7 and older and WinServ 2008, which are out of support. To read here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 Pointless argument! That's your point of view; anyhow, Defender is only one wheel of the Windows security concept. That's ever told from experienced people: don't rely on an antivirus only, it will fail some day. But it's your decision. Just read https://www.wilderssecurity.com/thr...port-udp-239-255-255-250.428946/#post-2949496 That's multicast as written (SSDP) and not dangerous. https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol I think we two should stop it right here.
@Brummelchen as you wish, I like talking to you just as with anybody else, you seem to be jumping to conclusions too fast or not reading text, yes I know about the cve is for vista and I wasn't referring to you when I said "if you don't know how" and I don't rely on AV alone, I generally speak with a high level of abstraction but the forum is not ideal for that or to convey emotions, I also tried to shorten my text, in the end some people understand me wrong lol, it doesn't matter if the cve is for vista or windows 10, I just mentioned BlueKeep because it is a prime example that hardening could save you even if you had vista, there are plenty of undocumented vulnerabilities and hardening can save you from some vulnerabilities, unexpectedly so to speak (abstract thinking my friend..), "rdp open to the Internet" is asking for trouble regardless of vista or 10.
about ipv6:
1) Teredo-style IPv6 over UDP tunneling bypasses the NAT devices and firewalls, and the IDPS system must dig much deeper to un-encapsulate IPv6 traffic of UDP, static SIT or 6to4 auto SIT type. At least sanitize traffic before the IDPS. Some routers are not designed to unroll these tunneling protocols to analyze and to apply rules directly. If IPv6 is not provided or supported, any form of above mentioned traffic is spotted and considered abnormal, and it's what I aim for
2) because IPv6 networks are big, rate limiting or ip filtering is impractical
3) log analysis is more difficult on IPV6, as an address can be written in different ways (long/short)
4) more complex neighbor discovery protocol (which translates into vulnerabilities and bugs: NS – NA messages or DAD)
5) many underground tools are ipv6 related, they seem to be the vast majority and favor the attacker
6) ipv6 subprotocol Multicast Listener Discovery (MLD) attacks at local link
that said I don't believe there is a whole lot of a difference running ipv6 or 4, just that ipv6 requires extra care and it seems a tiny bit less secure especially if misconfigured
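Points 1 and 3 of the post above, as an added example that is not part of the original thread: Python's standard `ipaddress` module collapses the different spellings of one address to a single key for log correlation, and flags Teredo and 6to4 source addresses together with the IPv4 address embedded in them. The `src=` log format, the sample lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log: one IPv6 host written three ways, one IPv4
# host seen natively and as an IPv4-mapped address, plus two tunnel addresses.
SAMPLE_LOG = """\
deny src=2001:0DB8:0000:0000:0000:0000:0000:0001 dpt=22
deny src=2001:db8::1 dpt=22
deny src=[2001:db8:0:0::1]:51515 dpt=22
deny src=::ffff:192.0.2.7 dpt=22
deny src=192.0.2.7 dpt=22
allow src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dpt=443
allow src=2002:c000:22d::1 dpt=443
"""

def canonical(raw):
    """Map any textual form of an address to one canonical string."""
    text = raw.strip()
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?", text)   # [addr] or [addr]:port
    if m:
        text = m.group(1)
    text = text.split("%", 1)[0]                       # drop zone id (%eth0)
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)                     # ::ffff:a.b.c.d -> a.b.c.d
    return str(ip)                                     # compressed, lowercase

def tunnel_info(raw):
    """Return (mechanism, embedded IPv4) for Teredo / 6to4 addresses, else None."""
    ip = ipaddress.ip_address(canonical(raw))
    if ip.version != 6:
        return None
    if ip.teredo is not None:
        return ("teredo", str(ip.teredo[1]))           # de-obfuscated client IPv4
    if ip.sixtofour is not None:
        return ("6to4", str(ip.sixtofour))
    return None

def summarise(log):
    """Count events per canonical source and list tunnel-derived sources."""
    counts, tunnels = Counter(), {}
    for src in re.findall(r"\bsrc=(\S+)", log):
        addr = canonical(src)
        counts[addr] += 1
        info = tunnel_info(addr)
        if info:
            tunnels[addr] = info
    return counts, tunnels

if __name__ == "__main__":
    counts, tunnels = summarise(SAMPLE_LOG)
    print(counts.most_common())
    print(tunnels)
```

Without the normalisation step, the three spellings of `2001:db8::1` would count as three separate sources and a per-address threshold or blocklist match would miss them.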
@Brummelchen I never said I am an expert, case in point I come here to learn about defence and security, asking lots of questions, some stupid, some less so, but what you say is a bit controversial? On Windows systems, the SSDP service controls communication for the Universal Plug and Play feature (uPnP), with this you can seek uPnP vulnerabilities or get useful information on devices (during recon phase), it is recommended to be disabled in most hardening guides or on sites about defence and pentesting as it is an extended local plug and play to the Internet
IPv6 is useless on a private network (LAN). The main reason IPv6 exists is that IPv4 address allocation (WAN) is exhausted. IPv6 does provide some benefits, but nothing you're going to need on a simple home network. Microsoft/Apple ought to disable IPv6 by default unless it's really needed by your CPE.