IPv4 Server Hacked In 12 Minutes While IPv6 Server Remained Intact


Experiment proves that IPv4 servers can be taken down in 12 minutes while IPv6 servers prove resilient

Daniel Cid, Founder & CTO of Sucuri, carried out an experiment a few weeks ago to see how long it would take for IPv4-only and IPv6-only servers to be compromised via SSH brute force attacks.

Besides showing the security advantages IPv6 has over IPv4, the experiment also exposes the dangers of using factory-default or common username and password combinations to secure online servers.

To carry out the experiment, Cid set up ten servers at the start of the month and left their SSH ports exposed to external connections. He ran five servers on IPv4-only addresses, while the other five ran only on IPv6 addresses. The root password on both sets of servers was set to “password,” something that is strictly avoided in production environments.

According to Cid, the IPv4 experiment did not last very long: the first IPv4 server was hacked within 12 minutes, and the other four servers were hacked shortly afterwards. The hackers took only 20 seconds to brute-force the SSH root account.
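The 12-minute compromise above is visible in the server's own authentication log as a burst of failed password attempts from one source followed by an accepted root login. The script below is an added detection example (not code from Cid or Sucuri); it parses lines in the OpenSSH auth.log format, flags sources that exceed a failure threshold inside a sliding time window, and reports which accounts that source then logged into. The log lines are constructed for the example, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH auth.log format (not a log from the article):
# a password-guessing burst from one source ends in an accepted root login.
SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 ssh-test sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jun  1 10:00:03 ssh-test sshd[2104]: Failed password for root from 203.0.113.7 port 50130 ssh2
Jun  1 10:00:05 ssh-test sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 50141 ssh2
Jun  1 10:00:08 ssh-test sshd[2110]: Failed password for root from 203.0.113.7 port 50150 ssh2
Jun  1 10:00:11 ssh-test sshd[2113]: Failed password for root from 203.0.113.7 port 50162 ssh2
Jun  1 10:00:14 ssh-test sshd[2116]: Accepted password for root from 203.0.113.7 port 50170 ssh2
Jun  1 10:05:00 ssh-test sshd[2200]: Accepted publickey for deploy from 198.51.100.9 port 41000 ssh2
Jun  1 10:06:00 ssh-test sshd[2210]: Failed password for root from 198.51.100.22 port 41500 ssh2
"""

# Matches the "Failed password" / "Accepted publickey" lines sshd writes;
# other sshd messages (disconnects, key exchange) are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2023):
    """Return an event dict for an auth success/failure line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with `threshold` or more failures inside any window of
    `window_seconds`, and report which accounts they then logged into.
    Returns {ip: {"failures": n, "compromised_users": [...]}}."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in events_by_ip.items():
        fails = sorted(e["ts"] for e in events if e["result"] == "Failed")
        # sliding window: failures i .. i+threshold-1 must fit in the window
        burst = any(
            (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if not burst:
            continue
        last_fail = fails[-1]
        # an accepted login from the same source after the burst is the
        # signal that the guessing worked (the 20-second case in the article)
        users = sorted({e["user"] for e in events
                        if e["result"] == "Accepted" and e["ts"] >= last_fail})
        findings[ip] = {"failures": len(fails), "compromised_users": users}
    return findings

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, then logged in as {info['compromised_users']}")
```

On the sample, only 203.0.113.7 is flagged: five failures in ten seconds and then an accepted root login. The source with a single failure and the key-based deploy login are left alone, which is the distinction an alert on this log should make.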
The IPv6 servers, on the other hand, fared much better. According to Cid, after a week nobody had even scanned any of the IPv6 servers once, let alone hacked them.

“What we can draw from this is that the obscurity of IPv6 helps to minimize the noise of attacks,” Cid says. “Most likely, this is because it is more difficult to map the range of IPv6 addresses (2^128) than it is with the range of IPv4 addresses (2^32).”

In addition, so-called scan lists of IPv4 addresses are available online, which include the IP ranges of many of the well-known hosting providers; these also help attackers in hacking IPv4 servers.


However, that was not the end of the SSH brute force experiment. Before Cid could scrap the compromised IPv4 servers, he received a notice from Digital Ocean, which had detected a huge 800 Mbps SYN packet flood originating from the five hacked servers and intervened to shut them down:
We got alerted that SSH-TEST-SERVER-X was participating in a SYN flood along with 4 other droplets on 3 other customers aimed at 118.184.XX.YY. This was happening at about 800mbps or so; after pulling a tcpdump and validating the pcap we took action on all 4 droplets.

Right now the droplet has the networking disabled to stop the outgoing attack, and please let us know if we can help resolve this.

Regards,
Trust & Safety,
Digital Ocean Support
Apparently, the attacker had already downloaded the Linux/XOR.DDoS malware and was busy launching attacks against a Chinese website.

The conclusion of the experiment is that you cannot set up online servers and defer changing the root password until later. You can very easily lose control of a server within 15 minutes and have to start all over again. From the moment servers are connected to the internet, all security mechanisms need to be up and running.
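The mechanisms that have to be in place before the SSH port goes online are mostly a handful of sshd_config settings: no password login for root, keys instead of passwords, and few guesses per connection. The audit below is an added example (not Cid's or Sucuri's tooling) that parses an sshd_config fragment the way sshd does, with the first value for a keyword winning and parsing stopping at the first Match block, fills in OpenSSH's defaults for absent keywords (the OpenSSH 7.0+ defaults as I know them), and lists the settings that would have left the experiment's servers open. Both config fragments are constructed for the example.

```python
import re

# Constructed sshd_config fragments (not the article's own files): the first
# reflects what left the experiment's servers exposed, the second is hardened.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
"""

# Values sshd applies when a keyword is absent (assumed: OpenSSH 7.0+ defaults);
# note that an absent PasswordAuthentication still means "yes".
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

def parse_sshd_config(text):
    """Keyword (lower-cased) -> effective value. Follows sshd's rule that the
    first value given for a keyword wins; parsing stops at the first Match
    block, whose settings are conditional and not evaluated here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        # "Key value", "Key=value" and "Key = value" are all accepted by sshd
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first value wins
    return settings

def audit_sshd_config(text):
    """Return (keyword, effective value, why it matters) for each weak setting."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append(("PermitRootLogin", cfg["permitrootlogin"],
                         "root's password can be guessed over the network; use 'no' or 'prohibit-password'"))
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append(("PasswordAuthentication", cfg["passwordauthentication"],
                         "passwords can be brute-forced; use keys and set 'no'"))
    if cfg["permitemptypasswords"].lower() == "yes":
        findings.append(("PermitEmptyPasswords", cfg["permitemptypasswords"],
                         "accounts with empty passwords can log in"))
    if cfg["maxauthtries"].isdigit() and int(cfg["maxauthtries"]) > 3:
        findings.append(("MaxAuthTries", cfg["maxauthtries"],
                         "more than 3 guesses per connection; lower it"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for keyword, value, why in audit_sshd_config(cfg):
            print(f"  {keyword} {value}: {why}")
```

The weak fragment yields three findings and the hardened one none. An empty file still yields two, because sshd's defaults leave password authentication on and allow six tries per connection; that is why the audit merges defaults before checking rather than only reporting what is written down.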