2013-06-06

June 6th is known as World IPv6 Day so we thought it was a good time to
look at the trends in IPv6 usage across CloudFlare's network. Two big
themes we've seen: 1) IPv6 usage is growing steadily, but at the current
pace we're still going to be living with IPv4 for many years to come;
and 2) while the majority of IPv6 traffic comes from legitimate users on
mobile networks, attackers too are beginning to launch attacks over the
protocol.

IPv6 Growth

CloudFlare has supported IPv6 on our network for the last year and a
half. We have become one of the largest providers of the IPv6 web
because we offer a free IPv6 gateway
that allows any website to be available
over IPv6 even if a site's origin network doesn't yet support the
protocol. For the last year, we've enabled IPv6 for customers on
CloudFlare by default. Today, IPv6 is enabled for more than 1 million of
our customers' websites.

Since the beginning of 2013, IPv6 connections as a percentage of
CloudFlare's total traffic have fluctuated daily, from a minimum of
0.849% on January 5 to a maximum of 1.645% on June 3, 2013. If you look
at the overall trend, IPv6 connections to our network have grown 26.5%
since the start of the year.



Digging into where IPv6 connections are coming from, it appears the
majority of the growth has been from mobile network providers.
Increasingly, traffic from mobile devices to the web has passed over
IPv6. We saw a significant drop in IPv6 connections from mid-March
through early April, when a large mobile operator appears to have
disabled and then reenabled IPv6 connectivity from their network.

While the overall increase in IPv6 usage is encouraging, the trend
unfortunately indicates we are going to be living with IPv4 for some
time to come. At current growth rates, assuming adoption of IPv6 is
linear, it will take almost 67 years for IPv6 connections to surpass
IPv4 connections and the last IPv4 connection won't be retired until
May 10, 2148.

Things are a bit more optimistic if IPv6 adoption turns out to be
exponential rather than linear. In that case, IPv6 connections will
surpass IPv4 in about 5 years and 9 months. Not long thereafter, we'll
extinguish IPv4 entirely on January 10, 2020. Our guess is the reality
will be somewhere between the linear and exponential case. Regardless
of what IPv6's adoption curve looks like, as a CloudFlare user you're
covered. We anticipate we will be operating a dual-stack network with
both IPv4 and IPv6 support for all our customers until IPv4 is fully
retired, whether that takes 7 years or 140.

IPv6 Attacks



While the majority of IPv6 connections today are coming from legitimate
users on mobile networks, over the last two months we've seen a marked
increase in the number of IPv6-based web attacks. Largely these have
been DDoS attacks. The attacks have typically been both Layer 4 (e.g.,
SYN floods) and Layer 7 (e.g., application layer attacks).

To date, the IPv6-based DDoS attacks have been relatively modest. The
largest we've seen to date generated approximately 3 gigabits per second
of traffic and accompanied a much larger traditional IPv4-based DDoS.

While a novelty, these attacks don't cause significant harm to
CloudFlare's systems. We designed CloudFlare anticipating the transition
to IPv6, so our defenses assume an IPv6-enabled world. We speculate,
however, that attackers may be targeting IPv6 as a way of bypassing
older protections that rely largely on IPv4 blacklists.

IPv6 makes a strict blacklist on a per-IP basis much more challenging
since the number of addresses available to an attacker can be
significantly larger. This is a challenge that large blacklist operators
like Spamhaus are currently thinking
through. While IPv6 can present a challenge to some attack filtering
strategies, it also presents opportunities. For example, since IPv6
reduces the need for NATs and provides users addresses that are routable
all the way to the end device, we believe over time IPv6 will provide
the ability to build significantly more accurate whitelists.
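
To make the per-IP blacklist problem concrete, here is an added example
(not CloudFlare's code) that counts requests per exact address and per
aggregated prefix over a constructed client list. The /64 aggregation
width, the threshold and the function names are assumptions for
illustration; a /64 can also be shared by many legitimate users.

```python
import ipaddress
from collections import Counter

def block_key(addr, v6_prefix=64):
    """Return the network a blocklist or rate limiter should key on.

    IPv4 stays per-address (/32). IPv6 is widened to v6_prefix bits
    (assumed /64 here) so that rotating the low bits of the address
    does not produce a fresh, unlisted identity for every request.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
    if ip.version == 4:
        return ipaddress.ip_network(f"{ip}/32")
    return ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False)

def find_offenders(clients, threshold, v6_prefix=64):
    """Compare what a per-IP list and a per-prefix list would flag."""
    per_ip = Counter(str(ipaddress.ip_address(c)) for c in clients)
    per_net = Counter(block_key(c, v6_prefix) for c in clients)
    return {
        "per_ip": sorted(ip for ip, n in per_ip.items() if n >= threshold),
        "per_net": sorted(str(net) for net, n in per_net.items()
                          if n >= threshold),
    }

# Constructed sample (documentation address ranges only):
#  - one source spreading six requests over six addresses in one /64
#  - one ordinary IPv6 client making two requests
#  - one IPv4 client making five requests from a single address
SAMPLE_CLIENTS = (
    [f"2001:db8:bad:1::{i:x}" for i in range(1, 7)]
    + ["2001:db8:cafe:7::10"] * 2
    + ["198.51.100.7"] * 5
)

if __name__ == "__main__":
    result = find_offenders(SAMPLE_CLIENTS, threshold=5)
    print("flagged per exact IP:", result["per_ip"])
    print("flagged per prefix:  ", result["per_net"])
```

With the sample data the per-address count never sees the rotating IPv6
source cross the threshold, while the per-prefix count does.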

We will continue to monitor overall IPv6 growth rates as well as
interesting trends in IPv6-based attacks. In the meantime, there's no
better way to celebrate World IPv6 Day than
signing up for CloudFlare
and ensuring your site is automatically available for the increasing
percentage of users that are accessing it over IPv6. It's free and will
only take you 5 minutes to join the modern web.
