Quick look – IPv6 vs IPv4 security – comparing drop rate on firewalls

Scanning the Internet on IPv4 vs. IPv6

When you first get IPv6 deployed operationally, you start to notice certain things. One of the things I noticed is how much less frequently IPv6 space is scanned by malicious hosts on the Internet.

 

Normally, when you put an IPv4 public IP on a router or firewall, you’ll see drops start incrementing within seconds due to the high volume of scanning that happens on the Internet.

 

However, because the IPv6 space is so vast, it makes it difficult (but not impossible) to scan. This slows down attackers quite a bit.

 

Taking that thought even further, out of the compromised hosts and network devices on the internet used to initiate attacks and scanning, only a small fraction of them are IPv6 enabled, so for the moment at least, that reduces the amount of malicious traffic coming into your network significantly.

Comparing IPv4 and IPv6 drops on a live network

It’s one thing to discuss this, but seeing it in action helps quite a bit to compare the difference in the two protocols.

 

Below are screenshots we put together to illustrate just how big of a difference IPv6 makes using stats from a dual stacked IPA MikroTik border router

 

in 30 days, the IPv4 firewall dropped 935,216 packets

in 30 days IPv6 firewall dropped 0 packets

 

That’s right….zero packets!