Address family exploitation (MP-BGP)
Attack pattern
Address family exploitation refers to attacks that target the interaction between different network address families, primarily IPv4 and IPv6, in networks where both protocols coexist. These attacks exploit inconsistencies, misconfigurations and implementation differences between address families to bypass security controls, intercept traffic or cause service disruption. In the routing plane the two families meet in multiprotocol BGP (MP-BGP, RFC 4760), which carries each family's reachability as a separate AFI/SAFI so that IPv4 and IPv6 policy are configured, and overlooked, independently; on hosts they meet in dual-stack socket APIs, transition mechanisms (translation and tunnelling) and per-family filtering. As organisations run dual-stack configurations and transition mechanisms, attackers target the seams between the two stacks rather than either protocol on its own.
1. Address family exploitation [OR]
1.1 Protocol preference manipulation [OR]
1.1.1 DNS-based attack vector
1.1.1.1 AAAA record poisoning to force IPv6 connectivity
1.1.1.2 DNS64 manipulation for malicious translation
1.1.1.3 Forced protocol selection through DNS manipulation
1.1.2 Happy eyeballs exploitation
1.1.2.1 Timing attacks to influence protocol selection
1.1.2.2 Artificial latency injection to force preferred protocol
1.1.2.3 Algorithm manipulation to bypass security controls
1.1.3 Application-level preference abuse
1.1.3.1 API manipulation to force specific address family
1.1.3.2 Socket option manipulation for protocol forcing
1.1.3.3 Library-level address family exploitation
1.2 Transition mechanism attacks [OR]
1.2.1 Translation protocol exploitation
1.2.1.1 NAT64/NAT46 state table manipulation
1.2.1.2 SIIT (stateless IP/ICMP translation) exploitation
1.2.1.3 MAP-T (mapping of address and port using translation) attacks
1.2.2 Tunnelling protocol vulnerabilities
1.2.2.1 6to4 relay exploitation
1.2.2.2 Teredo tunnel manipulation
1.2.2.3 ISATAP (intra-site automatic tunnel addressing protocol) attacks
1.2.3 Dual-stack implementation flaws
1.2.3.1 Stack selection algorithm manipulation
1.2.3.2 Fallback mechanism exploitation
1.2.3.3 Simultaneous connection abuse
1.3 Security control bypass [OR]
1.3.1 Asymmetric policy enforcement
1.3.1.1 IPv4-only security policy evasion via IPv6
1.3.1.2 Differential firewall rule exploitation
1.3.1.3 Protocol-specific ACL bypass
1.3.2 Monitoring evasion
1.3.2.1 IPv6 blind spot exploitation
1.3.2.2 Logging inconsistency manipulation
1.3.2.3 Forensic evidence separation
1.3.3 Authentication bypass
1.3.3.1 Protocol-specific authentication mechanism flaws
1.3.3.2 Cross-protocol credential reuse
1.3.3.3 Address family confusion in access controls
1.4 Routing and path manipulation [OR]
1.4.1 BGP address family interworking
1.4.1.1 Multiprotocol BGP manipulation
1.4.1.2 Route redistribution exploitation
1.4.1.3 Address family-specific path preference manipulation
1.4.2 ICMP manipulation across families
1.4.2.1 ICMP error message translation attacks
1.4.2.2 Path MTU discovery exploitation
1.4.2.3 Redirect message manipulation
1.4.3 MPLS label stack manipulation
1.4.3.1 IPv6-over-IPv4 label switching attacks
1.4.3.2 Layer 3 VPN address family confusion
1.4.3.3 Pseudowire address family exploitation
1.5 Application layer exploitation [OR]
1.5.1 HTTP protocol manipulation
1.5.1.1 Dual-stack web application exploitation
1.5.1.2 Content preference manipulation (IPv4 vs IPv6)
1.5.1.3 Protocol-specific content delivery network exploitation
1.5.2 Email protocol attacks
1.5.2.1 SMTP address family manipulation
1.5.2.2 DNS MX record preference exploitation
1.5.2.3 Cross-protocol email routing attacks
1.5.3 Voice and video exploitation
1.5.3.1 SIP protocol address family manipulation
1.5.3.2 RTP stream protocol forcing
1.5.3.3 Real-time communication protocol downgrade
1.6 Operating system implementation attacks [OR]
1.6.1 Dual-stack socket API exploitation
1.6.1.1 getaddrinfo() behaviour manipulation
1.6.1.2 Address selection policy table poisoning
1.6.1.3 Source address selection algorithm exploitation
1.6.2 Kernel protocol stack vulnerabilities
1.6.2.1 IPv4/IPv6 stack interaction flaws
1.6.2.2 Memory corruption across protocol stacks
1.6.2.3 Resource exhaustion through stack interaction
1.6.3 Network stack configuration manipulation
1.6.3.1 Registry/database poisoning for protocol preferences
1.6.3.2 Service configuration manipulation
1.6.3.3 Protocol stack disabling attacks
1.7 Cloud and virtualisation targeting [OR]
1.7.1 Multi-cloud address family exploitation
1.7.1.1 Cross-cloud protocol preference manipulation
1.7.1.2 Cloud provider-specific address family implementation flaws
1.7.1.3 Hypervisor network stack exploitation
1.7.2 Container networking attacks
1.7.2.1 Docker network driver address family manipulation
1.7.2.2 Kubernetes CNI plugin exploitation
1.7.2.3 Container-to-host protocol stack attacks
1.7.3 SDN controller exploitation
1.7.3.1 OpenFlow address family manipulation
1.7.3.2 Network function virtualisation exploitation
1.7.3.3 Software-defined WAN address family attacks
1.8 Resource exhaustion attacks [OR]
1.8.1 Memory consumption attacks
1.8.1.1 Dual-stack connection table exhaustion
1.8.1.2 Translation state table overflow
1.8.1.3 Protocol buffer memory exhaustion
1.8.2 CPU utilisation attacks
1.8.2.1 Translation processing overload
1.8.2.2 Protocol stack context switching exhaustion
1.8.2.3 Cryptographic overhead exploitation
1.8.3 Network resource consumption
1.8.3.1 Bandwidth exhaustion through protocol amplification
1.8.3.2 Routing table memory exhaustion
1.8.3.3 Control plane saturation
1.9 Evasion and persistence techniques [OR]
1.9.1 Detection evasion
1.9.1.1 Protocol hopping for stealth
1.9.1.2 Cross-family traffic splitting
1.9.1.3 Forensic evidence separation
1.9.2 Persistent access maintenance
1.9.2.1 Dual-protocol backdoors
1.9.2.2 Fallback channel establishment
1.9.2.3 Protocol-specific persistence mechanisms
1.9.3 Advanced anti-forensics
1.9.3.1 Cross-protocol log manipulation
1.9.3.2 Forensic timeline disruption
1.9.3.3 Evidence distribution across address families
1.10 Zero-day and emerging threat vectors [OR]
1.10.1 Protocol interworking zero-days
1.10.1.1 Unknown translation vulnerabilities
1.10.1.2 Emerging transition mechanism flaws
1.10.1.3 New dual-stack implementation vulnerabilities
1.10.2 Architecture-specific exploits
1.10.2.1 IoT protocol stack exploitation
1.10.2.2 5G network address family attacks
1.10.2.3 Edge computing protocol manipulation
1.10.3 AI-enhanced attacks
1.10.3.1 Machine learning for protocol vulnerability discovery
1.10.3.2 Adaptive protocol selection attacks
1.10.3.3 Intelligent evasion techniques
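The protocol-preference branches of the tree (1.1.2 Happy Eyeballs exploitation, 1.2.3.2 fallback mechanism exploitation and 1.6.1.2 address selection policy table poisoning) all act on the same two client-side mechanisms: the RFC 6724 policy table that orders getaddrinfo() results, and the RFC 8305 race the application then runs over that order. The following added example (written for this page, not code from the original) simulates both with constructed addresses, latencies and policy tables, and shows that either a poisoned precedence row or injected latency on the IPv6 path hands the connection to IPv4. The names `pick_address`, `POISONED_POLICY`, `simulated_connect` and the latency figures are assumptions made for the illustration; no real sockets or DNS are used.

```python
"""Dual-stack protocol-preference manipulation, simulated (added example)."""
import asyncio
import ipaddress

# RFC 6724 section 2.1 default policy table rows: (prefix, precedence, label).
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # IPv4 destinations, as the selection rules see them
    ("2002::/16", 30, 2),       # 6to4
    ("2001::/32", 5, 5),        # Teredo
    ("fc00::/7", 3, 13),
]

# Constructed "poisoned" gai.conf: one extra row with a precedence above ::/0
# makes every IPv4 destination outrank every IPv6 destination (tree item 1.6.1.2).
POISONED_POLICY = [("::ffff:0:0/96", 100, 4)] + DEFAULT_POLICY


def _as_v6(addr):
    """Represent IPv4 as IPv4-mapped IPv6 so one policy table serves both families."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}") if ip.version == 4 else ip


def lookup_policy(addr, policy=DEFAULT_POLICY):
    """Longest-prefix match of addr against the policy table -> (precedence, label)."""
    ip, best = _as_v6(addr), None
    for prefix, prec, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def sort_destinations(addrs, policy=DEFAULT_POLICY):
    """Simplified RFC 6724 destination ordering: only rule 6 (higher precedence
    first) is applied; the stable sort keeps resolver order for ties."""
    return sorted(addrs, key=lambda a: -lookup_policy(a, policy)[0])


async def _attempt(addr, connect):
    try:
        return addr, bool(await connect(addr))
    except OSError:
        return addr, False


def _winner(done):
    for task in done:
        addr, ok = task.result()
        if ok:
            return addr
    return None


async def happy_eyeballs(addrs, connect, attempt_delay=0.1):
    """RFC 8305 race: start addrs in order, launching the next one every
    attempt_delay seconds (RFC default is 250 ms) unless one has connected;
    the first successful connect wins and the remaining attempts are cancelled."""
    pending = set()
    for addr in addrs:
        pending.add(asyncio.ensure_future(_attempt(addr, connect)))
        done, pending = await asyncio.wait(
            pending, timeout=attempt_delay, return_when=asyncio.FIRST_COMPLETED)
        if (win := _winner(done)) is not None:
            for t in pending:
                t.cancel()
            return win
    while pending:  # every candidate has been started; wait for stragglers
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        if (win := _winner(done)) is not None:
            for t in pending:
                t.cancel()
            return win
    return None


def simulated_connect(latency):
    """Fake connect(): latency maps address -> seconds until the connect
    succeeds, or None for a blackholed path (fails like socket.connect)."""
    async def connect(addr):
        if latency.get(addr) is None:
            raise OSError("no route to host")
        await asyncio.sleep(latency[addr])
        return True
    return connect


def pick_address(addrs, latency, policy=DEFAULT_POLICY, attempt_delay=0.1):
    """Resolver answer -> policy-table ordering -> race; returns the address the
    application actually ends up using, or None if nothing connected."""
    ordered = sort_destinations(addrs, policy)
    return asyncio.run(happy_eyeballs(ordered, simulated_connect(latency), attempt_delay))


if __name__ == "__main__":
    cands = ["2001:db8::1", "192.0.2.1"]  # constructed dual-stack DNS answer
    healthy = {"2001:db8::1": 0.02, "192.0.2.1": 0.02}
    slowed = {"2001:db8::1": 0.5, "192.0.2.1": 0.02}   # 1.1.2.2 latency injection
    blackholed = {"2001:db8::1": None, "192.0.2.1": 0.02}  # 1.2.3.2 fallback abuse
    print("healthy       ->", pick_address(cands, healthy))
    print("v6 delayed    ->", pick_address(cands, slowed))
    print("v6 blackholed ->", pick_address(cands, blackholed))
    print("poisoned table->", pick_address(cands, healthy, POISONED_POLICY))
```

The first call returns the IPv6 address; the other three return the IPv4 address, each through a different knob. A practitioner checking a host for 1.6.1.2 compares the live `/etc/gai.conf` (or the platform equivalent) against the RFC 6724 default table, and a network-side control for 1.1.2.2 is to alert when IPv6 connect times to a destination rise while IPv4 stays flat.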
Why it works
Protocol complexity: The interaction between IPv4 and IPv6 creates a large attack surface with numerous implementation inconsistencies and edge cases
Differential security policies: Many organisations implement different security controls for IPv4 and IPv6, creating opportunities for bypasses
Monitoring gaps: IPv6 traffic is often less monitored than IPv4, providing opportunities for stealthy attacks
Transition mechanism vulnerabilities: Translation technologies (NAT64, SIIT) and tunnelling protocols introduce new attack vectors
Implementation inconsistencies: Different operating systems and network devices handle dual-stack environments differently, so the same policy, filter or address selection rule can behave one way for IPv4 and another for IPv6
Skill gap: Many network administrators have less experience with IPv6, leading to misconfigurations and security oversights
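The differential-policy and monitoring-gap points above are straightforward to check for on a host, because the IPv4 and IPv6 packet filters are separate tables with separate default policies. The following added example (not code from the page) parses constructed iptables-save and ip6tables-save output for the INPUT chain and lists services that one family drops while the other accepts, which is exactly the gap tree item 1.3.1.1 relies on. It understands only the plain `-A <chain> -p <proto> [-m <proto>] --dport <port> -j <target>` rule form; anything else is reported as unparsed rather than silently treated as "no rule". The rule sets, the `find_asymmetries` name and the port list are constructed assumptions.

```python
"""Asymmetric IPv4/IPv6 filter policy check for one host (added example)."""
import re

# Constructed rule sets. The IPv4 side is a typical allow-list with a DROP
# policy; the IPv6 side is the common "never configured" state: ACCEPT policy
# plus one rule copied over from the IPv4 configuration.
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(?P<chain>\S+) (?P<policy>ACCEPT|DROP)\b")
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+)"
    r"(?: -p (?P<proto>tcp|udp))?(?: -m (?:tcp|udp))?"
    r"(?: --dport (?P<port>\d+))?"
    r" -j (?P<target>ACCEPT|DROP|REJECT)$"
)


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules, unparsed) for one chain. rules is an ordered list
    of (proto, port, target) with None as a wildcard; first match wins."""
    policy, rules, unparsed = None, [], []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m and m["chain"] == chain:
            policy = m["policy"]
            continue
        if not line.startswith(f"-A {chain} "):
            continue
        m = RULE_RE.match(line)
        if m:
            port = int(m["port"]) if m["port"] else None
            rules.append((m["proto"], port, m["target"]))
        else:
            unparsed.append(line)  # interface, source, state... rules: verify by hand
    return policy, rules, unparsed


def verdict(parsed, proto, port):
    """Verdict for an inbound proto/port: first matching rule, else chain policy."""
    policy, rules, _ = parsed
    for rproto, rport, target in rules:
        if (rproto is None or rproto == proto) and (rport is None or rport == port):
            return target
    return policy


def find_asymmetries(v4_text, v6_text, checks, chain="INPUT"):
    """For each (proto, port) in checks return (proto, port, v4_verdict,
    v6_verdict) where one family accepts and the other does not."""
    v4, v6 = parse_chain(v4_text, chain), parse_chain(v6_text, chain)
    out = []
    for proto, port in checks:
        a, b = verdict(v4, proto, port), verdict(v6, proto, port)
        if (a == "ACCEPT") != (b == "ACCEPT"):
            out.append((proto, port, a, b))
    return out


if __name__ == "__main__":
    checks = [("tcp", 22), ("tcp", 443), ("tcp", 3306), ("udp", 53)]
    for row in find_asymmetries(V4_RULES, V6_RULES, checks):
        print("asymmetric: %s/%d  v4=%s  v6=%s" % row)
    for fam, text in (("v4", V4_RULES), ("v6", V6_RULES)):
        for line in parse_chain(text)[2]:
            print(f"unparsed {fam} rule, verify by hand: {line}")
```

On the constructed input, tcp/3306 and udp/53 are dropped by the IPv4 policy but accepted by the IPv6 policy, while the loopback and ICMPv6 rules are listed as unparsed so the reviewer knows they were not evaluated. The same comparison applied to nftables, cloud security groups or host IDS rules is the practical test for the "differential security policies" and "monitoring gaps" points.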