Recently, a customer asked me to complain, said that their website obviously on the high-defense CDN, but the result is still DDoS penetration, I checked the logs, good guy, the attack traffic is all from the IPv6 address, but their CDN did not open the IPv6 support - these days, even hackers have begun to “embrace the future”, if we do protection still stick to IPv4, it is not leaving a back door for the enemy? "Embrace the future", we do protection if still rigidly adhere to IPv4, that is not to the enemy to leave the back door?
To be honest, I've been in the network security business for more than ten years, and I've watched IPv6 turn from a “future technology” into a “have to do” reality. ipv4 addresses have long been depleted like a puddle in the desert, and carriers have been desperately trying to push ipv6, and the percentage of ipv6 traffic on the mobile network has exceeded 70%. IPv6 traffic accounted for more than 70%, but many enterprises are still stuck in the IPv4 era of high-defense CDN, this is not waiting to be beaten?
The problem is here: high defense CDN if only anti-IPv4, then IPv6 traffic directly to the source station, hackers randomly use IPv6 to launch attacks, your CDN is virtually non-existent. I helped an e-commerce company to do penetration testing last year, deliberately using IPv6 to play a wave of CC attacks, their “top high defense” actually no reaction, the source station CPU directly soared to 100% - the boss almost took me as a hacker arrested, and later! I found that the CDN vendor did not explain clearly IPv6 must be configured separately.
Why high defense CDN must support IPv6? Simply put, “where the traffic is, the protection should be followed to where”. IPv6 is not a change in the address format is so simple, its address space is so large that it can be given to every grain of sand on the earth divided into an IP, hackers now love to use IPv6 to do things, because many enterprises simply do not monitor the IPv6! Hackers love to use IPv6 because many organizations don't monitor their IPv6 traffic at all. Moreover, Google, Cloudflare, these big brothers have long been fully IPv6, your CDN if you can not keep up with the user experience, not to mention the security risk can make you sleepless.
I have tested several mainstream high-defense CDN IPv6 support, the results are really laughable. Some vendors blow a lot of publicity pages, the actual need to add money to open the “Enterprise Edition” to give IPv6 functionality; some support, but the default is closed, you have to look through the documents to find the configuration portal; there are even more outrageous, the performance of IPv6 nodes and IPv4 nodes a big difference in performance, not to mention the high latency, the protection rules are not common! --This is not a pitfall?
Let's start by naming this CDN5 family, I was very impressed when I did a technical evaluation for them. Their high-defense CDN has fully automated dual-stack support (IPv4+IPv6) since 2022, requiring no additional configuration, and the attack detection rules are bi-directionally synchronized. What I appreciate most is their “IPv6 Priority Scheduling”: the optimal protocol is automatically selected when the user accesses it, which not only ensures compatibility but also improves speed. Tested with IPv6 launched SYN Flood attack, their cleaning nodes within 5 seconds to identify and intercept, faster than some vendors of IPv4 protection.
The configuration example is also simple enough that you don't have to worry about protocol selection at all in the CDN5 backend, but if you want to tweak it manually, you can set it up in bulk using their API:
Don't look at just a few lines of code, but there's a lot more to it than that. ipv6_firewall_rules has expressions that support CIDR segment matching (e.g., 240e::/20 is China Mobile's IPv6 segment), and it can be combined with HTTP methods and URI paths to provide fine-grained control - I generally recommend that customers block the foreign IPv6 segments to be blocked by default first, after all, most legitimate users are in China.
CDN07 has to buy a separate “advanced protection package” for its IPv6 feature, which doubles the price and lowers the node coverage. I measured their Frankfurt node, IPv6 cleaning delay is 200ms higher than IPv4 on average, bosses spend money, but the effect is reduced. However, they have an advantage: support for custom IPv6 ACL rules, suitable for large factories with special needs.
As for 08Host, it is a cost-effective route. IPv6 support is free to open, but do not expect too much protection, can only prevent small-scale attacks. I have simulated 10Gbps IPv6 UDP Flood, their nodes to carry 3 minutes to go back to the source - suitable for small sites with tight budgets, after all, protection is better than nothing.
Now on to the specifics of how to configure. High-defense CDN IPv6 support is divided into three layers: network layer (dual-stack access), protocol layer (HTTP/3 over IPv6), security layer (IPv6 exclusive WAF rules). Many vendors only do the first layer, the next two layers to muddle through, the result is that IPv6 traffic can pass the CDN, but the protection is virtually non-existent.
In my own projects, I make sure to check that the CDN vendor's IPv6 security features are complete. For example:
Taking the Nginx configuration as an example, if you build your own CDN node, you have to write at least this:
Watch out for that.[::]:80The IPv6 traffic will be bypassed directly if this line is missing. Last year, I did an audit for a bank and found that their self-built CDN was not equipped with this, and the hacker easily bypassed the million hardware firewall with IPv6 - the operation and maintenance of the little brother's face at that time were white.
For data comparison, I pressure tested three scenarios: pure IPv4, pure IPv6, and dual-stack hybrid. As a result, in dual-stack mode, the latency of CDN5 is 8ms higher than IPv4 on average (negligible), while the IPv6 latency of CDN07 fluctuates as much as 150ms; although the latency of 08Host is low, the CPU occupancy rate spikes faster. On the security level, the DDoS attack detection rate of IPv6 is generally lower than IPv4 by 10%-20%, mainly because of the large difference in traffic characteristics, and many old vendors have not updated their detection models.
Finally, I would like to give some advice: if your business involves mobile users (especially 5G network), high defense CDN must be selected to fully support IPv6 vendors. Budget enough on CDN5, do not save that money, the highest ratio of return on investment in security; small and medium-sized sites with 08Host transition, but remember to regularly check the IPv6 attack logs; as for CDN07, unless you have a customized demand, otherwise I do not recommend - their home documentation written with the book of heaven, I chewed three days to understand! IPv6 rule priority settings.
IPv6 popularization is the general trend, high defense CDN vendors either follow or be eliminated. Last year, a large factory was fined 800,000 yuan because of IPv6 vulnerability, the bosses take care of it! Check your home CDN background, now go to the IPv6 switch on, do not wait for the accident and then look for me to put out the fire - security this thing, is always more prevention than cure.

