Google IPv6 crossed 50%, your IPv4 controls didn't follow

Google's IPv6 traffic crossed 50 percent. IPv4-era controls don't see IPv6 - the kernel, NDP, scanning, and telemetry reality for defenders.


Google’s public IPv6 measurement crossed 50 percent. Half the users reaching Google now arrive over IPv6. The metric is sampled continuously at Google’s edge and counts real terminating connections, not survey responses. A protocol that ran as a minority overlay for two decades is now the majority transport for one of the largest properties on the internet.

IPv6 is not the vulnerability. The protocol is sound. The exposure is that controls written for IPv4 do not see IPv6, and IPv6 is enabled by default on every modern endpoint, server, and mobile carrier network. Default-on dual stack is the condition. Detection parity is the gap.

Crossing majority flips an assumption. While IPv6 was a minority transport, an operator could treat it as an edge case - present on some segments, absent on most, safe to under-prioritise. At half of Google’s traffic the default reverses. An attacker can assume an IPv6 path exists and is reachable rather than probe for one. A defender can no longer treat IPv6 visibility as optional coverage for a fringe protocol. The transport carrying half the traffic is not a fringe protocol.

Start with the dual-stack blind spot. A host with both stacks active prefers IPv6 when a AAAA record resolves - Happy Eyeballs, RFC 8305, races both paths and IPv6 frequently wins. Egress filtering, ACLs, and proxy enforcement built around IPv4 ranges do not apply to a connection that never touches IPv4. The firewall rule exists. The traffic routes around it. This is defense evasion by configuration, not by attacker action. MITRE T1599, network boundary bridging, describes the class. The attacker does not need a technique. The network supplies one.

Then the kernel surface. CVE-2024-38063. Remote unauthenticated RCE in the Windows TCP/IP stack, tcpip.sys, CVSS v3.1 base 9.8. The root cause is an integer underflow during IPv6 packet processing that drives a buffer overflow in kernel memory. The attacker controls a field that feeds a size calculation, the calculation underflows, and a subsequent copy overruns a kernel pool allocation. The primitive is kernel pool corruption reachable from an unauthenticated remote packet. No authentication. No user interaction. The only precondition is that crafted IPv6 packets reach the target. Microsoft rated it Exploitation More Likely and flagged it wormable. It affects Windows 10, Windows 11, and Server builds back to 2008. IPv6 cannot be cleanly removed as mitigation - Microsoft does not support disabling the stack components - so the patch is the boundary. Every host that processes an inbound IPv6 packet before patching is reachable. With IPv6 on by default, that is most of them. Pre-auth, no interaction, ring 0 - the most dangerous shape a network bug takes.

CVE-2024-38063 is not the first. CVE-2020-16898, Bad Neighbor, was a stack overflow in the same driver, triggered by a malformed ICMPv6 Router Advertisement carrying an RDNSS option with an even-length field. CVSS 9.8. The difference is reach. Bad Neighbor required link-local access - the attacker on the same segment. CVE-2024-38063 is routable. As IPv6 routing reaches more of the internet, the population of hosts where a routable IPv6 packet arrives unfiltered grows. The bug class - memory corruption in IPv6 parsing inside kernel network drivers - is not exhausted.

The link-local layer is where the cheap attacks live. IPv6 hosts autoconfigure through SLAAC and Neighbor Discovery. A host accepts Router Advertisements to learn its default gateway and prefix. Base NDP authenticates nothing about the advertiser. A rogue RA installs an attacker as the default route. The result is adversary-in-the-middle, MITRE T1557, against every host on the segment that accepts the advertisement. The THC-IPv6 toolkit has shipped fake_router6, flood_router6, and parasite6 for over a decade. RA Guard is the switch-level control. RA Guard is also bypassable - fragmenting the RA across IPv6 extension headers pushes the ICMPv6 type beyond where many switch ASICs inspect, and the malicious advertisement passes. RFC 7113 documented the evasion. Hardware that has not been updated still falls to it.

The claim that IPv6 simplifies scanning is wrong, and the correction matters operationally. A single /64 subnet holds 2^64 addresses. At one million packets per second, exhaustive enumeration of one subnet runs roughly 580,000 years. IPv4-style mass sweeps are dead in IPv6. What replaces them is targeted enumeration. Administrators assign memorable low-byte addresses - ::1, ::2, ::53. EUI-64 interface identifiers embed the MAC and leak the vendor OUI. Forward and reverse DNS, NSEC zone walking on DNSSEC-signed reverse zones, certificate transparency logs, and passive harvesting from server access logs all yield live IPv6 addresses without sending a packet to the target. Published IPv6 hitlists aggregate millions of responsive addresses. Tooling - alive6 and scan6 from THC-IPv6, ZMapv6 - runs on these inputs. Reconnaissance does not get easier. It moves from brute force to enumeration, MITRE T1590.005 and T1596, and the channels it moves to are ones IPv4-era monitoring rarely watches.

The vast subnet also enables a denial-of-service specific to IPv6. Sending traffic to many addresses in an off-link /64 forces the last-hop router to perform Neighbor Discovery for each destination, creating neighbor cache state and queuing packets while it waits for resolution. RFC 6583 documented the exhaustion - the neighbor cache fills, legitimate resolution fails, the segment degrades. The address space that defeats scanning becomes a resource-exhaustion primitive against the router that serves it.

Amplification does not change character under IPv6. DNS and NTP reflection produce the same factors regardless of IP version, because the amplifier is the application protocol, not the network layer. What IPv6 changes is addressing. There is no NAT. Every host is globally routable by design. The accidental obscurity NAT gave IPv4 internal hosts - never a control, but a frequent side effect of one - is gone. Reflectors and victims are directly addressable. Source rotation is the sharper problem. An attacker controlling one allocated /64 holds 2^64 source addresses. Per-IP rate limiting and per-IP reputation collapse against that. Blocking individual IPv6 addresses is theatre when the adversary never reuses one.

Transition mechanisms add their own paths. Teredo, 6to4, and ISATAP encapsulate IPv6 inside IPv4 to cross IPv4-only segments. On a network that monitors IPv4 and assumes IPv6 is absent, an encapsulated tunnel is a covert channel carrying traffic the IPv4 inspection stack does not decode; MITRE T1572, protocol tunneling, and T1095, non-application-layer protocol, describe the class. Teredo punches through NAT over UDP and shipped enabled on consumer Windows for years. An endpoint with an active transition tunnel holds a route the network map does not show. The defender inventories IPv4 and one IPv6 prefix. The host is also reachable through a tunnel neither is watching.
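An added example, not the post's own code, that covers both the enumeration channels described earlier (EUI-64 interface IDs embedding the MAC and vendor OUI) and the transition tunnels in this paragraph: a defender-side pass over an asset register that flags which addresses leak a MAC or embed an IPv4 tunnel endpoint, so the register can carry paths the network map omits. The inventory entries are constructed from documentation prefixes and the RFC 4380 Teredo layout.

```python
import ipaddress

# Constructed asset-register entries (documentation prefixes, made-up hosts; not real inventory).
INVENTORY = [
    "2001:db8:1::53",                        # manually assigned low-byte address
    "2001:db8:1:0:211:22ff:fe33:4455",       # SLAAC modified EUI-64 interface ID
    "2001:db8:1::5efe:c633:6407",            # ISATAP interface ID with embedded IPv4
    "2002:c633:6407::1",                     # 6to4: IPv4 carried in bits 16..47
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo (2001::/32), RFC 4380 example layout
    "fe80::1",                               # link-local
]

TEREDO = ipaddress.ip_network("2001::/32")
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
ULA = ipaddress.ip_network("fc00::/7")

def eui64_mac(addr):
    """MAC embedded in a modified EUI-64 interface ID (ff:fe in the middle, U/L bit flipped), else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in mac)

def classify(addr):
    """Properties of one address that an IPv6-aware asset register should record."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed
    iid = raw[8:]
    tags = {"scope": "link-local" if ip.is_link_local else "ula" if ip in ULA else "global"}
    mac = eui64_mac(addr)
    if mac:
        tags["eui64_mac"] = mac           # interface ID leaks the NIC's MAC ...
        tags["oui"] = mac[:8]             # ... and therefore the vendor OUI
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        tags["isatap_ipv4"] = str(ipaddress.IPv4Address(iid[4:]))
    if ip in SIX_TO_FOUR:
        tags["6to4_ipv4"] = str(ipaddress.IPv4Address(raw[2:6]))
    if ip in TEREDO:
        tags["teredo_server"] = str(ipaddress.IPv4Address(raw[4:8]))
        # RFC 4380: the client IPv4 sits in the last 32 bits, XORed with 0xffffffff
        tags["teredo_client"] = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))
    return tags

def audit(inventory):
    """Return only the entries that carry a MAC leak or a transition-tunnel path."""
    return {addr: tags for addr in inventory if len(tags := classify(addr)) > 1}

if __name__ == "__main__":
    for addr, tags in audit(INVENTORY).items():
        print(addr, tags)
```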

This is where defenders are blind. Sysmon Event ID 3 logs IPv6 connections - the DestinationIsIpv6 field is set true and the address is colon-hex - but detections filtering on dotted-quad IPv4 CIDR never match them. SIEM correlation rules written with IPv4 regex silently skip every IPv6 event. NetFlow v5 has no IPv6 export; collectors not migrated to IPFIX or NetFlow v9 with IPv6 templates drop the flows entirely. Rogue Router Advertisements are ICMPv6 type 134 frames at layer 2 - invisible to layer 3 firewalls and absent from EDR telemetry that records socket events rather than raw NDP. IDS evasion through extension-header chains and fragment overlap defeats signature engines that do not reassemble IPv6 fragments or parse the full header chain; older Snort and Suricata rule sets are anchored to IPv4 offsets. IPv4-mapped addresses in the ::ffff:0:0/96 range break asset attribution when correlation logic does not normalise them. Threat-intel blocklists ship as IPv4 CIDR; IPv6 reputation feeds are thin, and prefix-level aggregation is rarely applied, so a single /64 walks straight through. The traffic is logged. The detections do not fire.
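An added example, not code from the post, that reproduces the correlation gap above: a Sysmon Event ID 3 rule that only compares dotted-quad strings against an IPv4 CIDR list never evaluates IPv4-mapped or native IPv6 destinations, beside the normalising version the post calls for, with reputation and rate-limit keys aggregated to the /64 rather than the address. The events, blocklist prefixes and everything except the DestinationIp and DestinationIsIpv6 field names are constructed.

```python
import ipaddress
import re

# Constructed Sysmon Event ID 3-style records (made-up values, not real telemetry).
EVENTS = [
    {"DestinationIp": "198.51.100.7",         "DestinationIsIpv6": "false"},
    {"DestinationIp": "::ffff:198.51.100.7",  "DestinationIsIpv6": "true"},   # IPv4-mapped form
    {"DestinationIp": "2001:db8:bad:1::1",    "DestinationIsIpv6": "true"},
    {"DestinationIp": "2001:db8:bad:1::dead", "DestinationIsIpv6": "true"},   # same /64, fresh address
    {"DestinationIp": "2001:db8:cafe::1",     "DestinationIsIpv6": "true"},
]

# Constructed blocklist: an IPv4 CIDR plus an IPv6 prefix (aggregated, not single addresses).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:bad::/48")]

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def naive_match(dest):
    """IPv4-era rule: anything that is not a dotted quad is never compared at all."""
    if not DOTTED_QUAD.match(dest):
        return False                      # every IPv6 and IPv4-mapped event silently skipped
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in BLOCKLIST if net.version == 4)

def normalize(dest):
    """Parse either family and unwrap ::ffff:a.b.c.d to the IPv4 address it represents."""
    ip = ipaddress.ip_address(dest)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def normalized_match(dest):
    """Same blocklist, matched after normalisation and only within the address family."""
    ip = normalize(dest)
    return any(ip in net for net in BLOCKLIST if net.version == ip.version)

def rate_key(dest):
    """Key for rate limiting and reputation: the /64 for IPv6, the address for IPv4."""
    ip = normalize(dest)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)

def evaluate(events):
    """(destination, naive verdict, normalised verdict) for every event."""
    return [(e["DestinationIp"], naive_match(e["DestinationIp"]),
             normalized_match(e["DestinationIp"])) for e in events]

if __name__ == "__main__":
    for dest, naive, fixed in evaluate(EVENTS):
        print(f"{dest:<24} naive={naive!s:<5} normalised={fixed!s:<5} key={rate_key(dest)}")
```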

For Australian critical infrastructure the exposure sits inside the SOCI Act risk management program - the asset register has to account for IPv6-reachable systems, and an intrusion over an unmonitored IPv6 path remains a notifiable breach under the Privacy Act NDB scheme. Where exploitation is suspected over an IPv6 path, escalation goes to the network and incident response teams who can pull the flow data, not to a host owner reading IPv4 logs.

The technical reality after the milestone is narrow. The protocol is mature. The kernel bugs that matter - CVE-2024-38063, CVE-2020-16898 - have patches, and residual exposure on patched hosts is configuration, not code. The gap is monitoring and control parity across both stacks. RA Guard and DHCPv6 Guard on access switches. IDS fragment reassembly and extension-header parsing enabled. SIEM correlation that normalises IPv6 before matching. Reputation and rate limiting aggregated to prefix, not address. Asset inventory that includes link-local fe80:: and ULA fd00:: ranges. None of this is novel. It is the IPv4 control set, applied to the transport that now carries half the traffic. The exploitation window is the interval between IPv6 reaching majority transport and the controls catching up. That interval is open now.
