A small experiment carried out by Sucuri's CTO, Daniel Cid, shows the security advantages IPv6 has over IPv4, but also the dangers of using factory default or common user-password combinations to secure online servers.

Cid carried out his experiment at the start of the month when he set up ten servers and left their SSH ports open to external connections. He ran five servers on IPv4-only addresses, while the other five ran only on IPv6 addresses.

Both servers had their root password set to "password," a big no-no on live production environments.

Party at IPv4's house, while crickets sing at IPv6

According to Cid, the first IPv4 server fell after only 12 minutes, with the other four servers getting hacked after a few more minutes. It took the hacker 20 seconds to brute-force the SSH root account.

On the other hand, Cid says that after a week, nobody even bothered to scan any of the IPv6 servers, at least once, let alone hack them.

"What we can draw from this is that the obscurity of IPv6 helps to minimize the noise of attacks," Cid says. "Most likely, this is because it is more difficult to map the range of IPv6 addresses (2^128) than it is with the range of IPv4 addresses (2^32)."

Additionally, there are so-called scan lists of IPv4 addresses available online, which include the IP ranges of several well-known hosting providers, which also aid attackers in hacking IPv4 servers.

Hacked servers used for DDoS attacks

But things didn't end there. Before Cid had any time to disable and scrap the compromised IPv4 servers, the attacker had already downloaded the Linux/XOR.DDoS malware and was busy launching attacks against a Chinese website.

Digital Ocean detected the massive 800+ Mbps SYN packet flood originating from the five hacked servers, and intervened to shut down the servers.

The conclusion is that you can't set up online servers and defer changing to root password for another time. In the span of 15 minutes, you can very easily lose control over the server and have to start over again. Servers put online need to have all security mechanisms up and running at the time they're connected online.

My experiment: Setting up an ipv4 and an ipv6 server in the cloud. SSH open with root password "password". How long until they are hacked? — Daniel Cid (@danielcid) September 6, 2016