A network upgrade enables IPv6 on production servers without extending the host firewall rules to IPv6. The application binds to both IPv4 and IPv6, but only the IPv4 rule set (iptables) is populated; the IPv6 rule set (ip6tables) is empty with a default ACCEPT policy. The IPv6 interface is therefore completely unprotected, and port scans from the internet are discovering open management ports over IPv6.
Pattern: FIREWALL_RULE_BLOCK
Severity: CRITICAL
Confidence: 95%
Remediation: Auto-Heal
Test Results

Metric               | Expected            | Actual                                  | Result
Pattern Recognition  | FIREWALL_RULE_BLOCK | FIREWALL_RULE_BLOCK                     |
Severity Assessment  | CRITICAL            | CRITICAL                                |
Incident Correlation | Yes                 | 18 linked                               |
Cascade Escalation   | N/A                 | No                                      |
Remediation          | —                   | Auto-Heal (Corax resolves autonomously) |
Scenario Conditions
Dual-stack IPv4/IPv6 enabled on 30 production servers. ip6tables rules empty (default ACCEPT). iptables rules properly configured. Management ports (SSH, RDP) accessible via IPv6 from internet. No IPv6 monitoring configured.
Injected Error Messages (2)
firewall rule gap detected — IPv6 enabled on 30 production servers but ip6tables/nftables contains no rules (default policy: ACCEPT ALL), iptables (IPv4) properly configured with 47 deny rules, but IPv6 traffic bypassing all protections, management ports SSH(22), RDP(3389), and database(5432) accessible via IPv6 from any source, blocked by firewall on IPv4 only, IPv6 address space 2001:db8:1::/48 is publicly routable and unprotected
security scan CRITICAL — 30 production servers with unprotected IPv6 interfaces detected, external port scan results via IPv6: SSH(22) OPEN on 30 servers, RDP(3389) OPEN on 12 servers, PostgreSQL(5432) OPEN on 8 servers, MySQL(3306) OPEN on 5 servers, management interfaces directly accessible from internet via IPv6, blocked by firewall on IPv4 but firewall rule missing for entire IPv6 stack, active exploitation attempts detected from 14 unique IPv6 source addresses, deny rule needed for IPv6 traffic
Neural Engine Root Cause Analysis
Critical security vulnerability: IPv6 is enabled on 30 production servers without any firewall protection, while IPv4 on the same hosts is secured with 47 deny rules. The IPv6 prefix 2001:db8:1::/48 is publicly routable and ip6tables/nftables runs with a default ACCEPT ALL policy, so every service the IPv4 rules deny is reachable on the host's IPv6 address. Management services (SSH, RDP, database) are exposed via IPv6 without any filtering, which negates the IPv4 firewall in practice and leaves an uncontrolled attack path; the scan already shows active exploitation attempts from 14 unique IPv6 source addresses.
Remediation Plan
1. Immediately implement emergency IPv6 firewall rules mirroring the IPv4 protections using ip6tables or nftables. A one-for-one copy of the IPv4 rules is not enough: ICMPv6 (neighbour discovery, router advertisements, path MTU discovery) must remain permitted or IPv6 connectivity breaks. An nftables table in the inet family applies a single ruleset to both address families and stops the two from drifting apart again.
2. Block public access to the management and database ports (22, 3389, 5432 and 3306) on IPv6; restrict them to the management networks, as is already done on IPv4.
3. Apply a deny-by-default policy (INPUT policy DROP) for IPv6 traffic rather than relying on per-port deny rules.
4. Audit all 30 affected servers for IPv6 configuration: assigned addresses, sockets listening on IPv6, and current ip6tables state.
5. Implement monitoring for IPv6 firewall rule consistency: alert whenever IPv6 is enabled on a host whose ip6tables policy is ACCEPT with no rules, or whenever a port denied on IPv4 is not denied on IPv6.
6. Consider disabling IPv6 on servers that do not require it.
7. Update security policies to include mandatory IPv6 firewall reviews for every network change.
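The following script is an added example and is not Corax's own code or output. It covers the three technical steps of the plan above: it classifies a host's ip6tables state (the "default ACCEPT, no rules" gap), diffs the IPv4 and IPv6 rulesets for ports that are denied on IPv4 only (the consistency check from step 5), and writes an nftables ruleset in the inet family with a deny-by-default policy and the ICMPv6 allowances that IPv6 needs. The `iptables -S`/`ip6tables -S` dumps, the management prefixes 10.20.0.0/16 and 2001:db8:ffff::/48, and the public ports 80/443 are constructed assumptions for the example; nothing is applied to a live host.

```shell
#!/bin/sh
# Added example, not Corax code. Audits ip6tables state, diffs IPv4 vs IPv6
# deny rules, and writes an nftables inet ruleset. Dumps and prefixes below
# are constructed for the example.
set -eu

# Verdict for an `ip6tables -S` (or `iptables -S`) dump passed as $1:
#   UNPROTECTED   INPUT policy ACCEPT and no INPUT rules at all
#   OPEN-DEFAULT  INPUT policy ACCEPT with rules but no catch-all drop
#   OK            INPUT policy DROP/REJECT, or a catch-all DROP/REJECT rule
fw_verdict() {
    policy=$(printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    nrules=$(printf '%s\n' "$1" | grep -c '^-A INPUT ' || true)
    catchall=$(printf '%s\n' "$1" | grep -cE '^-A INPUT -j (DROP|REJECT)' || true)
    case "$policy" in
        DROP|REJECT) echo OK ;;
        ACCEPT)
            if [ "$catchall" -gt 0 ]; then echo OK
            elif [ "$nrules" -eq 0 ]; then echo UNPROTECTED
            else echo OPEN-DEFAULT
            fi ;;
        *) echo UNKNOWN ;;
    esac
}

# TCP destination ports a dump denies on INPUT (target DROP or REJECT), sorted.
denied_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" {
            tgt = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-j") tgt = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "" && (tgt == "DROP" || tgt == "REJECT")) print port
        }' | sort -n | uniq
}

# Ports the IPv4 dump ($1) denies that the IPv6 dump ($2) leaves reachable:
# the "blocked by firewall on IPv4 only" set. Empty when IPv6 is default-deny,
# since a DROP policy needs no per-port deny rule.
v6_exposed_ports() {
    if [ "$(fw_verdict "$2")" = OK ]; then return 0; fi
    v6=$(denied_tcp_ports "$2")
    out=""
    for p in $(denied_tcp_ports "$1"); do
        if ! printf '%s\n' "$v6" | grep -qx "$p"; then out="$out $p"; fi
    done
    printf '%s\n' "${out# }"
}

# Write an nftables ruleset to $3 in the inet family, so one policy governs
# IPv4 and IPv6. $1 / $2 are the IPv4 / IPv6 management prefixes allowed to
# reach SSH, RDP and the database ports. ICMPv6 stays open for neighbour
# discovery and path-MTU discovery; a plain copy of the IPv4 rules misses this.
write_inet_ruleset() {
    cat > "$3" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip saddr $1 tcp dport { 22, 3389, 5432, 3306 } accept
        ip6 saddr $2 tcp dport { 22, 3389, 5432, 3306 } accept
        tcp dport { 80, 443 } accept
        counter comment "dropped_by_default_policy"
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# Constructed dumps for one of the 30 servers before remediation: IPv4 carries
# explicit deny rules, IPv6 carries nothing.
V4_DUMP='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable'
V6_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
# The same host after IPv6 is switched to deny-by-default (constructed).
V6_FIXED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s 2001:db8:ffff::/48 -p tcp -m tcp --dport 22 -j ACCEPT'

echo "IPv6 before: $(fw_verdict "$V6_DUMP"); reachable on IPv6 only: $(v6_exposed_ports "$V4_DUMP" "$V6_DUMP")"
echo "IPv6 after:  $(fw_verdict "$V6_FIXED"); reachable on IPv6 only: $(v6_exposed_ports "$V4_DUMP" "$V6_FIXED")"
RULESET=$(mktemp)
write_inet_ruleset 10.20.0.0/16 2001:db8:ffff::/48 "$RULESET"
echo "inet ruleset written to $RULESET; review it, then: nft -c -f $RULESET && nft -f $RULESET"
```

On a real host, feed `fw_verdict` the live output of `ip6tables -S` (or `nft list ruleset` translated to the same shape) from each of the 30 servers and alert on anything other than OK; `v6_exposed_ports` is the per-host consistency check that would have caught this gap before the scan did. Always run `nft -c -f` against the generated file before applying it, and keep a console session open while switching to a DROP policy in case the management prefix is wrong.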