The good news: To accommodate the ever-increasing demand for IP Addresses around the world, every network will eventually transition to IPv6 from IPv4.

The bad news: Spammers are already spoofing IPv6 addresses because it is easy for them to bypass mail spam filters and launch phishing attacks on a new protocol.

When Google launched their Adwords advertising program in 2000, few predicted that the major challenge for the company would be preventing what’s known as click fraud. While every service provider is obligated to stay on top of spamming trends to protect their customers, the industry is on high alert to protect their networks and prevent breaches in the new IPv4/IPv6 environment.

At any given search marketing conference, advertisers and affiliates alike complain that they are the consistent victims of click fraud.

Even with NAT (network address translation) spammers have notoriously been able to hide behind constantly changing IP addresses - this is not going to improve with an IPv6 deployment! With IPv6, every device has a unique identifying address. You can expect to find new devices - including servers, desktops and mobile devices - that automatically turn on and configure IPv6 out of the box.

We know that some (but not all) of the primary ways service providers attempt to identify click fraud are:

  • Logging where the IP Addresses clicks are coming from – including the Source IP address
  • Timing of click frequency
  • Measuring the volume shape patterns of clicks
  • Assessing search terms that led to clicks
  • Watching the navigation pattern of clicks on a site after the ad has been clicked
  • Identifying and Blacklisting “Bad” IP addresses (blocks or single hosts).


Let’s look at how IPv6 changes the dynamics of each of the 6 ways identified above:

1. Logging where the IP Addresses clicks are coming from - There are so many possible v6 addresses that, with some creative coding, a spammer could use their allocation and create randomized IP lists to further obscure their actions.

Google has stated publicly that it does not consider multiple clicks from a single IP address necessarily fraudulent as potential customers may come back several times before purchasing. That makes sense in a v4 World, but when multiplied by the sheer size of the IPv6 address schema, this can become challenging for even the search giant to monitor.

2. Timing of click frequency - Again, just the sheer number of v6 addresses means that spammers have the luxury of not having to repeat click activity from a limited number of IP addresses or even A blocks of addresses.

This helps spammers create click bots who have a timed and sporadic manner of clicking ads repeatedly to mimic human behavior. In fact, it’s really easy to reverse engineer human behavior and how people click ads within a certain business vertical - it’s called Google Analytics reports!

A B2B clickbot as well as a B2C clickbot (since those two populations behave and click very differently) could be created with an ocean of new/randomized IPv6 addresses to represent them.

3. Measuring the volume shape patterns of clicks - IPv6 address volume makes it easier than ever before to create more sophisticated clickbots that mimic human behavior and make pattern discovery more difficult.

4. Assessing search terms that led to clicks - Google knows (and we can easily find out as well through analytics reports) that certain industries have over 500 search terms (not uncommon) that potential customers use to find the websites of advertisers. If a spammer has a near unlimited pool of IP addresses, that increases the number of search terms (or keywords) that an IP address can originate click spam from.

5. Watching the navigation patterns of clicks on a site after the ad has been clicked - Called “landing pages,” Google can track if those who click an ad actually “convert” into an action that can be measured by the advertiser. These can include phone calls (a new feature Google tracks for $1 per call) clicking links in the navigation bar (indicating behavior more akin to a real human’s behavior) as well as filling out forms or shopping carts.

The challenge here is that more and more Internet enabled devices including smartphones and tablets, support both v4 and v6 and may even have it enabled (unknown to their owners). For example, an improperly configured wireless access point that supports v6 but doesn’t authenticate to the same v4 method can be an easy vector for rogue v6 connections - these providing a method for ghost networks of zombie clickers to be unwittingly enabled.

6. Identifying and Blacklisting “Bad” IP address blocks - While monitoring blocks of v4 address space can be managed, v6 data cannot be monitored nearly as easily. With Google’s vast resources and knowledge of network technology, they can begin to amass a block of v6 addresses that create click fraud, but this will take a considerable amount of time as fraudsters (and the rest of the world) take a few years to migrate to using v6.

The challenge here is two fold - how does a service provider protect their clients and how does a client grade their vendors on dealing with IPv6? For both parties, it will come down to updated monitoring in addition to automated tracking tools (i.e. not spreadsheets). Otherwise, network administrators will simply continue to be fire fighting and trying to get a handle on IPv6 instead of taking active steps to prepare.

Best practices

As IPv6 rolls out, advertisers and search engines alike will have to reassess how they filter out clicks from bots whose intent is to generate fraudulent clicks and intimidate competitors with increasing costs or to drive up affiliate revenues for themselves. NAT goes away in an IPv6 world - IPv4's "default level of obscurity" is going to disappear. As more organizations run dual stack networks, we anticipate many new threats and vulnerabilities will arise as click spammers devote more attention to IPv6.

Some of the best practices search vendors can employ to handle v6 click fraud and keep their network safe include:

1. Tracking the machines that are creating the clicks: IPv6 addresses can be tied to MAC addresses.

2. Using smarter algorithms that support IPv6 addressing schema nuances: Always allow legitimate traffic in.

3. Building a different set of behavior analysis for IPv6:

  • With IPv4, the approach to management was “conservation of limited IP resources.”
  • With IPv6, that mindset is shifting to “resource management of a seemingly unlimited IP resource.”

4. Use network automation software in network administration environments wherever possible.

In 2012, more mainstream enterprises and service providers are turning on, and keeping on, their IPv6 networks. Getting the most out of existing IPv4 space, seeing future IPv6 needs and cleaning up data will help them simply operations, increase security and support network efficiency. As they do so, guarding against click spam and click fraud should catch up with those trying to leverage IPv6 to create artificial online advertising environments.

By John Sung Kim



Category: News

Archived news