AI attacks thrive on predictable networks

The most dangerous attacker isn’t the one who breaks through your firewall.

It’s the one who finds it in seconds.

That’s exactly why IPv4 is becoming increasingly problematic.

Many organizations still run on IPv4 because it works. Or rather: because we’ve kept it working. With NAT, PAT, subnets, firewalls, policies, exceptions, and an ever-increasing number of smart middle layers. Technically impressive. Practically understandable. But also: complex, outdated, and predictable.

And predictability is exactly what modern attacks thrive on.

Especially now that AI makes attacks faster, smarter, and cheaper. Whereas a human attacker used to need time to scout a network, AI can instantly recognize patterns, combine vulnerabilities, and test attack paths. Not just once. Not manually. But continuously, at scale, and with ever-improving timing.

In an IPv4 environment, that reconnaissance is relatively straightforward. The address space is small. Scanning is feasible. Segments are often recognizable. Devices, firewalls, and services are easier to find. And once an attacker is inside, lateral movement becomes much more attractive.

IPv6 fundamentally changes that playing field.

Not because IPv6 automatically makes everything secure. It doesn’t. Poor configuration remains poor configuration. But IPv6 does have properties that make an attacker’s job much more difficult. The address space is enormous. Scanning a network completely is practically unfeasible. Even for AI. Quantum computers do little to change that either, because the bottleneck is not computation but the rate at which probes can be sent across the network itself.

This eliminates a key advantage for the attacker: getting a quick overview.

That is crucial. Because modern cyberattacks aren’t just about getting in. They’re about finding, understanding, moving, and striking. IPv6 makes that reconnaissance phase in particular more difficult. Less visible. Less predictable. Less scannable.

And that is no longer a minor detail.

In a world where firewalls, VPNs, and security appliances are themselves regularly targeted, you don’t want your infrastructure to be easily identifiable. What isn’t found quickly isn’t automatically safe. But it’s also no longer laid out like a free roadmap.

IPv6 is therefore not a modernization project for later.

It’s a layer of defense that many organizations have been ignoring for too long.

Why AI Stumbles on IPv6

Larger address space: implicitly very secure

IPv6 doesn’t just have “more addresses.”

IPv6 has so many addresses that it fundamentally changes the attack landscape. A single standard IPv6 network already contains more addresses than the entire global IPv4 internet.

Let that sink in for a moment.

The entire IPv4 internet can be scanned faster than a single IPv6 network. You can scan a standard IPv4 network in less than a second. The entire IPv4 internet in about a minute.

With IPv6, it’s a different story.

It takes hundreds of years to fully scan a standard IPv6 network. Count on about 584 years. Scanning the entire IPv6 internet takes longer than the age of the universe.

No AI magic can compete with that.

An AI attack can search smarter, combine faster, and prioritize better. But it can’t just “try out” 18 trillion addresses without drawing attention. Before even a fraction of them are hit, your detection systems will already be blaring, and the source will be blocked.

That’s the security difference.

IPv4 gives attackers a map.

IPv6 gives them fog, distance, and time loss.

And in cybersecurity, time loss is often exactly what you need.

Why NAT is not a security strategy

“But Hugo, don’t we have private addressing in IPv4? Isn’t that secure?”

Yes. Sort of.

Private addressing with NAT has kept IPv4 afloat for a long time. And to be fair: it shields internal addresses from the outside world. But it’s not a security architecture. It’s mainly a clever stopgap solution that we’ve come to treat as if it were a line of defense.

That’s where the trouble starts.

Because as soon as internal devices are allowed to go outside via NAT, they can still connect to a command-and-control server after a successful infection. Then an attacker no longer needs to break in. The infected device calls out on its own. After that, it’s used as a stepping stone to crawl further into your network.

With PAT, things get even messier. Internal services can still become directly accessible from the internet via port translation. One forgotten rule. One old device. One incorrectly published management interface. And you’ve just handed over another entry point.

IPv6 takes a more fundamental approach to this.

Not every device needs to have a globally routable address. IPv6 works with address scoping. You determine at which level an address is valid. Global addresses are accessible within the IPv6 internet. Site-local addresses remain within your own infrastructure. Link-local addresses work only on the local network segment.

That’s not a cosmetic difference. That’s control.

A device that only needs to communicate locally is not given a global route. A sensor, printer, controller, measurement point, or internal system does not need to be visible to the internet to do its job. So you don’t make it visible.

That is more important than ever.

Because every additional device on your network is an additional potential entry point. Not because the device is “bad.” But because everything that is reachable will eventually be tested. By people. By scripts. By AI.

IPv6 lets you determine much more precisely who is allowed to communicate where.

Don’t just lock things down after the fact.

Restrict access right from the address itself.

What malware can’t see, it can’t attack

Hacking a firewall becomes virtually impossible if you can’t find it.

That’s exactly where IPv6 comes into play. Network devices don’t need to be visible everywhere to simply do their job. Routers and firewalls can handle traffic via link-local addresses. They are then only accessible within the network segment they serve.

Not from the internet.

Not from another network.

Not from the laptop of someone who just clicked on a phishing email.

That last point is important.

Because many attacks don’t start at your firewall. They start with a user. An email. An attachment. A careless click. After that, malware tries to look further. Which systems respond? Which management interfaces are open? Which network devices can be accessed?

With IPv6, you can block that route much more effectively.

Even the connection to your internet service provider can be configured this way. Our own external firewall is not visible or accessible from the internet via IPv6. Management runs only through specially configured management networks.

What isn’t found isn’t attacked.
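As an added illustration of the scoping rules in the two sections above (this is not code from the original article), the Python script below classifies IPv6 addresses by scope and audits a constructed device inventory against the article's two rules: firewalls and routers carry only link-local addresses on the interfaces they forward for (management goes over a separate management network), and devices that never need the internet hold no global address. The article's "site-local" is rendered as unique local addresses (fc00::/7, RFC 4193), which replaced the deprecated fec0::/10 site-local prefix; device names, addresses (documentation prefix 2001:db8::/32) and the "mgmt" interface convention are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# "Site-local" in the article: the current standard is Unique Local Addresses,
# fc00::/7 (RFC 4193); fec0::/10 was deprecated by RFC 3879 but still turns up.
ULA = ipaddress.IPv6Network("fc00::/7")
OLD_SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
NETWORK_DEVICES = {"firewall", "router"}

def scope_of(addr: str) -> str:
    """Classify an address by the scope at which it is valid."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop a zone id such as %eth0
    if ip.is_loopback or ip.is_unspecified:
        return "host-only"
    if ip.is_link_local:                              # fe80::/10: one segment only
        return "link-local"
    if ip in ULA or ip in OLD_SITE_LOCAL:             # routable inside the site only
        return "site-local"
    # Everything else is treated as globally routable; is_global is avoided on
    # purpose because it excludes the documentation space (2001:db8::/32) used below.
    return "global"

@dataclass
class Device:
    name: str
    role: str                 # "firewall", "printer", "webserver", ...
    needs_internet: bool      # does its job require global reachability?
    addresses: list           # (interface, address) pairs; "mgmt" = management network

def audit(devices: list) -> list:
    """Flag every address whose scope is wider than the device's job requires."""
    findings = []
    for d in devices:
        for iface, addr in d.addresses:
            scope = scope_of(addr)
            if d.role in NETWORK_DEVICES and iface != "mgmt" and scope != "link-local":
                findings.append((d.name, iface, addr, f"{scope} address on forwarding interface"))
            elif not d.needs_internet and scope == "global":
                findings.append((d.name, iface, addr, "global address on local-only device"))
    return findings

# Constructed inventory (documentation prefix 2001:db8::/32, no real hosts).
SAMPLE_DEVICES = [
    Device("fw-edge", "firewall", False, [("wan", "fe80::1%wan"), ("lan", "fe80::1%lan"), ("mgmt", "fd00:10::1")]),
    Device("fw-old", "firewall", False, [("wan", "2001:db8:1::1"), ("mgmt", "fd00:10::2")]),
    Device("printer-3f", "printer", False, [("eth0", "fd00:20::42"), ("eth0", "fe80::5054:ff:fe12:3456")]),
    Device("sensor-7", "sensor", False, [("eth0", "2001:db8:20::7")]),
    Device("www", "webserver", True, [("eth0", "2001:db8:30::80")]),
]
```

Running `audit(SAMPLE_DEVICES)` returns two findings: the old firewall's globally routable WAN address and the sensor that was handed a global address although it only talks locally.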

Why dual stack isn’t secure

“But Hugo, if I run dual stack, won’t they just attack me via IPv4 anyway?”

Exactly.

That’s the problem.

Dual stack sounds like a neat interim phase. You run IPv4 and IPv6 side by side on the same devices, so the migration can proceed smoothly. Technically convenient. Strategically half-baked.

Because as long as IPv4 remains active on everything that matters, your old attack surface simply persists. You may have added IPv6, but you haven’t disabled IPv4. The door you wanted to close is still open. Only now there’s a more modern sign next to it.

That’s not a security gain. That’s extra complexity.

Anyone who seriously deploys IPv6 as a defense layer should therefore not remain stuck in dual stack indefinitely. There are migration strategies where you immediately take IPv4 out of service on the majority of your internal network. Then you benefit from the start of the larger address space, better address scoping, and less visible network equipment.

With techniques like NAT64 and DNS64, external IPv4 services remain accessible as usual. Your internal network communicates via IPv6. The translation happens in a controlled manner at the edge.

You can also securely manage your own accessibility from the IPv4 internet without tying your entire internal network to IPv4.
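As an added example (not from the original article) of the NAT64/DNS64 translation at the edge described above, this Python code implements the RFC 6052 address mapping for the well-known prefix 64:ff9b::/96, including the rule that non-global IPv4 addresses may not be placed behind that prefix, and the DNS64 behaviour (RFC 6147) of synthesizing AAAA records only for names that have no real ones. The zone data and addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix: the translator at the network edge owns it.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Non-global IPv4 space that RFC 6052 section 3.1 forbids behind the well-known prefix.
NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 section 2.2)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix == WELL_KNOWN_PREFIX and any(v4 in n for n in NON_GLOBAL_V4):
        raise ValueError(f"{v4} is non-global; use a network-specific prefix instead")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """Reverse mapping done by the translator; None if the address is not NAT64-mapped."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)

def dns64_answer(name: str, zone: dict, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> list:
    """What a DNS64 resolver (RFC 6147) returns to an IPv6-only client: the real AAAA
    records when they exist, otherwise AAAA records synthesized from the name's A records."""
    rrs = zone.get(name, {})
    if rrs.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rrs["AAAA"]]
    return [synthesize(a, prefix) for a in rrs.get("A", [])]

# Constructed zone data using documentation addresses; not real hosts.
SAMPLE_ZONE = {
    "dual.example.net":   {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "legacy.example.net": {"A": ["192.0.2.33", "198.51.100.7"]},   # IPv4-only service
}

if __name__ == "__main__":
    for host in SAMPLE_ZONE:
        print(host, [str(a) for a in dns64_answer(host, SAMPLE_ZONE)])
    print("mapped back:", extract("64:ff9b::c000:221"))
```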

Dual stack feels like a safe migration.

But if you approach it correctly, you can skip that insecure intermediate phase.

From IPv4 hassle to IPv6 control

IPv6 migration doesn’t have to be a multi-year project.

Nor does it have to be a technical survival journey where you’re stuck with dual stack, exceptions, and half-solutions for months on end.

With the right strategy, you can make the switch quickly. Without disruption. Without unnecessary complexity. And above all: with immediate security gains.

We’ve been on IPv6 for eight years now. Not because it was trendy, but because it works better. Safer. More transparent. Easier to manage.

Want to know what that looks like for your environment?

Schedule a no-obligation consultation with me. Then we’ll work together on a practical roadmap for your IPv6 migration.

No hassle. Immediately safer.