IPv6 Advertisements

Stephen Sprunk stephen at sprunk.org
Wed May 30 23:39:23 UTC 2007

Thus spake "Donald Stahl" <don at calis.blacksun.org>
> I'm not sure I understand what you are saying- if you number
> based on hardware addresses then I have no idea what you
> mean by "address ranges." The hosts you are trying to
> compromise could be anywhere in the subnet- that's the 3500
> years I was referring to above. That's 3500 years to scan a
> single /64 subnet- not the entire Internet- not even a tiny little
> fraction of it.

If people use stateless autoconfig, you know what 16 of the bits are, and 
you can guess 24 of them from a relatively small set.  If you're writing a 
worm that targets residential Wintel users, just scan the OUIs from Dell, 
HP, etc.  Throw in Lenovo if you want to go after business folks.  Looking 
at it another way, you can toss out OUIs from vendors whose gear you know 
your worm _doesn't_ work on (e.g. Apple, embedded manufacturers, etc.) or 
only include OUIs for vendors you want to make look bad (e.g. Dell might 
write a worm that only probes HP machines).

(This is also mentioned in the draft Dale referenced, but I came up with it 
independently in a few seconds, so I think it falls in the "obvious" 
category for someone with the sk1llz needed to write a worm.)


Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov 
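The bit structure behind the claim above (16 fixed bits from the ff:fe marker plus a 24-bit OUI) is easiest to see by deriving a modified EUI-64 interface identifier and then reversing it. The following audit helper is an added example, not code from the post or from NANOG; the MAC, prefix and addresses are constructed sample values, and the check in `embedded_mac` is the usual heuristic (ff:fe marker plus the universal/local bit set), so it will not flag locally-administered MACs.

```python
"""Recognise IPv6 addresses whose interface identifier embeds a hardware MAC
(modified EUI-64, RFC 4291 Appendix A), so such hosts can be moved to
randomised interface identifiers.  Added example; not from the original post."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC.
    0xfffe is inserted between the OUI and the device half, and the
    universal/local bit (bit 1 of the first octet) is inverted, so the
    OUI (24 bits) and the marker (16 bits) fix 40 of the 64 bits."""
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure from `prefix` (a /64) and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def embedded_mac(addr: str):
    """Return the MAC exposed by an EUI-64-derived address, or None.
    Heuristic: 0xfffe in bits 24..39 of the interface ID and U/L bit set
    (random/privacy IIDs per RFC 4941 clear that bit)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe" or not (b[0] & 0x02):
        return None
    b[0] ^= 0x02  # undo the U/L flip
    return ":".join(f"{x:02x}" for x in bytes(b[:3] + b[5:]))


def audit(addresses):
    """List (address, oui, mac) for every address that leaks its hardware MAC."""
    findings = []
    for a in addresses:
        mac = embedded_mac(a)
        if mac is not None:
            findings.append((a, mac[:8], mac))
    return findings


if __name__ == "__main__":
    sample = [str(slaac_address("2001:db8::/64", "00:11:22:33:44:55")),
              "2001:db8::1", "2001:db8::a1b2:c3d4:e5f6:789"]  # constructed
    for addr, oui, mac in audit(sample):
        print(f"{addr} exposes MAC {mac} (OUI {oui}); enable privacy extensions")
```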
