just seen my first IPv6 network abuse scan, is this the start for more?

Bill Bogstad bogstad at pobox.com
Fri Sep 3 18:25:14 UTC 2010

On Fri, Sep 3, 2010 at 9:49 AM, Dobbins, Roland <rdobbins at arbor.net> wrote:
> On Sep 3, 2010, at 7:58 PM, Owen DeLong wrote:
>> However, scanning in IPv6 is not at all like the convenience of comprehensive scanning of the IPv4 address space.
> Concur, but I still maintain that lots of illicit automation plus refined scanning via DNS, et. al. is a viable practice.

These are very big numbers, so I don't see how.

     If you use easy to guess/remember host/service names and put them
in public DNS then those IP addresses are in some sense already public
(whether IPv4 or IPv6).   The definition of "easy to guess" is pretty
much everything which has ever been used in a wordlist for password
cracking programs (plus the code which generates variants of same).
Real attackers are going to flood
your DNS servers, not do brute force IPv6 ICMP scans.  Even a pure
brute force DNS scan of all 10 character long hostnames (asuming
a-z0-9) is going to take around 5000 times fewer queries then a full
ICMP v6 scan of a /64.   (Which at an attack speed of 1000pps is still
going to take around 100,000 years.)

     For machines which you want to make it REALLY hard to find, but
need publicly accessible addresses, you shouldn't put them in publicly
queryable DNS servers at all and use a random number generator to
generate their static IPv6 addresses.   Even if you put a thousand of
these machines in a single subnet, it is going to take half a million
years at reasonable packet rates before even one of them is

    Hmm, thinking about it in terms of passwords might help.  Many
people consider a totally random 10 character monocase+numbers
password to be reasonably secure against brute force attacks.   ICMP
scanning a /64 is thousands of times more difficult and all it gives
you is the existence of the machine.   Even if you find that needle in
a hay stack , you don't get access to its resources.

    I took a quick look at the paper that SMB linked to and I would
argue that for wide area attacks, packet sniffing is going to be how
people find your "hidden" addresses.    Compromising SMB wi-fi hotspot
hardware and logging every address accessed is one possibility.   Or
just compromise people's laptops and have them run network sniffers
which generate "seen" address lists which are forwarded to dummy gmail

Bill Bogstad

More information about the NANOG mailing list