just seen my first IPv6 network abuse scan, is this the start for more?

Owen DeLong owen at delong.com
Sat Sep 4 00:12:25 UTC 2010


I was not attempting to defend security through obscurity. It doesn't ultimately help at all.

However, compared to the network and other resource costs of scanning, even at more than a billion pps, I think there will be more effective vectors of attack that are more likely to be used in IPv6. In IPv4, an exhaustive scan is quite feasible. In IPv6, scanning a single subnet is 4 billion times harder than scanning the entire IPv4 Internet.

My point isn't that hiding hosts in arbitrarily large address space makes them safe. My point is that scanning is not the vector by which they are most likely to get discovered.

Owen


Sent from my iPad

On Sep 4, 2010, at 6:03 AM, Deepak Jain <deepak at ai.net> wrote:

> 
>>> Plus, setting bots to go scan isn't very labor-intensive.  All the
>>> talk about how scanning isn't viable in IPv6-land due to large
>>> netblocks doesn't take into account the benefits of illicit automation.
>>> 
>> Uh... He mentioned 1000 addresses/second... At that rate, scanning a
>> /64 will take more than
>> 18,000,000,000,000,000 seconds. Converted to hours, that's
>> 5,000,000,000,000 hours which
>> works out to 208,333,333,333 days or roughly 570,776,255 years.
>> 
>> If you want to scan a single IPv6 subnet completely in 1 year, you will
>> need to automate
>> 570,776,255 machines scanning at 1000 ip addresses per second, and,
>> your target network
>> will need to be able to process 570,776,255,000 packets per second.
>> 
>> Yes, you can do a certain amount of table-overflow DOS with an IPv6
>> scan, but, you really
>> can't accomplish much else in practical terms.
>> 
> 
> Since I mentioned a thread about technology prognostication... 
> 
> Right now 1000 pps per host seems like a number that is on the high end of what could go reasonably unnoticed by a compromised bot-machine. I'm sure if we roll back our clocks to IPv4's origination we'd have never imagined 1000pps scans.
> 
> If history is any judge, the technology will grow faster and farther than we can see from here. Designers will put stupid kludges in their code [because the space is so vast] like picking Fibonacci numbers as "unique" inside of large sections of space -- who knows.
> 
> The point is that while every smart person thinks this is a lot of space for current attack technology, in some period of time, it may not seem too difficult and safe to hide in.
> 
> Moreover, when every enterprise has a /48 or better, network admins are going to need to be able to track down machines/devices/ear pieces/what have you on a better basis than trapping them when they speak up. There is a huge potential for sleepers in IPv6 space that we don't see any more in IPv4 (because the tools are better). Eventually someone will find an approach to do this kind of surveying and then make it cheap enough everyone can do it. (how often do security-admins use NMAP/Nessus/what have you to survey their own space -- an IPv6 analog will *need* to be created eventually).
> 
> Just my thoughts,
> 
> Deepak
