just seen my first IPv6 network abuse scan,

Joe Greco jgreco at ns.sol.net
Tue Sep 7 09:26:54 CDT 2010


> Forgive the top posting, but Lookout is the corporate standard.

It prevents you from typing at the bottom?  How quaint :-)

> Now, on to the topic at hand.  Why would you scan the address space in
> the first place? 

Maybe because you haven't really thought about the magnitude of the
task?

Maybe you feel that there's some likelihood of certain addresses being
used?  We've seen stupid things under IPv4, and it seems certain that
IPv6 won't be immune to stupid vendor tricks.

> Wouldn't it be easier to compromise a known host and
> look at the ARP table? 

Maybe; however, it's not clear that this would be useful in generating
a complete list of available hosts, though it would certainly provide
the opportunity for finding more of them.

> Or better yet, the router on the edge?  If it's
> moving packets, something on the network has mapped the MAC address to
> its IP at some point.

And if it isn't moving packets, then maybe nothing has.  The devices 
on a network that are just idling and may be forgotten or unloved may
be at a fairly high risk for exploits and all that.  Eventually this
sort of thing is going to be a problem, as the number of network-
attached devices is exploding.  What's going to be more interesting is
the number of devices that are (re-)programmable; we'll eventually see
malware networks that are able to target more than just your CPE/router
device, and will have attack vectors against your ATA, your TV, your
DVR, your fridge, etc.  The trick is to find those devices, but even in
a bad case scenario, where you might have to scan the network to find 
additional devices to infect, the use of scanning alone isn't practical,
but scanning for devices from a given manufacturer's MAC assignment pool
might be, especially if you've essentially got forever in which to do 
it, and certainly sitting there passively on the network snooping is 
very practical.

The fact that many people walk around with a cell phone that has a high
speed processor and lots of memory in it says a lot about where consumer
electronics is going, and that we're likely to be seeing a lot more of
this sort of low-level bad guy activity that is able to target a list of
heterogeneous targets.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
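The post's point about scanning "a given manufacturer's MAC assignment pool" rests on SLAAC addresses that embed the hardware address as a modified EUI-64 interface identifier: a /64 has 2^64 candidate addresses, but an IID derived from a known 24-bit OUI leaves only 2^24. The following is an added example (not part of the original message) that a network operator can use to audit their own address inventory for such vendor-revealing IIDs; the MAC, prefix and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed sample values for the example (not from the post).
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "00:1b:21:12:34:56"


def mac_to_eui64_iid(mac: str) -> int:
    """Build the modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device-specific half, then flip the U/L bit.
    eui = raw[:3] + b"\xff\xfe" + raw[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def mac_to_slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Predict the SLAAC address a host with this MAC would take in the given /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) + mac_to_eui64_iid(mac))


def eui64_oui(addr: str) -> Optional[str]:
    """Return the vendor OUI an address exposes if its IID is EUI-64 derived, else None.

    The fingerprint is the ff:fe marker in the middle of the IID together with the
    U/L bit set; privacy (RFC 4941) or opaque (RFC 7217) IIDs will not match.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe" or not (b[0] & 0x02):
        return None
    oui = bytes([b[0] ^ 0x02]) + b[1:3]
    return ":".join(f"{x:02x}" for x in oui)


def audit_addresses(addrs: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each address in an inventory to the OUI it leaks (None when it leaks nothing)."""
    return {a: eui64_oui(a) for a in addrs}


def search_space_reduction() -> int:
    """How many times smaller the candidate set is when the attacker knows the OUI: 2^64 / 2^24."""
    return (1 << 64) // (1 << 24)


if __name__ == "__main__":
    predicted = mac_to_slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print("predicted SLAAC address:", predicted)
    inventory = [str(predicted), "2001:db8:1:2:3c5e:9a1f:7b2d:44e0"]  # second one is a constructed privacy-style IID
    for address, oui in audit_addresses(inventory).items():
        print(f"{address:40} -> {'exposes OUI ' + oui if oui else 'no vendor-derived IID'}")
    print("search-space reduction factor with a known OUI:", search_space_reduction())
```

Hosts that show up with an OUI are the ones the post describes as findable by walking one vendor's MAC pool; switching them to RFC 4941 temporary addresses or RFC 7217 stable opaque identifiers removes that shortcut, and the audit function can be run over DHCPv6 leases, neighbor tables or flow logs to measure how much of a network is still exposed.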
