Host scanning in IPv6 Networks

Fernando Gont fernando at
Fri Apr 20 19:55:12 CDT 2012

Hi, Jimmy,

On 04/20/2012 09:22 PM, Jimmy Hess wrote:
> The mathematical argument in the draft doesn't really work,  because
> it's too focused on  there being "one specific site"  that can be
> scanned.

Not sure what you mean. Clearly, in the IPv6 world you'd target specific

How could you know which networks to scan? -- Easy: the attacker is
targeting a specific organization, are you gather possible target
networks as this information leaks out all too often (e-mail headers, etc.).

> You can't just "pick a random 120 bit number"  and have a good chance
> of that random IP happening to be a live host address.

That would be pretty much a "brute force" attack, and the argument in
this paper is that IPv6 host-scanning attacks will not be brute force
(as we know them).

> The draft is unconvincing.   The expected result is there will be very
> little preference for scanning,  and those  that will be launching
> attacks against networks will  be utilizing simpler techniques that
> are still highly effective and do not require scanning.

Not sure what you mean. Could you please clarify?

> Such as the exploit of vulnerable HTTP clients  who _navigate to the
> attacker controlled web page_, walking directly into their hands,
> instead of worms  "searching for needles in haystacks".

Well, this is part of alternative scanning techniques, which so far are
not the subject of this draft.

Fernando Gont
e-mail: fernando at || fgont at
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

More information about the NANOG mailing list