We hit half-million: The Cidr Report

Rick Astley jnanog at gmail.com
Wed Apr 30 09:53:47 UTC 2014

Security is a layered approach though. I can't recall any server or service
that runs in listening state (and reachable from public address space) that
hasn't had some type of remotely exploitable vulnerability. It's hard to
lean on operating systems and software companies to default services to
off. When you run "netstat -a" on a lot of operating systems there are too
many things in listening state without a convincing enough reason.

NAT is stateful only out of necessity but after IPv6 a small layer of
security will go away but there is potentially another alternative.
Scanning blocks of IPv6 addresses for valid hosts is mostly a waste of time
but you could do things like looking at server logs or getting IP addresses
of clients you are connected with on P2P networks.
A good way to prevent that is to assign multiple IPv6 addresses to
operating systems as security "zones" so a source address a browser or P2P
client would use is not the same one with potentially remotely exploitable
services running in listening state.

As a bonus they should probably take it one step further and just place web
browsers and email clients in a dedicated VM sandbox that can be blown out
and recreated in case of infection or persistent browser toolbars and
stuff. So far malware seems to be winning the war so it might be best to
just acknowledge that people are likely to be attacked successfully and
attempt to quarantine it when it happens. It would probably be less
intrusive than trying to force people into restricted user accounts so I
never understood why nobody ever really pushed for this.

Technical users have been running suspect code and links in VM's for a
while now.

On Wed, Apr 30, 2014 at 1:13 AM, Owen DeLong <owen at delong.com> wrote:

> On Apr 29, 2014, at 7:54 PM, Jeff Kell <jeff-kell at utc.edu> wrote:
> > On 4/29/2014 2:06 PM, Owen DeLong wrote:
> >> If everyone who had 30+ inaggregable IPv4 prefixes replaced them with 1
> (or even 3) IPv6 prefixes…
> >>
> >> As a bonus, we could get rid of NAT, too. ;-)
> >>
> >> /me ducks (but you know I had to say it)
> >
> > Yeah, just when we thought Slammer / Blaster / Nachi / Welchia / etc /
> > etc  had been eliminated by process of "can't get there from here"... we
> > expose millions more endpoints...
> >
> > /me ducks too (but you know *I* had to say it)
> Pretending that endpoints are not exposed to those things with NAT is kind
> of like putting a screen door in front of a bank vault and saying “now safe
> from tornadoes”.
> Owen

More information about the NANOG mailing list