(IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

Daniel Marks d at nielmarks.com
Wed Feb 8 00:20:40 UTC 2023


Anecdotal but I've seen hacked AWS accounts with Cloudformation scripts 
to create and destroy lots of tiny instances to rotate through IPv4 
addresses. Being able to rotate through IP addresses is not a new thing, 
I'm sure we all have networks in mind when we think of garbage/malicious 
traffic just over IPv4 alone.

Internally at my company (corp network that went all in on IPv6), we 
have a script that looks through logs and will ban an entire /64 for a 
period of time if it has more than a few banned IP addresses in the same 
subnet (I think ~10 /128s is a 30 minute ban, but we're still tuning it).

There are some strange implementations of IPv6 that end up having a lot 
of dissociated users grouped together in a /64 (i.e. Linode, AT&T 
Wireless, etc) which makes me hesitant to implement automatic /64 bans 
for 1 or 2 spammy IP addresses. At one point we accidentally banned a 
large portion of US users on AT&T when we banned 2600:387:f:10::/64.

On 2/6/2023 10:05 PM, William Herrin wrote:
> On Mon, Feb 6, 2023 at 6:43 PM Fernando Gont <fgont at si6networks.com> wrote:
>> On 6/2/23 20:39, Owen DeLong wrote:
>>> After all, they’re only collecting addresses to ban at the rate they’re actually being used to send packets.
>> Yeah, but the whole point of banning is that the banned address is
>> actually used by an attacker subsequently,
> You both have valuable points here. Listen to each other.
>
> On the one hand, sophisticated attackers already scatter attacks
> between source addresses to evade protection software. Attackers who
> don't have control over their computer's IP address do not. This is
> not new and IPv6 does not really change that picture.
>
> On the other hand, there are so many addresses in a /64 that an
> attacker can literally use a fresh one for each and every probe he
> sends. Without a process for advancing the /128 ban to a /64 ban (and
> releasing it once activity stops), reactive firewalls are likely to
> become less and less effective.
>
> Regards,
> Bill Herrin
>

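The escalation logic described in the post above (count banned /128s per /64, ban the whole /64 for a limited time once roughly ten of them pile up, but skip prefixes known to lump unrelated users together), as an added example that is not code from the post or from any NANOG participant. The threshold, the 30 minute duration, the sample ban list and the `SHARED_64S` allowlist are constructed here for illustration; the one real prefix in the allowlist, 2600:387:f:10::/64, is the AT&T Wireless block the post says was accidentally banned.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs taken from the post's description: ~10 banned /128s in one /64
# within the window escalates to a /64 ban that expires after 30 minutes.
ESCALATION_THRESHOLD = 10
ESCALATION_DURATION = timedelta(minutes=30)

# Prefixes known to group many unrelated users into a single /64 (hypothetical
# allowlist; 2600:387:f:10::/64 is the AT&T Wireless prefix mentioned in the post).
SHARED_64S = [ipaddress.ip_network("2600:387:f:10::/64")]


def covering_64(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Network:
    """Return the /64 that contains the given host address."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def is_shared_64(net: ipaddress.IPv6Network) -> bool:
    """True if this /64 sits inside a prefix we never auto-escalate."""
    return any(net.subnet_of(shared) for shared in SHARED_64S)


def escalate_bans(host_bans, now):
    """host_bans: iterable of (ip_string, ban_time) for individual /128 bans.

    Returns {IPv6Network(/64): expiry} for every /64 that should be banned now.
    Only bans inside the last ESCALATION_DURATION count, so a /64 ban lapses
    once activity from that prefix stops (the release step Bill Herrin asks for).
    """
    window_start = now - ESCALATION_DURATION
    hosts_per_64 = defaultdict(set)       # distinct hosts, so re-banning one /128 is not double counted
    for ip, banned_at in host_bans:
        if banned_at < window_start:
            continue                       # stale /128 ban, outside the window
        addr = ipaddress.ip_address(ip)
        if addr.version != 6:
            continue                       # IPv4 entries are handled by a separate path
        hosts_per_64[covering_64(addr)].add(addr)

    escalations = {}
    for net, hosts in hosts_per_64.items():
        if len(hosts) >= ESCALATION_THRESHOLD and not is_shared_64(net):
            escalations[net] = now + ESCALATION_DURATION
    return escalations


def ban_list(host_bans, now):
    """Convenience wrapper returning a sorted list of (prefix_string, expiry)."""
    return sorted((str(net), exp) for net, exp in escalate_bans(host_bans, now).items())


# ---- constructed sample input (not real log data) -------------------------
NOW = datetime(2023, 2, 8, 0, 20)


def _hosts(prefix, count, when):
    return [(f"{prefix}{i:x}", when) for i in range(1, count + 1)]


SAMPLE_BANS = (
    _hosts("2001:db8:1:2::", 12, NOW - timedelta(minutes=5))      # 12 hosts, one /64 -> escalate
    + _hosts("2001:db8:9::", 3, NOW - timedelta(minutes=5))       # only 3 hosts -> leave alone
    + _hosts("2600:387:f:10::", 12, NOW - timedelta(minutes=5))   # shared /64 -> never escalate
    + _hosts("2001:db8:ff::", 12, NOW - timedelta(hours=2))       # 12 hosts but stale -> expired
    + [("2001:db8:1:2::1", NOW - timedelta(minutes=1))]           # duplicate /128, counted once
    + [("192.0.2.1", NOW)]                                        # IPv4, ignored here
)

if __name__ == "__main__":
    for prefix, expiry in ban_list(SAMPLE_BANS, NOW):
        print(f"ban {prefix} until {expiry:%H:%M}")
```

Running the script prints a single line for 2001:db8:1:2::/64. The time window does double duty: it is both the "how many recent /128s" measure and the mechanism that lets a /64 ban lapse, which keeps the rule from permanently locking out a prefix that was only briefly abusive. In a real deployment the allowlist of shared /64s is the part that needs the most care, since the failure mode the post describes (banning a carrier's shared /64) is a one-line mistake with a very large blast radius.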