nanog mailing list archives
Re: Interesting paper by Steve Bellovin - Worm propagation in a v6 internet
From: Todd Vierling <tv () duh org>
Date: Tue, 14 Feb 2006 23:47:35 -0500 (Eastern Standard Time)
On Wed, 15 Feb 2006, Mark Andrews wrote:
> I suggest that you re-read RFC 1034 and RFC 1035. An empty node returns NOERROR. A non-existent node returns NXDOMAIN (Name Error).
Right. This means depth-first walk, which will reduce the *possible* address space to probe, but that is the antithesis of traditional scanning (which is often at least partly stochastic). To a worm, the benefit of stochastic scanning is that no collaboration between infected hosts is needed; but with a walking traversal, you have to have some kind of statekeeping if the walk search is not intended to take ~forever.

I can see this vector as being useful for scanning within some specific organization's subnet, but even then, you'll need some kind of collaboration with NDP solicitations for most internal setups. Stateless autoconfig, for instance, is unscannable without listening for NDP at the same time -- and from a remote network, you can basically forget it.

You're also assuming that there will be PTR records for the most commonly infectable OS ([vendor product elided]) in the most commonly used configuration (desktop). It's highly likely that such systems will use some sort of autoconfiguration, and stateless form as above presents a fairly large address space to scan. If there are PTRs assigned for such hosts at all, the attack vector is actually somewhat simple to minimize: have the DNS product in use return empty NOERROR, rather than NXDOMAIN, for any unassigned addresses in the /64.

Don't get me wrong, I'm not one for security through obscurity in the primary case. But attack vector minimization is still useful for this particular angle.

--
-- Todd Vierling <tv () duh org> <tv () pobox com> <todd () vierling name>
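
Added example (not part of the original message or of any DNS product): a toy Python model of the ip6.arpa zone for one /64, comparing the RFC 1034/1035 responses discussed above with the proposed policy of answering empty NOERROR for unassigned names. The class and function names, the 2001:db8:0:1::/64 prefix and the host address are constructed for illustration, and applying the policy to intermediate nibble names as well as full addresses is an assumption.

```python
import ipaddress

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return tuple(name.rstrip(".").lower().split("."))

class ReverseZone:
    """Toy model of the ip6.arpa zone for one /64 (not a real DNS server)."""

    def __init__(self, prefix, hosts_with_ptr):
        net = ipaddress.IPv6Network(prefix)
        full = labels(net.network_address.reverse_pointer)
        # Zone apex: PTR name of the network address minus its host nibbles.
        self.apex = full[(128 - net.prefixlen) // 4:]
        self.ptrs = {labels(ipaddress.IPv6Address(h).reverse_pointer)
                     for h in hosts_with_ptr}

    def node_exists(self, q):
        """True for the apex, a PTR owner, or an empty non-terminal above one."""
        return q == self.apex or any(p[-len(q):] == q for p in self.ptrs)

    def answer(self, qname, hardened=False):
        """Return (rcode, has_ptr_answer) for a PTR query."""
        q = labels(qname)
        if q[-len(self.apex):] != self.apex:
            return ("REFUSED", False)      # name is outside this zone
        if q in self.ptrs:
            return ("NOERROR", True)       # assigned address, PTR returned
        if self.node_exists(q) or hardened:
            return ("NOERROR", False)      # empty answer section
        return ("NXDOMAIN", False)         # RFC 1034/1035 name error

def responses_seen(zone, qnames, hardened):
    """Distinct responses a remote client observes for the given names."""
    return {zone.answer(n, hardened) for n in qnames}

# Constructed sample data: documentation prefix, one host with a PTR record.
ZONE = ReverseZone("2001:db8:0:1::/64", ["2001:db8:0:1::53"])
APEX = ".".join(ZONE.apex)
HOST_PTR = ipaddress.IPv6Address("2001:db8:0:1::53").reverse_pointer
POPULATED_BRANCH = "0." + APEX   # first host nibble of ::53 is 0
EMPTY_BRANCH = "f." + APEX       # no PTR anywhere below this nibble

if __name__ == "__main__":
    for hardened in (False, True):
        for name in (POPULATED_BRANCH, EMPTY_BRANCH):
            print(hardened, name[:3] + "...", ZONE.answer(name, hardened))
```

With the default policy the two branches answer differently, which is the signal that lets a client discard empty subtrees; with the hardened policy both answer NOERROR with an empty answer section, so only a query for a complete assigned address reveals anything.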