Re: Host scanning in IPv6 Networks

[Jimmy Hess <mysidia () gmail com>]

For certain definitions of "host scanning"  it is possible to achieve
some level of that in IPv6.
But massively far less efficient and far more limited than the brute
force option that is available in IPv4.

The mathematical argument in the draft doesn't really work,  because
it's too focused on  there being "one specific site"  that can be
scanned.

You can't just "pick a random 120 bit number"  and have a good chance
of that random IP happening to be a live host address.    You can't
just pick a random  /64   and have a good chance of that random /64
happening to be part of a live site.

How useful more informed attacks are,  remains to be seen.  For worm
authors it will seem like a lot of sugar for a dime.

Malware propagation against open ports doesn't work so well if your
nodes  can't effect wide scans efficiently.  If you are so misguided
as to not have a firewall preventing access to vulnerable services.

The draft is unconvincing.   The expected result is there will be very
little preference for scanning,  and those  that will be launching
attacks against networks will  be utilizing simpler techniques that
are still highly effective and do not require scanning.

Such as the exploit of vulnerable HTTP clients  who _navigate to the
attacker controlled web page_, walking directly into their hands,
instead of worms  "searching for needles in haystacks".

Any worms searching for needles in haystacks are likely to be
utilizing a combination of search engines, common dictionary name
lookups, and DNS  to discover IP addresses of potential target web
servers.

--
-JH

On 4/20/12, Steven Bellovin <smb () cs columbia edu> wrote:
> Also see https://www.cs.columbia.edu/~smb/papers/v6worms.pdf
> (Worm propagation strategies in an IPv6 Internet. ;login:,
> pages 70-76, February 2006.)
>
> On Apr 20, 2012, at 3:08 50AM, Fernando Gont wrote:
>
> > FYI
> >
> > -------- Original Message --------
> > Subject: IPv6 host scanning in IPv6
> > Date: Fri, 20 Apr 2012 03:57:48 -0300
> > From: Fernando Gont <fgont () si6networks com>
> > Organization: SI6 Networks
> > To: IPv6 Hackers Mailing List <ipv6hackers () lists si6networks com>
> >
> > Folks,
> >
> > We've just published an IETF internet-draft about IPv6 host scanning
> > attacks.
> >
> > The aforementioned document is available at:
> > <http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt>
> >
> > The Abstract of the document is:
> > ---- cut here ----
> >   IPv6 offers a much larger address space than that of its IPv4
> >   counterpart.  The standard /64 IPv6 subnets can (in theory)
> >   accommodate approximately 1.844 * 10^19 hosts, thus resulting in a
> >   much lower host density (#hosts/#addresses) than their IPv4
> >   counterparts.  As a result, it is widely assumed that it would take a
> >   tremendous effort to perform host scanning attacks against IPv6
> >   networks, and therefore IPv6 host scanning attacks have long been
> >   considered unfeasible.  This document analyzes the IPv6 address
> >   configuration policies implemented in most popular IPv6 stacks, and
> >   identifies a number of patterns in the resulting addresses lead to a
> >   tremendous reduction in the host address search space, thus
> >   dismantling the myth that IPv6 host scanning attacks are unfeasible.
> > ---- cut here ----
> >
> > Any comments will be very welcome (note: this is a drafty initial
> > version, with lots of stuff still to be added... but hopefully a good
> > starting point, and a nice reading ;-) ).
> >
> > Thanks!
> >
> > Best regards,
>
>
>               --Steve Bellovin, https://www.cs.columbia.edu/~smb


-- 
-Mysid