Re: just seen my first IPv6 network abuse scan, is this the start for more?

[Owen DeLong <owen () delong com>]

Sent from my iPad

On Sep 4, 2010, at 4:12 AM, Joel Jaeggli <joelja () bogus com> wrote:

> On 9/3/10 11:25 AM, Bill Bogstad wrote:
> > On Fri, Sep 3, 2010 at 9:49 AM, Dobbins, Roland <rdobbins () arbor net> wrote:
> > > On Sep 3, 2010, at 7:58 PM, Owen DeLong wrote:
> > >
> > > > However, scanning in IPv6 is not at all like the convenience of comprehensive scanning of the IPv4 address space.
> > >
> > >
> > > Concur, but I still maintain that lots of illicit automation plus refined scanning via DNS, et. al. is a viable 
> > > practice.
> >
> > These are very big numbers, so I don't see how.
>
> Consider you have a dual stack deployment.
I do...

> what are the most likely ipv6 numbering schemes you're likely to use to
> number hosts.
In my case, there are seven numbering schemes in use.

> If I query one of your hosts in the forward zone and get back and a and
> a aaaa record what can I likely conclude about the numbering scheme for
> that net?
>
> joelja-mac:~ joelja$ host ns3.xxxxxx.net
> ns3.xxx.net has address xxxx.xxx.0.81
> ns3.xxx.net has IPv6 address xxxx:xxx:1::81
In my case, this will only help you find the other hosts which have DNS entries in IPv6. Any host which does not have 
an AAAA record already uses a different numbering scheme entirely.

Even the hosts that do have AAAAs are broken up into different numbering ranges based on my own criteria.

> if you do stateful dhcp v6 assignment what are the likely constraints as
> to the size of the pool you're going to use for that subnet.
1. Stateful DHCP on a subnet is the exception, not the rule.
2. On networks with DHCP, I would give at least a 48 bit pool.

> This is like brute force password guessing... there's some high
> probability answers that are low hanging fruit you reach for them, they
> don't exist you move on.
In other words, you'll get lucky on a few networks where the administrator failed to move beyond IPv4think.

> >     If you use easy to guess/remember host/service names and put them
> > in public DNS then those IP addresses are in some sense already public
> > (whether IPv4 or IPv6).   The definition of "easy to guess" is pretty
> > much everything which has ever been used in a wordlist for password
> > cracking programs (plus the code which generates variants of same).
> > Real attackers are going to flood
> > your DNS servers, not do brute force IPv6 ICMP scans.  Even a pure
> > brute force DNS scan of all 10 character long hostnames (asuming
> > a-z0-9) is going to take around 5000 times fewer queries then a full
> > ICMP v6 scan of a /64.   (Which at an attack speed of 1000pps is still
> > going to take around 100,000 years.)

Good luck getting 1000 dns answers per second from most zones.

I suspect a useful DNS scan would be limited to something more like 200 qps.

Even then, you'll trip over my query rate limiter unless you use a whole lot of hosts to do the scan.

> >     For machines which you want to make it REALLY hard to find, but
> > need publicly accessible addresses, you shouldn't put them in publicly
> > queryable DNS servers at all and use a random number generator to
> > generate their static IPv6 addresses.   Even if you put a thousand of
> > these machines in a single subnet, it is going to take half a million
> > years at reasonable packet rates before even one of them is
> > discovered.

Or better yet, have the, cycle through privacy addresses using dynamic updates tom private name server.
 
> >    Hmm, thinking about it in terms of passwords might help.  Many
> > people consider a totally random 10 character monocase+numbers
> > password to be reasonably secure against brute force attacks.   ICMP
> > scanning a /64 is thousands of times more difficult and all it gives
> > you is the existence of the machine.   Even if you find that needle in
> > a hay stack , you don't get access to its resources.

About 6,000 times to be slightly more precise.

36^10 is.         ~3,656,158,440,000,000
2^64 is.    18,446,744,073,709,551,616 addresses.

 
> >    I took a quick look at the paper that SMB linked to and I would
> > argue that for wide area attacks, packet sniffing is going to be how
> > people find your "hidden" addresses.    Compromising SMB wi-fi hotspot
> > hardware and logging every address accessed is one possibility.   Or
> > just compromise people's laptops and have them run network sniffers
> > which generate "seen" address lists which are forwarded to dummy gmail
> > accounts.
> >
> > Bill Bogstad
I think that's much more likely.

Owen