Re: Host scanning in IPv6 Networks

[Fernando Gont <fernando () gont com ar>]

Hi, Jimmy,

On 04/20/2012 09:22 PM, Jimmy Hess wrote:
> The mathematical argument in the draft doesn't really work,  because
> it's too focused on  there being "one specific site"  that can be
> scanned.

Not sure what you mean. Clearly, in the IPv6 world you'd target specific
networks.

How could you know which networks to scan? -- Easy: the attacker is
targeting a specific organization, are you gather possible target
networks as this information leaks out all too often (e-mail headers, etc.).



> You can't just "pick a random 120 bit number"  and have a good chance
> of that random IP happening to be a live host address.

That would be pretty much a "brute force" attack, and the argument in
this paper is that IPv6 host-scanning attacks will not be brute force
(as we know them).


> The draft is unconvincing.   The expected result is there will be very
> little preference for scanning,  and those  that will be launching
> attacks against networks will  be utilizing simpler techniques that
> are still highly effective and do not require scanning.

Not sure what you mean. Could you please clarify?



> Such as the exploit of vulnerable HTTP clients  who _navigate to the
> attacker controlled web page_, walking directly into their hands,
> instead of worms  "searching for needles in haystacks".

Well, this is part of alternative scanning techniques, which so far are
not the subject of this draft.

Thanks,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () si6networks com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1