[129337] in North American Network Operators' Group


Re: just seen my first IPv6 network abuse scan, is this the start

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Fri Sep 3 06:46:29 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Fri, 3 Sep 2010 10:46:17 +0000
In-Reply-To: <AANLkTimrj7ZqcE2dq1wbgJbokFyWbbG=FY08_n9S2T5D@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sep 3, 2010, at 5:14 PM, Igor Ybema wrote:

> I discovered an external IPv6 host was doing a (rather useless due to the amount of addresses) IPv6 ICMP scan on our network recurring daily and mostly during the nights, sometimes with speeds of 1000 scans per second.

Not necessarily so useless, as it was hitting your boxen, eh?

;>

Plus, setting bots to go scan isn't very labor-intensive.  All the talk about how scanning isn't viable in IPv6-land due to large netblocks doesn't take into account the benefits of illicit automation.

Note that hinted scanning, based upon DNS treewalking and so forth, is a useful refinement.

> Due to the amount of IPv6 neighbor discoveries from our routers resulting from this scan the Neighbour table overflow messages appeared on the machines.


Any noticeable effect on router CPU?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

 	       Sell your computer and buy a guitar.
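
Added example, not part of the original message or written by either poster: a small detector that flags a source sweeping one /64 and estimates how many unresolved neighbor entries such a sweep keeps pending at once. The event tuple format, the function names, the 3-second pending time (RFC 4861 default timers) and the 1024-entry limit (Linux default gc_thresh3) are assumptions; the sample data is constructed.

```python
import ipaddress
from collections import defaultdict

ND_PENDING_S = 3    # assumption: 3 solicitations x 1 s retransmit timer (RFC 4861 defaults)
CACHE_LIMIT = 1024  # assumption: Linux default net.ipv6.neigh.default.gc_thresh3

def sweep_sources(events, min_targets=100):
    """Sources that probe >= min_targets distinct addresses of one /64 within one second."""
    seen = defaultdict(set)
    for ts, src, dst in events:
        prefix = ipaddress.ip_network(f"{dst}/64", strict=False)
        seen[(src, prefix, int(ts))].add(ipaddress.ip_address(dst))
    return sorted({src for (src, _, _), dsts in seen.items() if len(dsts) >= min_targets})

def peak_pending(events, live_hosts):
    """Peak number of unresolved neighbor entries caused by probes to absent hosts."""
    live = {ipaddress.ip_address(h) for h in live_hosts}
    per_second = defaultdict(set)
    for ts, _, dst in events:
        addr = ipaddress.ip_address(dst)
        if addr not in live:
            per_second[int(ts)].add(addr)
    peak = 0
    for t in list(per_second):
        pending = set()
        for back in range(ND_PENDING_S):  # entries created in the last ND_PENDING_S seconds
            pending |= per_second.get(t - back, set())
        peak = max(peak, len(pending))
    return peak

def constructed_sample():
    """Constructed data: one source sweeping a /64 at 1000 probes/s for 3 s, plus one normal ping."""
    base = int(ipaddress.ip_address("2001:db8:0:1::"))
    scan = [(i / 1000, "2001:db8:ffff::bad", str(ipaddress.ip_address(base + 0x1000 + i)))
            for i in range(3000)]
    return scan + [(1.5, "2001:db8:aaaa::5", "2001:db8:0:1::10")]

if __name__ == "__main__":
    events = constructed_sample()
    peak = peak_pending(events, {"2001:db8:0:1::10"})
    print("sweep sources:", sweep_sources(events))
    print(f"peak unresolved entries: {peak} (limit {CACHE_LIMIT})")
```

With these assumptions, a sustained 1000 probes per second to absent addresses holds about three times the assumed table limit in unresolved entries, which is consistent with the overflow messages described in the quoted text.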
