[129350] in North American Network Operators' Group
Re: just seen my first IPv6 network abuse scan,
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Sep 3 09:04:48 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <6AD92173-D423-49E4-81BF-7E141249222B@arbor.net>
Date: Fri, 3 Sep 2010 05:58:40 -0700
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Sep 3, 2010, at 3:46 AM, Dobbins, Roland wrote:
>
> On Sep 3, 2010, at 5:14 PM, Igor Ybema wrote:
>
>> I discovered an external IPv6 host was doing a (rather useless due to the amount of addresses) IPv6 ICMP scan on our network recurring daily and mostly during the nights, sometimes with speeds of 1000 scans per second.
>
> Not necessarily so useless, as it was hitting your boxen, eh?
>
> ;>
>
> Plus, setting bots to go scan isn't very labor-intensive. All the talk about how scanning isn't viable in IPv6-land due to large netblocks doesn't take into account the benefits of illicit automation.
>
Uh... He mentioned 1000 addresses/second... At that rate, scanning a /64 will take more than 18,000,000,000,000,000 seconds. Converted to hours, that's 5,000,000,000,000 hours, which works out to 208,333,333,333 days or roughly 570,776,255 years.

If you want to scan a single IPv6 subnet completely in 1 year, you will need to automate 570,776,255 machines scanning at 1000 IP addresses per second, and your target network will need to be able to process 570,776,255,000 packets per second.

Yes, you can do a certain amount of table-overflow DoS with an IPv6 scan, but you really can't accomplish much else in practical terms.
> Note that hinted scanning, based upon DNS treewalking and so forth, is a useful refinement.
>
Yes, you can find hosts for which you already know the addresses easily this way. Obviously, there are a few other tricks that make it easy to find individual targets (such as the convention of making a router <subnet>::1). However, scanning in IPv6 is not at all like the convenience of comprehensive scanning of the IPv4 address space.
>> Due to the amount of IPv6 neighbor discoveries from our routers resulting from this scan, the Neighbour table overflow messages appeared on the machines.
>
> Any noticeable effect on router CPU?
>
Probably not a lot. Probably even less on the boxes reporting the neighbor table overflow. Other than generating some noisy error messages, this should have been pretty much a non-event.
Owen
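The two points made in the exchange above (a /64 cannot be brute-forced at any realistic probe rate, but addressing conventions such as <subnet>::1 shrink the search to a handful of candidates) can be put side by side in code. The Python below is an added example and is not part of Owen's or anyone else's post on the thread; the subnet 2001:db8:1:2::/64, the MAC 00:1b:21:aa:bb:cc and the IPv4 address 192.0.2.10 are constructed inputs, and the "low interface ID", "EUI-64 from a known MAC" and "embedded IPv4" heuristics are common conventions chosen here for illustration, not an exhaustive list.

```python
"""Added example (not from the NANOG thread): brute-force scan time for an
IPv6 prefix versus a hinted candidate list built from addressing conventions.
All inputs are constructed for illustration."""
import ipaddress

SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, as in the thread's arithmetic


def scan_time_years(prefix_len: int, rate_pps: float) -> float:
    """Years needed to probe every address in one prefix at rate_pps probes/sec."""
    addresses = 2 ** (128 - prefix_len)
    return addresses / rate_pps / SECONDS_PER_YEAR


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 App. A):
    split the MAC after the OUI, insert ff:fe, and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def hinted_candidates(subnet: str, low_ids: int = 16,
                      known_macs=(), embedded_ipv4=()):
    """Candidate hosts in a /64 derived from conventions rather than brute force:
    low interface IDs (router at ::1 and so on), EUI-64 IIDs from MACs learned
    elsewhere, and IPv4 addresses embedded in the low 32 bits (e.g. from a dual
    stack host's A record).  Returns a sorted, de-duplicated list of addresses."""
    net = ipaddress.IPv6Network(subnet, strict=True)
    if net.prefixlen != 64:
        raise ValueError("hinted_candidates expects a /64")
    base = int(net.network_address)
    iids = set(range(1, low_ids + 1))
    iids.update(eui64_iid(m) for m in known_macs)
    iids.update(int(ipaddress.IPv4Address(a)) for a in embedded_ipv4)
    return sorted(ipaddress.IPv6Address(base | iid) for iid in iids)


if __name__ == "__main__":
    # Exhaustive scan at the rate Igor observed: hundreds of millions of years.
    print(f"/64 at 1000 pps: {scan_time_years(64, 1000):,.0f} years")
    # The hinted list for the same /64 is a few dozen probes.
    cands = hinted_candidates("2001:db8:1:2::/64",
                              known_macs=["00:1b:21:aa:bb:cc"],
                              embedded_ipv4=["192.0.2.10"])
    print(f"{len(cands)} hinted candidates, first {cands[0]}, last {cands[-1]}")
```

The exhaustive figure uses 2^64 exactly rather than the rounded 18,000,000,000,000,000 in the post, so it comes out slightly higher than 570,776,255 years; the conclusion is the same. The candidate list is the thing a defender should expect to see probed, which is also why a scan that does hit a /64 tends to show up as neighbor-cache pressure on the first-hop router rather than as hosts being found.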