[129377] in North American Network Operators' Group
RE: just seen my first IPv6 network abuse scan, is this the start
daemon@ATHENA.MIT.EDU (Deepak Jain)
Fri Sep 3 16:33:42 2010
From: Deepak Jain <deepak@ai.net>
To: Owen DeLong <owen@delong.com>, "Dobbins, Roland" <rdobbins@arbor.net>
Date: Fri, 3 Sep 2010 16:33:23 -0400
In-Reply-To: <3238DBCC-0258-47EA-B804-D8E254492182@delong.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> > Plus, setting bots to go scan isn't very labor-intensive. All the
> > talk about how scanning isn't viable in IPv6-land due to large
> > netblocks doesn't take into account the benefits of illicit automation.
> >
> Uh... He mentioned 1000 addresses/second... At that rate, scanning a
> /64 will take more than
> 18,000,000,000,000,000 seconds. Converted to hours, that's
> 5,000,000,000,000 hours which
> works out to 208,333,333,333 days or roughly 570,776,255 years.
>
> If you want to scan a single IPv6 subnet completely in 1 year, you will
> need to automate
> 570,776,255 machines scanning at 1000 ip addresses per second, and,
> your target network
> will need to be able to process 570,776,255,000 packets per second.
>
> Yes, you can do a certain amount of table-overflow DOS with an IPv6
> scan, but, you really
> can't accomplish much else in practical terms.
>
Since I mentioned a thread about technology prognostication...

Right now 1000 pps per host seems like a number that is on the high end of what could go reasonably unnoticed by a compromised bot-machine. I'm sure if we roll back our clocks to IPv4's origination we'd have never imagined 1000 pps scans.

If history is any judge, the technology will grow faster and farther than we can see from here. Designers will put stupid kludges in their code [because the space is so vast] like picking Fibonacci numbers as "unique" inside of large sections of space -- who knows.

The point is that while every smart person thinks this is a lot of space for current attack technology, in some period of time, it may not seem too difficult and safe to hide in.

Moreover, when every enterprise has a /48 or better, network admins are going to need to be able to track down machines/devices/ear pieces/what have you on a better basis than trapping them when they speak up. There is a huge potential for sleepers in IPv6 space that we don't see any more in IPv4 (because the tools are better). Eventually someone will find an approach to do this kind of surveying and then make it cheap enough everyone can do it. (how often do security-admins use NMAP/Nessus/what have you to survey their own space -- an IPv6 analog will *need* to be created eventually).

Just my thoughts,
Deepak