[129390] in North American Network Operators' Group
Re: just seen my first IPv6 network abuse scan,
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Sep 3 20:16:26 2010
From: Owen DeLong <owen@delong.com>
To: Deepak Jain <deepak@ai.net>
In-Reply-To: <D338D1613B32624285BB321A5CF3DB251037180FE5@ginga.ai.net>
Date: Sat, 4 Sep 2010 09:42:25 +0930
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I was not attempting to defend security through obscurity. It doesn't ultimately help at all.

However, compared to the network and other resource costs of scanning, even at more than a billion pps, I think there will be more effective vectors of attack that are more likely to be used in IPv6. In IPv4, an exhaustive scan is quite feasible. In IPv6, scanning a single subnet is 4 billion times harder than scanning the entire IPv4 Internet.

My point isn't that hiding hosts in arbitrarily large address space makes them safe. My point is that scanning is not the vector by which they are most likely to get discovered.
Owen
Sent from my iPad
On Sep 4, 2010, at 6:03 AM, Deepak Jain <deepak@ai.net> wrote:
>
>>> Plus, setting bots to go scan isn't very labor-intensive. All the talk about how scanning isn't viable in IPv6-land due to large netblocks doesn't take into account the benefits of illicit automation.
>>>
>> Uh... He mentioned 1000 addresses/second... At that rate, scanning a /64 will take more than 18,000,000,000,000,000 seconds. Converted to hours, that's 5,000,000,000,000 hours which works out to 208,333,333,333 days or roughly 570,776,255 years.
>>
>> If you want to scan a single IPv6 subnet completely in 1 year, you will need to automate 570,776,255 machines scanning at 1000 ip addresses per second, and, your target network will need to be able to process 570,776,255,000 packets per second.
>>
>> Yes, you can do a certain amount of table-overflow DOS with an IPv6 scan, but, you really can't accomplish much else in practical terms.
>>
>
> Since I mentioned a thread about technology prognostication...
>
> Right now 1000 pps per host seems like a number that is on the high end of what could go reasonably unnoticed by a compromised bot-machine. I'm sure if we roll back our clocks to IPv4's origination we'd have never imagined 1000pps scans.
>
> If history is any judge, the technology will grow faster and farther than we can see from here. Designers will put stupid kludges in their code [because the space is so vast] like picking Fibonacci numbers as "unique" inside of large sections of space -- who knows.
>
> The point is that while every smart person thinks this is a lot of space for current attack technology, in some period of time, it may not seem too difficult and safe to hide in.
>
> Moreover, when every enterprise has a /48 or better, network admins are going to need to be able to track down machines/devices/ear pieces/what have you on a better basis than trapping them when they speak up. There is a huge potential for sleepers in IPv6 space that we don't see any more in IPv4 (because the tools are better). Eventually someone will find an approach to do this kind of surveying and then make it cheap enough everyone can do it. (how often do security-admins use NMAP/Nessus/what have you to survey their own space -- an IPv6 analog will *need* to be created eventually).
>
> Just my thoughts,
>
> Deepak
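The scan-cost arithmetic the thread argues over (a /64 at 1000 probes per second, the machines needed to finish in a year, the packet rate the target would have to absorb, and the "4 billion times harder than all of IPv4" comparison) is worth having as a reusable calculation rather than hand-rounded figures. The following is an added example written for this page, not code from either poster; it uses exact integer arithmetic throughout, so its year figure (about 585 million) differs slightly from the thread's 570,776,255, which was rounded at each conversion step. It assumes a non-leap 365-day year, a single probe per address, and that the scanner never revisits an address; the function names are the editor's own. It also generalises the thread's one case to any prefix length, probe rate and deadline, which is the form a defender wants when estimating whether an exhaustive sweep of a given prefix is a realistic threat or a capacity-planning concern (the thread's "table-overflow DOS" point).

```python
from fractions import Fraction

# Non-leap year, matching the thread's days-to-years step (assumption).
SECONDS_PER_YEAR = 365 * 24 * 3600


def address_count(prefix_len: int, family_bits: int = 128) -> int:
    """Number of addresses in a prefix; family_bits is 32 for IPv4, 128 for IPv6."""
    if not 0 <= prefix_len <= family_bits:
        raise ValueError("prefix length out of range for this address family")
    return 1 << (family_bits - prefix_len)


def scan_seconds(prefix_len: int, pps: int, family_bits: int = 128) -> Fraction:
    """Wall-clock seconds for one scanner sending `pps` probes/second to cover every address once."""
    if pps <= 0:
        raise ValueError("probe rate must be positive")
    return Fraction(address_count(prefix_len, family_bits), pps)


def scan_years(prefix_len: int, pps: int, family_bits: int = 128) -> float:
    """Same as scan_seconds, expressed in (365-day) years."""
    return float(scan_seconds(prefix_len, pps, family_bits) / SECONDS_PER_YEAR)


def scanners_needed(prefix_len: int, pps: int, deadline_seconds: int, family_bits: int = 128) -> int:
    """Parallel scanners at `pps` each required to cover the prefix within the deadline (rounded up)."""
    total = address_count(prefix_len, family_bits)
    return -(-total // (pps * deadline_seconds))  # ceiling division on positive ints


def aggregate_pps(prefix_len: int, deadline_seconds: int, family_bits: int = 128) -> int:
    """Packet rate the *target* prefix must absorb for full coverage inside the deadline (rounded up).

    This is the defender-side number: the load a sweep of that size would place on your
    routers' neighbour tables and your monitoring, independent of how many hosts send it.
    """
    return -(-address_count(prefix_len, family_bits) // deadline_seconds)


def ipv6_subnet_vs_ipv4_internet() -> int:
    """How many times larger a single IPv6 /64 is than the entire IPv4 address space."""
    return address_count(64) // address_count(0, family_bits=32)


if __name__ == "__main__":
    # Reproduce the thread's scenario: one /64, one scanner at 1000 probes/second.
    print(f"/64 addresses:            {address_count(64):,}")
    print(f"single scanner, 1000 pps: {scan_years(64, 1000):,.0f} years")
    print(f"scanners to finish in 1y: {scanners_needed(64, 1000, SECONDS_PER_YEAR):,}")
    print(f"target load for 1y sweep: {aggregate_pps(64, SECONDS_PER_YEAR):,} pps")
    print(f"/64 vs all of IPv4:       {ipv6_subnet_vs_ipv4_internet():,}x")
    # The comparison Owen draws: all of IPv4 at the same rate is weeks, not geological time.
    print(f"all of IPv4, 1000 pps:    {scan_years(0, 1000, family_bits=32) * 365:,.1f} days")
```

Changing `prefix_len` to 48 gives the enterprise-allocation case Deepak raises; the time only shrinks by 2^16, so the conclusion in the thread holds for any prefix a site is likely to hold, and the `aggregate_pps` figure is the one to compare against what your edge equipment can actually absorb.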