[152257] in North American Network Operators' Group
Re: Host scanning in IPv6 Networks
daemon@ATHENA.MIT.EDU (Fernando Gont)
Fri Apr 20 20:55:57 2012
Date: Fri, 20 Apr 2012 21:55:12 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: Jimmy Hess <mysidia@gmail.com>
In-Reply-To: <CAAAwwbWXWpQDqCP1VyBR72MX+_BBEQUnozDRkz+r5y_KhMc0Xw@mail.gmail.com>
Cc: NANOG <nanog@nanog.org>
Hi, Jimmy,
On 04/20/2012 09:22 PM, Jimmy Hess wrote:
> The mathematical argument in the draft doesn't really work, because
> it's too focused on there being "one specific site" that can be
> scanned.
Not sure what you mean. Clearly, in the IPv6 world you'd target specific
networks.
How could you know which networks to scan? -- Easy: the attacker is
targeting a specific organization, and you gather possible target
networks as this information leaks out all too often (e-mail headers, etc.).
> You can't just "pick a random 120 bit number" and have a good chance
> of that random IP happening to be a live host address.
That would be pretty much a "brute force" attack, and the argument in
this paper is that IPv6 host-scanning attacks will not be brute force
(as we know them).
> The draft is unconvincing. The expected result is there will be very
> little preference for scanning, and those that will be launching
> attacks against networks will be utilizing simpler techniques that
> are still highly effective and do not require scanning.
Not sure what you mean. Could you please clarify?
> Such as the exploit of vulnerable HTTP clients who _navigate to the
> attacker controlled web page_, walking directly into their hands,
> instead of worms "searching for needles in haystacks".
Well, this is part of alternative scanning techniques, which so far are
not the subject of this draft.
Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1