[81877] in North American Network Operators' Group


Re: OMB: IPv6 by June 2008

daemon@ATHENA.MIT.EDU (Stephen Sprunk)
Fri Jul 1 14:49:07 2005

From: "Stephen Sprunk" <stephen@sprunk.org>
To: "Joe Maimon" <jmaimon@ttec.com>,
	"Christopher L. Morrow" <christopher.morrow@mci.com>
Cc: "Mohacsi Janos" <mohacsi@niif.hu>,
	"Fergie (Paul Ferguson)" <fergdawg@netzero.net>,
	"North American Noise and Off-topic Gripes" <nanog@merit.edu>
Date: Fri, 1 Jul 2005 13:29:32 -0500
Errors-To: owner-nanog@merit.edu


Thus spake "Joe Maimon" <jmaimon@ttec.com>
> Christopher L. Morrow wrote:
> > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> >>- Not feasible scanning of subnets remotely
> >
> > eh... maybe, I'm not convinced this matters anyway.
> >
> If your argument is that it is "too hard" to scan that many addresses,
> do you really think that in an age of 100Gbps broadband and 100GHz
> home PCs that will really be the barrier you think it is? Or better
> put: Over the possible lifetime of v6 will that barrier remain real? And
> the scanner merely has to get lucky once.

At 100Gbps, you can send about 2^28 probes per second.  To scan a /64 subnet
would take 2^36 seconds -- 2177 years.  I'm pretty sure that's not within
IPv6's lifetime.

> Or they can have a zombie army of scanners that will be statistically
> guaranteed to get lucky at least once.

The bandwidth into that subnet will be the limiting factor, but let's
somehow assume you could get 100Gbps for _each_ attacker.  You'd need to
commandeer 2^31 hosts (difficult, but not impossible) connected at 100Gbps
and coordinate them all probing the same subnet without duplication to scan
it within one minute.  More than a few hosts per subnet would bring that
number down a bit, but not enough to make it feasible for worms to spread
via scanning.

What this really does is change the detection method.  Instead of scanning
randomly, you sit and watch what other IP addresses the local host
communicates with (on- and off-subnet), and attack each of them.  How many
degrees of separation are there really between any two unrelated computers
on the Internet?  You could probably collect half of all addresses in use
just by infecting Google...

S

Stephen Sprunk      "Those people who think they know everything
CCIE #3723         are a great annoyance to those of us who do."
K5SSS                                             --Isaac Asimov
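The two arguments in the message above, put into runnable form as an added example (this is not code from the original post or from anyone on the list). The first part generalises the back-of-the-envelope scan time to any prefix length, line rate and probe size; the 46-byte probe is an assumption chosen so that 100 Gb/s works out to roughly the 2^28 probes per second the post uses. The second part does what the last paragraph describes a worm doing instead of scanning: harvest the addresses the infected host already talks to, from its neighbor cache and connection table, and sort them into on-subnet and off-subnet targets. The `ip -6 neigh` and `ss -6tn` output and the local prefix `2001:db8:1::/64` are constructed for the example, not captured from a real host.

```python
"""Added example for the NANOG thread: IPv6 brute-force scan cost versus
harvesting peers from the local host.  Sample command output below is
constructed, not real."""

import ipaddress
import math
import re

# Assumption: a minimal probe (IPv6 header + a few bytes of payload plus
# framing) is about 46 bytes on the wire.  At 100 Gb/s that is ~2.7e8
# probes/s, close to the post's 2^28/s figure.
PROBE_BYTES = 46
SECONDS_PER_YEAR = 365.25 * 86400


def probes_per_second(bps, probe_bytes=PROBE_BYTES):
    """Probes per second a link of `bps` bits/s can carry at line rate."""
    return bps / (probe_bytes * 8)


def scan_seconds(prefix_len, bps, probe_bytes=PROBE_BYTES):
    """Seconds to probe every address in a 2^(128-prefix_len) block."""
    return 2 ** (128 - prefix_len) / probes_per_second(bps, probe_bytes)


def hosts_needed(prefix_len, bps, deadline_s, probe_bytes=PROBE_BYTES):
    """Hosts, each with `bps` of bandwidth and no duplicated probes,
    needed to finish the block within `deadline_s` seconds."""
    return math.ceil(scan_seconds(prefix_len, bps, probe_bytes) / deadline_s)


# --- Constructed sample output (not from a real machine) -----------------
NEIGH_SAMPLE = """\
2001:db8:1::5 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1::17 dev eth0 lladdr 52:54:00:ab:cd:ef STALE
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::2a dev eth0  FAILED
"""

SS_SAMPLE = """\
State     Recv-Q Send-Q Local Address:Port       Peer Address:Port
ESTAB     0      0      [2001:db8:1::10]:44322   [2001:db8:1::5]:22
ESTAB     0      0      [2001:db8:1::10]:50112   [2001:db8:cafe::1]:443
TIME-WAIT 0      0      [2001:db8:1::10]:38000   [2001:db8:beef::99]:80
ESTAB     0      0      [::1]:6379               [::1]:51020
"""

_SS_ADDR = re.compile(r"\[([0-9a-fA-F:.]+)\]:\d+")


def neighbor_cache_peers(text):
    """Addresses from `ip -6 neigh` output; FAILED entries never resolved,
    so they are skipped."""
    peers = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or "FAILED" in fields:
            continue
        try:
            peers.add(ipaddress.IPv6Address(fields[0]))
        except ValueError:
            continue  # not an address column we understand
    return peers


def connection_peers(text):
    """Peer addresses from `ss -6tn` output (second bracketed address)."""
    peers = set()
    for line in text.splitlines()[1:]:  # first line is the header
        addrs = _SS_ADDR.findall(line)
        if len(addrs) == 2:
            peers.add(ipaddress.IPv6Address(addrs[1]))
    return peers


def harvest_targets(neigh_text, ss_text, local_prefix):
    """Union of both sources, minus link-local/loopback/multicast noise,
    split into on-subnet and off-subnet targets (sorted strings)."""
    net = ipaddress.IPv6Network(local_prefix)
    on_link, off_link = set(), set()
    for a in neighbor_cache_peers(neigh_text) | connection_peers(ss_text):
        if a.is_link_local or a.is_loopback or a.is_multicast or a.is_unspecified:
            continue
        (on_link if a in net else off_link).add(str(a))
    return sorted(on_link), sorted(off_link)


if __name__ == "__main__":
    years = scan_seconds(64, 100e9) / SECONDS_PER_YEAR
    print(f"/64 at 100 Gb/s: {years:,.0f} years; "
          f"hosts for a 60 s scan: {hosts_needed(64, 100e9, 60):,}")
    on, off = harvest_targets(NEIGH_SAMPLE, SS_SAMPLE, "2001:db8:1::/64")
    print("on-link targets :", on)
    print("off-link targets:", off)
```

The arithmetic only holds while hosts are spread uniformly through the /64. In practice addresses cluster (low host numbers, EUI-64 patterns, addresses leaked through DNS and logs), so the effective search space is far smaller than 2^64, and the harvesting path above is the one an attacker takes regardless of line rate; on the defensive side, the same neighbor-cache and connection-table reads are a cheap way to inventory what a compromised host could have learned.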

