nanog mailing list archives

Re: just seen my first IPv6 network abuse scan, is this the start for more?


From: Joel Jaeggli <joelja () bogus com>
Date: Fri, 03 Sep 2010 11:42:16 -0700

On 9/3/10 11:25 AM, Bill Bogstad wrote:
On Fri, Sep 3, 2010 at 9:49 AM, Dobbins, Roland <rdobbins () arbor net> wrote:

On Sep 3, 2010, at 7:58 PM, Owen DeLong wrote:

However, scanning in IPv6 is not at all like the convenience of comprehensive scanning of the IPv4 address space.


Concur, but I still maintain that lots of illicit automation plus refined scanning via DNS, et al. is a viable
practice.

These are very big numbers, so I don't see how.

Consider you have a dual stack deployment.

what are the most likely ipv6 numbering schemes you're likely to use to
number hosts.

If I query one of your hosts in the forward zone and get back an A and
a AAAA record, what can I likely conclude about the numbering scheme for
that net?

joelja-mac:~ joelja$ host ns3.xxxxxx.net
ns3.xxx.net has address xxxx.xxx.0.81
ns3.xxx.net has IPv6 address xxxx:xxx:1::81


if you do stateful dhcp v6 assignment what are the likely constraints as
to the size of the pool you're going to use for that subnet.

This is like brute force password guessing... there's some high
probability answers that are low hanging fruit you reach for them, they
don't exist you move on.

     If you use easy to guess/remember host/service names and put them
in public DNS then those IP addresses are in some sense already public
(whether IPv4 or IPv6).   The definition of "easy to guess" is pretty
much everything which has ever been used in a wordlist for password
cracking programs (plus the code which generates variants of same).
Real attackers are going to flood
your DNS servers, not do brute force IPv6 ICMP scans.  Even a pure
brute force DNS scan of all 10 character long hostnames (assuming
a-z0-9) is going to take around 5000 times fewer queries than a full
ICMP v6 scan of a /64.   (Which at an attack speed of 1000pps is still
going to take around 100,000 years.)

     For machines which you want to make it REALLY hard to find, but
need publicly accessible addresses, you shouldn't put them in publicly
queryable DNS servers at all and use a random number generator to
generate their static IPv6 addresses.   Even if you put a thousand of
these machines in a single subnet, it is going to take half a million
years at reasonable packet rates before even one of them is
discovered.

    Hmm, thinking about it in terms of passwords might help.  Many
people consider a totally random 10 character monocase+numbers
password to be reasonably secure against brute force attacks.   ICMP
scanning a /64 is thousands of times more difficult and all it gives
you is the existence of the machine.   Even if you find that needle in
a haystack, you don't get access to its resources.

    I took a quick look at the paper that SMB linked to and I would
argue that for wide area attacks, packet sniffing is going to be how
people find your "hidden" addresses.    Compromising SMB wi-fi hotspot
hardware and logging every address accessed is one possibility.   Or
just compromise people's laptops and have them run network sniffers
which generate "seen" address lists which are forwarded to dummy gmail
accounts.

Bill Bogstad
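The two numbering choices discussed in this thread (mirroring the IPv4 host number into the IPv6 interface identifier, as in the `host` output above, versus a randomly generated static address) and the search-space arithmetic behind Bill's estimates can be checked with a small script. This is an added example, not code from the thread or from any of its participants; the prefix `2001:db8:1::/64` and the IPv4 address used below are constructed documentation values, and the "predictable" scheme assumes the decimal digits of the last IPv4 octet are reused as hex digits (`.81` -> `::81`), which is one reading of the example in the thread.

```python
import ipaddress
import secrets

SECONDS_PER_YEAR = 365.25 * 86400


def predictable_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Derive the IPv6 address the way the thread's `host` output suggests:
    the IPv6 interface identifier reuses the digits of the IPv4 host octet
    (assumption: decimal digits reused as hex digits, so .81 -> ::81).
    Anyone who can resolve the A record can guess the AAAA record."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    last_octet = int(ipaddress.IPv4Address(ipv4)) & 0xFF
    iid = int(str(last_octet), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def random_static_address(prefix: str) -> ipaddress.IPv6Address:
    """The 'use a random number generator' approach from the thread:
    a uniformly random 64-bit interface identifier inside the given /64,
    drawn from the OS CSPRNG so it carries no structure a scanner can exploit."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    iid = secrets.randbits(64)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def expected_years_to_first_hit(hosts: int, pps: float, space_bits: int = 64) -> float:
    """Expected wall-clock years of sequential probing at `pps` probes per
    second before the first of `hosts` uniformly placed addresses in a
    2**space_bits space is hit (expected probes ~ space / (hosts + 1))."""
    space = 2 ** space_bits
    expected_probes = space / (hosts + 1)
    return expected_probes / pps / SECONDS_PER_YEAR


def hostname_vs_scan_ratio(length: int = 10, alphabet_size: int = 36, space_bits: int = 64) -> float:
    """How many times larger a /64 address space is than the space of
    all hostnames of `length` characters over an alphabet of `alphabet_size`
    (36 = a-z0-9), i.e. how much cheaper a dictionary/DNS search is than a scan."""
    return 2 ** space_bits / alphabet_size ** length


if __name__ == "__main__":
    prefix = "2001:db8:1::/64"          # constructed documentation prefix
    print("predictable:", predictable_address(prefix, "192.0.2.81"))
    print("random     :", random_static_address(prefix))
    print("years to find 1 of 1000 random hosts at 1000 pps: %.0f"
          % expected_years_to_first_hit(1000, 1000))
    print("/64 space / 10-char hostname space: %.0f" % hostname_vs_scan_ratio())
```

The thousand-host figure lands in the hundreds of thousands of years and the hostname-space ratio near 5000, both in line with the estimates in the post; the comparison makes the defender's takeaway concrete: a random interface identifier only helps if the name is not also published in DNS, because a guessable name sidesteps the address space entirely.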
