Thus spake "Joe Maimon" <jmaimon@ttec.com>
Christopher L. Morrow wrote:
On Fri, 1 Jul 2005, Mohacsi Janos wrote:
- Not feasible scanning of subnets remotely
eh... maybe, I'm not convinced this matters anyway.
If your argument is that it is "too hard" to scan that many addresses, do you really think that in an age of 100Gbps broadband and 100GHz home PCs that will really be the barrier you think it is? Or better put: over the possible lifetime of v6, will that barrier remain real? And the scanner merely has to get lucky once.
At 100Gbps, you can send about 2^28 probes per second. To scan a /64 subnet would take 2^36 seconds -- 2177 years. I'm pretty sure that's not within IPv6's lifetime.
Or they can have a zombie army of scanners that will be statistically guaranteed to get lucky at least once.
The bandwidth into that subnet will be the limiting factor, but let's somehow assume you could get 100Gbps for _each_ attacker. You'd need to commandeer 2^31 hosts (difficult, but not impossible) connected at 100Gbps and coordinate them all probing the same subnet without duplication to scan it within one minute. More than a few hosts per subnet would bring that number down a bit, but not enough to make it feasible for worms to spread via scanning.

What this really does is change the detection method. Instead of scanning randomly, you sit and watch what other IP addresses the local host communicates with (on- and off-subnet), and attack each of them. How many degrees of separation are there really between any two unrelated computers on the Internet? You could probably collect half of all addresses in use just by infecting Google...

S

Stephen Sprunk, CCIE #3723, K5SSS
"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov
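As an added example, not from the thread, here is the arithmetic behind the numbers above as a small Python calculator, generalized to any prefix length, probe rate and number of coordinated scanners; the 46-byte probe size and the idealised line-rate model (no rate limits, no duplicate probes) are assumptions of mine.

```python
import math

# Added example: feasibility of brute-force address-space scanning.
# Constructed inputs; idealised model, no per-host limits or duplicates.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_PROBE_BYTES = 46  # assumed on-the-wire size of a minimal probe


def probes_per_second(link_bps: float, probe_bytes: int = MIN_PROBE_BYTES) -> float:
    """Upper bound on probes one host can emit at full line rate."""
    return link_bps / (8 * probe_bytes)


def address_count(prefix_len: int, addr_bits: int = 128) -> int:
    """Addresses in a prefix (IPv6 by default; addr_bits=32 for IPv4)."""
    return 1 << (addr_bits - prefix_len)


def seconds_to_scan(prefix_len: int, pps: float, hosts: int = 1,
                    addr_bits: int = 128) -> float:
    """Wall-clock time for `hosts` perfectly coordinated scanners to cover the prefix."""
    return address_count(prefix_len, addr_bits) / (pps * hosts)


def hosts_needed(prefix_len: int, pps: float, deadline_s: float,
                 addr_bits: int = 128) -> int:
    """Coordinated scanners (each at `pps`) needed to finish within the deadline."""
    return math.ceil(address_count(prefix_len, addr_bits) / (pps * deadline_s))


def feasibility_report(prefix_len: int, link_bps: float, deadline_s: float = 60,
                       addr_bits: int = 128) -> dict:
    """Summarise single-host scan time and the scanner count for a deadline."""
    pps = probes_per_second(link_bps)
    secs = seconds_to_scan(prefix_len, pps, 1, addr_bits)
    return {
        "addresses": address_count(prefix_len, addr_bits),
        "probes_per_second": pps,
        "years_single_host": secs / SECONDS_PER_YEAR,
        "hosts_for_deadline": hosts_needed(prefix_len, pps, deadline_s, addr_bits),
    }


if __name__ == "__main__":
    # The thread's case (one /64 at 100 Gbps) next to an IPv4 /24 for contrast.
    for label, plen, bits in (("IPv6 /64", 64, 128), ("IPv4 /24", 24, 32)):
        r = feasibility_report(plen, 100e9, addr_bits=bits)
        print(f"{label}: {r['addresses']} addrs, {r['years_single_host']:.1f} years alone, "
              f"{r['hosts_for_deadline']} hosts to finish in 60 s")
```

The /24 case finishes in well under a millisecond while the /64 case needs on the order of a billion coordinated hosts, which is the point of the exchange above.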