On 9/3/10 11:25 AM, Bill Bogstad wrote:
On Fri, Sep 3, 2010 at 9:49 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Sep 3, 2010, at 7:58 PM, Owen DeLong wrote:
However, scanning in IPv6 is not at all like the convenience of comprehensive scanning of the IPv4 address space.
Concur, but I still maintain that lots of illicit automation plus refined scanning via DNS, et. al. is a viable practice.
These are very big numbers, so I don't see how.
Consider you have a dual stack deployment. what are the most likely ipv6 numbering schemes you're likely to use to number hosts. If I query one of your hosts in the forward zone and get back and a and a aaaa record what can I likely conclude about the numbering scheme for that net? joelja-mac:~ joelja$ host ns3.xxxxxx.net ns3.xxx.net has address xxxx.xxx.0.81 ns3.xxx.net has IPv6 address xxxx:xxx:1::81 if you do stateful dhcp v6 assignment what are the likely constraints as to the size of the pool you're going to use for that subnet. This is like brute force password guessing... there's some high probability answers that are low hanging fruit you reach for them, they don't exist you move on.
If you use easy to guess/remember host/service names and put them in public DNS then those IP addresses are in some sense already public (whether IPv4 or IPv6). The definition of "easy to guess" is pretty much everything which has ever been used in a wordlist for password cracking programs (plus the code which generates variants of same). Real attackers are going to flood your DNS servers, not do brute force IPv6 ICMP scans. Even a pure brute force DNS scan of all 10 character long hostnames (asuming a-z0-9) is going to take around 5000 times fewer queries then a full ICMP v6 scan of a /64. (Which at an attack speed of 1000pps is still going to take around 100,000 years.)
For machines which you want to make it REALLY hard to find, but need publicly accessible addresses, you shouldn't put them in publicly queryable DNS servers at all and use a random number generator to generate their static IPv6 addresses. Even if you put a thousand of these machines in a single subnet, it is going to take half a million years at reasonable packet rates before even one of them is discovered.
Hmm, thinking about it in terms of passwords might help. Many people consider a totally random 10 character monocase+numbers password to be reasonably secure against brute force attacks. ICMP scanning a /64 is thousands of times more difficult and all it gives you is the existence of the machine. Even if you find that needle in a hay stack , you don't get access to its resources.
I took a quick look at the paper that SMB linked to and I would argue that for wide area attacks, packet sniffing is going to be how people find your "hidden" addresses. Compromising SMB wi-fi hotspot hardware and logging every address accessed is one possibility. Or just compromise people's laptops and have them run network sniffers which generate "seen" address lists which are forwarded to dummy gmail accounts.
Bill Bogstad