Fwd: Host scanning in IPv6 Networks
FYI

-------- Original Message --------
Subject: IPv6 host scanning in IPv6
Date: Fri, 20 Apr 2012 03:57:48 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
To: IPv6 Hackers Mailing List <ipv6hackers@lists.si6networks.com>

Folks,

We've just published an IETF internet-draft about IPv6 host scanning attacks.

The aforementioned document is available at: <http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt>

The Abstract of the document is:

---- cut here ----
IPv6 offers a much larger address space than that of its IPv4 counterpart. The standard /64 IPv6 subnets can (in theory) accommodate approximately 1.844 * 10^19 hosts, thus resulting in a much lower host density (#hosts/#addresses) than their IPv4 counterparts. As a result, it is widely assumed that it would take a tremendous effort to perform host scanning attacks against IPv6 networks, and therefore IPv6 host scanning attacks have long been considered unfeasible. This document analyzes the IPv6 address configuration policies implemented in most popular IPv6 stacks, and identifies a number of patterns in the resulting addresses that lead to a tremendous reduction in the host address search space, thus dismantling the myth that IPv6 host scanning attacks are unfeasible.
---- cut here ----

Any comments will be very welcome (note: this is a drafty initial version, with lots of stuff still to be added... but hopefully a good starting point, and a nice reading ;-) ).

Thanks!

Best regards,
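As an added illustration of the abstract's point (example code written for this page; it is not from the draft and not from any message in the thread), the Python below derives the modified EUI-64 interface identifier from a MAC address and enumerates candidate addresses for a few address-configuration patterns, so the collapse of the 2^64 search space can be seen in numbers. The prefix 2001:db8:1:2::/64, the OUI 00:1b:21 and the pattern sizes are placeholder assumptions, not figures taken from the draft.

```python
"""Search-space reduction for IPv6 host scanning when the address pattern is known.

Example code added by the editor; not from the draft or from any message in the
thread. Prefix 2001:db8:1:2::/64 and OUI 00:1b:21 are placeholders.
"""
import ipaddress
import itertools

# Size of the interface-identifier (IID) search space under each pattern.
# The per-pattern figures are assumptions about common address policies,
# not numbers taken from the draft.
PATTERNS = {
    "brute force, whole /64": 2 ** 64,
    "EUI-64 (SLAAC), vendor OUI known": 2 ** 24,   # only the 24 NIC-specific bits vary
    "low-byte (::1 .. ::ffff)": 2 ** 16,
    "IPv4-embedded, /24 known (::a.b.c.x)": 2 ** 8,
}


def reduction_bits(pattern: str) -> int:
    """Bits of the 64-bit IID the attacker no longer has to guess."""
    return 64 - (PATTERNS[pattern].bit_length() - 1)


def modified_eui64(mac: str) -> str:
    """Modified EUI-64 IID from a 48-bit MAC (RFC 4291, Appendix A):
    invert the universal/local bit (0x02 of octet 0) and insert ff:fe
    between the OUI and the NIC-specific part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    h = iid.hex()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def address_from_iid(prefix: str, iid) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with an IID given as int or 'xxxx:xxxx:xxxx:xxxx'."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    if isinstance(iid, str):
        iid = int(iid.replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | (iid & (2 ** 64 - 1)))


def eui64_candidates(prefix: str, oui: str):
    """Every address a SLAAC host with a NIC from the given OUI could autoconfigure."""
    base = bytes.fromhex(oui.replace(":", ""))
    for nic in range(2 ** 24):
        mac = ":".join(f"{b:02x}" for b in base + nic.to_bytes(3, "big"))
        yield address_from_iid(prefix, modified_eui64(mac))


def low_byte_candidates(prefix: str, bits: int = 8):
    """Addresses prefix::1 .. prefix::(2**bits - 1), typical of manually
    numbered servers and routers."""
    for n in range(1, 2 ** bits):
        yield address_from_iid(prefix, n)


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"
    print("EUI-64 IID for 00:1b:21:ab:cd:ef ->", modified_eui64("00:1b:21:ab:cd:ef"))
    for name, size in PATTERNS.items():
        print(f"{name:40s} 2^{size.bit_length() - 1:<3d} candidates  "
              f"({reduction_bits(name)} IID bits no longer guessed)")
    print("first EUI-64 candidates:",
          [str(a) for a in itertools.islice(eui64_candidates(prefix, "00:1b:21"), 3)])
    print("first low-byte candidates:",
          [str(a) for a in itertools.islice(low_byte_candidates(prefix), 3)])
```

The point of the generators is that the candidate list is the scan list: once the pattern is known, an attacker walks 2^24 or 2^16 addresses of a known /64 rather than 2^64, which is the reduction the abstract refers to.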
It would be a very fast dictionary attack :D

accede bade dad decade face axed babe deaf bed Abe bee Decca exec fade bead bedded deed exceed Abba deface efface feed

On 20 April 2012 09:08, Fernando Gont <fernando@gont.com.ar> wrote:
-- End of message.
On 04/20/2012 08:17 AM, Tei wrote:
It would be a very fast dictionary attack :D
accede bade dad decade face axed babe deaf bed Abe bee Decca exec fade bead bedded deed exceed Abba deface efface feed
exec ? exceed ?

--
Stephen Clark
NetWolves
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark@netwolves.com
http://www.netwolves.com
exec ? exceed ?
Not a lot of x's in hexadecimal numbers outside of C-style formatting (0xnnnn). IPv6 addresses are not generally notated in said style and certainly don't include said x in a suitable context for that to be part of a dictionary attack.

However, he also left out the common use of 7(t), 6/9(g), 1/7(I/L/T), 2(Z), 5(S), and 0(O).

c is also often substituted for k (as in face:b00c).

Owen
On 20 April 2012 17:16, Owen DeLong <owen@delong.com> wrote:
exec ? exceed ?
Not a lot of x's in hexadecimal numbers outside of C-style formatting (0xnnnn).
IPv6 addresses are not generally notated in said style and certainly don't include said x in a suitable context for that to be part of a dictionary attack.
However, he also left out the common use of 7(t), 6/9(g), 1/7(I/L/T), 2(Z), 5(S), and 0(O).
c is also often substituted for k (as in face:b00c).
Owen
Sorry. I did a quick filter of the openoffice dictionary file. Seems that I made an ugly mistake :-/

PS: I have made a [0-9] to [aeioutnshrdlcmwf] converter. http://jsbin.com/ibepup/

This converts a decimal number into a "hexadecimal" number not using the [0-9A-F] table, but the [aeioutnshrdlcmwf] table. The aeioutnshrdlcmwf table may allow a big number of numbers to have an existing word or expression.

PS2: Using this converter, 123442553445523 is the word NaouuScuch.

-- End of message.
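Owen's substitution table turned into a small generator, as an added example for this page (it is neither Tei's jsbin converter nor code from the draft): it lists every hex spelling of a word under the look-alike mapping, builds the set of 16-bit groups a short word list yields, and counts how many "wordy" interface identifiers a /64 contains. The word list and the prefix 2001:db8::/64 are constructed for the example; axed and exec are kept in the list to show why words containing an x drop out.

```python
"""'Wordy' IPv6 address candidates: hex-spellable words with look-alike digits.

Example code added by the editor; it is neither Tei's jsbin converter nor code
from the draft. The word list and prefix 2001:db8::/64 are constructed for the
example.
"""
import ipaddress
import itertools

# Letter -> hex digits it can stand for. a-f are literal; the rest are the
# look-alike substitutions from Owen's reply (o->0, i/l->1, z->2, s->5,
# g->6 or 9, t->7, k->c). Anything else (x, y, ...) has no hex spelling.
SUBST = {
    "a": "a", "b": "b", "c": "c", "d": "d", "e": "e", "f": "f",
    "o": "0", "i": "1", "l": "1", "z": "2", "s": "5", "g": "69", "t": "7", "k": "c",
}

# Constructed word list; includes the false positives axed and exec on purpose.
WORDS = ["accede", "bade", "dad", "decade", "face", "axed", "babe", "deaf", "bed",
         "bee", "fade", "bead", "deed", "feed", "exec", "exceed", "book", "dead",
         "beef", "cafe", "cool", "lost", "boss", "toast", "idea", "zoo"]


def hex_spellings(word: str) -> list:
    """All hex strings the word can be written as; empty if a letter has no look-alike."""
    word = word.lower()
    if any(ch not in SUBST for ch in word):
        return []
    return sorted("".join(p) for p in itertools.product(*(SUBST[ch] for ch in word)))


def hextet_candidates(words) -> list:
    """16-bit groups (zero-padded to 4 hex digits) spelled by words of 1-4 letters."""
    groups = set()
    for w in words:
        if 1 <= len(w) <= 4:
            groups.update(s.zfill(4) for s in hex_spellings(w))
    return sorted(groups)


def search_space(hextets) -> int:
    """Number of IIDs made of four 'wordy' hextets: tiny next to 2**64."""
    return len(hextets) ** 4


def wordy_addresses(prefix: str, hextets):
    """Every address in the /64 whose IID is four hextets from the list."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    base = int(net.network_address)
    for combo in itertools.product(hextets, repeat=4):
        yield ipaddress.IPv6Address(base | int("".join(combo), 16))


if __name__ == "__main__":
    hextets = hextet_candidates(WORDS)
    print("exec ->", hex_spellings("exec"), "  book ->", hex_spellings("book"))
    print(len(hextets), "hextets:", hextets)
    print("wordy IIDs in the /64:", search_space(hextets), "of 2^64")
    for addr in itertools.islice(wordy_addresses("2001:db8::/64", hextets), 3):
        print(addr)
```

With a real dictionary the hextet list is a few hundred entries, so the whole "wordy" space of a /64 is on the order of 10^9 to 10^10 addresses, scannable in hours, which is the dictionary attack Tei had in mind once the non-hex words are filtered out.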
Also see https://www.cs.columbia.edu/~smb/papers/v6worms.pdf (Worm propagation strategies in an IPv6 Internet. ;login:, pages 70-76, February 2006.)

On Apr 20, 2012, at 3:08 50AM, Fernando Gont wrote:
--Steve Bellovin, https://www.cs.columbia.edu/~smb
For certain definitions of "host scanning" it is possible to achieve some level of that in IPv6. But massively far less efficient and far more limited than the brute force option that is available in IPv4.

The mathematical argument in the draft doesn't really work, because it's too focused on there being "one specific site" that can be scanned. You can't just "pick a random 120 bit number" and have a good chance of that random IP happening to be a live host address. You can't just pick a random /64 and have a good chance of that random /64 happening to be part of a live site.

How useful more informed attacks are remains to be seen. For worm authors it will seem like a lot of sugar for a dime. Malware propagation against open ports doesn't work so well if your nodes can't effect wide scans efficiently, if you are so misguided as to not have a firewall preventing access to vulnerable services.

The draft is unconvincing. The expected result is there will be very little preference for scanning, and those that will be launching attacks against networks will be utilizing simpler techniques that are still highly effective and do not require scanning. Such as the exploit of vulnerable HTTP clients who _navigate to the attacker controlled web page_, walking directly into their hands, instead of worms "searching for needles in haystacks".

Any worms searching for needles in haystacks are likely to be utilizing a combination of search engines, common dictionary name lookups, and DNS to discover IP addresses of potential target web servers.

--
-JH

On 4/20/12, Steven Bellovin <smb@cs.columbia.edu> wrote:
Also see https://www.cs.columbia.edu/~smb/papers/v6worms.pdf (Worm propagation strategies in an IPv6 Internet. ;login:, pages 70-76, February 2006.)
-- -Mysid
Hi, Jimmy,

On 04/20/2012 09:22 PM, Jimmy Hess wrote:
The mathematical argument in the draft doesn't really work, because it's too focused on there being "one specific site" that can be scanned.
Not sure what you mean. Clearly, in the IPv6 world you'd target specific networks. How could you know which networks to scan? -- Easy: the attacker is targeting a specific organization, and you gather possible target networks as this information leaks out all too often (e-mail headers, etc.).
You can't just "pick a random 120 bit number" and have a good chance of that random IP happening to be a live host address.
That would be pretty much a "brute force" attack, and the argument in this paper is that IPv6 host-scanning attacks will not be brute force (as we know them).
The draft is unconvincing. The expected result is there will be very little preference for scanning, and those that will be launching attacks against networks will be utilizing simpler techniques that are still highly effective and do not require scanning.
Not sure what you mean. Could you please clarify?
Such as the exploit of vulnerable HTTP clients who _navigate to the attacker controlled web page_, walking directly into their hands, instead of worms "searching for needles in haystacks".
Well, this is part of alternative scanning techniques, which so far are not the subject of this draft.

Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
participants (6)
- Fernando Gont
- Jimmy Hess
- Owen DeLong
- Steve Clark
- Steven Bellovin
- Tei