Monday, July 17, 2017

Shooting fish in a barrel

by Craig Miller


I say this often: IPv6 is not like IPv4. There are key differences, and one can and should take advantage of them.

Like shooting "fish" in a barrel
Address space is one of them. Scanning an IPv4 address range takes very little time, and the return is rich: with the address-conservation mind-set of IPv4, the hosts (targets) are closely packed into a subnet. It is like shooting fish in a barrel.

Malware using the zmap scanner

A recent piece of Linux malware, Linux.MulDrop.14, uses the scanner zmap to search for other victims on the network. The zmap man page boasts that, given a 1 Gbit connection to the internet, it can scan the entire internet in 45 minutes. Of course, it isn't the entire internet, since zmap doesn't support IPv6 (yet). So what it is really saying is that it can scan 2^32 (about 4 billion) addresses in roughly 45 minutes.

The numbers of high performance scanning in IPv6

So let's work with that number for a minute. Assuming that zmap and other scanners will support IPv6 in the future, how much time would it take to scan a /64 with a high-performance scanner like zmap? How many 2^32 chunks are in a /64? Conveniently, the answer is 2^32: 4 billion internets' worth of addresses in each /64 subnet.

So given that it takes 45 minutes to scan 4 billion addresses, how long would it take to scan a /64? It should be 4 billion times 45 minutes, or 367,719 years. As you can see, what looks to be a high-performance IPv4 scanner is quite impractical for scanning IPv6 subnets.

But that is based on the assumption that the IIDs (Interface IDs) are spread across the entire /64 range. I have seen many DHCPv6 installations where the IPv6 address range is much smaller, as small as a /119, or 512 addresses! Clearly, one does not need a high-performance scanner to scan 512 addresses. In fact, tightly restricting the IPv6 address space in a subnet (via your DHCPv6 pool) is asking scanners to target your hosts.
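To put numbers on the barrel, here is a small added example (not part of the original post) that takes the zmap figure quoted above, 2^32 addresses in 45 minutes, and computes how long a full sweep of a given IPv6 pool would take. It accepts a pool as a prefix or as a start-end range (the dash form is this example's own convention, not any DHCPv6 server's syntax), and the "trivial / feasible / impractical" thresholds are assumptions chosen for illustration.

```python
import ipaddress

# zmap's claim, as quoted in the text: 2^32 addresses in 45 minutes on a 1 Gbit link.
SCAN_WINDOW_ADDRESSES = 2**32
SCAN_WINDOW_SECONDS = 45 * 60
SECONDS_PER_YEAR = 365 * 24 * 3600


def pool_size(spec: str) -> int:
    """Address count of a pool written as a prefix ("2001:db8::/64") or as a
    start-end range ("2001:db8::1000-2001:db8::11ff")."""
    if "-" in spec:
        start, end = (ipaddress.IPv6Address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return int(end) - int(start) + 1
    return ipaddress.IPv6Network(spec, strict=False).num_addresses


def scan_seconds(spec: str) -> float:
    """Seconds a zmap-class scanner needs to sweep the whole pool at the quoted rate."""
    return pool_size(spec) * SCAN_WINDOW_SECONDS / SCAN_WINDOW_ADDRESSES


def exposure(spec: str) -> str:
    """Coarse rating of how easily every host in the pool can be enumerated.
    The thresholds are assumptions made for this example."""
    secs = scan_seconds(spec)
    if secs < 3600:
        return "trivial"       # minutes at most: the pool is a barrel
    if secs < SECONDS_PER_YEAR:
        return "feasible"      # within reach of a patient scanner
    return "impractical"       # the full-/64 case from the text


def describe(spec: str) -> str:
    secs = scan_seconds(spec)
    years = int(secs // SECONDS_PER_YEAR)
    when = f"{years:,} years" if years else f"{secs:.3g} seconds"
    return f"{spec}: {pool_size(spec):,} addresses, ~{when} to scan, {exposure(spec)}"


if __name__ == "__main__":
    # Constructed pools: the full /64 from the text, the /119 DHCPv6 pool it
    # warns about, and the same 512 addresses written as a range.
    for pool in ("2001:db8::/64", "2001:db8::/119", "2001:db8::1000-2001:db8::11ff"):
        print(describe(pool))
```

Running it reproduces the 367,719-year figure for a /64 and shows the /119 pool being swept in well under a second.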

Make it harder for the bad guys, don't confine your hosts to a barrel

Use the advantages of IPv6 when creating your network, including very large DHCPv6 address pools. After all, you don't want the bad guys finding your hosts to be like shooting fish in a barrel.


* graphic from ralphiesportal.me