Sent from my iPad
On Sep 4, 2010, at 4:12 AM, Joel Jaeggli <joe...@bogus.com> wrote: > On 9/3/10 11:25 AM, Bill Bogstad wrote: >> On Fri, Sep 3, 2010 at 9:49 AM, Dobbins, Roland <rdobb...@arbor.net> wrote: >>> >>> On Sep 3, 2010, at 7:58 PM, Owen DeLong wrote: >>> >>>> However, scanning in IPv6 is not at all like the convenience of >>>> comprehensive scanning of the IPv4 address space. >>> >>> >>> Concur, but I still maintain that lots of illicit automation plus refined >>> scanning via DNS, et. al. is a viable practice. >> >> These are very big numbers, so I don't see how. > > Consider you have a dual stack deployment. > I do... > what are the most likely ipv6 numbering schemes you're likely to use to > number hosts. > In my case, there are seven numbering schemes in use. > If I query one of your hosts in the forward zone and get back and a and > a aaaa record what can I likely conclude about the numbering scheme for > that net? > > joelja-mac:~ joelja$ host ns3.xxxxxx.net > ns3.xxx.net has address xxxx.xxx.0.81 > ns3.xxx.net has IPv6 address xxxx:xxx:1::81 > In my case, this will only help you find the other hosts which have DNS entries in IPv6. Any host which does not have an AAAA record already uses a different numbering scheme entirely. Even the hosts that do have AAAAs are broken up into different numbering ranges based on my own criteria. > > if you do stateful dhcp v6 assignment what are the likely constraints as > to the size of the pool you're going to use for that subnet. > 1. Stateful DHCP on a subnet is the exception, not the rule. 2. On networks with DHCP, I would give at least a 48 bit pool. > This is like brute force password guessing... there's some high > probability answers that are low hanging fruit you reach for them, they > don't exist you move on. > In other words, you'll get lucky on a few networks where the administrator failed to move beyond IPv4think. >> If you use easy to guess/remember host/service names and put them >> in public DNS then those IP addresses are in some sense already public >> (whether IPv4 or IPv6). The definition of "easy to guess" is pretty >> much everything which has ever been used in a wordlist for password >> cracking programs (plus the code which generates variants of same). >> Real attackers are going to flood >> your DNS servers, not do brute force IPv6 ICMP scans. Even a pure >> brute force DNS scan of all 10 character long hostnames (asuming >> a-z0-9) is going to take around 5000 times fewer queries then a full >> ICMP v6 scan of a /64. (Which at an attack speed of 1000pps is still >> going to take around 100,000 years.) Good luck getting 1000 dns answers per second from most zones. I suspect a useful DNS scan would be limited to something more like 200 qps. Even then, you'll trip over my query rate limiter unless you use a whole lot of hosts to do the scan. >> >> For machines which you want to make it REALLY hard to find, but >> need publicly accessible addresses, you shouldn't put them in publicly >> queryable DNS servers at all and use a random number generator to >> generate their static IPv6 addresses. Even if you put a thousand of >> these machines in a single subnet, it is going to take half a million >> years at reasonable packet rates before even one of them is >> discovered. Or better yet, have the, cycle through privacy addresses using dynamic updates tom private name server. >> >> Hmm, thinking about it in terms of passwords might help. Many >> people consider a totally random 10 character monocase+numbers >> password to be reasonably secure against brute force attacks. ICMP >> scanning a /64 is thousands of times more difficult and all it gives >> you is the existence of the machine. Even if you find that needle in >> a hay stack , you don't get access to its resources. About 6,000 times to be slightly more precise. 36^10 is. ~3,656,158,440,000,000 2^64 is. 18,446,744,073,709,551,616 addresses. >> >> I took a quick look at the paper that SMB linked to and I would >> argue that for wide area attacks, packet sniffing is going to be how >> people find your "hidden" addresses. Compromising SMB wi-fi hotspot >> hardware and logging every address accessed is one possibility. Or >> just compromise people's laptops and have them run network sniffers >> which generate "seen" address lists which are forwarded to dummy gmail >> accounts. >> >> Bill Bogstad >> > I think that's much more likely. Owen
