Re: [swinog] Strange IPv6 scans from big networks

2019-12-02 Discussion threads Martin.Gysi
Hello Klaus

Are there perhaps hosts from the range 2001:918:::/48 among them? If so, I would
appreciate a list (PM) so that I can investigate this.

Best regards,
Martin


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] Strange IPv6 scans from big networks

2019-12-02 Discussion threads Klaus Ethgen
Hi Nico,

how's it going?

On Sun, 1 Dec 2019 at 19:05, Nico Schottelius wrote:
> I am surprised you are surprised.

Well, these scans are still a mystery to me. All the more so since a
small part is UDP and a larger part consists of TCP reflections. All
with SYN+ACK. Both the UDP and the TCP packets come from port 443
(whoever came up with the idea that 443/UDP is anything special).

None of this makes sense to me. The TCP SYN/ACK packets are not large
enough to carry out any kind of reflection DDoS attack with a chance of
success. At most, it could be that they are sent as fake SYN/ACKs, which
in turn would confirm the scan theory. But how is it that there are so
many zombie hosts in these network ranges (apart from Microsoft, where
that is to be expected)?

> Why would one *not* want to scan your particular home network?

The other way round: why IPv6 and not IPv4, which would have a much
better chance of success? And with IPv6 one should at least have an idea
which part of the /48 range is worth scanning.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16 Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
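
An added example, not part of the thread or any poster's tooling: one way to triage such drops is to tally them by source network and packet shape, so that SYN+ACK and UDP packets sourced from port 443 are counted apart from bare SYN probes. The prefixes are those listed in the original post; the records, the tuple layout and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Source prefixes exactly as listed in the original post of this thread.
NETWORKS = {
    "Akamai": "2a02:26f0:f3::/48", "Google": "2a00:1450:4000::/37",
    "Apple": "2a01:110::/31", "Microsoft": "2a01:b740::/29",
    "Swisscom": "2001:918::/32", "Init7": "2001:1620::/32",
}
PREFIXES = [(n, ipaddress.ip_network(p)) for n, p in NETWORKS.items()]

# Constructed sample records (NOT taken from the poster's pcaps):
# (src, sport, dst, dport, proto, tcp_flags)
SAMPLE = [
    ("2a00:1450:4001:81b::200e", 443, "2a02:168:4e82:0::a1", 51544, "tcp", "SA"),
    ("2a00:1450:4001:81b::200e", 443, "2a02:168:4e82:0::a2", 40112, "tcp", "SA"),
    ("2a00:1450:4001:820::2003", 443, "2a02:168:4e82:0::a1", 51544, "udp", ""),
    ("2001:918:ffc8::10", 443, "2a02:168:4e82:0::b7", 38220, "tcp", "SA"),
    ("2a01:b740:a41::1", 443, "2a02:168:4e82:0::c3", 60001, "tcp", "SA"),
    ("2001:db8::99", 55000, "2a02:168:4e82:0::1", 22, "tcp", "S"),
    ("2001:db8::99", 55001, "2a02:168:4e82:0::1", 23, "tcp", "S"),
]

def owner(src):
    """Map a source address to one of the listed networks, else 'other'."""
    addr = ipaddress.ip_address(src)
    for name, net in PREFIXES:
        if addr in net:
            return name
    return "other"

def shape(proto, sport, flags):
    """Coarse packet shape: reply-like (SYN+ACK, UDP from 443) vs. SYN probe."""
    if proto == "tcp" and flags == "SA":
        return "tcp-synack"
    if proto == "tcp" and flags == "S":
        return "tcp-syn"
    if proto == "udp" and sport == 443:
        return "udp-from-443"
    return "other"

def triage(records):
    """Return {(network, shape): (packet_count, distinct (dst, dport) pairs)}."""
    targets = defaultdict(list)
    for src, sport, dst, dport, proto, flags in records:
        targets[(owner(src), shape(proto, sport, flags))].append((dst, dport))
    return {k: (len(v), len(set(v))) for k, v in targets.items()}

if __name__ == "__main__":
    for key, (pkts, uniq) in sorted(triage(SAMPLE).items()):
        print(key, "packets:", pkts, "distinct targets:", uniq)
```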




Re: [swinog] Strange IPv6 scans from big networks

2019-12-01 Discussion threads Andreas Fink
except scanning a /64 takes an eternity

> On 1 Dec 2019, at 19:05, Nico Schottelius wrote:
> 
> 
> Hey Klaus,
> 
> I am surprised you are surprised.
> 
> Why would one *not* want to scan your particular home network?
> 
> IPv6 is on the rise and scanning networks / IPs is a standard thing in
> the IPv4 world. So it would be a surprise to me, why people would not
> want to at least try to find devices in IPv6 based networks.
> 
> Best,
> 
> Nico
> 
> 
> Klaus Ethgen writes:
> 
>> Hi,
>> 
>> Currently I see day-long IPv6 scans from networks of Akamai
>> (2a02:26f0:f3::/48), Google (2a00:1450:4000::/37), Apple
>> (2a01:110::/31), Microsoft (2a01:b740::/29), Swisscom (2001:918::/32)
>> and Init7 (2001:1620::/32) to my Network @HOME. They all try to
>> enumerate hosts and ports in 2a02:168:4e82:0:* that do not and never
>> have existed.
>> 
>> The net is a fiber7 port.
>> 
>> Anybody an idea what is going on here? On request I can provide more
>> information like pcaps.
>> 
>> The scans are sourced from all over the networks mentioned above.
>> 
>> While I have no scruples to block Apple, Microsoft, Akamai or other badly
>> behaving networks, I do not want to block Swisscom or Init7 if not
>> needed.
>> 
>> Needless to say that I do not have any public service behind my fiber7
>> port.
>> 
>> Regards
>>   Klaus
> 
> 
> --
> Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
> 
> 






Re: [swinog] Strange IPv6 scans from big networks

2019-12-01 Discussion threads Nico Schottelius

Hey Klaus,

I am surprised you are surprised.

Why would one *not* want to scan your particular home network?

IPv6 is on the rise and scanning networks / IPs is a standard thing in
the IPv4 world. So it would be a surprise to me, why people would not
want to at least try to find devices in IPv6 based networks.

Best,

Nico


Klaus Ethgen writes:

> Hi,
>
> Currently I see day-long IPv6 scans from networks of Akamai
> (2a02:26f0:f3::/48), Google (2a00:1450:4000::/37), Apple
> (2a01:110::/31), Microsoft (2a01:b740::/29), Swisscom (2001:918::/32)
> and Init7 (2001:1620::/32) to my Network @HOME. They all try to
> enumerate hosts and ports in 2a02:168:4e82:0:* that do not and never
> have existed.
>
> The net is a fiber7 port.
>
> Anybody an idea what is going on here? On request I can provide more
> information like pcaps.
>
> The scans are sourced from all over the networks mentioned above.
>
> While I have no scruples to block Apple, Microsoft, Akamai or other badly
> behaving networks, I do not want to block Swisscom or Init7 if not
> needed.
>
> Needless to say that I do not have any public service behind my fiber7
> port.
>
> Regards
>    Klaus


--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch




[swinog] Strange IPv6 scans from big networks

2019-12-01 Discussion threads Klaus Ethgen
Hi,

Currently I see day-long IPv6 scans from networks of Akamai
(2a02:26f0:f3::/48), Google (2a00:1450:4000::/37), Apple
(2a01:110::/31), Microsoft (2a01:b740::/29), Swisscom (2001:918::/32)
and Init7 (2001:1620::/32) to my Network @HOME. They all try to
enumerate hosts and ports in 2a02:168:4e82:0:* that do not and never
have existed.

The net is a fiber7 port.

Anybody an idea what is going on here? On request I can provide more
information like pcaps.

The scans are sourced from all over the networks mentioned above.

While I have no scruples to block Apple, Microsoft, Akamai or other badly
behaving networks, I do not want to block Swisscom or Init7 if not
needed.

Needless to say that I do not have any public service behind my fiber7
port.

Regards
   Klaus
-- 
Klaus Ethgen   http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16 Klaus Ethgen
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C

