On 3/11/2011 9:44 AM, Bonno Bloksma wrote:
> Hi,
>
> I remember reading somewhere research was being done about IPv6 block lists
> using the fact that the same /64 net would probably be the same machine or
> very near it. Pretty much what we now block when we list an IPv4 NATted
> gateway to a private network which houses an infected PC.


I had some heated conversations about this at HostingCon in Texas last year. The fellow was pushing IPv6 preparedness and had not considered some of the issues I raised about it.

As I see it the real trouble is going to show up where IPv6 and virtualization meet. Consider that to keep costs and manageability reasonable a /64 (or some largish sub-block) will be allocated to a chunk of hardware hosting virtualized machines. Consider also that virtualization is being highly optimized. Therefore an attacker (spammer, etc.) will be able to map themselves a virtually inexhaustible supply of IP addresses and hosts and move them around at will.

Even if they violate TOS on a legitimate system they will be able to do it for such a short period of time with such a small data footprint that they will be able to remain undetected for long periods-- perhaps even indefinitely. By the time anybody looks to see what is going on the offending VPS will long since have been destroyed and its cousin will be living in a completely different data-center picking up where it left off.

The good news is that this behavior is still dramatically different than that of legitimate senders so it leaves a statistically important footprint.

What might be predicted from this? Off the top of my head I think maybe the following...

* Attacks from anonymously controlled virtual bots will rise dramatically and will be very difficult to defend. Consider that we currently have sufficient RAM available to completely bitmap every IPv4 address if we choose to do so -- and that could be done at wire speed on even the fastest routers (Still can't get any love for the concept, but it's been possible for a long while now). This will not be possible with large scale IPv6 deployment.

* Black-listing will become softer and much more difficult. Due to the convergence of virtualization and IPv6 deployment, IPs of legitimate systems will necessarily merge with the IPs of illegitimate systems. Only specific, long-lived IPs from legitimate systems will be worth tracking.

* Legitimate systems that do bulk mailing will make increasing use of virtualization to keep costs down -- standing up large bot-nets of their own to deliver a campaign and then evaporating those bot-nets when delivery is complete. This will make such systems virtually indistinguishable from illegitimate senders since the IP blocks will have significant overlap and the usage statistics will be very similar.

* White-listing mechanisms will become more important.

* Content analysis will become more important. SNF is good at that :-)

* Systems that delay delivery of messages from unknown and untrusted systems will be more important -- especially those that allow for delivery after re-scanning content rather than conventional gray-listing. Conventional gray-listing mechanisms will become more difficult to use because all kinds of legitimate bulk mailing systems simply will not be there to re-send undelivered messages due to the systems being shut down after the first volley in order to contain costs. I expect some significant increases in the complexity of such systems to compensate for this.

* On the way to IPv6 there will be a lot of fragmentation and confusion of all types. For a long time to come some folks will be unable to deploy IPv6. Others will be unavoidably required to do so. Bridges between these networks will be necessary, difficult to regulate, and unpredictable. Best practices for IPv6 and mixed networks will be difficult to define and constantly evolving -- this churn in general will slow adoption and increase fragmentation.

What other things might we expect?

Anybody think one or more of these predictions are unrealistic? If so, why? After all, it's just conjecture at this point ;-)

In any case, SNF is evolving to become ever more intelligent and adaptive. We will concentrate not only on more sophisticated content analysis, but also behavioral analysis and an increasingly "cognitive" approach to blending data from all of these subsystems and responding in realtime.

_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044
x7010
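The two listing approaches discussed in this thread (the per-address IPv4 bitmap that fits in RAM, and the "one /64 is one machine" heuristic for IPv6), shown as an added worked example. This is editor-supplied code, not code from the original posts, from Message Sniffer, or from ARM Research Labs. It assumes a per-/64 hit threshold of 3 as an illustrative listing policy, scales the IPv4 bitmap down to a single /16 so it runs in a few KiB, and uses a constructed sender log of documentation addresses.

```python
import ipaddress
from collections import defaultdict


def bitmap_bytes(network):
    """Bytes needed for a one-bit-per-address bitmap covering `network`.

    0.0.0.0/0 needs 2**32 / 8 = 512 MiB, which fits in RAM today.
    A single IPv6 /64 would need 2**61 bytes, so the same trick cannot
    be applied to IPv6, and listing has to move up to the prefix level.
    """
    return max(1, ipaddress.ip_network(network).num_addresses // 8)


class IPv4Bitmap:
    """Flat bitmap, one bit per address inside `network` (default: all of IPv4)."""

    def __init__(self, network="0.0.0.0/0"):
        self.net = ipaddress.IPv4Network(network)
        self.bits = bytearray(bitmap_bytes(str(self.net)))

    def _index(self, addr):
        a = ipaddress.IPv4Address(addr)
        if a not in self.net:
            raise ValueError(f"{a} is outside {self.net}")
        return int(a) - int(self.net.network_address)

    def add(self, addr):
        i = self._index(addr)
        self.bits[i >> 3] |= 1 << (i & 7)

    def __contains__(self, addr):
        i = self._index(addr)
        return bool(self.bits[i >> 3] & (1 << (i & 7)))


class IPv6PrefixList:
    """Blocklist keyed by /64 rather than by individual address.

    Assumption (the heuristic from the quoted post): one /64 is one machine
    or its close neighbour, so hits are counted per prefix. A sender that
    hops through the 2**64 addresses of its own prefix still accumulates
    against the same key. The threshold is an illustrative policy choice.
    """

    def __init__(self, prefix_len=64, threshold=3):
        self.prefix_len = prefix_len
        self.threshold = threshold
        self.hits = defaultdict(int)

    def key(self, addr):
        a = ipaddress.IPv6Address(addr)
        # strict=False clears the host bits, giving the covering /64
        return ipaddress.IPv6Network((int(a), self.prefix_len), strict=False)

    def report(self, addr):
        k = self.key(addr)
        self.hits[k] += 1
        return self.hits[k]

    def is_listed(self, addr):
        return self.hits.get(self.key(addr), 0) >= self.threshold


# Constructed observations (not real data): (sender address, flagged as spam by content analysis)
SAMPLE_LOG = [
    ("198.51.100.7", True),                 # IPv4 NAT gateway sends spam: address gets listed
    ("198.51.100.7", False),                # later clean mail from the same gateway is still blocked
    ("198.51.100.8", False),                # neighbouring address was never listed
    ("2001:db8:1:2::a", True),              # IPv6 sender hopping addresses inside one /64 ...
    ("2001:db8:1:2::b", True),
    ("2001:db8:1:2::c", True),              # ... third hit reaches the per-/64 threshold
    ("2001:db8:1:2:dead:beef::1", False),   # a fresh address in that /64 is blocked anyway
    ("2001:db8:1:3::a", False),             # a different /64 is unaffected
]


def classify(log, v4map, v6list):
    """Apply both lists to the log in order; return [(address, verdict)]."""
    out = []
    for addr, spammy in log:
        if ipaddress.ip_address(addr).version == 4:
            if spammy:
                v4map.add(addr)
            listed = addr in v4map
        else:
            if spammy:
                v6list.report(addr)
            listed = v6list.is_listed(addr)
        out.append((addr, "blocked" if listed else "allowed"))
    return out


def run_demo():
    return classify(SAMPLE_LOG, IPv4Bitmap("198.51.0.0/16"), IPv6PrefixList(threshold=3))


if __name__ == "__main__":
    print(f"full IPv4 bitmap:   {bitmap_bytes('0.0.0.0/0'):,} bytes")
    print(f"one IPv6 /64 bitmap: {bitmap_bytes('2001:db8::/64'):,} bytes")
    for addr, verdict in run_demo():
        print(f"{addr:28} {verdict}")
```

Prefix-keyed listing is what makes the address-hopping scenario tractable, but it also causes the collateral damage the post warns about: once a hosting provider's /64 is shared by many short-lived VPSs, a listing hits every tenant behind it, which is why the threshold, decay, and the whitelist and content checks discussed above have to carry more of the load under IPv6.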


#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to  <sniffer-requ...@sortmonster.com>