On Tue, Oct 04, 2016 at 12:44:59AM -0400, Bill Bogstad wrote:
> http://www.infoworld.com/article/3126784/security/ipv6-servers-beat-ipv4-in-security-for-now.html#tk.rss_networking
>
> The above article reports on how long it took for unadvertised
> insecure servers to be "owned". Servers with IPv4 addresses were
> owned in less than 30 minutes. After a week, the servers with only
> IPv6 addresses had yet to be scanned.
>
> Is this an example of security through obscurity actually working?
> Or is it increasing the size of a brute force search space (like we do
> when we ask people to use longer passwords or encryption keys)?
>
> Obviously, there would be no benefit for publicly known servers whose
> IP addresses can be found with DNS via published hostnames. (Or even
> guessable hostnames.) If everybody switched to IPv6 only for
> non-public systems, how would hackers respond? Would this help with
> IoT (Internet of Things) security?
>
> Thoughts?

Hidden causality: the kind of people who set up IPv6-only systems in
2016 pay more attention to security than everyone else. This will change.

In the meantime, it is the case that a 10-gige connection can scan the
whole of IPv4 space for a vulnerability in a few hours (TCP) or,
best-case UDP, 5 minutes.

-dsr-
