On Tue, Oct 4, 2016 at 9:46 AM, Edward Harvey <[email protected]> wrote:
>> From: bblisa [mailto:[email protected]] On Behalf Of Bill Bogstad
>>
>> Is this an example of security through obscurity actually working?
>
> It's a case of "The attackers have yet to adopt tactics to do this."
>
> If IPv6 addresses used the entire 128 bits, *and* clients could randomly
> choose their own IP, then you would get actual security through obscurity.
> (Just as you have security through obscurity when you keep your 128-bit
> encryption key private). It's not called "security through obscurity" when
> you have *actual* security, by keeping a private secret, without which it is
> infeasible for the attacker to attack you. Then we just call it "secure."
>
> But neither of these assumptions is correct - The number of bits of an IPv6
> address that are actually used for addressing varies, based on the type of
> address (local link only, etc) but a realistic best case for a public address
> might have 70 or so bits of variability, and the rest predictable. In
> practice, the number of unknown bits is probably much smaller, like 40-50 or
> so, because IPv6 addresses aren't globally distributed at random. I don't
> know what patterns to look for, myself personally, but I'm pretty sure if you
> wanted to target IPs in China, or IPs in the US, etc, you could identify
> some ranges, just as you can now with IPv4.
>
> If a lot of systems (relative to IPv4) start using IPv6 exclusively,
> attackers will gather all the missing information from the above paragraph,
> and start systematically scanning the IPv6 space just like they do IPv4.
Thanks for this response. Certainly if you gather advertised IPv6 address
space from BGP sources, you can drastically reduce your search space. Also,
you can trawl public DNS records as another source of active networks. I'm
not an IPv6 expert, but I seem to recall that in some environments hosts use
their MAC address for the local network part of dynamically allocated IPv6
addresses.

But will all of this actually be enough to make scanning IPv6 address space
feasible to attackers? If, as DSR states, you can UDP scan a 32-bit address
space in 5 minutes, it seems to me that even if you end up reducing your scan
space down to effectively 48 bits you are still talking about over 227 days,
OR using large botnets (10s of thousands) with 10G interfaces to do your scans
in a reasonable period of time. Hmm, given current DDoS cannons, this doesn't
sound impossible.

Does anybody have better back-of-envelope WAGs than the above?

Bill Bogstad

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
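The two estimates in the message above (the 227-day figure for a 48-bit space at "2^32 in 5 minutes", and the observation that SLAAC hosts embed their MAC in the address) can be checked with a few lines of arithmetic. The following is an added example written for this page, not code from either poster. It assumes the scan rate quoted in the thread, the standard modified EUI-64 construction from RFC 4291 appendix A for the MAC-derived interface identifier, and uses a constructed documentation prefix (2001:db8::/64) and a made-up MAC rather than any real host.

```python
"""
Back-of-envelope IPv6 scan-space arithmetic (added example for the thread above).
Assumptions: a scanner covers 2**32 addresses in 5 minutes (the rate quoted in
the thread), and SLAAC hosts form their interface identifier with modified
EUI-64 (RFC 4291 appendix A). Prefix and MAC below are constructed samples.
"""
import ipaddress

# Probe rate implied by "a 32-bit address space in 5 minutes" (assumption from the thread).
SCAN_RATE_PPS = 2**32 / (5 * 60)  # about 14.3 million probes per second per scanner
SECONDS_PER_DAY = 86400


def scan_time_days(unknown_bits, scanners=1, rate_pps=SCAN_RATE_PPS):
    """Days needed to probe every address in a 2**unknown_bits space when
    `scanners` hosts each sustain `rate_pps` and split the space evenly."""
    if unknown_bits < 0 or scanners < 1:
        raise ValueError("unknown_bits must be >= 0 and scanners >= 1")
    return 2**unknown_bits / (rate_pps * scanners) / SECONDS_PER_DAY


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier for a 48-bit MAC: insert 0xFFFE
    between the OUI and the NIC-specific half, and flip the universal/local
    bit (0x02 of the first octet). Returns the 64-bit identifier as an int."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix, mac):
    """The address a host with `mac` would autoconfigure on the /64 `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_slaac_address(addr):
    """Inverse: recover the MAC from an EUI-64 based address, or None when the
    identifier lacks the 0xFFFE marker (e.g. RFC 4941 temporary addresses)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def unknown_bits_in_slaac_subnet(oui_known):
    """Bits left to brute force inside one known /64 when hosts use EUI-64:
    the FFFE bytes and the U/L bit are fixed, so 48 bits of MAC remain, and
    only the 24 NIC-specific bits once the vendor OUI has been guessed."""
    return 24 if oui_known else 48


if __name__ == "__main__":
    print(f"48 unknown bits, one scanner:    {scan_time_days(48):.1f} days")
    print(f"48 unknown bits, 20000 scanners: "
          f"{scan_time_days(48, scanners=20000) * 24 * 60:.1f} minutes")
    # constructed sample prefix and MAC, not a real host
    addr = slaac_address("2001:db8::/64", "00:11:22:33:44:55")
    print(f"SLAAC address:  {addr}")
    print(f"MAC recovered:  {mac_from_slaac_address(addr)}")
    print(f"Bits to brute force per /64 with OUI known: {unknown_bits_in_slaac_subnet(True)}")
```

Run stand-alone it reproduces the thread's 227-day figure for 48 bits, shows that 20,000 scanners at the same per-host rate bring it to about a quarter of an hour, and illustrates why a /64 full of EUI-64 hosts is far smaller than 64 bits of entropy: with the subnet prefix known from BGP or DNS and the NIC vendor guessed, only 2^24 candidates remain.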
