[sniffer] Re: IPv6

2011-03-11 Thread Bonno Bloksma
Hi,

I remember reading somewhere research was being done about IPv6 block lists
using the fact that the same /64 net would probably be the same machine or
very near it. Pretty much what we now block when we list an IPv4 NATted
gateway to a private network which houses an infected PC.

Unfortunately I cannot find the reference to that article anymore, I thought
I had it bookmarked. :-(

Yours sincerely,
Bonno Bloksma
senior system administrator

tio 
university of applied sciences for hospitality and tourism
julianalaan 9 / 7553 ab hengelo 
netherlands
t +31-74-255 06 10 / f +31-74-255 06 11 
b.blok...@tio.nl  / www.tio.nl 


-----Original Message-----
From: Message Sniffer Community [mailto:sniffer@sortmonster.com] On behalf of
Peer-to-Peer (Support)
Sent: Friday, 11 March 2011 14:25
To: Message Sniffer Community
Subject: [sniffer] IPv6


Hi everyone,

I've been thinking about the potential risk IPv6 will have on filtering
spam.  I suspect RBLs (real-time blacklists) may become obsolete once IPv6
arrives?

From what I've learned, IPv6 has 340 undecillion (1 followed by 36 zeros) IP
addresses.  And devices can refresh every 24 hours.  IPv4 only has 4.3
billion IP addresses.


Pete: Grab a cup of coffee.  The botnets are coming...



--Paul




#
This message is sent to you because you are subscribed to
  the mailing list sniffer@sortmonster.com.
This list is for discussing Message Sniffer,
Anti-spam, Anti-Malware, and related email topics.
For More information see http://www.armresearch.com
To unsubscribe, E-mail to: sniffer-...@sortmonster.com
To switch to the DIGEST mode, E-mail to sniffer-dig...@sortmonster.com
To switch to the INDEX mode, E-mail to sniffer-in...@sortmonster.com
Send administrative queries to  sniffer-requ...@sortmonster.com







[sniffer] Re: IPv6

2011-03-11 Thread Pete McNeil

On 3/11/2011 9:44 AM, Bonno Bloksma wrote:

Hi,

I remember reading somewhere research was being done about IPv6 block lists
using the fact that the same /64 net would probably be the same machine or
very near it. Pretty much what we now block when we list an IPv4 NATted
gateway to a private network which houses an infected PC.



I had some heated conversations about this at HostingCon in Texas last 
year. The fellow was pushing IPv6 preparedness and had not considered 
some of the issues I raised about it.


As I see it the real trouble is going to show up where IPv6 and 
virtualization meet. Consider that to keep costs and manageability 
reasonable a /64 (or some largeish sub block) will be allocated to a 
chunk of hardware hosting virtualized machines. Consider also that 
virtualization is being highly optimized. Therefore an attacker (spammer 
etc) will be able to map themselves a virtually inexhaustible supply of 
IP addresses and hosts and move them around at will.


Even if they violate TOS on a legitimate system they will be able to do 
it for such a short period of time with such a small data footprint that 
they will be able to remain undetected for long periods-- perhaps even 
indefinitely. By the time anybody looks to see what is going on the 
offending VPS will long since have been destroyed and its cousin will 
be living in a completely different data-center picking up where it left 
off.


The good news is that this behavior is still dramatically different than 
that of legitimate senders so it leaves a statistically important footprint.


What might be predicted from this? Off the top of my head I think maybe 
the following...


* Attacks from anonymously controlled virtual bots will rise 
dramatically and will be very difficult to defend. Consider that we 
currently have sufficient RAM available to completely bitmap every IPv4 
address if we choose to do so -- and that could be done at wire speed on 
even the fastest routers (Still can't get any love for the concept, but 
it's been possible for a long while now). This will not be possible with 
large scale IPv6 deployment.


* Black-listing will become softer and much more difficult. Due to the 
convergence of virtualization and IPv6 deployment, IPs of legitimate 
systems will necessarily merge with the IPs of illegitimate systems. 
Only specific, long-lived IPs from legitimate systems will be worth 
tracking.


* Legitimate systems that do bulk mailing will make increasing use of 
virtualization to keep costs down -- standing up large bot-nets of their 
own to deliver a campaign and then evaporating those bot-nets when 
delivery is complete. This will make such systems virtually 
indistinguishable from illegitimate senders since the IP blocks will 
have significant overlap and the usage statistics will be very similar.


* White-listing mechanisms will become more important.

* Content analysis will become more important. SNF is good at that :-)

* Systems that delay delivery of messages from unknown and untrusted 
systems will be more important -- especially those that allow for 
delivery after re-scanning content rather than conventional 
gray-listing. Conventional gray-listing mechanisms will become more 
difficult to use because all kinds of legitimate bulk mailing systems 
simply will not be there to re-send undelivered messages due to the 
systems being shut-down after the first volley in order to contain 
costs. I expect some significant increases in the complexity of such 
systems to compensate for this.


* On the way to IPv6 there will be a lot of fragmentation and confusion 
of all types. For a long time to come some folks will be unable to 
deploy IPv6. Others will be unavoidably required to do so. Bridges 
between these networks will be necessary, difficult to regulate, and 
unpredictable. Best practices for IPv6 and mixed networks will be 
difficult to define and constantly evolving -- this churn in general 
will slow adoption and increase fragmentation.


What other things might we expect?

Anybody think one or more of these predictions are unrealistic? If so, 
why? After all, it's just conjecture at this point ;-)


In any case, SNF is evolving to become ever more intelligent and 
adaptive. We will concentrate not only on more sophisticated content 
analysis, but also behavioral analysis and an increasingly cognitive 
approach to blending data from all of these subsystems and responding in 
realtime.


_M

--
Pete McNeil
Chief Scientist
ARM Research Labs, LLC
www.armresearch.com
866-770-1044
x7010


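The two data structures discussed in this thread side by side, as an added example that is not part of either message: the flat IPv4 bitmap Pete mentions (one bit per address, 2**32 / 8 = 512 MiB for the whole space) and a sparse IPv6 listing keyed on the /64, which is Bonno's idea of treating one /64 the way an IPv4 NAT gateway's public address is treated today. The DNSBL query-name format follows RFC 5782 (reversed octets for IPv4, 32 reversed nibbles for IPv6); the threshold, the class and function names, the zone name bl.example and the sample addresses (documentation ranges) are assumptions made for the example.

```python
"""
Blocklist data structures for IPv4 versus IPv6 (added example, not from the
thread).  IPv4: one bit per address for the whole space is 2**32 / 8 = 512 MiB,
so a membership test is a single bit lookup.  IPv6 cannot be bitmapped (even a
single /64 holds 2**64 addresses), so listings are kept sparse and keyed on the
/64, on the assumption that one /64 is one host or one LAN, much as listing an
IPv4 NAT gateway's public address lists everything behind it.
"""
import ipaddress
from collections import Counter


def bitmap_bytes(address_bits: int) -> int:
    """Bytes needed for one bit per address in a space of 2**address_bits."""
    return 1 << (address_bits - 3)


class IPv4Bitmap:
    """Flat bitmap over an IPv4 prefix; "0.0.0.0/0" covers the whole Internet."""

    def __init__(self, prefix: str = "0.0.0.0/0") -> None:
        self.net = ipaddress.ip_network(prefix)
        if self.net.version != 4:
            raise ValueError("IPv4Bitmap only bitmaps IPv4 space")
        self.base = int(self.net.network_address)
        self.bits = bytearray(max(1, self.net.num_addresses // 8))

    def _index(self, address: str) -> int:
        ip = ipaddress.ip_address(address)
        if ip not in self.net:
            raise ValueError(f"{ip} is outside {self.net}")
        return int(ip) - self.base

    def add(self, address: str) -> None:
        i = self._index(address)
        self.bits[i >> 3] |= 1 << (i & 7)

    def __contains__(self, address: str) -> bool:
        i = self._index(address)
        return bool(self.bits[i >> 3] & (1 << (i & 7)))


class PrefixBlocklist:
    """Sparse listing keyed on the IPv4 /32 or the IPv6 /64 an address falls in."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold  # sightings before a key is listed (assumed policy)
        self.reports = Counter()    # key -> number of spam sightings
        self.listed = set()

    @staticmethod
    def key(address: str):
        ip = ipaddress.ip_address(address)
        # A dual-stack MTA may log IPv4 peers as ::ffff:a.b.c.d; fold those
        # back to IPv4 so both spellings share one listing.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if ip.version == 4:
            return ipaddress.ip_network(f"{ip}/32")
        return ipaddress.ip_network(f"{ip}/64", strict=False)

    def report(self, address: str) -> bool:
        """Record one sighting; True if this report crossed the listing threshold."""
        k = self.key(address)
        self.reports[k] += 1
        if self.reports[k] >= self.threshold and k not in self.listed:
            self.listed.add(k)
            return True
        return False

    def is_listed(self, address: str) -> bool:
        return self.key(address) in self.listed


def dnsbl_query_name(address: str, zone: str) -> str:
    """RFC 5782 query name: reversed octets for IPv4, all 32 reversed nibbles
    for IPv6.  A zone that lists per /64 answers these with a wildcard under
    the 16 nibbles that encode the prefix."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])


if __name__ == "__main__":
    print(f"full IPv4 bitmap: {bitmap_bytes(32) >> 20} MiB; "
          f"one IPv6 /64 alone: 2**{64 - 3} bytes")
    bl = PrefixBlocklist(threshold=2)
    # Constructed sample: a sender hopping addresses inside one /64.
    for addr in ("2001:db8:1234:5678::1", "2001:db8:1234:5678:dead:beef:0:1"):
        print(addr, "listed now" if bl.report(addr) else "counted")
    print(bl.is_listed("2001:db8:1234:5678:abcd::9"),   # same /64 -> True
          bl.is_listed("2001:db8:1234:5679::1"))        # neighbouring /64 -> False
    print(dnsbl_query_name("2001:db8:1234:5678::1", "bl.example"))
```

Keying on the /64 is what makes address rotation inside one network (privacy addresses refreshed daily, or a VPS respawned on the same host block) hit an existing listing; the cost is the same collateral damage as listing a NAT gateway, since every tenant of that /64 is listed with the offender.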