On 15/12/12 18:46, Jeremy Kitchen wrote:
> Sorry about the direct first reply, my brain wasn't thinking properly
> and I hit reply instead of list-reply.
>
> On Fri, Dec 14, 2012 at 09:07:45PM +0000, Andy Smith wrote:
>> I must admit I don't have an IPv6 SSH dictionary attack
>> countermeasure myself at the moment. However, across 40 of my
>> IPv6-enabled hosts there have been a total of only four failed
>> attempts to log in from an IPv6 host. Some of those logs go back
>> three years...
>
> Not to say that this makes it any less critical to secure your hardware,
> but scanning ipv6 ranges for even a single open port is extremely
> impractical.
>
> Take, for instance, a single /64, which is pretty much the most common
> prefix size (and what we are allocated).
>
> That's 2**64 ips. Or the equivalent of the current internet. Squared.
> 18446744073709551615 IP addresses. Assuming you could test for a port
> being responsive with just a single packet, and assuming each packet is
> a single byte (which it's not, by a long shot), that's 16 EXAbytes of
> outbound traffic.

I'm not sure that's true. Scanners won't just try to guess a server's
address when it's publicly available. For example:

$ dig -t aaaa ipv6.he.net
<snip>
;; ANSWER SECTION:
ipv6.he.net. 86246 IN AAAA 2001:470:0:64::2

which reveals the exact address to target.

(And it also reveals that some servers use 'easy to guess' addresses
ending in <prefix>::1, <prefix>::2 etc.)
cheers
Chris
--
Chris Dennis cgdennis@???
Fordingbridge, Hampshire, UK
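The two points in Chris's message (a published AAAA record gives the address away, and many hosts sit at guessable low suffixes) can be made concrete. The following is an added example, not code from anyone in this thread: given a /64 it lists the addresses a scanner would try before anything else, and given an address it says how guessable the low 64 bits are. The only real value is 2001:470:0:64::2 from the dig output above; the other sample addresses, the candidate patterns (low integers, service-port suffixes, embedded IPv4, EUI-64 with the ff:fe marker, small words) and the cut-offs are my own assumptions.

```python
import ipaddress

# Constructed samples: the first is the address from the dig output in the
# message; the rest are made up to show the other patterns.
SAMPLE_ADDRESSES = [
    "2001:470:0:64::2",               # from the dig output above
    "2001:db8::1:2:3:4",              # constructed: small words in each group
    "2001:db8::192.0.2.10",           # constructed: IPv4 embedded in low 32 bits
    "2001:db8::211:22ff:fe33:4455",   # constructed: modified EUI-64 (ff:fe marker)
    "2001:db8::9a3f:71c4:2d8e:b061",  # constructed: random-looking / privacy IID
]

# Service-port suffixes used as "memorable" host IDs (assumption, not from
# the thread): prefix::22, prefix::53, prefix::50 (0x50 = 80) and so on.
SERVICE_PORTS = (22, 25, 53, 80, 443)

IID_MASK = (1 << 64) - 1


def interface_id(addr):
    """Low 64 bits of an IPv6 address (the host part of a /64)."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def classify_iid(addr):
    """Rough classifier for how guessable the interface identifier is.
    More specific patterns are tested first; the labels are my own."""
    iid = interface_id(addr)
    if iid == 0:
        return "subnet-router-anycast"      # prefix::
    if iid < 0x10000:
        return "low-integer"                # prefix::1, ::2, ::ff ...
    if iid >> 32 == 0:
        return "embedded-ipv4"              # prefix::a.b.c.d (upper 32 bits zero)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"                      # xx:xx:xx:ff:fe:xx:xx:xx, MAC-derived
    words = [(iid >> s) & 0xFFFF for s in (48, 32, 16, 0)]
    if all(w < 0x100 for w in words):
        return "low-words"                  # prefix::1:2:3:4 style
    return "random-looking"                 # SLAAC privacy / random assignment


def scan_candidates(prefix, low_max=255):
    """Addresses a scanner would probe first inside a /64, in order:
    prefix::1 .. prefix::low_max, then the service-port suffixes.
    Duplicates (e.g. ::50 already covered by the low range) are dropped."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("expected a /64 or a shorter prefix")
    base = int(net.network_address)
    ordered = {}
    for n in list(range(1, low_max + 1)) + list(SERVICE_PORTS):
        ordered.setdefault(ipaddress.IPv6Address(base + n), None)
    return list(ordered)


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(f"{a:32} {classify_iid(a)}")
    cands = scan_candidates("2001:470:0:64::/64")
    print(f"{len(cands)} candidates, first three: {[str(c) for c in cands[:3]]}")
```

The point of the candidate list is the contrast with the 2**64 figure in the quoted text: a host at <prefix>::2 is the second packet a scanner sends, not one in eighteen quintillion, and a host with a published AAAA record needs no scanning at all.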