Sorry about the direct first reply, my brain wasn't thinking properly
and I hit reply instead of list-reply.
On Fri, Dec 14, 2012 at 09:07:45PM +0000, Andy Smith wrote:
> I must admit I don't have an IPv6 SSH dictionary attack
> countermeasure myself at the moment. However, across 40 of my
> IPv6-enabled hosts there have been a total of only four failed
> attempts to log in from an IPv6 host. Some of those logs go back
> three years...
Not to say that this makes it any less critical to secure your hardware,
but scanning ipv6 ranges for even a single open port is extremely
impractical.
Take, for instance, a single /64, which is pretty much the most common
prefix size (and what we are allocated).
That's 2**64 ips. Or the equivalent of the current internet. Squared.
18446744073709551615 IP addresses. Assuming you could test for a port
being responsive with just a single packet, and assuming each packet is
a single byte (which it's not, by a long shot), that's 16 EXAbytes of
outbound traffic.
Now consider that there are the same number of those huge IPv6 ranges as
there are IPs inside them.
Scanning entire networks looking for open ports, vulnerable servers,
etc, becomes completely impractical with IPv6.
What's going to start happening now is hostname fuzzing, to try to
discover machines by probing your dns.
I can't remember where I heard/read about this, but it's interesting.
-Jeremy
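Two of the points above lend themselves to a worked check: the cost of exhaustively probing one /64, and the DNS-side symptom Jeremy predicts (hostname fuzzing against your zone, which shows up as one client generating many distinct NXDOMAIN answers). The following Python is an added example written for this thread, not code from either poster. The query-log lines, the `example.net` zone and the `2001:db8::/32` client addresses are constructed sample data, and the four-field log format (timestamp, client, qname, rcode) is an assumed simplification of what a real resolver or authoritative server would log.

```python
import re
from collections import defaultdict

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def scan_cost_per_64(packets_per_second, bytes_per_probe=1):
    """Cost of sending one probe to every address in a single /64.

    Returns (total_bytes, seconds, years).  bytes_per_probe=1 mirrors the
    post's deliberately unrealistic one-byte-per-probe assumption; a real
    TCP SYN over IPv6 is dozens of bytes, so the true figure is larger.
    """
    addresses = 2 ** 64                      # 18446744073709551616 hosts
    total_bytes = addresses * bytes_per_probe
    seconds = addresses / packets_per_second
    return total_bytes, seconds, seconds / SECONDS_PER_YEAR


# Constructed sample query log (not taken from the thread).
# Fields: timestamp, client address, queried name, response code.
SAMPLE_DNS_LOG = """\
2012-12-14T21:10:01 2001:db8:1::10 mail.example.net NOERROR
2012-12-14T21:10:02 2001:db8:1::10 www.example.net NOERROR
2012-12-14T21:10:03 2001:db8:99::7 aaa.example.net NXDOMAIN
2012-12-14T21:10:03 2001:db8:99::7 aab.example.net NXDOMAIN
2012-12-14T21:10:03 2001:db8:99::7 aac.example.net NXDOMAIN
2012-12-14T21:10:04 2001:db8:99::7 admin.example.net NXDOMAIN
2012-12-14T21:10:04 2001:db8:99::7 backup.example.net NXDOMAIN
2012-12-14T21:10:04 2001:db8:99::7 mail.example.net NOERROR
2012-12-14T21:10:05 2001:db8:1::10 ftp.example.net NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_query_log(text):
    """Parse the assumed four-field log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),   # normalise trailing dot / case
            "rcode": rcode.upper(),
        })
    return records


def find_hostname_enumeration(records, zone, min_distinct_nx=5):
    """Flag clients that triggered NXDOMAIN for many *distinct* names in a zone.

    Counting distinct names rather than raw NXDOMAIN hits avoids flagging a
    misconfigured host that retries one stale name forever.  Returns a dict
    of client -> number of distinct missing names, for clients at or above
    the threshold.
    """
    zone = zone.lower().rstrip(".")
    misses = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        if r["qname"] == zone or r["qname"].endswith("." + zone):
            misses[r["client"]].add(r["qname"])
    return {c: len(names) for c, names in misses.items()
            if len(names) >= min_distinct_nx}


if __name__ == "__main__":
    total_bytes, _, years = scan_cost_per_64(packets_per_second=1_000_000)
    print(f"/64 at 1 Mpps, 1 byte/probe: {total_bytes / 2**60:.0f} EiB, "
          f"{years:,.0f} years")
    hits = find_hostname_enumeration(parse_query_log(SAMPLE_DNS_LOG),
                                     "example.net")
    for client, n in hits.items():
        print(f"possible hostname enumeration from {client}: "
              f"{n} distinct NXDOMAIN names")
```

The threshold and window are deliberately simple; in practice you would bucket by time and whitelist your own resolvers, since a recursive resolver forwarding queries on behalf of many users will legitimately produce a steady trickle of NXDOMAIN answers.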