On 15/12/12 18:46, Jeremy Kitchen wrote:
> Sorry about the direct first reply, my brain wasn't thinking properly
> and I hit reply instead of list-reply.
>
> On Fri, Dec 14, 2012 at 09:07:45PM +0000, Andy Smith wrote:
> > I must admit I don't have an IPv6 SSH dictionary attack
> > countermeasure myself at the moment. However, across 40 of my
> > IPv6-enabled hosts there have been a total of only four failed
> > attempts to log in from an IPv6 host. Some of those logs go back
> > three years...
>
> Not to say that this makes it any less critical to secure your hardware,
> but scanning ipv6 ranges for even a single open port is extremely
> impractical.
>
> Take, for instance, a single /64, which is pretty much the most common
> prefix size (and what we are allocated).
>
> That's 2**64 ips. Or the equivalent of the current internet. Squared.
> 18446744073709551615 IP addresses. Assuming you could test for a port
> being responsive with just a single packet, and assuming each packet is
> a single byte (which it's not, by a long shot), that's 16 EXAbytes of
> outbound traffic.
I'm not sure that's true. Scanners won't just try to guess a server's
address when it's publicly available. For example:
$ dig -t aaaa ipv6.he.net
<snip>
;; ANSWER SECTION:
ipv6.he.net. 86246 IN AAAA 2001:470:0:64::2
which reveals the exact address to target.
(And it also reveals that some servers use 'easy to guess' addresses
ending in <prefix>::1, <prefix>::2 etc.)
cheers
Chris
--
Chris Dennis cgdennis(a)btinternet.com
Fordingbridge, Hampshire, UK
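An added example, not part of this thread, that audits a list of AAAA records for the "easy to guess" interface identifiers Chris mentions. It generalises beyond the <prefix>::1 / ::2 case: IPv4-embedded and EUI-64 (MAC-derived) identifiers are also treated as structured, since only a random identifier actually benefits from the 2**64 search space Jeremy describes. The record list is constructed inline in place of live `dig` output; hostnames other than ipv6.he.net are assumed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of (hostname, AAAA record) pairs standing in for the
# output of `dig -t aaaa`. The he.net address is the one quoted in the
# thread; the rest use the 2001:db8::/32 documentation prefix.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("ipv6.he.net", "2001:470:0:64::2"),
    ("www.example.net", "2001:db8:1::1"),
    ("mail.example.net", "2001:db8:1::c0a8:101"),
    ("nas.example.net", "2001:db8:1:0:1a2b:3cff:fe4d:5e6f"),
    ("app.example.net", "2001:db8:1:0:1a2b:3c4d:5e6f:7a8b"),
]

IID_MASK = (1 << 64) - 1  # low 64 bits: the host part of a /64


def classify_iid(addr: str) -> str:
    """Classify the interface identifier (low 64 bits) of an IPv6 address.
    'low-byte'      : <prefix>::1, ::2, ... (the case raised in the thread)
    'ipv4-embedded' : IPv4 address copied into the low 32 bits, e.g. ::c0a8:101
    'eui-64'        : MAC-derived identifier, recognisable by the ff:fe marker
    'random'        : nothing structured found; the 2**64 search space applies
    """
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if iid < (1 << 16):
        return "low-byte"
    if iid < (1 << 32):
        return "ipv4-embedded"
    if (iid >> 24) & 0xFFFF == 0xFFFE:  # bytes 3-4 of the IID are ff:fe
        return "eui-64"
    return "random"


def audit(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by identifier class so the structured ones stand out."""
    report: Dict[str, List[str]] = {}
    for host, addr in records:
        report.setdefault(classify_iid(addr), []).append(host)
    return report


def guessable_hosts(records: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose address does not rely on the full 2**64 IID space."""
    return [host for host, addr in records if classify_iid(addr) != "random"]


if __name__ == "__main__":
    for cls, hosts in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{cls:14s} {', '.join(hosts)}")
```

Feeding it the AAAA records of your own zone (rather than the constructed sample) shows which hosts are reachable by a trivial enumeration regardless of how large the /64 is.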