[BBLISA] IPv6 as a security improvement?

Bill Bogstad bogstad at pobox.com
Tue Oct 4 17:26:05 EDT 2016


On Tue, Oct 4, 2016 at 9:46 AM, Edward Harvey <uber at nedharvey.com> wrote:
>> From: bblisa [mailto:bblisa-bounces at bblisa.org] On Behalf Of Bill Bogstad
>>
>> Is this an example of security through obscurity actually working?
>
> It's a case of "The attackers have yet to adopt tactics to do this."
>
> If IPv6 addresses used the entire 128 bits, *and* clients could randomly choose their own IP, then you would get actual security through obscurity. (Just as you have security through obscurity when you keep your 128-bit encryption key private). It's not called "security through obscurity" when you have *actual* security, by keeping a private secret, without which it is infeasible for the attacker to attack you. Then we just call it "secure."
>
> But neither of these assumptions is correct - The number of bits of an IPv6 address that are actually used for addressing varies, based on the type of address (local link only, etc.) but a realistic best case for a public address might have 70 or so bits of variability, and the rest predictable. In practice, the number of unknown bits is probably much smaller, like 40-50 or so, because IPv6 addresses aren't globally distributed at random. I don't know what patterns to look for, myself personally, but I'm pretty sure if you wanted to target IPs in China, or IPs in the US, etc., you could identify some ranges, just as you can now with IPv4.
>
> If a lot of systems (relative to IPv4) start using IPv6 exclusively, attackers will gather all the missing information from the above paragraph, and start systematically scanning the IPv6 space just like they do IPv4.

Thanks for this response.

Certainly if you gather advertised IPv6 address space from BGP
sources, you can drastically reduce your search space.  Also, you can
trawl public DNS records as another source of active networks.  I'm not
an IPv6 expert, but I seem to recall that in some environments hosts
use their MAC address for the local network part of dynamically
allocated IPv6 addresses.  But will all of this actually be enough to
make scanning IPv6 address space feasible to attackers?  If, as DSR
states, you can UDP scan a 32-bit address space in 5 minutes, it seems
to me that even if you end up reducing your scan space down to
effectively 48 bits you are still talking about over 227 days OR using
large botnets (10s of thousands) with 10G interfaces to do your scans
in a reasonable period of time.  Hmm, given current DDoS cannons,
this doesn't sound impossible.  Does anybody have better back of
envelope WAGs than the above?

Bill Bogstad
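The two back-of-envelope pieces in the message above, as an added example that is not part of the thread and not code from either poster: (1) how a SLAAC host without privacy extensions derives its interface identifier from its MAC (the modified EUI-64 rule of RFC 4291), which is why such hosts leave far fewer unknown bits than a /64 suggests, together with an audit check a defender can run over their own address inventory to spot EUI-64-derived addresses; and (2) the scan-time arithmetic, scaled from the thread's 5-minutes-per-32-bits figure. The MAC 00:11:22:33:44:55 and the 2001:db8::/64 prefix are constructed values (the latter is the RFC 3849 documentation prefix); the linear speed-up across scanners is an assumption.

```python
"""IPv6 back-of-envelope helpers: EUI-64 derivation, an audit check, and
scan-time estimates.  Constructed example; all figures are assumptions."""
import ipaddress
from math import ceil

# The thread's figure: one scanner sweeps a 32-bit (IPv4-sized) space in 5 minutes.
SCAN_32BIT_SECONDS = 5 * 60


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    insert 0xFFFE between the OUI and the device part, then flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit is inverted in the IID
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host *without* privacy extensions would form in a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def looks_like_eui64(addr: str) -> bool:
    """Audit check: does the interface identifier carry the 0xFFFE marker?
    True means the low 64 bits were derived from a MAC rather than chosen
    randomly (RFC 4941 temporary or RFC 7217 opaque IIDs do not have it)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def scan_time_seconds(effective_bits: int, scanners: int = 1) -> float:
    """Wall-clock time to sweep 2**effective_bits addresses, assuming the
    5-minutes-per-32-bits rate and a linear speed-up across scanners."""
    return SCAN_32BIT_SECONDS * 2 ** (effective_bits - 32) / scanners


def scanners_needed(effective_bits: int, deadline_seconds: float) -> int:
    """How many parallel scanners would finish the sweep within the deadline."""
    return ceil(scan_time_seconds(effective_bits) / deadline_seconds)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                    # constructed MAC, not a real host
    addr = slaac_address("2001:db8::/64", mac)   # documentation prefix
    print(addr, "eui64-derived" if looks_like_eui64(str(addr)) else "random-iid")
    for bits in (32, 40, 48, 64):
        days = scan_time_seconds(bits) / 86400
        print(f"{bits} effective bits: {days:,.1f} days on one scanner; "
              f"{scanners_needed(bits, 86400):,} scanners to finish in a day")
```

With the 5-minute figure, 48 effective bits comes out at 19,660,800 seconds, i.e. the 227-odd days in the message, and 228 scanners would bring that down to one day. The audit side is the part worth keeping: if `looks_like_eui64` fires on addresses in your own logs or DHCPv6/NDP tables, those hosts are not getting the entropy the /64 appears to offer, and enabling temporary (RFC 4941) or stable-opaque (RFC 7217) identifiers is the fix.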


