- Researchers in collaboration with the Max Planck Institute for Informatics have completed the first empirical study of large-scale vulnerability scanning in the IPv6 space, and their findings are available here.
- The research found that scanners have started scanning the IPv6 space. Scanning the IPv6 space is very time-consuming, so we still don’t see a lot of scanning in that space when compared to scanning in IPv4.
- A small number of large sources are responsible for most of the scanning, both in terms of geographic spread and the raw volume they send. One way to see who is probing your site is to look at the top sources of traffic. You’ll notice that some of these visitors are cybersecurity companies, and others sit in the address space of the host’s own cloud provider.
- Scanners often do not source scan traffic from a single 128-bit IPv6 address, but instead spread it across many addresses within prefixes as short as /32. This makes detection and blocking of scanners much more difficult, so it is best to keep any computer running Internet-exposed services behind a carefully configured firewall that can recognise these kinds of scans.
- As scanning of the IPv6 space grows, reliable detection and blocking of IPv6 scan sources will be a significant challenge for many companies.
Attackers, researchers and defenders alike have been using scanning to find and expose vulnerabilities in internet-connected devices. Although their goals may differ, with tens of thousands of continuously active sources in IPv4, scanning has become one of the cornerstones for anyone looking for, or defending against, cyber threats. As soon as new vulnerabilities are found in software, attackers race to find the vulnerable hosts for exploitation. At the same time, botnets continuously scan the address space and identify new targets for lateral spreading. Additionally, security companies and researchers want to know details about the IPv4 space so that they can identify weak spots.
Have you thought much about IPv6? The number of people scanning it has gone down over the past few years. Is it really worth the effort?
Given how long IPv6 is taking to propagate across the entire Internet (roughly 40% of it has still not adopted the protocol), we believe its security risks should not be ignored by this community. This paper presents our methodology to reveal thousands of new IPv6 hosts scanning for IP address spoofing and infected with what appears to be worms. Educational institutions are often targeted by digital scans and by the companies that perform such scans. What they scan for, and what the key challenges are when it comes to identifying and blocking such scans, is my main concern in this report.
What is IPv6?
IPv6 is the latest iteration of the Internet Protocol, which gives each device on the internet an IP address so that devices can communicate with each other. The new protocol is designed to support a much larger network of devices and to expand the connectivity of networks such as mobile devices.
There are two types of IP addresses: IPv4 and IPv6. IPv4 was the first type of IP address and has a maximum of 4,294,967,296 addresses. IPv6 is the newest type of IP address, and it has a much larger number: 340,282,366,920,938,463,463. That’s enough for every person in the world. IPv6 addresses are usually written in hexadecimal, unlike the dotted-decimal notation of IPv4: an address beginning “192.168.” is an IPv4 address, not an IPv6 one.
Why is scanning the IPv6 space difficult?
There are approximately 4 billion IPv4 addresses, and a high-bandwidth machine can scan the entire space in less than an hour. Low-bandwidth IoT bots simply generate and probe random IPv4 addresses to spread laterally. Given enough time, this is usually enough to find a responsive host.
Contrary to IPv4, which limits you to 4.3 billion addresses, IPv6 allows for 340 trillion trillion trillion addresses. That is many orders of magnitude more than the number of available addresses in the IPv4 protocol. It would take the human race trillions of years to search through the entirety of IPv6 with today’s technology. The IPv6 protocol has a ton of benefits, but one downside is that traditional full scans won’t work in this space. That’s why attackers usually resort to other methods, like hit lists or DNS queries, to find target addresses. Though the scope of IPv6 makes it difficult for attackers to use random scanning to find targets, this does not mean you can ignore it. A “security by obscurity” ideology would suggest methods of “securing” IPv6, like.
Why is detecting IPv6 scans difficult?
In the IPv4 space, every IP address receives thousands of scanning packets every day, a result of actors scanning the entire IPv4 space or randomly generating target IPs to find vulnerable hosts. This means that by monitoring traffic arriving at unused prefixes (“darknets”) we can study overall scanning trends within the IPv4 space.
Observing scanning traffic on IPv6 networks isn’t as easy. Your best bet? Find vantage points that attract high levels of scan traffic and monitor those. As mentioned above, randomly scanning the full address space is not practical, so monitoring traffic on unused IPv6 prefixes (darknets, as is common practice for IPv4) will hardly reveal any scanning traffic.
Another challenge is to identify and isolate the sources of scans. Attackers and legitimate scanning sources are both actively surveying or scanning for vulnerabilities, so it’s important to tell them apart. This will help you assess where the problem areas currently lie in your network environment. Isolation is then key in production environments for blocking communications from malicious actors, especially since a lot of that information is transit data. We analyzed the traffic from scanners and found that some of them spread the scanning device’s IPv6 addresses across more specific prefixes: for example, they would probe from a whole /64 or /48 rather than from a single 128-bit IPv6 address as one would expect. The size of IPv6 makes it possible to assign a large block of IPv6 space to a scanner. For example, RIRs (Regional Internet Registries) can provide IPv6 allocations of up to 2 x 1028 addresses (i.e., they can allocate as much as 2x 1024 or 2x 1028), and individual customers might hold an allocation of their own. We sometimes use the bits in IPv6 addresses to encode scan information; we do this because other scanners are using these bits to help find us.
Scan source networks
This table shows the top 20 networks that source scanning traffic. For each network we also show the number of scan sources detected in it, broken down by whether the source was identified as a /48, a /64 or a /128. The next column shows the share of each respective type of source relative to all scans in that particular ASN.
The table below lists the top 20 scan source networks ordered by volume. While individual scanning devices source traffic from their assigned prefixes (/64s or /128s), we notice that some networks must be aggregated up to a /48 or beyond: the combined traffic from all or part of that address space satisfies our scan definition even though no single address within it does.
We find that scanning is heavily concentrated: the top five source networks account for almost 93% of all scan traffic. The top two most active networks are data centers in China, followed by cyber security companies and government agencies. Our research shows that scanning traffic mostly originates from large providers, namely data centres and cloud servers. We did not find any internet service provider in the top 20 for scanning traffic.
Scan sources show major differences across networks. The scanners at the top of the list are sourced from a single 128-bit IP address, while some networks, like AS 18, present us with scanners discovered on more than 1000 different /48 prefixes. At the same time, AS 18 only makes up a tiny fraction of all scanning traffic, 0.1% in fact, but it has a significant impact on passive scanning tasks.
Of course, to answer that question we need to know what the appropriate prefix size is when identifying an IPv6 scan source.
As shown in Table 1, the answer varies: the scanner device in AS 1 can and should be identified by its 128-bit IPv6 address, while the scanner actor in AS 18 needs to be grouped together as a whole /32 prefix. Aggregating at such a coarse prefix length makes it hard to differentiate between individual scanning sources, especially since they often get allocated smaller prefixes. If you turn on scan detection, a too-coarse aggregation will also block legitimate traffic.
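The aggregation trade-off described above can be made concrete. The following Python script is an added example, not code from the paper or its authors: it takes a constructed probe log (source and destination IPv6 addresses, all drawn from the 2001:db8::/32 documentation range) and groups sources at /128, /64, /48 and /32 to find the most specific prefix length at which each source meets a simple scan definition. The scan definition (at least five distinct destinations) and the candidate prefix lengths are assumptions chosen for the illustration, not the study's own thresholds. A single-address scanner is visible at /128, a scanner spread over many /48s only becomes visible at /32, and the `collateral_sources` function shows which benign neighbours a coarse grouping would sweep up.

```python
"""Aggregate IPv6 probe sources at several prefix lengths to see at which
granularity a scanner becomes visible, and what a coarse grouping costs.
Added example with constructed data; not the paper's code or thresholds."""
import ipaddress
from collections import defaultdict

# Scan definition used here (an assumption for the example): a source prefix
# counts as a scanner once its probes reach this many distinct destinations.
MIN_DISTINCT_TARGETS = 5

# Candidate aggregation granularities, most specific first.
PREFIX_LENGTHS = (128, 64, 48, 32)

# Constructed probe log: (source, destination). Documentation addresses only.
SAMPLE_PROBES = [
    # "Scanner A": one 128-bit address probing six targets.
    *[("2001:db8:1::10", f"2001:db8:ffff::{i}") for i in range(1, 7)],
    # "Scanner B": eight probes, each from a different /48 under 2001:db8::/32,
    # each hitting a single target (invisible at /128, /64 and /48).
    *[(f"2001:db8:{0x100 + i:x}::{i}", f"2001:db8:ffff::{0x20 + i:x}")
      for i in range(8)],
    # Benign host sharing scanner A's /48 but not its /64: one connection.
    ("2001:db8:1:1::55", "2001:db8:ffff::1"),
]


def parse_probes(records):
    """Turn (src, dst) strings into IPv6Address pairs."""
    return [(ipaddress.IPv6Address(s), ipaddress.IPv6Address(d))
            for s, d in records]


def aggregate(probes, prefix_len):
    """Map each source prefix of the given length to the set of distinct
    destinations probed from inside it."""
    targets = defaultdict(set)
    for src, dst in probes:
        net = ipaddress.IPv6Network((src, prefix_len), strict=False)
        targets[net].add(dst)
    return targets


def scanner_prefixes(probes, prefix_len, min_targets=MIN_DISTINCT_TARGETS):
    """Prefixes of this length whose combined traffic meets the scan definition."""
    return {net for net, dsts in aggregate(probes, prefix_len).items()
            if len(dsts) >= min_targets}


def most_specific_scanner_prefix(probes, source, lengths=PREFIX_LENGTHS,
                                 min_targets=MIN_DISTINCT_TARGETS):
    """Longest prefix length at which `source` falls inside a flagged prefix,
    or None if it never does. Coarser lengths catch distributed scanners but
    also absorb any neighbour sharing that prefix."""
    src = ipaddress.IPv6Address(source)
    for plen in lengths:
        net = ipaddress.IPv6Network((src, plen), strict=False)
        if net in scanner_prefixes(probes, plen, min_targets):
            return plen
    return None


def collateral_sources(probes, prefix_len, min_targets=MIN_DISTINCT_TARGETS):
    """Individual source addresses that would be blocked at this granularity
    although on their own they never met the scan definition."""
    flagged = scanner_prefixes(probes, prefix_len, min_targets)
    per_host = aggregate(probes, 128)
    caught = []
    for host_net, dsts in per_host.items():
        host = host_net.network_address
        parent = ipaddress.IPv6Network((host, prefix_len), strict=False)
        if parent in flagged and len(dsts) < min_targets:
            caught.append(str(host))
    return sorted(caught)


if __name__ == "__main__":
    probes = parse_probes(SAMPLE_PROBES)
    for plen in PREFIX_LENGTHS:
        print(f"/{plen}: flagged {sorted(map(str, scanner_prefixes(probes, plen)))}, "
              f"collateral {len(collateral_sources(probes, plen))} host(s)")
    for src in ("2001:db8:1::10", "2001:db8:103::3", "2001:db8:1:1::55"):
        print(src, "->", most_specific_scanner_prefix(probes, src))
```

Run stand-alone, the script shows the single-address scanner flagged at /128 with no collateral, the distributed scanner only flagged once everything is rolled up to 2001:db8::/32, and the benign host swept in at /48 and /32 purely because it shares a prefix with a scanner. In a real deployment the prefix length per source has to be chosen per network, as the paper's Table 1 suggests, rather than applied uniformly.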
Our initial research shows that there are still very few scanners specifically looking for IPv6 vulnerabilities. The scan traffic is highly concentrated, and only a small number of scanners are currently probing the IPv6 space. IPv6 vulnerability scanning is on the rise, however, and this will become more apparent as the fundamentals of the space are better understood. Correctly pinpointing scan sources remains a delicate matter.