Using IPv6 with prefixes shorter than a /64 on a LAN
On Jan 26, 2011, at 11:17 AM, Jimmy Hess wrote:
> There are other methods of discovery as well, but they are not close in scale or 'ease of use' to what brute-force address space scanning
> could easily accomplish with IPv4.
Most botted hosts today are compromised in the first place via layer-7 exploits, not via scanning and network-based exploits.
Pushing the miscreants in the direction of hinted scanning will further strain already overloaded whois and DNS servers.
And just because iterative scanning is a crapshoot in IPv6, it costs attackers nothing to do it, anyways, and so they will.
So, the fact that IPv6 access networks can contain huge numbers of possible endpoint addresses as compared to IPv4 is largely irrelevant, and in fact will have negative consequences with regards to the second-order effects of hinted scanning.
------------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.
-- Alan Kay