You can -j REJECT but you can not hide: Global scanning of the IPv6 Internet: Finding interesting targets in 128bit of entropy

Presented at 33C3 (2016), Dec. 27, 2016, 11 p.m. (60 minutes).

In this talk we will explore and present various IPv6 scanning techniques that allow attackers to peek into IPv6 networks. With the already known difference between IPv4 and IPv6 firewalling (the latter is worse... ) we then demonstrate how these techniques can be combined and used to obtain a large-scale view on the state of IPv6 in infrastructures and data centers. To give the whole issue a somewhat more fun dimension, we will also look at some (security) sensitive applications of this technique. Complimentary code-snippets will be provided.

Scanning networks is a basic tool for security researchers. Software misconfiguration like with unprotected key-value stores and software bugs like heartbleed are analyzed and investigated in the wild using scanning of networks.

At least since the rise of zMap, scanning the I---Pv4---nternet has become a rather simple endeavour. When one happens to be at a conference that tends to supply 1gE or 10gE ports on the access layer, scanning the Internet can be done in 60-10 Minutes. Scanning the 2^32 possible addresses (with certain limitations) of IPv4 has become cheap.

However, the small searchspace of IPv4 that makes it so scannable is also what renders it increasingly obsolete. To overcome this issue, IPv6 was designed. Along with IPv6 we receive a theoretical maximum of 2^128 different addresses. Scanning this larger space is a challenge that---so far---has been mostly approached by researchers. Specifically, not security but network measurement researchers. Their works usually focus on having access to large datasets of IPv6 addresses, the most famous ones using the access logs of a large CDN.

With the average nerd lacking a small enterprise scale CDN in the basement, we set out to utilize other techniques for enumerating IPv6 that only utilizes public data sources. Following RFC7707, we found various interesting candidate techniques. Especially probing the PTR sets of IPv6 networks sounded promising.

However, when implementing the techniques, we had to realize that these were not yet ready to be used on a global scale. During the last couple of months we discovered pitfalls, adjusted the tools and ran enumerations.

In this talk we will present the approaches we used to enumerate IPv6. From this presentation, the average person in the audience should be able to easily implement these tools for them self---with subsequent "spasz am geraet". Furthermore, we will present anecdotes, case-studies and investigations on the data we gathered so far. This includes peeks into transit networks of large ISPs, datacenters of global cloud providers and a suprisingly high amount of things one would not expect (or hope to be) on the Internet.


Presenters:

  • Tobias Fiebig
    BSc in Cognitive Science from University of Osnabrueck in 2012, MSc in System and Networkengineering from the University of Amsterdam in 2013, pursuing a PhD in $something_with_computers at TU Berlin since then. While I initially started with the security group of Prof. Seifert, my networking interests brought me into a dual-adviser-disorder situation, with Prof. Feldmann as my second adviser by now. I am currently working on measuring misconfiguration on the Internet, which basically boils down to telling people that there are no experts in OPS, and we do need usable and secure-by-default systems there, as well as for end users. While zMap used to be a fun tool to research misconfigurations, IPv6 is currently putting an end to this. Well... I am working on this,... In summary, following a statement from a collaborator of the first paper we published together: "Where the hell do you always get these stupid ideas?!"

Links:

Similar Presentations: