[ale] hack attempts

Michael H. Warfield mhw at wittsend.com
Fri Feb 11 20:25:19 EST 2005


Hmmm

	Interrupting my longer reply to the earlier message for a brief aside.

On Fri, 2005-02-11 at 19:31 -0500, James Baldwin wrote:
> On 11 Feb 2005, at 14:59, Jason Day wrote:
> 
> > I'm completely ignorant when it comes to IPv6 and how it compares with
> > IPv4.  I wasn't aware that IPv6 was unscannable, for instance.  Do you
> > have any pointers to more information?

> IPv6 is not unscannable. Rather it is inefficient to scan random IPs 
> looking for vulnerable hosts. The address range for IPv6 is that 

	Yeah, gee, it's only 4 billion times more difficult to scan a single
IPv6 SUB-NET than it is to scan the entire IPv4 INTERNET from end to
end.  Most people thinking in IPv4 terms fail to appreciate even the
order of magnitude of just how difficult it is.  Plus there are no
broadcast addresses, so you can forget about directed broadcasts helping
you out.

	IPv6 EUI (local host) addresses have the same bit space as an md5
checksum and we rely on people NOT being able to forge md5 sums OFF-LINE
(and scanning would have to be ON-LINE and very noisy).

> enormous. This could change if the address space fills up sufficiently,

	Not a prayer.  16 billion billion addresses in each subnet.  THINK
ABOUT IT.  Not a prayer.  Not even for a stage three civilization
spanning the galaxy.  How are you going to drive the host density on a
single subnet high enough to be worthwhile to be scanned?
 
> or other better manners of scanning hosts are discovered but that is 
> unlikely in the near term. Hopefully by the time this happens there 
> will be better anomaly at the edges so the provider would detect a 
> scan.

	The nature of attacks on IPv6 has to change.  You simply can NOT scan
IPv6 because the signal to noise ratio is orders of magnitude too high
(you create too much noise for way too little return signal) and nothing
is going to change that because there will NEVER be a high enough
density of hosts on a given subnet.  If they can scan by DNS, they
might, but you just shut off zone transfers.  If they can scan by
addresses discovered through other transactions, you fall back to
privacy enhanced or cryptographically generated addresses.

	IPv6 is not just IPv4 with large addresses.  The paradigm changes.
From a paradigm of scarcity, we change to a paradigm of bounty and that
enables tools we have not seen since the beginning of the internet.
IPv6 is not just IPv4 with large addresses.  Even if it was, which it
isn't, the paradigm change ensures that it can't be.

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!