[ipv6hackers] IPv6 host scanning in IPv6

Fernando Gont fgont at si6networks.com
Fri Apr 20 10:46:56 CEST 2012

Hi, Marc!

Nice to hear from you! -- Please find my comments in-line...

On 04/20/2012 04:32 AM, Marc Heuse wrote:
> in chapter 4, the distribution is not what I have seen, neither at

Seen for clients, or seen for servers? -- Note that the aforementioned
distribution is for clients, rather than servers.

That said, those data are possibly outdated, and if not, will be as IPv6
gets deployed: e.g., I really doubt there will be such a large
percentage of manually configured addresses in the case of "normal" clients.

> customers, nor DNS analysis (host scanning results are biased of course
> and therefore not valid as comparison). 2008 - so four years ago - the
> IPv6 internet was different from what it is today, and the same will be
> the case four years in the future. but that's rather a marginal thing I
> guess.

Agreed. The only reason for which I'm referencing Malone's paper is that
I do not know of any other publication with more recent results. -- For
instance, I was urging Malone to run his experiment again. :-)

> the "abuse scan" mentioned by [Ybema2010] was most likely my scan I did
> on the IPv6 internet to perform a statistical analysis to optimize
> further ipv6 pentests (some rough results being in my ipv6 presentations
> from 2010-2011).

I've been meaning to drop you an e-mail about your presentation, but I
think I never did so. (just to double-check if what you were doing is
what I thought you were doing) -- more on this later (i.e., the actual
questions/comments :-) )

BTW, which of your presentations should I reference for this? (conf
name, where, when, url to slides, etc.)

> I had some people complaining that they got something like 50k packets
> per minute (which means they were on a slow connection... ;-) )
> (everyone who sent my ISP a "we don't want that" email got on the
> blacklist for future scans of course)

IIRC, you were not sweeping the address space, but rather grabbed some
DNS names, bruteforced other names (with a dictionary), and tried those,

> at my presentations at the coming conferences (HITB Kuala Lumpur in
> October, H2HC Sao Paulo in October and Hackingzone Cali in November) I
> will show all remote and local host detection techniques I have found
> and developed, and a little later the tool which does that will finally
> be released with a big update to thc-ipv6 with lots of new tools and
> attacks. (my trainings already include all this stuff)

Please post a note when conference registration opens, or the like --
it's interesting stuff for the community to know about!

> Greets,
> Marc
> P.S. the reference date for Ybema2010 is wrong:
> August 2011 - but URL says /nanog/2010-September/

Hacking the xml (to produce the I-D) at night wasn't much of a good
idea, it seems :-) -- I will fix this one in the next rev.

P.S.: I will also reference the two implementations posted recently
on-list for the inverse-DNS-based scanning attack, too.


Best regards,
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
