Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:30 PM

Researchers Seek Out Ways to Search IPv6 Space

Security researchers regularly search IPv4 address space looking for servers with ports exposing vulnerable software. With the massive number of IPv6 addresses, however, they have lost that ability. Can tricks and workarounds save the day?

In April 2014, Google announced that one of its researchers had found a critical vulnerability in the widely deployed OpenSSL software used to encrypt connections to Web servers and other Internet hosts. 

To assess the risk from the vulnerability, security professionals and academic researchers began scanning the 4.3 billion addresses on the Internet, looking for unpatched servers vulnerable to the now-infamous Heartbleed flaw. Researchers were not the only ones searching the entire Internet. Within a few days, attacks came from more than 700 different sources, according to a 2014 paper published by a team of researchers from various universities.

The ability to gain similar intelligence in the future may disappear, however. About a quarter of Internet users currently connect to Google over IPv6, up from 5% four years ago, according to data collected by the search giant. As service providers adopt the next-generation Internet protocol, IPv6 will become more common, and researchers worry that their ability to exhaustively search the network will fail. 

"As the number of IPv6 users continues to increase, we are beginning to see some of the security implications present in many of the default configurations being deployed around the world," says Earl Carter, manager of security research at Cisco. "This has contributed to many of the threats that are being encountered by organizations on a daily basis," he says.

Time for a little math.

The IPv6 Internet has 2^128 addresses, or 3.4 times 10^38 — an astronomical number. (For comparison, astronomers estimate that there are 2 times 10^23 stars in the universe, which means there are a million billion times more IPv6 addresses than stars.) If it took a single second to scan the entire IPv4 address space, it would take 25 billion billion centuries to scan all of the IPv6 address space.

In a March 18 blog post, two members of the Cisco Talos research group highlighted the issue.

"Enumerating all active hosts by scanning all of this address space is practically, and theoretically, infeasible," wrote Martin Zeiser and Aleksandar Nikolich. "With the greater adoption of IPv6, this threatens to hide an ever-larger number of hosts in future internet surveys. This is especially critical as a growing number of unsecured internet-of-things devices come online."

Yet researchers should not be counted out quite yet. While an exhaustive search of the IPv6 Internet is not possible, researchers have been searching for workarounds that could allow them to find active systems in the dark recesses of the IPv6 Internet.

"It comes down to tricks," said Tod Beardsley, research director at vulnerability-management firm Rapid7. "IPv6 is a ginormous space. ... Your server cannot be found unless you are advertising its address."

Rapid7 regularly scans the entire IPv4 Internet for 70 different protocols under its Project Sonar service, which feeds the company's other security and threat-intelligence products. In 2018, the company found that the United States had the most exposed systems, including 6.1 million exposed databases and 1.2 million exposed SMB servers.

The company has not yet developed a way to provide a similar service under IPv6, Beardsley said.

In their blog post, the two Cisco Talos researchers described one way that servers could be located in the dark matter of the IPv6 space. Universal Plug and Play (UPnP), a protocol designed to allow automated network discovery on local networks, is often exposed to the Internet and can be used to fool devices into revealing their IPv6 addresses. 

By sending out a UPnP notify packet to every IPv4 address, the research duo found about 12,000 devices that advertised their IPv6 addresses. Most of the devices were consumer devices, such as security cameras, smart TVs, and, in some cases, Windows machines set up as BitTorrent peers.

"Even though our resulting dataset is small, it represents a unique subset of active IPv6 devices which were so far unexplored," the researchers stated. "Users should ensure that their devices don't have unintentional IPv6 connectivity or if it's intentional, that it's adequately firewalled."

Others have also found some ways around the enormous, and sparsely populated, IPv6 address space. The scanning service Shodan, which offers a searchable database of exposed Internet services, exploited the details of a widely used pool of servers that allow others to synchronize times, according to a description published by the SANS ISC Internet Forum. A server that wants to update its time to the global norm contacts its default Network Time Protocol (NTP) servers and requests the latest time. To do so, it has to provide its address. Servers using an IPv6 address essentially announce themselves, says Johannes Ullrich, dean of research for the SANS Technology Institute.

"Shodan came up with this ingenious idea of having systems connect to them," he says. "And, of course, there is nothing that you can do at that point, and they will scan you based on that. That is one of the more efficient ways to find IPv6 hosts."

The question for companies is whether being scanned is good or bad. While it could allow altruistic researchers the ability to find unknown problems and notify the company, more often attackers will use scanning to find servers vulnerable to a specific attack. 

"As a first step, you probably should 'fix' your NTP infrastructure," Ullrich stated in the blog post. "Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside."

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/21/2019 | 5:13:17 AM
IPv6 address patterns
This reminds me of a presentation I've seen about using patterns in IPv6 addressing to make the search space smaller: https://www.ipv6.org.uk/wp-content/uploads/2018/10/fgont-uk2017-ipv6-security-tools.pdf
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-21
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
PUBLISHED: 2020-10-21
Prior to 0.10.0-beta, LND (Lightning Network Daemon) would have accepted a counterparty high-S signature and broadcast tx-relay invalid local commitment/HTLC transactions. This can be exploited by any peer with an open channel regardless of the victim situation (e.g., routing node, payment-receiver,...
PUBLISHED: 2020-10-21
Prior to 0.11.0-beta, LND (Lightning Network Daemon) had a vulnerability in its invoice database. While claiming on-chain a received HTLC output, it didn't verify that the corresponding outgoing off-chain HTLC was already settled before releasing the preimage. In the case of a hash-and-amount collis...
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.