

07:30 PM

Researchers Seek Out Ways to Search IPv6 Space

Security researchers regularly search IPv4 address space looking for servers with ports exposing vulnerable software. With the massive number of IPv6 addresses, however, they have lost that ability. Can tricks and workarounds save the day?

In April 2014, Google announced that one of its researchers had found a critical vulnerability in the widely deployed OpenSSL software used to encrypt connections to Web servers and other Internet hosts. 

To assess the risk from the vulnerability, security professionals and academic researchers began scanning the 4.3 billion addresses on the Internet, looking for unpatched servers vulnerable to the now-infamous Heartbleed flaw. Researchers were not the only ones searching the entire Internet. Within a few days, attacks came from more than 700 different sources, according to a 2014 paper published by a team of researchers from various universities.

The ability to gain similar intelligence in the future may disappear, however. About a quarter of Internet users currently connect to Google over IPv6, up from 5% four years ago, according to data collected by the search giant. As service providers adopt the next-generation Internet protocol, IPv6 will become more common, and researchers worry that their ability to exhaustively search the network will fail. 

"As the number of IPv6 users continues to increase, we are beginning to see some of the security implications present in many of the default configurations being deployed around the world," says Earl Carter, manager of security research at Cisco. "This has contributed to many of the threats that are being encountered by organizations on a daily basis," he says.

Time for a little math.

The IPv6 Internet has 2^128 addresses, or 3.4 times 10^38 — an astronomical number. (For comparison, astronomers estimate that there are 2 times 10^23 stars in the universe, which means there are a million billion times more IPv6 addresses than stars.) If it took a single second to scan the entire IPv4 address space, it would take 25 billion billion centuries to scan all of the IPv6 address space.

In a March 18 blog post, two members of the Cisco Talos research group highlighted the issue.

"Enumerating all active hosts by scanning all of this address space is practically, and theoretically, infeasible," wrote Martin Zeiser and Aleksandar Nikolich. "With the greater adoption of IPv6, this threatens to hide an ever-larger number of hosts in future internet surveys. This is especially critical as a growing number of unsecured internet-of-things devices come online."

Yet researchers should not be counted out quite yet. While an exhaustive search of the IPv6 Internet is not possible, researchers have been searching for workarounds that could allow them to find active systems in the dark recesses of the IPv6 Internet.

"It comes down to tricks," said Tod Beardsley, research director at vulnerability-management firm Rapid7. "IPv6 is a ginormous space. ... Your server cannot be found unless you are advertising its address."

Rapid7 regularly scans the entire IPv4 Internet for 70 different protocols under its Project Sonar service, which feeds the company's other security and threat-intelligence products. In 2018, the company found that the United States had the most exposed systems, including 6.1 million exposed databases and 1.2 million exposed SMB servers.

The company has not yet developed a way to provide a similar service under IPv6, Beardsley said.

In their blog post, the two Cisco Talos researchers described one way that servers could be located in the dark matter of the IPv6 space. Universal Plug and Play (UPnP), a protocol designed to allow automated network discovery on local networks, is often exposed to the Internet and can be used to fool devices into revealing their IPv6 addresses. 

By sending out a UPnP notify packet to every IPv4 address, the research duo found about 12,000 devices that advertised their IPv6 addresses. Most of the devices were consumer devices, such as security cameras, smart TVs, and, in some cases, Windows machines set up as BitTorrent peers.

"Even though our resulting dataset is small, it represents a unique subset of active IPv6 devices which were so far unexplored," the researchers stated. "Users should ensure that their devices don't have unintentional IPv6 connectivity or if it's intentional, that it's adequately firewalled."

Others have also found some ways around the enormous, and sparsely populated, IPv6 address space. The scanning service Shodan, which offers a searchable database of exposed Internet services, exploited the details of a widely used pool of servers that allow others to synchronize times, according to a description published by the SANS ISC Internet Forum. A server that wants to update its time to the global norm contacts its default Network Time Protocol (NTP) servers and requests the latest time. To do so, it has to provide its address. Servers using an IPv6 address essentially announce themselves, says Johannes Ullrich, dean of research for the SANS Technology Institute.

"Shodan came up with this ingenious idea of having systems connect to them," he says. "And, of course, there is nothing that you can do at that point, and they will scan you based on that. That is one of the more efficient ways to find IPv6 hosts."

The question for companies is whether being scanned is good or bad. While it could allow altruistic researchers the ability to find unknown problems and notify the company, more often attackers will use scanning to find servers vulnerable to a specific attack. 

"As a first step, you probably should 'fix' your NTP infrastructure," Ullrich stated in the blog post. "Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside."

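One way to check Ullrich's recommendation against flow logs, as an added example that is not from the article or the SANS ISC post: it flags internal hosts that send NTP directly to outside servers instead of going through the authorized internal ones. The prefixes, authorized server addresses and flow records are constructed assumptions that use documentation address ranges.

```python
import ipaddress

# Assumed site values (hypothetical): internal prefixes and the only hosts
# allowed to speak NTP to the outside. All addresses are documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("2001:db8:10::/48", "192.0.2.0/24")]
AUTHORIZED_NTP = {ipaddress.ip_address(a) for a in ("2001:db8:10::123", "192.0.2.123")}

# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("2001:db8:10::25", "2001:db8:10::123", "udp", 123),    # client -> internal NTP
    ("2001:db8:10::123", "2001:db8:beef::1", "udp", 123),   # authorized server -> outside
    ("2001:db8:10:4::77", "2001:db8:beef::1", "udp", 123),  # device -> outside directly
    ("::ffff:192.0.2.40", "198.51.100.7", "udp", 123),      # IPv4-mapped source address
    ("2001:db8:10::25", "2001:db8:beef::1", "tcp", 443),    # not NTP, ignored
]


def normalize(text):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def is_internal(addr):
    """True when the address falls inside one of the internal prefixes."""
    return any(addr.version == net.version and addr in net for net in INTERNAL_NETS)


def ntp_violations(flows):
    """Map each unauthorized internal host to the external NTP servers it contacted."""
    found = {}
    for src, dst, proto, dport in flows:
        if proto != "udp" or dport != 123:
            continue
        s, d = normalize(src), normalize(dst)
        if is_internal(s) and not is_internal(d) and s not in AUTHORIZED_NTP:
            found.setdefault(str(s), set()).add(str(d))
    return found


if __name__ == "__main__":
    for host, dests in sorted(ntp_violations(SAMPLE_FLOWS).items()):
        print(f"{host} sent NTP directly to {sorted(dests)}")
```
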

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

3/21/2019 | 5:13:17 AM
IPv6 address patterns
This reminds me of a presentation I've seen about using patterns in IPv6 addressing to make the search space smaller: https://www.ipv6.org.uk/wp-content/uploads/2018/10/fgont-uk2017-ipv6-security-tools.pdf