Part one of this article discussed how it was previously believed that IPv6 scanning was nearly impossible. But it is trivial to scan IPv6 addresses that are on the local link, in DNS, easily guessed, or found using other creative methods. IPv6 addresses can also be found in other places and then used for active scanning.
IPv6 Hitlists and Target Generation Algorithms (TGAs)
People have been creating lists of Internet-reachable IPv6 addresses for years. This is akin to the early ARPANET /etc/hosts (or yellow pages) for the IPv6 Internet. The IPv6 Hitlist Service is a large list of known and responsive IPv6 addresses on the public Internet. It has aliased and non-aliased prefixes and is openly accessible. “Scanning the IPv6 Internet: Towards a Comprehensive Hitlist”, written in 2016 by Oliver Gasser, Quirin Scheitle, Sebastian Gebhard, and Georg Carle, discusses how to construct a hitlist from other sources and perform active reachability measurements on the data. Their 2018 paper (and RIPE77 presentation) titled “Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists”, by Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczyński, Stephen D. Strowes, Luuk Hendriks, and Georg Carle, discussed constructing the IPv6 Hitlist. They discuss performing a longitudinal active measurement study over six months and targeting more than 50 million addresses in a comprehensive hitlist. They used entropy clustering to discover aliased prefixes and leveraged crowdsourcing using AWS MTurk and ProA.
The Center for Applied Internet Data Analysis (CAIDA), based at the San Diego Supercomputer Center on the UC San Diego campus, also has several IPv6 datasets: the Ark IPv6 Topology Dataset, the IPv6 DNS Names Dataset, the IPv6 Routed /48 Topology Dataset, and the IPv6 AS Links Dataset. Security researchers and attackers alike can use this information for remote reconnaissance.
Ramakrishna Padmanabhan, Zhihao Li, Dave Levin, and Neil Spring, at the University of Maryland, wrote a paper in 2015 titled “UAv6: Alias Resolution in IPv6 Using Unused Addresses”. Their paper discussed actively scanning the IPv6 Internet looking for router interfaces that are associated with the same router (alias resolution). They probed the router’s other IPv6 addresses, soliciting ICMPv6 Address Unreachable (AU) errors and using traceroutes and the Too-Big-Trick (TBT) to determine if the aliases are in fact connected to the same router.
One of the important papers in this area is “Entropy/IP: Uncovering Structure in IPv6 Addresses”, by Paweł Foremski, David Plonka, and Arthur Berger (Akamai Technologies), 2016. Entropy/IP is a tool for analyzing patterns in IPv6 addresses; it is not primarily a Target Generation Algorithm (TGA) per se. Their system analyzes and visualizes IPv6 addresses and creates candidate addresses for active scanning.
Another often-cited 2017 paper (and presentation) titled “Target Generation for Internet-wide IPv6 Scanning”, by Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, and Vern Paxson, discusses finding IPv6 seed addresses prior to scanning. The concept is to try to figure out likely IPv6 addresses (using 6Gen) that might be in use ahead of time to save effort performing active probes to confirm reachability.
Since the publication of these papers, many others have been published on Target Generation Algorithms (TGAs) for pre-calculating IPv6 address targets to probe.
- 6Tree: Efficient dynamic discovery of active addresses in the IPv6 address space, 2019
- 6GCVAE: Gated Convolutional Variational Autoencoder for IPv6 Target Generation, 2020
- 6Hit: A Reinforcement Learning-based Approach to Target Generation for Internet-wide IPv6 Scanning, 2020
- 6GAN: IPv6 Multi-Pattern Target Generation via Generative Adversarial Nets with Reinforcement Learning, 2021
- 6VecLM: Language Modeling in Vector Space for IPv6 Target Generation, 2021
- 6Graph: A graph-theoretic approach to address pattern mining for Internet-wide IPv6 scanning, 2022
- 6Forest: An Ensemble Learning-based Approach to Target Generation for Internet-wide IPv6 Scanning, 2022
- AddrMiner: A Comprehensive Global Active IPv6 Address Discovery System, 2022
- DET: Enabling Efficient Probing of IPv6 Active Addresses, 2022
- 6Scan: A High Efficiency Dynamic Internet-Wide IPv6 Scanner With Regional Encoding, 2023
The most recent paper (published in 2023) on this topic is “Target Acquired? Evaluating Target Generation Algorithms for IPv6”, by Lion Steger, Liming Kuang, Johannes Zirngibl, Georg Carle, and Oliver Gasser. This paper discusses the IPv6 hitlist and compares various TGA methods to improve the responsive IPv6 addresses in the hitlist.
The work to develop these hitlists and TGAs gives attackers a head start so they can simply load these IPv6 addresses into their scanning tools and fire away.
IPv6 Scanning Tools
For years, tools like ZMap and Masscan have been trolling the whole IPv4 Internet finding targets. However, these tools didn’t initially support IPv6. Internet scanning tools have evolved to perform broader scanning, including IPv6 targets.
Now there is a new version of ZMapv6 that can send ICMPv6 Echo Requests, TCP SYNs, and UDP probes. This updated version of ZMap was developed by Oliver Gasser and the team of IPv6 security researchers mentioned above, who work at the TUM School of Computation, Information and Technology at the Technical University of Munich.
Masscan has now been updated to perform IPv6 scanning, but there is no need for a “-6” option. Simply use an IPv6 or IPv4 address as the target, or create a text file with the destinations to scan.
ZGrab 2.0 is a fast network scanner written in Go that can perform large-scale IPv6 Internet surveys.
fi6s (Fast IPv6 Scanner) is an IPv6 TCP and UDP port scanner which can scan individual addresses as well as prefix ranges. The destinations can be loaded into the tool with a text file, and you can set the scanning rate with the “max-rate” option.
Yarrp (Yelling at Random Routers Progressively) is an open-source tool developed by Robert Beverly and the team of security researchers previously mentioned who work at NPS and Center for Measurement and Analysis of Network Data (cMAND). Yarrp can perform stateless scanning with randomly chosen destinations and hop-limits. This utility facilitates fast active large-scale Internet remote reconnaissance.
RustScan is a modern and fast IPv6-capable port scanner that runs as a Docker container and claims to scan all 65,536 ports in 3 seconds. It uses adaptive learning to improve itself over time. RustScan internally uses nmap to do all the scanning and is more a multithreaded wrapper on top of nmap than an independent scanner itself.
XMap is another dual-protocol Internet-wide scanner developed by the team in the Network & Information Security Lab at Tsinghua University in Beijing.
There are many utilities that can make the work of large-scale IPv6 Internet scanning easier for attackers or security researchers.
Examples of IPv6 Internet Scanning
Many organizations have observed IPv6 scanning destined for their networks or passing through their transit networks or monitoring systems. In the past few years there have been published works showing examples of large scale IPv6 Internet scanning and analysis of the results.
Attackers could easily discover IPv6-enabled CPE devices using Modified EUI-64 IIDs and comparing how those IIDs moved to new IPv6 prefixes as a result of the DHCPv6-PD prefix rotation policies of various ISPs. This was written about in the 2021 paper “Follow the Scent: Defeating IPv6 Prefix Rotation Privacy”, by Erik Rye, Robert Beverly, and K C Claffy. CPE devices using EUI-64 IIDs have been shown to have security and privacy implications, as documented in “One Bad Apple Can Spoil Your IPv6 Privacy”, by Said Jawad Saidi, Oliver Gasser, and Georgios Smaragdakis.
Performing IPv6 remote reconnaissance of CPE devices using EUI-64 IID was written about in “IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation”. This published paper and Black Hat 2021 presentation (video) by Robert Beverly and Erik C. Rye resulted from their work performed at CMAND, the NPS, and CAIDA. The authors used yarrp to find 60 million CPE devices using EUI-64, and knowledgeably determined the offset of WAN interface MAC and internal/Wi-Fi MACs. From there, they cross-referenced the CPEs’ BSSIDs with geolocation data (from war-drivers, Apple, Google, and others), thus mapping IPv6 addresses to latitude/longitude coordinates. It should be noted that this only works for CPE that use EUI-64, are responsive to probes, and use predictable MACs and Wi-Fi, which unfortunately is many devices. Furthermore, the penultimate hop shows the IPv6 (e.g. /48) prefix of nearby CPEs, even if those are using privacy addresses.
The Shadowserver foundation is a nonprofit organization that collects information on nefarious Internet activity and publishes this data to their subscribers and law enforcement organizations globally. Shadowserver published an article in July 2022 titled “Hello IPv6 Scanning World!” in which they described their IPv6 scanning methods (using DNS, certificate transparency streams, hitlists, and other sources). Piotr Kijewski wrote the APNIC article “Shadowserver now scanning IPv6” on this same topic. Shadowserver used ZMapv6 and ZGrab 2.0 to scan various well-known TCP port numbers. Shadowserver found over 1.3 million Internet-reachable MySQL servers accessible over IPv6. Dave De Coster and Piotr Kijewski gave a presentation at the 2022 FIRST conference titled “Internet Spelunking: IPv6 Scanning and Device Fingerprinting” showing their IPv6 scanning results.
Furthermore, organizations are encouraged to proactively scan their own public-facing IPv4 and IPv6 reachable services as described in the paper “The implications of neglecting IPv6 on your internet facing services”, by Stefan Grimminck, May 12, 2021. In Stefan’s research, they performed port scans and vulnerability scans over IPv4 and IPv6 and compared the results to make sure both protocols were equally protected and noted when they were different.
Akamai observed IPv6 Internet scanning traffic over a 15-month period from their global perspective of CDN servers and observation points. In fact, the IPv6 addresses of their servers can be scanned and do show up on hitlists. Akamai’s Philipp Richter published an article in October 2022 titled “Who’s Scanning the IPv6 Space? And, Frankly, Why Do We Even Care?” Their work also focused on analyzing the source addresses, the ASes, and the volume of scanning traffic. Akamai found that scans are often sourced from a variety of networks and IIDs instead of from a single 128-bit static IPv6 host address. Scanners could use an entire /64, /48, or even /32 to source their scanning traffic, in an attempt to avoid detection and to avoid ending up on a block list. They found that the top scanner sourced traffic from a single 128-bit address, but another source used nearly an entire /32 for the source addresses. They discovered that 93% of the scanning traffic came from just five scanners. Philipp Richter (Akamai), Oliver Gasser (Max Planck Institute for Informatics), and Arthur Berger (Akamai/MIT) wrote a paper they presented at the ACM Internet Measurement Conference 2022 titled “Illuminating Large-Scale IPv6 Scanning in the Internet” discussing this IPv6 Internet scanning activity.
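Because scan sources may be spread across a /64, /48, or /32, per-address counting misses them. The following sketch is an added example, not code from Akamai or from the original article: it aggregates sources at each of those prefix lengths and flags the most specific aggregate that contacts many distinct destinations. The function names, the threshold, and the sample flows (all in the 2001:db8::/32 documentation range) are assumptions.

```python
import ipaddress
from collections import defaultdict

def find_scan_sources(flows, threshold=20, prefix_lengths=(128, 64, 48, 32)):
    """flows: iterable of (src, dst) strings. Returns {IPv6Network: distinct dst count}.

    Sources are grouped at each prefix length, most specific first. A group is
    flagged once it has contacted `threshold` distinct destinations, and its
    flows are then excluded from the coarser aggregation levels.
    """
    remaining = [(ipaddress.IPv6Address(s), ipaddress.IPv6Address(d)) for s, d in flows]
    flagged = {}
    for plen in prefix_lengths:
        targets = defaultdict(set)
        for src, dst in remaining:
            net = ipaddress.IPv6Network((src, plen), strict=False)
            targets[net].add(dst)
        hits = {net: len(d) for net, d in targets.items() if len(d) >= threshold}
        flagged.update(hits)
        # Drop flows already attributed to a flagged aggregate.
        remaining = [(s, d) for s, d in remaining
                     if ipaddress.IPv6Network((s, plen), strict=False) not in hits]
    return flagged

def sample_flows():
    """Constructed (src, dst) pairs standing in for firewall or flow-log records."""
    flows = []
    # Scanner A: one static /128 source probing 40 destinations.
    flows += [("2001:db8:a::1", f"2001:db8:ffff::{i:x}") for i in range(1, 41)]
    # Scanner B: a different source /64 inside 2001:db8:b::/48 for every probe.
    flows += [(f"2001:db8:b:{i:x}::{i:x}", f"2001:db8:ffff::{i:x}") for i in range(1, 41)]
    # Ordinary clients: unrelated sources, all reaching one published service.
    flows += [(f"2001:db8:{0xc00 + i:x}::5", "2001:db8:ffff::80") for i in range(1, 11)]
    return flows

if __name__ == "__main__":
    for net, count in find_scan_sources(sample_flows()).items():
        print(f"{net} contacted {count} distinct destinations")
```

Scanner B never repeats a source address or even a source /64, so it only becomes visible at the /48 level; blocking or alerting per /128 would not catch it.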
Conclusions
Internet-wide IPv6 active scanning is possible and is being performed at this very moment. It is also feasible to scan private IPv6 networks just as easily and it is trivial to discover targets on a link-local access network. The tools exist to perform IPv6 Internet scanning and there are hitlists of IPv6 addresses to make reconnaissance even easier. Every organization connected to the IPv6 Internet can observe this scanning traffic.
Secrecy of an organization’s global IPv6 prefix, its networks, and the individual IPv6 addresses assigned to hosts should not be relied upon as the sole security measure. In other words, sooner or later the IPv6 address could be discovered by a remote or local attacker, so “security through obscurity” of the IPv6 address is not a valid security measure.
Just as end nodes have moved away from using the EUI-64 method of configuring their IPv6 IID, CPE devices should also deprecate this method toward RFC 8064 “Recommendation on Stable IPv6 Interface Identifiers” methods.
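To find which of your own devices still use Modified EUI-64 IIDs, and are therefore recognizable across prefix rotation as described earlier, an address inventory can be audited as follows. This is an added example, not code from the cited papers or the original article; the function names and the sample inventory (documentation-range prefixes, made-up MACs) are assumptions.

```python
import ipaddress
from collections import defaultdict

def eui64_mac(addr):
    """Return the MAC embedded in a Modified EUI-64 IID, or None if the IID is not EUI-64.

    A Modified EUI-64 IID carries ff:fe in its middle two bytes and the MAC's
    universal/local bit inverted in the first byte. A random IID matches the
    ff:fe marker by chance about once in 65,536, so treat single hits as leads.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def trackable_devices(addresses):
    """Map each recovered MAC to the sorted /64 prefixes it was observed in."""
    seen = defaultdict(set)
    for addr in addresses:
        mac = eui64_mac(addr)
        if mac:
            seen[mac].add(str(ipaddress.IPv6Network((addr, 64), strict=False)))
    return {mac: sorted(prefixes) for mac, prefixes in seen.items()}

# Constructed inventory, e.g. exported from IPAM or neighbor-cache snapshots.
SAMPLE_INVENTORY = [
    "2001:db8:1:10:211:22ff:fe33:4455",   # EUI-64 device, first prefix
    "2001:db8:2:77:211:22ff:fe33:4455",   # same device after a prefix change
    "2001:db8:1:10:a8bb:ccff:fedd:eeff",  # EUI-64 from a locally administered MAC
    "2001:db8:1:10:5c1d:9a3e:77b2:c41",   # random-looking IID, not EUI-64
    "2001:db8:3::1",                      # manually assigned low-byte address
]

if __name__ == "__main__":
    for mac, prefixes in trackable_devices(SAMPLE_INVENTORY).items():
        print(mac, "seen in", ", ".join(prefixes))
```

Any MAC that appears under more than one /64 identifies a device whose IID survives renumbering; those are the candidates to move to RFC 8064 stable identifiers.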
Enterprises may want to utilize these techniques themselves to proactively check which IPv6 networks and addresses are reachable within their environments. Enterprises may want to consider these techniques when performing IPv6 network-based vulnerability scanning.