> Shodan has servers located around the world that crawl the Internet 24/7 to provide the latest Internet intelligence.
That needs to sink in for anyone ever allowing themselves to believe the fallacy that they can slip under the radar with a security vulnerability or sleeping soundly with security by obfuscation. You aren't a computer port hiding on one specific computer on the internet, you are data trying to hide in a relational database.
Does IPv6 reduce the feasibility of full Web port scans? If so that to me would be a compelling reason to use IPv6 beyond “it’s the right thing to do”.
Not really. I scan the internet in a similar fashion to Shodan and have found some promising methods to do host discovery. You obviously can't guarantee 100% coverage, but you can get a reasonable percentage without having to do an exhaustive incremental scan.
> You obviously can't guarantee 100% coverage, but you can get a reasonable percentage without having to do an exhaustive incremental scan.
Depends on what you mean by "a reasonable percentage" there.
If you can scan all of 2^32 addresses in IPv4 in ~5mins (as suggested elsewhere in this thread), then it'd take something like 75,000,000,000,000,000,000,000 years to do the same for all 2^128 addresses in IPv6.
It's possible you've got a technique to find "a reasonable percentage" of all devices listening/responding on IPv6 addresses, but unless 10^-22% is "a reasonable percentage" - then no, you can't randomly portscan IPv6 and ever even realistically expect to connect to anything at all, never mind come up with some Shodan-like map of almost the entire address space.
This mostly just moves the problem from brute forcing into dictionary attacks though, similar to how passwords get mostly attacked these days. Any IPv6 address that's doing anything on the internet leaves traces of its existence/activity somewhere. I'm guessing there are people popping log files and monitoring major traffic interchanges, and creating their own haveibeenpwned-style lists of IPv6 addresses that're actually in use, then selectively scanning them and probably the closely related subnets of them. If your "promising methods of host discovery" extend radially beyond that, I'd be super interested if you're prepared to share them?
The reasonable percentage is still relatively high because while the number of addresses goes up stupid fast, the number of hosts connected to the internet does not. The distribution of hosts across allocated blocks is also not random, dhcp6 implementations have predictable allocators so they don't have to keep 4 bn records in memory.
Almost all machines are dual homed, which gives you opportunities for them to leak their v6 address over v4. Once you find a statistically significant sample of addresses you can figure out how each network allocates addresses and then scan them until you start turning up no new hits. For example on my v6 blocks I just use the same last octet as their v4 addresses.
You can buy "passive DNS" which is anonymous records of DNS queries and their answers.
So e.g. you can see that the answer for www.google.com was 2a00:1450:4009:81a::2004 for somebody at about 0200 UTC today, but the people providing this data don't provide (and in some cases may not know or be contractually obligated never to tell) "who" asked that question and got that answer.
So this is pretty useful if you're trying to figure out which DNS names exist (as a startup I worked for were doing) and if they have an AAAA record then you get all those records.
If you've got a deliberately public IPv6 server it's very likely it can be found by this sort of method.
Do your maths again though. The smallest allowed conventional subnet in IPv6 is 64 bits wide. So surveying "closely related subnets" is 4 billion times more work than surveying the entire IPv4 Internet.
If there's a machine with IPv6 privacy addressing on a "closely related subnet" you're just never going to find it by brute force.
I wonder what percentage of IP addresses have a DNS name that ever gets looked up? I seriously doubt my residential internet connection's ISP-supplied DNS name ever gets queried... And I wonder if the numbers change there for IPv4 vs IPv6?
The people who run shodan.io are trying to find workarounds to mitigate that. They were caught a few years ago adding their servers to NTP server pools, and scanning any IPv6 addresses that connected to their NTP server.
All of the NTP servers had hostnames ending in "shodan.io". The pool account itself was registered using a shodan.io email address. I told the pool operator what we were doing. And I answered anybody who emailed me asking about it (including Brad before he wrote a blog post pretending that he figured it out by himself). At no point were we trying to hide this activity and we made no attempts to do so. I understand that to the end-user this was an unexpected way to discover IPv6 but we really weren't trying to hide it and Brad conveniently didn't mention in his blog post that I told him what we were doing.
It seems like splitting hairs to say that you didn't try to hide it, but most end-users didn't know that it was being done. It'd be like me recording my neighbors through their window and claiming there is nothing wrong with it because I haven't tried to hide it from them, even though I also didn't let them know I was doing it.
I don't think that's a good comparison but I doubt we'll agree on it and I'm obviously biased on the matter. I hope the additional context will help readers make their own decision.