Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

3/20/2019
07:30 PM
50%
50%

Researchers Seek Out Ways to Search IPv6 Space

Security researchers regularly search IPv4 address space looking for servers with ports exposing vulnerable software. With the massive number of IPv6 addresses, however, they have lost that ability. Can tricks and workarounds save the day?

In April 2014, Google announced that one of its researchers had found a critical vulnerability in the widely deployed OpenSSL software used to encrypt connections to Web servers and other Internet hosts. 

To assess the risk from the vulnerability, security professionals and academic researchers began scanning the 4.3 billion addresses on the Internet, looking for unpatched servers vulnerable to the now-infamous Heartbleed flaw. Researchers were not the only ones searching the entire Internet. Within a few days, attacks came from more than 700 different sources, according to a 2014 paper published by a team of researchers from various universities.

The ability to gain similar intelligence in the future may disappear, however. About a quarter of Internet users currently connect to Google over IPv6, up from 5% four years ago, according to data collected by the search giant. As service providers adopt the next-generation Internet protocol, IPv6 will become more common, and researchers worry that their ability to exhaustively search the network will fail. 

"As the number of IPv6 users continues to increase, we are beginning to see some of the security implications present in many of the default configurations being deployed around the world," says Earl Carter, manager of security research at Cisco. "This has contributed to many of the threats that are being encountered by organizations on a daily basis," he says.

Time for a little math.

The IPv6 Internet has 2^128 addresses, or 3.4 times 10^38 — an astronomical number. (For comparison, astronomers estimate that there are 2 times 10^23 stars in the universe, which means there are a million billion times more IPv6 addresses than stars.) If it took a single second to scan the entire IPv4 address space, it would take 25 billion billion centuries to scan all of the IPv6 address space.

In a March 18 blog post, two members of the Cisco Talos research group highlighted the issue.

"Enumerating all active hosts by scanning all of this address space is practically, and theoretically, infeasible," wrote Martin Zeiser and Aleksandar Nikolich. "With the greater adoption of IPv6, this threatens to hide an ever-larger number of hosts in future internet surveys. This is especially critical as a growing number of unsecured internet-of-things devices come online."

Yet researchers should not be counted out quite yet. While an exhaustive search of the IPv6 Internet is not possible, researchers have been searching for workarounds that could allow them to find active systems in the dark recesses of the IPv6 Internet.

"It comes down to tricks," said Tod Beardsley, research director at vulnerability-management firm Rapid7. "IPv6 is a ginormous space. ... Your server cannot be found unless you are advertising its address."

Rapid7 regularly scans the entire IPv4 Internet for 70 different protocols under its Project Sonar service, which feeds the company's other security and threat-intelligence products. In 2018, the company found that the United States had the most exposed systems, including 6.1 million exposed databases and 1.2 million exposed SMB servers.

The company has not yet developed a way to provide a similar service under IPv6, Beardsley said.

In their blog post, the two Cisco Talos researchers described one way that servers could be located in the dark matter of the IPv6 space. Universal Plug and Play (UPnP), a protocol designed to allow automated network discovery on local networks, is often exposed to the Internet and can be used to fool devices into revealing their IPv6 addresses. 

By sending out a UPnP notify packet to every IPv4 address, the research duo found about 12,000 devices that advertised their IPv6 addresses. Most of the devices were consumer devices, such as security cameras, smart TVs, and, in some cases, Windows machines set up as BitTorrent peers.

"Even though our resulting dataset is small, it represents a unique subset of active IPv6 devices which were so far unexplored," the researchers stated. "Users should ensure that their devices don't have unintentional IPv6 connectivity or if it's intentional, that it's adequately firewalled."

Others have also found some ways around the enormous, and sparsely populated, IPv6 address space. The scanning service Shodan, which offers a searchable database of exposed Internet services, exploited the details of a widely used pool of servers that allow others to synchronize times, according to a description published by the SANS ISC Internet Forum. A server that wants to update its time to the global norm contacts its default Network Time Protocol (NTP) servers and requests the latest time. To do so, it has to provide its address. Servers using an IPv6 address essentially announce themselves, says Johannes Ullrich, dean of research for the SANS Technology Institute.

"Shodan came up with this ingenious idea of having systems connect to them," he says. "And, of course, there is nothing that you can do at that point, and they will scan you based on that. That is one of the more efficient ways to find IPv6 hosts."

The question for companies is whether being scanned is good or bad. While it could allow altruistic researchers the ability to find unknown problems and notify the company, more often attackers will use scanning to find servers vulnerable to a specific attack. 

"As a first step, you probably should 'fix' your NTP infrastructure," Ullrich stated in the blog post. "Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside."

Related Content

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tom.kuznicki
50%
50%
tom.kuznicki,
User Rank: Apprentice
3/21/2019 | 5:13:17 AM
IPv6 address patterns
This reminds me of a presentation I've seen about using patterns in IPv6 addressing to make the search space smaller: https://www.ipv6.org.uk/wp-content/uploads/2018/10/fgont-uk2017-ipv6-security-tools.pdf
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15160
PUBLISHED: 2019-08-19
The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.