How discoverable are IPv6 addresses and AAAA names by potential attackers?

Philip Couling asked:

It is fairly standard to receive a significant number of minor hacking attempts each day trying common username / passwords for services like SSH and SMTP. I’ve always assumed these attempts are using the “small” address space of IPv4 to guess IP addresses. I notice that I get zero hacking attempts on IPv6 despite my domain having AAAA Name records mirroring every A Name record and all IPv4 services are also open to IPv6.

Assuming a public DNS (AWS route 53) with an obscure subdomain pointing to a reasonably randomised \64 suffix; Are IPv6 addresses and / subdomains remotely discoverable without trying every address in a \64 bit prefix or every subdomain in a very long list of common names?

I am of course aware that crawling the web looking for listed (sub)domain names is simple enough. I’m also aware that machines on the same subnet can use NDP. I’m more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.

My answer:

Malicious bots don’t guess IPv4 addresses anymore. They simply try them all. On modern systems this can take as little as a few hours.

With IPv6, this is not really possible any longer, as you’ve surmised. The address space is so much larger that it’s not even possible to brute-force scan a single /64 subnet within a human lifetime.

Bots will have to get more creative if they are to continue blind scanning on IPv6 as on IPv4, and malicious bot operators will have to get accustomed to waiting far longer between finding any machines, let alone vulnerable ones.

Fortunately for the bad guys and unfortunately for everyone else, IPv6 adoption has gone much more slowly than it really should have. IPv6 is 23 years old but has only seen significant adoption in the last five years or so. But everyone is keeping their IPv4 networks active, and extremely few hosts are IPv6-only, so malicious bot operators have had little incentive to make the switch. They probably won’t do until there is a significant abandonment of IPv4, which probably won’t happen in the next five years.

I expect that blind guessing probably won’t be productive for malicious bots, when they finally do move to IPv6, so they’ll have to move to other means, like brute-forcing DNS names, or targeted brute-forcing of small subsets of each subnet.

For instance, a common DHCPv6 server configuration gives out addresses in ::100 through ::1ff by default. That’s just 256 addresses to try, out of a whole /64. Reconfiguring the DHCPv6 server to pick addresses from a much larger range mitigates this problem.

And using modified EUI-64 addresses for SLAAC reduces the search space to 2^24 multiplied by the number of assigned OUIs. While this is over 100 billion addresses, it’s far less than 2^64. Random bots won’t bother to search this space, but state-level malicious actors will, for targeted attacks, especially if they can make educated guesses as to which NICs might be in use, to reduce the search space further. Using RFC 7217 stable privacy addresses for SLAAC is easy (at least on modern operating systems that support it) and mitigates this risk.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.