Part one of this article<\/a> discussed how it was previously believed that IPv6 scanning was nearly impossible.\u00a0 But it is trivial to scan IPv6 addresses that are on the local link, in DNS, easily guessed, or found using other creative methods.\u00a0 IPv6 addresses can also be found in other places and then used for active scanning.<\/p>\n People have been creating lists of Internet-reachable IPv6 addresses for years.\u00a0 This is akin to the early ARPANET \/etc\/hosts<\/a> (or yellow pages) for the IPv6 Internet.\u00a0 The IPv6 Hitlist<\/a> Service is a large list of known and responsive IPv6 addresses<\/a> on the public Internet.\u00a0 It has aliased<\/a> and non-aliased prefixes<\/a> and is openly accessible.\u00a0 \u201cScanning the IPv6 Internet: Towards a Comprehensive Hitlist<\/a>\u201d, written in 2016 by Oliver Gasser, Quirin Scheitle, Sebastian Gebhard, and Georg Carle, discusses how to construct a hitlist from other sources and perform active reachability measurements on the data.\u00a0 Their 2018 paper (and RIPE77 presentation<\/a>) titled \u201cClusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists<\/a>\u201d, by Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczy\u0144ski, Stephen D. Strowes, Luuk Hendriks, and Georg Carle, discussed constructing the IPv6 Hitlist.\u00a0 They discuss performing a longitudinal active measurement study over six months and targeting more than 50 million addresses in a comprehensive hitlist.\u00a0 They used entropy clustering to discover aliased prefixes and leveraged crowdsourcing using AWS MTurk and ProA.<\/p>\n The Center for Applied Internet Data Analysis (CAIDA<\/a>), based at the San Diego Supercomputer Center on the UC San Diego campus, also has several IPv6 datasets<\/a>: the Ark IPv6 Topology Dataset<\/a>, the IPv6 DNS Names Dataset<\/a>, the IPv6 Routed \/48 Topology Dataset<\/a>, and the IPv6 AS Links Dataset<\/a>.\u00a0 Security researchers and attackers alike can use this information for remote reconnaissance.<\/p>\n Ramakrishna Padmanabhan, Zhihao Li, Dave Levin, and Neil Spring, at the University of Maryland, wrote a paper in 2015 titled \u201cUAv6: Alias Resolution in IPv6 Using Unused Addresses<\/a>\u201d.\u00a0 Their paper discussed actively scanning the IPv6 Internet looking for router interfaces that are associated with the same router (alias resolution).\u00a0 They probed the router\u2019s other IPv6 addresses, soliciting ICMPv6 Address Unreachable (AU) errors and using traceroutes and the Too-Big-Trick (TBT) to determine if the aliases are in fact connected to the same router.<\/p>\n One of the important papers in this area is \u201cEntropy\/IP: Uncovering Structure in IPv6 Addresses<\/a>\u201d, by Pawe\u0142 Foremski, David Plonka, and Arthur Berger (Akamai Technologies), 2016.\u00a0 Entropy\/IP is a tool for analyzing patterns in IPv6 addresses; it is not primarily a Target Generation Algorithm (TGA) per se.\u00a0 Their system analyzes and visualizes IPv6 addresses and creates candidate addresses for active scanning.<\/p>\n Another often-cited 2017 paper (and presentation<\/a>) titled \u201cTarget Generation for Internet-wide IPv6 Scanning<\/a>\u201d, by Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, and Vern Paxson, discusses finding IPv6 seed addresses prior to scanning.\u00a0 The concept is to try to figure out likely IPv6 addresses (using 6Gen) that might be in use ahead of time to save effort performing active probes to confirm reachability.<\/p>\n Since the publication of these papers, there have been many other papers published on many other Target Generation Algorithms (TGAs) for pre-calculating IPv6 address targets to probe.<\/p>\n The most recent paper (published in 2023) on this topic is \u201cTarget Acquired? Evaluating Target Generation Algorithms for IPv6<\/a>\u201d, by Lion Steger, Liming Kuang, Johannes Zirngibl, Georg Carle, and Oliver Gasser.\u00a0 This paper discusses the IPv6 hitlist and compares various TGA methods to improve the responsive IPv6 addresses in the hitlist.<\/p>\n The work to develop these hitlists and TGAs gives attackers a head start so they can simply load these IPv6 addresses into their scanning tools and fire away.<\/p>\n For years, tools like ZMap<\/a> and Masscan<\/a> have been trolling the whole IPv4 Internet finding targets.\u00a0 However, these tools didn\u2019t initially support IPv6.\u00a0 Internet scanning tools have evolved to perform broader scanning, including IPv6 targets.<\/p>\n Now there is a new version of ZMapv6<\/a> that can send ICMPv6 Echo Requests, TCP SYNs, and UDP probes.\u00a0 This updated version of ZMap was developed by Oliver Gasser and the team of IPv6 security researchers mentioned above, who work at the TUM School of Computation, Information and Technology at the Technical University of Munich.<\/p>\n Masscan<\/a> has now been updated to perform IPv6 scanning but there is no need for a \u201c-6\u201d option.\u00a0 Simply use an IPv6 or IPv4 address as the targets or create a text file with the destinations to scan.<\/p>\n ZGrab 2.0<\/a> is a fast network scanner written in Go that can perform large-scale IPv6 Internet surveys.<\/p>\n fi6s<\/a> (Fast IPv6 Scanner) is an IPv6 TCP and UDP port scanner which can scan individual addresses as well as prefix ranges.\u00a0 The destinations can be loaded into the tool with a text file, and you can set the scanning rate with the \u201cmax-rate\u201d option.<\/p>\n Yarrp<\/a> (Yelling at Random Routers Progressively) is an open-source tool developed by Robert Beverly and the team of security researchers previously mentioned who work at NPS and Center for Measurement and Analysis of Network Data<\/a> (cMAND).\u00a0 Yarrp can perform stateless scanning with randomly chosen destinations and hop-limits.\u00a0 This utility facilitates fast active large-scale Internet remote reconnaissance.<\/p>\n RustScan<\/a> is a modern and fast IPv6-capable port scanner that runs as a Docker container that claims to scan all 65,536 ports in 3 seconds.\u00a0 It uses adaptive learning to improve itself over time.\u00a0 RustScan internally uses nmap<\/a> to do all the scanning and is more a multithreaded wrapper on top of nmap than an independent scanner itself.<\/p>\n XMap<\/a> is another dual-protocol Internet-wide scanner developed by the team in the Network & Information Security Lab at Tsinghua University in Beijing.<\/p>\n There are many utilities that can make the work of large-scale IPv6 Internet scanning easier for attackers or security researchers.<\/p>\n Many organizations have observed IPv6 scanning destined for their networks or passing through their transit networks or monitoring systems.\u00a0 In the past few years there have been published works showing examples of large scale IPv6 Internet scanning and analysis of the results.<\/p>\n Attackers could easily discover IPv6-enabled CPE devices using Modified EUI-64 IIDs<\/a> and comparing how those IIDs moved to new IPv6 prefixes as a result of the DHCPv6-PD prefix rotation policies of various ISPs.\u00a0 This was written about in the paper \u201cFollow the Scent: Defeating IPv6 Prefix Rotation Privacy<\/a>\u201d, by Erik Rye, Robert Beverly, and K C Claffy. 2021.\u00a0 CPE devices using EUI-64 IIDs have been shown to have security privacy implications, as documented in \u201cOne Bad Apple Can Spoil Your IPv6 Privacy<\/a>\u201d, by Said Jawad Saidi, Oliver Gasser, and Georgios Smaragdakis.<\/p>\n Performing IPv6 remote reconnaissance of CPE devices using EUI-64 IID was written about in \u201cIPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation<\/a>\u201d.\u00a0 This published paper and Black Hat 2021 presentation<\/a> (video<\/a>) by Robert Beverly and Erik C. Rye resulted from their work performed at CMAND, the NPS, and CAIDA.\u00a0 The authors used yarrp to find 60 million CPE devices using EUI-64, and knowledgeably determined the offset of WAN interface MAC and internal\/Wi-Fi MACs.\u00a0 From there, they cross-referenced the CPEs\u2019 BSSIDs with geolocation data (from war-drivers, Apple, Google, and others), thus mapping IPv6 addresses to latitude\/longitude coordinates.\u00a0 It should be noted that this only works for CPE that use EUI-64, are responsive to probes, and use predictable MACs and Wi-Fi, which unfortunately is many devices.\u00a0 Furthermore, the penultimate hop shows the IPv6 (e.g. \/48) prefix of nearby CPEs, even if those are using privacy addresses.<\/p>\n The Shadowserver<\/a> foundation is a nonprofit organization that collects information on nefarious Internet activity and publishes this data to their subscribers and law enforcement organizations globally.\u00a0 Shadowserver published an article in July 2022 titled \u201cHello IPv6 Scanning World!<\/a>\u201d in which they described their IPv6 scanning methods (using DNS, certificate transparency streams, hitlists, and other sources).\u00a0 Piotr Kijewski wrote the APNIC article \u201cShadowserver now scanning IPv6<\/a>\u201d on this same topic.\u00a0 Shadowserver\u00a0 used ZMapv6 and ZGrab 2.0 to scan various well-known TCP port numbers.\u00a0 Shadowserver found over 1.3 million Internet-reachable MySQL servers<\/a> accessible over IPv6.\u00a0 Dave De Coster and Piotr Kijewski gave a presentation at the 2022 FIRST conference<\/a> titled \u201cInternet Spelunking: IPv6 Scanning and Device Fingerprinting<\/a>\u201d showing their IPv6 scanning results.<\/p>\n Furthermore, organizations are encouraged to proactively scan their own public-facing IPv4 and IPv6 reachable services as described in the paper \u201cThe implications of neglecting IPv6 on your internet facing services<\/a>\u201d, by Stefan Grimminck, May 12, 2021.\u00a0 In Stefan\u2019s esearch, they performed port scans and vulnerability scans over IPv4 and IPv6 and compared the results to make sure both protocols were equally protected and noted when they were different.<\/p>\n Akamai observed IPv6 Internet scanning traffic over a 15-month period from their global perspective of CDN servers and observation points.\u00a0 In fact, the IPv6 addresses of their servers can be scanned and do show up on hitlists.\u00a0 Akamai\u2019s Philipp Richter published an article in October 2022 titled \u201cWho\u2019s Scanning the IPv6 Space? And, Frankly, Why Do We Even Care?<\/a>\u201d\u00a0 Their work also focused on analyzing the source addresses, the ASes, and the volume of scanning traffic.\u00a0 Akamai found that scans are often sourced from a variety of networks and IIDs instead of from a single 128-bit static IPv6 host address.\u00a0 Scanners could use an entire \/64, \/48, or even \/32 to source their scanning traffic, attempting to avoid detection and ending up on a block list.\u00a0 They found that the top scanner sourced traffic from a single 128-bit address, but another source used nearly an entire \/32 for the source addresses.\u00a0 They discovered that 93% of the scanning traffic came from just five scanners.\u00a0 Philipp Richter (Akamai), Oliver Gasser (Max Planck Institute for Informatics), and Arthur Berger (Akamai\/MIT) wrote a paper they presented at the ACM Internet Measurement Conference 2022 titled \u201cIlluminating Large-Scale IPv6 Scanning in the Internet<\/a>\u201d discussing this IPv6 Internet scanning activity.<\/p>\n Internet-wide IPv6 active scanning is possible and is being performed at this very moment.\u00a0 It is also feasible to scan private IPv6 networks just as easily and it is trivial to discover targets on a link-local access network.\u00a0 The tools exist to perform IPv6 Internet scanning and there are hitlists of IPv6 addresses to make reconnaissance even easier.\u00a0 Every organization connected to the IPv6 Internet can observe this scanning traffic.<\/p>\n Knowledge of an organization\u2019s global IPv6 prefix address, their networks, and the individual IPv6 addresses assigned to hosts should not be a security measure that is solely relied upon.\u00a0 In other words, sooner or later the IPv6 address could be discovered by a remote or local attacker, so \u201csecurity through obscurity\u201d of the IPv6 address is not a valid security measure.<\/p>\n Just as end nodes have moved away from using the EUI-64 method of configuring their IPv6 IID, CPE devices should also deprecate this method toward RFC 8064<\/a> \u201cRecommendation on Stable IPv6 Interface Identifiers\u201d methods.<\/p>\nIPv6 Hitlists and Target Generation Algorithms (TGAs)<\/h3>\n
\n
IPv6 Scanning Tools<\/h3>\n
Examples of IPv6 Internet Scanning<\/h3>\n
Conclusions<\/h3>\n