Researchers Seek Out Ways to Search IPv6 Space

Security researchers regularly search IPv4 address space looking for servers with ports exposing vulnerable software. With the massive number of IPv6 addresses, however, they have lost that ability. Can tricks and workarounds save the day?

5 Min Read
Dark Reading logo in a gray background | Dark Reading

In April 2014, Google announced that one of its researchers had found a critical vulnerability in the widely deployed OpenSSL software used to encrypt connections to Web servers and other Internet hosts. 

To assess the risk from the vulnerability, security professionals and academic researchers began scanning the 4.3 billion addresses on the Internet, looking for unpatched servers vulnerable to the now-infamous Heartbleed flaw. Researchers were not the only ones searching the entire Internet. Within a few days, attacks came from more than 700 different sources, according to a 2014 paper published by a team of researchers from various universities.

The ability to gain similar intelligence in the future may disappear, however. About a quarter of Internet users currently connect to Google over IPv6, up from 5% four years ago, according to data collected by the search giant. As service providers adopt the next-generation Internet protocol, IPv6 will become more common, and researchers worry that their ability to exhaustively search the network will fail. 

"As the number of IPv6 users continues to increase, we are beginning to see some of the security implications present in many of the default configurations being deployed around the world," says Earl Carter, manager of security research at Cisco. "This has contributed to many of the threats that are being encountered by organizations on a daily basis," he says.

Time for a little math.

The IPv6 Internet has 2^128 addresses, or 3.4 times 10^38 — an astronomical number. (For comparison, astronomers estimate that there are 2 times 10^23 stars in the universe, which means there are a million billion times more IPv6 addresses than stars.) If it took a single second to scan the entire IPv4 address space, it would take 25 billion billion centuries to scan all of the IPv6 address space.

In a March 18 blog post, two members of the Cisco Talos research group highlighted the issue.

"Enumerating all active hosts by scanning all of this address space is practically, and theoretically, infeasible," wrote Martin Zeiser and Aleksandar Nikolich. "With the greater adoption of IPv6, this threatens to hide an ever-larger number of hosts in future internet surveys. This is especially critical as a growing number of unsecured internet-of-things devices come online."

Yet researchers should not be counted out quite yet. While an exhaustive search of the IPv6 Internet is not possible, researchers have been searching for workarounds that could allow them to find active systems in the dark recesses of the IPv6 Internet.

"It comes down to tricks," said Tod Beardsley, research director at vulnerability-management firm Rapid7. "IPv6 is a ginormous space. ... Your server cannot be found unless you are advertising its address."

Rapid7 regularly scans the entire IPv4 Internet for 70 different protocols under its Project Sonar service, which feeds the company's other security and threat-intelligence products. In 2018, the company found that the United States had the most exposed systems, including 6.1 million exposed databases and 1.2 million exposed SMB servers.

The company has not yet developed a way to provide a similar service under IPv6, Beardsley said.

In their blog post, the two Cisco Talos researchers described one way that servers could be located in the dark matter of the IPv6 space. Universal Plug and Play (UPnP), a protocol designed to allow automated network discovery on local networks, is often exposed to the Internet and can be used to fool devices into revealing their IPv6 addresses. 

By sending out a UPnP notify packet to every IPv4 address, the research duo found about 12,000 devices that advertised their IPv6 addresses. Most of the devices were consumer devices, such as security cameras, smart TVs, and, in some cases, Windows machines set up as BitTorrent peers.

"Even though our resulting dataset is small, it represents a unique subset of active IPv6 devices which were so far unexplored," the researchers stated. "Users should ensure that their devices don't have unintentional IPv6 connectivity or if it's intentional, that it's adequately firewalled."

Others have also found some ways around the enormous, and sparsely populated, IPv6 address space. The scanning service Shodan, which offers a searchable database of exposed Internet services, exploited the details of a widely used pool of servers that allow others to synchronize times, according to a description published by the SANS ISC Internet Forum. A server that wants to update its time to the global norm contacts its default Network Time Protocol (NTP) servers and requests the latest time. To do so, it has to provide its address. Servers using an IPv6 address essentially announce themselves, says Johannes Ullrich, dean of research for the SANS Technology Institute.

"Shodan came up with this ingenious idea of having systems connect to them," he says. "And, of course, there is nothing that you can do at that point, and they will scan you based on that. That is one of the more efficient ways to find IPv6 hosts."

The question for companies is whether being scanned is good or bad. While it could allow altruistic researchers the ability to find unknown problems and notify the company, more often attackers will use scanning to find servers vulnerable to a specific attack. 

"As a first step, you probably should 'fix' your NTP infrastructure," Ullrich stated in the blog post. "Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside."

Related Content

About the Author

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights