Shadowserver now scanning IPv6

By on 15 Aug 2022

Category: Tech matters

Tags: , ,

Blog home

In recent months, Shadowserver has been systematically rolling out IPv6 scanning of services. Blindly scanning the full IPv6 space is, of course, completely unfeasible as the total IPv6 space is about 3.4×10^38 unique addresses (that’s 340 trillion trillion trillion addresses). With Shadowserver’s current capabilities, it would take roughly 2×10^25 years to scan the entire IPv6 space. Scanning all IPv4 space, for comparison, typically takes us minutes, because there are only about 4.3 billion addresses, of which we scan 3.7 billion addresses.

A variety of techniques have been proposed to solve the IPv6 scanning problem. Essentially, it is about finding ways to narrow down potential IPv6 address deployments to allow for more targeted scanning. For an introduction to IPv6 scanning please read 2016’s ‘Network Reconnaissance in IPv6 networks’ (RFC 7707). Since that time, far more literature on this topic has become available.

At the 2022 FIRST conference in Dublin, we at Shadowserver gave a presentation on Internet Spelunking: IPv6 Scanning and Device Fingerprinting, which forms the basis of this article. You can find the slides here.

How Shadowsever scans

We chose to conduct our IPv6 scanning based on hit lists of IPv6 addresses observed being used in the wild. We compile a list of /128 addresses from various internal and external sources, which include:

  • DNS AAAA records (passive DNS)
  • Certificate transparency streams
  • The IPv6 hitlist
  • Sinkholes
  • Other lists sourced from partners

These combined sources form our IPv6 hitlist, which currently contains up to 1 billion individual (/128) IPv6 addresses. Once an IPv6 address enters our hitlist, it stays there for 30 days before dropping out, unless it generates scanning hits (that is, when an IPv6 address responds positively to at least one of our scans).

IPv6 scanning is still in its infancy. As such, there are far fewer scanning tool options available compared to IPv4. For Shadowserver’s IPv6 scanning, we use an IPv6-aware version of zmap – zmap6 – as well as zgrab/zgrab2. The latter two tools both feature native IPv6 support.

Observations on tool performance

We find IPv6 scanning to be slower than IPv4 since it requires less aggressive timing than IPv4. We start experiencing potential packet loss at 100,000pps for IPv6 compared to 500,000pps for IPv4. For IPv6, we start to experience packet loss at 1,500 concurrent senders, versus 3,500 for IPv4.

The average number of IPs/second that can be processed by zmap6 on our scanning infrastructure is as follows:

  • IPv4: 243,116 IPs/second
  • IPv6: 58,542 IPs/second

As can be seen above, zmap IPv6 scanning is over four times slower than IPv4. If we include all the scanning and processing of data (not just zmap) across the aggregation of IPv4 and IPv6 scans, the numbers for IPv6 look even slower:

  • IPv4: 116 348 IPs/second
  • IPv6: 11 009 IPs/second

Results

Currently (at 13 July 2022), we scan for nine different services on IPv6 via 11 different ports, as shown in Table 1:

ScanPortResponses
SSL443/TCP8,375,757
SSL8443/TCP230,687
SMTP25/TCP408,367
Telnet23/TCP24,377
SSH22/TCP849,193
HTTP80/TCP118,704,816
HTTP8080/TCP415,197
MySQL3306/TCP1,697,870
FTP21/TCP1,405,128
PostgreSQL5432/TCP10,712
RDP3389/TCP21,887

Table 1 — IPv6 services responding on 11 July 2022.

Data on all services shown in Table 1 is shared daily in our free threat feeds, filtered by subscriber networks or constituencies.

For scans that we consider to be just ‘population’ scans (that is, not reporting usage of vulnerable or weak protocols) like HTTP, SSL (HTTPS), SSH, and so on, we find the highest exposure by far to be in the United States (119.6M), followed by Denmark (1.37M), Germany (657K), and the Netherlands (455K).

Map showing accessible SSL/HTTP/SSH services (population scan) by unique IPv6 on 11 July 2022.
Figure 1 — Accessible SSL/HTTP/SSH services (population scan) by unique IPv6 on 11 July 2022.
Chart showing accessible SSL/HTTP/SSH services (population scan) by unique IPv6 on 11 July 2022.
Figure 2 — Accessible SSL/HTTP/SSH services (population scan) by unique IPv6 on 11 July 2022.

For exposed/vulnerable services, we find the highest exposure to be in the United States (636.8K), followed by the Netherlands (366K), Singapore (273.5K), and Germany (250.7K).

Map showing accessible vulnerable/abusable or exposed services by unique IPv6 on 11 July 2022.
Figure 3 — Accessible vulnerable/abusable or exposed services by unique IPv6 on 11 July 2022.
Chart showing accessible vulnerable/abusable or exposed services by unique IPv6 on 11 July 2022.
Figure 4— Accessible vulnerable/abusable or exposed services by unique IPv6 on 11 July 2022.

Observations on results

Here are a few observations on how services compare between IPv4 and IPv6.

SSL

  • Fewer hosts with old ciphers (SSLv3, TLSv1.0, TLSv1.1) on IPv6
  • 3.86% IPv4 vs 0.04% IPv6

FTP

  • Far higher ratio of FTP+SSL on IPv6
  • 55% IPv4 vs 91% IPv6

MySQL

  • Far fewer hosts with deny rules on IPv6
  • 42% IPv4 vs 4% IPv6

RDP

  • Interestingly, we uncovered around 22,000 RDP services accessible on IPv6. This is an area of security concern, as exposed Remote Desktop (RDP) instances are often exploited by bad actors. We still see over 3.2M exposed RDP instances on IPv4. While IPv6 amounts are much lower, the number is still significant.
  • Based on SSL certificate comparison with RDP scans for IPv6 hit lists and the entirety of IPv4, we find only around SSL 1,500 certificates that overlap. This may suggest many of the hosts found on IPv6 are uniquely exposed on IPv6 only.

TELNET vs SSH

  • The lower ratio of TELNET vs SSH suggests less legacy equipment on IPv6
  • TELNET vs SSH ratio 0.1 on IPv4 vs 0.03 on IPv6

Secure and monitor your IPv6 traffic and infrastructure!

Large-scale IPv6 scanning is feasible. You should not assume that your IPv6 infrastructure will never be found by attackers and that you are ‘safe’. Securing and monitoring IPv6 and open IPv6 services on your network is critical, otherwise, you may be leaving gaping holes in your network that a bad actor may exploit. Unfortunately, tools for IPv6 security are not at the same level of maturity as for IPv4. Human analysts are also much less experienced/skilled in dealing with IPv6.

We encourage all organizations to make sure they also focus on securing their IPv6 infrastructure, implement their own specific IPv6 monitoring program and of course, subscribe to our free daily feeds to stay alert on their IPv6 attack surface exposure.

Subscribe to Shadowserver’s new reports

If you are an existing subscriber, you will get the above-mentioned IPv6 scan reports should any IPv6 be found in your network/constituency. If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive IPv6 scan reports and our other existing IPv6/IPv4 report types (covering not just other scan results, but observations from sinkholes, honeypots, darknets, sandboxes, blocklists and other sources), then please sign up to our free daily public benefit network remediation feed service.

For more information on our scanning efforts, check out our Internet scanning summary page.

If you have an active feed of IPv6 addresses you can share with us, please let us know! This helps us become aware of other blocks of in-use IPv6 space. We can expand our hit lists and better protect everyone.

For any questions, please contact us.

IPv6 scanning has been enabled by Shadowserver as part of the EU CEF VARIoT project.

Piotr helps make things happen at the Shadowserver Foundation, coordinating large-scale data collection and analysis projects, and managing Shadowserver’s CSIRT relationships.

This post was originally published on Shadowserver’s blog.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published.

Top