[GLLUG] Speculative IPv6 probing

[Andy Smith]

On Wed, Sep 25, 2019 at 06:44:35PM +0100, Tim Woodall via GLLUG wrote:
> I'm seeing probes obviously attempting to hunt for machines on IPv6.

[…]

> Is this going to be the state of IPv6 going forwards?

Yes. What you're running on which IPs and ports is valuable
information which is being compiled and sold.

> Anyone else seeing anything like this.

Yes. Also in the last year I've been seeing frequent SSH dictionary
attacks on non-standard (IPv4) ports.

On Wed, Sep 25, 2019 at 06:50:21PM +0100, John Winters via GLLUG wrote:
> I can't help wondering what the objective is.

To compile a database of what is running on what IPs and ports and
sell that to people.

> Scanning the whole of the IPv6 address space is going to take a while, and
> all it's going to tell you is that there is a machine at a particular
> address - just the same as if you did it for IPv4.

It already is being done for IPv4 extensively, and there are
multiple subscription services such as Shodan which sell [searches
on] that database to their users.

So, for example, you find out some Internet of Shit device has an
open telnet on port 54321, you then put that into the Shodan-like
service and it spits back every machine on the Internet with that
port open. You can even give if strings that it should have
responded with, to narrow down the list. Boom, instant botnet.

It used to be extremely frowned-upon to mass-scan the Internet;
abuse reports used to get filed and people used to get told to stop
doing it by their upstream providers. Now they just say they are a
research tool and their money is as green as anyone else's.

Scanning all of IPv6 currently poses a bit more of a challenge, but
heuristics will be used to give it a good try anyway.

> What's there to be gained?

Information that has monetary value.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting