;login - Worm Propogation and IPv6

Colm MacCarthaigh colm at stdlib.net
Wed Jan 24 19:37:35 CET 2007

On Wed, Jan 24, 2007 at 02:20:38AM -0800, Roland Dobbins wrote:
> I'll also point out that, despite the baseless claims of those who've  
> asserted that IPv6 somehow provided a 'defense' against worms due to  
> the large address space, those of us who think about these things  
> have known about every single one of the techniques discussed in this  
> paper and talked about them at length.  Messrs. Bellovin, Cheswick,  
> and Keromytis simply wrote them down; no research was required in  
> order to write this article, it's simply a useful compilation of  
> 'hints' which worm writers may use; also note that none except ND are  
> IPv6-specific (and ARP can be used in similar fashion in the IPv4  
> world).  They seem to've not discussed Link-Local, but add it to the  
> list.

I think it's missing some powerful ones too. Default EUI-64 behaviour
means we an attacker can grep a webserver log and get a convenient list
addresses of NICs from a particular manufacturer/type to go and attack
with vulnerabilities similar to the Wifi explotable stacks announced
last summer. And once there, it can act as a device-specific worm
by just poking the all-nodes address to get some more, and so on.

That's way more efficient than just trying all of IPv4 space for
device-specific exploits. Now that sounds like fun :-)

Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net

More information about the ipv6-ops mailing list