IPv6 port scanning observed

Bjørn Mork bjorn at mork.no
Thu Nov 18 10:29:06 CET 2010


Just to register that these things actually exist...

Got lucky and logged 15000 probes from a single IPv6 source address in a
couple of seconds.

Looks like it is targeted at two of the /64s I am using (could easily be
picked up from mail, web server logs etc).  Not all of the /64s in use
were targeted, but those missing have probably never been used as
source addresses outside my network.  But I may have missed a lot of
destinations as most of the prefix is null routed without any logging at
all. 

Anyway, the destination protocols/ports logged are 22/tcp, 25/tcp,
53/udp, 443/tcp and 9511/tcp, and one I must admit I'm quite clueless
about: protocol 128.  This is listed as "sscopmce" by IANA, without that
helping me a lot.  Anyone?  I'm wondering whether this is merely a
scanning bug, or if there could be something interesting around
processing such packets?

The destination interface IDs look like they've been chosen to maximise
the chance of hitting manually configured boxes (possibly with some
holes - I've not scripted this list):

:: to ::2ff
::1000 to ::10ac
::2000 to ::2111
::1:0 to ::1:1ff
::500
::aaa
::fff
::1337
::3128
::2525
::5353
::6667
::8000
::aaaa
::abcd
::babe
::cafe
::beef
::ffff
::[0-9]:25
::[0-9]:53
::[0-9]:80



Bjørn
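
An added example, not part of the original post: a small audit that checks whether the interface IDs of your own hosts fall inside the destination list given above. The function names and the inventory addresses (in the 2001:db8::/32 documentation prefix) are constructed for illustration, and the ranges are transcribed from the post, which notes the list may have holes.

```python
import ipaddress

# Interface-ID values transcribed from the list in the post (low 64 bits of
# the destination). The post says the list may have holes, so treat these
# bounds as approximate.
RANGES = [
    (0x0, 0x2FF),          # :: to ::2ff
    (0x1000, 0x10AC),      # ::1000 to ::10ac
    (0x2000, 0x2111),      # ::2000 to ::2111
    (0x10000, 0x101FF),    # ::1:0 to ::1:1ff
]
WORDS = {0x500, 0xAAA, 0xFFF, 0x1337, 0x3128, 0x2525, 0x5353, 0x6667,
         0x8000, 0xAAAA, 0xABCD, 0xBABE, 0xCAFE, 0xBEEF, 0xFFFF}
PORT_GROUPS = {0x25, 0x53, 0x80}   # ::[0-9]:25, ::[0-9]:53, ::[0-9]:80


def classify(addr):
    """Return which listed pattern the address's interface ID matches, or None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if any(lo <= iid <= hi for lo, hi in RANGES):
        return "low-range"
    if iid in WORDS:
        return "word"
    if (iid >> 16) <= 9 and (iid & 0xFFFF) in PORT_GROUPS:
        return "port-style"
    return None


def audit(hosts):
    """Map each host whose interface ID is in the probed set to its pattern."""
    return {h: c for h in hosts if (c := classify(h))}


if __name__ == "__main__":
    # Constructed inventory in the 2001:db8::/32 documentation prefix.
    inventory = [
        "2001:db8:1:2::1",                  # manually numbered router
        "2001:db8:1:2::cafe",               # "wordy" manual address
        "2001:db8:1:2::5:53",               # resolver numbered after its port
        "2001:db8:1:2:21a:2bff:fe3c:4d5e",  # SLAAC (EUI-64) address
    ]
    for host, pattern in audit(inventory).items():
        print(f"{host}: interface ID in probed set ({pattern})")
```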


