[lacnog] Fwd: IPv6 port scanning observed

Carlos M. Martinez carlosmarcelomartinez at gmail.com
Fri Nov 26 23:21:53 BRST 2010


It's a ... good ... symptom, I suppose :-)



On 11/26/10 10:25 PM, Fernando Gont wrote:
> FYI
>
> -------- Original Message --------
> Subject: IPv6 port scanning observed
> Date: Thu, 18 Nov 2010 10:29:06 +0100
> From: Bjørn Mork <bjorn at mork.no>
> Organization: m
> To: ipv6-ops at lists.cluenet.de
>
> Just to register that these things actually exist...
>
> Got lucky and logged 15000 probes from a single IPv6 source address in a
> couple of seconds.
>
> Looks like it is targeted at two of the /64s I am using (could easily be
> picked up from mail, web server logs etc).  Not all of the /64s in use
> were targeted, but those missing have probably never been used as
> source addresses outside my network.  But I may have missed a lot of
> destinations as most of the prefix is null routed without any logging at
> all.
>
> Anyway, the destination protocols/ports logged are 22/tcp, 25/tcp,
> 53/udp, 443/tcp and 9511/tcp, and one I must admit I'm quite clueless
> about: protocol 128.  This is listed as "sscopmce" by IANA, without that
> helping me a lot.  Anyone?  I'm wondering whether this is merely a
> scanning bug, or if there could be something interesting around
> processing such packets?
>
> The destination interface IDs look like they've been chosen to maximise
> the chance of hitting manually configured boxes (possibly with some
> holes - I've not scripted this list):
>
> :: to ::2ff
> ::1000 to ::10ac
> ::2000 to ::2111
> ::1:0 to ::1:1ff
> ::500
> ::aaa
> ::fff
> ::1337
> ::3128
> ::2525
> ::5353
> ::6667
> ::8000
> ::aaaa
> ::abcd
> ::babe
> ::cafe
> ::beef
> ::ffff
> ::[0-9]:25
> ::[0-9]:53
> ::[0-9]:80
>
>
>
> Bjørn
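
A detection sketch for the pattern reported above, added as an example and not part of either message: it marks destinations whose interface ID falls in the listed set and flags sources that touch many of them in a short window. The ranges are treated as contiguous (the post notes there may be holes), and the function names, thresholds and sample events are assumptions.

```python
import ipaddress
from collections import defaultdict

# Interface-ID ranges and single values copied from the list in the post.
RANGES = [(0x0, 0x2ff), (0x1000, 0x10ac), (0x2000, 0x2111), (0x10000, 0x101ff)]
SINGLES = {0x500, 0xaaa, 0xfff, 0x1337, 0x3128, 0x2525, 0x5353, 0x6667,
           0x8000, 0xaaaa, 0xabcd, 0xbabe, 0xcafe, 0xbeef, 0xffff}
SERVICE_SUFFIXES = {0x25, 0x53, 0x80}  # the ::[0-9]:25 / :53 / :80 entries

def is_guessable_iid(addr: str) -> bool:
    """True if the low 64 bits of addr are in the probed set from the post."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    if iid in SINGLES or any(lo <= iid <= hi for lo, hi in RANGES):
        return True
    # ::N:PP with N a single digit 0-9 and PP one of 25, 53, 80
    return (iid >> 16) <= 9 and (iid & 0xFFFF) in SERVICE_SUFFIXES

def flag_scanners(events, window=5.0, min_hits=8):
    """events: iterable of (timestamp_seconds, src, dst).
    Returns {src: n} where n is the largest number of distinct guessable
    destinations src touched within any `window`-second span, if n >= min_hits.
    """
    per_src = defaultdict(list)
    for ts, src, dst in events:
        if is_guessable_iid(dst):
            per_src[src].append((ts, dst))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        start = best = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in hits[start:end + 1]}))
        if best >= min_hits:
            flagged[src] = best
    return flagged

# Constructed sample events (documentation prefix 2001:db8::/32), not real logs.
SAMPLE = [(100.0 + i * 0.01, "2001:db8:f00d::1", f"2001:db8:0:1::{i:x}")
          for i in range(1, 21)]
SAMPLE += [(100.5, "2001:db8:f00d::1", "2001:db8:0:1::cafe"),
           (101.0, "2001:db8:aaaa::7", "2001:db8:0:1:21a:2bff:fe3c:4d5e"),
           (300.0, "2001:db8:aaaa::7", "2001:db8:0:1::1")]

if __name__ == "__main__":
    print(flag_scanners(SAMPLE))
```

Logging even a sample of traffic to null-routed space matters here, since the post notes most of the prefix was dropped without any logging.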


