[LAC-TF] Fwd: IPv6 port scanning observed

Fernando Gont fernando at gont.com.ar
Fri Nov 26 22:25:16 BRST 2010


FYI

-------- Original Message --------
Subject: IPv6 port scanning observed
Date: Thu, 18 Nov 2010 10:29:06 +0100
From: Bjørn Mork <bjorn at mork.no>
Organization: m
To: ipv6-ops at lists.cluenet.de

Just to register that these things actually exist...

Got lucky and logged 15000 probes from a single IPv6 source address in a
couple of seconds.

Looks like it is targeted at two of the /64s I am using (could easily be
picked up from mail, web server logs etc).  Not all of the /64s in use
were targeted, but those missing have probably never been used as
source addresses outside my network.  But I may have missed a lot of
destinations as most of the prefix is null routed without any logging at
all.

Anyway, the destination protocols/ports logged are 22/tcp, 25/tcp,
53/udp, 443/tcp and 9511/tcp, and one I must admit I'm quite clueless
about: protocol 128.  This is listed as "sscopmce" by IANA, without that
helping me a lot.  Anyone?  I'm wondering whether this is merely a
scanning bug, or if there could be something interesting around
processing such packets?

The destination interface IDs look like they've been chosen to maximise
the chance of hitting manually configured boxes (possibly with some
holes - I've not scripted this list):

:: to ::2ff
::1000 to ::10ac
::2000 to ::2111
::1:0 to ::1:1ff
::500
::aaa
::fff
::1337
::3128
::2525
::5353
::6667
::8000
::aaaa
::abcd
::babe
::cafe
::beef
::ffff
::[0-9]:25
::[0-9]:53
::[0-9]:80



Bjørn
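
Added example, not part of the original message: a small log check that labels destination addresses whose interface ID matches the patterns listed above and flags sources that probe many of them. The function names, thresholds and sample log entries are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Interface-ID patterns transcribed from the list in the message above
# (the author notes the list may have holes, so treat ranges as approximate).
WORDY = {0x500, 0xaaa, 0xfff, 0x1337, 0x3128, 0x2525, 0x5353, 0x6667,
         0x8000, 0xaaaa, 0xabcd, 0xbabe, 0xcafe, 0xbeef, 0xffff}
RANGES = [(0x0, 0x2ff), (0x1000, 0x10ac), (0x2000, 0x2111), (0x10000, 0x101ff)]
SERVICE_WORDS = {0x25, 0x53, 0x80}  # ::[0-9]:25, ::[0-9]:53, ::[0-9]:80

def classify_iid(addr):
    """Label the low 64 bits of addr if they match a listed pattern, else None."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    if iid in WORDY:
        return "wordy"
    if any(lo <= iid <= hi for lo, hi in RANGES):
        return "low-range"
    if (iid >> 16) <= 9 and (iid & 0xffff) in SERVICE_WORDS:
        return "service-port"
    return None

def flag_scanners(events, min_targets=5, min_ratio=0.8):
    """events: (src, dst) pairs. Return {src: (distinct_dsts, matching_dsts)}."""
    seen = defaultdict(set)
    for src, dst in events:
        seen[src].add(str(ipaddress.IPv6Address(dst)))  # normalise spelling
    flagged = {}
    for src, dsts in seen.items():
        hits = sum(1 for d in dsts if classify_iid(d) is not None)
        if len(dsts) >= min_targets and hits / len(dsts) >= min_ratio:
            flagged[src] = (len(dsts), hits)
    return flagged

# Constructed sample log entries (documentation prefix 2001:db8::/32).
SAMPLE = [("2001:db8:ffff::1", "2001:db8:1:1::" + iid)
          for iid in ("1", "2", "cafe", "beef", "1:80", "3:25")]
SAMPLE.append(("2001:db8:2::10", "2001:db8:1:1:21c:42ff:fe12:3456"))

if __name__ == "__main__":
    for src, (total, hits) in flag_scanners(SAMPLE).items():
        print(f"{src}: {hits}/{total} destinations use guessable interface IDs")
```

Hosts numbered with SLAAC or randomised interface IDs fall outside every pattern, so a source whose destinations are almost all matches is probing guessed addresses rather than ones it learned from real traffic.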



