[ppml] And as for assignments...
Jonathan Barker
jonathan at qx.net
Sun Aug 26 17:28:34 EDT 2007
William,
Today, you're completely right... It would be impractical to scan a /64.
There are too many numbers for today's hardware and internet
connections. But it was once very difficult to break 128-bit
encryption, too. As years pass by, systems get ever more powerful, and
people get Gig-E at home (which, with E-band wireless (I'm a big
Bridgewave fan) and FiOS, actually gets easier by the day), so maybe it'll
get a little easier. Then, let's say you have a worm that only attacks
Sun Solaris OS boxes. You can check online MAC databases and get this:
Search results for "Sun Microsystems"
Prefix   Vendor
00007D   Sun Microsystems (was: Cray Research Superservers, Inc)
00015D   Sun Microsystems, Inc. (was: Pirus Networks)
0003BA   Sun Microsystems
00144F   Sun Microsystems, Inc
0020F2   SUN MICROSYSTEMS,
080020   Sun Microsystems Inc.
Or, maybe you have a vulnerability that affects DirecTV's new MPEG-4
set-top boxes:
00189B   Thomson Inc.
It could take a little while, but you could find mine: 00:18:9B:F0:F0:E4
Or better yet, target my PlayStation 3. It is sitting here in my living
room, on Gig-E to the Internet via my Bridgewave, folding proteins. With
7 blazing fast cores and the ability to run Linux, it would be an
excellent attack system. (I do firewall all this, btw...)
Using the MAC database could narrow the /64 considerably, by giving you
part of the address without needing to do a blanket scan. And if you add
a few logical assumptions, like that ISPs will start allocating at the
beginning of their /32 first and go up a /62 at a time, it gets easier
and easier. Viruses and worms could in theory methodically target the
hardware they want more efficiently. Or, by using the address of a known
server, they could determine the make/model (which for the most part
can be done today anyway) and find a vulnerability specifically
designed for it. I've brainstormed this one for a few minutes. There are
hackers out there that will spend years on the problem. A well-designed
worm that replicates and increases its efficiency with each new
installation by only scanning a pre-set area per infection could be
devastating. Imagine a million networked PlayStations targeting the
Internet's core infrastructure all at once. We wouldn't stand a chance.
Double-edged sword, I guess. Much like CDP (Cisco Discovery
Protocol)... Using autoconfiguration is useful now for diagnostics, and
good against non-directed general DoS attacks like Slammer, but may
speed more directed and more dangerous attacks in the future by giving
away more info than system administrators would like about their systems.
Jonathan
William Herrin wrote:
> On 8/26/07, Jonathan Barker <jonathan at qx.net> wrote:
>
>> for years people have launched bots to scan the network for open
>> hosts to infect. Now - they have infinitely more space to scan, and have
>> to transmit more and larger packets to do it. With ever increasing
>> processor power... Bot scanning and the massive number of packets now
>> needed to scan for hosts could become a real problem.
>>
>
> Jonathan,
>
> I think you have this backwards. The massive size of the subnet will
> make it impractical to scan for hosts off the local subnet, regardless
> of the available bandwidth and processor power. It's an unintended but
> useful consequence of the large subnet size. Worms will have to look
> for other cues to find addresses to infect, such as publicly posted
> HTTP transaction logs. That will tend to blunt their spread a bit.
>
> On the flip side, I can remotely identify the make and model of the
> ethernet card from the MAC address encoded in the IP address which
> ought to make it much easier to target driver bugs. For example, I can
> trivially tell that 6to4.nro.net (2001:dc0:2001:7:2d0:b7ff:feb7:f7f9)
> is using a NIC made by Intel (MAC 00-d0-b7-b7-f7-f9). With a better
> MAC database than what I found in 5 minutes of searching, I could
> figure out which model Intel NIC, when it was made and what revision
> of the firmware it shipped with.
>
> Regards,
> Bill Herrin
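The decoding Bill describes (the MAC address sitting inside a SLAAC-generated IPv6 address) is exactly what a network operator should audit on their own hosts. The following Python is an added example, not code from either poster: it walks an address inventory, recovers the embedded MAC from any modified-EUI-64 interface identifier (RFC 4291: MAC split in two, FF:FE inserted, universal/local bit flipped), and looks up the OUI so the operator can see which interfaces are advertising their NIC vendor. The OUI table is constructed for the example from the prefixes quoted in the thread plus 00:D0:B7, which Bill's message attributes to Intel; the addresses other than Bill's 6to4.nro.net example are made up under the 2001:db8::/32 documentation prefix. Hosts it flags are candidates for privacy extensions (RFC 4941) or, on newer stacks, stable opaque identifiers (RFC 7217), which keep the /64 just as hard to scan while removing the hardware fingerprint.

```python
import ipaddress

# Constructed OUI table for this example only. The prefixes are the ones
# quoted in the thread (Sun, Thomson) plus 00:D0:B7, which Bill's message
# attributes to Intel. A real audit would load the full IEEE OUI registry.
OUI_VENDORS = {
    "00007D": "Sun Microsystems",
    "00015D": "Sun Microsystems, Inc.",
    "0003BA": "Sun Microsystems",
    "00144F": "Sun Microsystems, Inc",
    "0020F2": "Sun Microsystems",
    "080020": "Sun Microsystems Inc.",
    "00189B": "Thomson Inc.",
    "00D0B7": "Intel",
}


def eui64_to_mac(addr):
    """Recover the MAC embedded in a modified-EUI-64 interface identifier.

    RFC 4291 builds the 64-bit IID by splitting the 48-bit MAC, inserting
    0xFFFE between the halves and flipping the universal/local bit (0x02)
    of the first byte. Returns "xx:xx:xx:xx:xx:xx", or None when the IID
    lacks the FF:FE marker (manual, RFC 4941 privacy or opaque addresses).
    A random IID carries FF:FE at that offset with probability 1/65536, so
    a flagged address is a strong hint, not proof, that SLAAC used the MAC.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                            # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def vendor_of(mac):
    """Look up the OUI (first three bytes of the MAC) in the constructed table.

    Returns None for locally administered MACs (bit 0x02 set in the first
    byte), whose OUI carries no vendor information, and for unknown prefixes.
    """
    first = int(mac[:2], 16)
    if first & 0x02:
        return None
    return OUI_VENDORS.get(mac.replace(":", "").upper()[:6])


def audit(addresses):
    """Return (address, mac, vendor) for every address that embeds a MAC.

    Feed it your own hosts' addresses (router advertisement logs, an address
    inventory) to find interfaces that should switch to privacy extensions
    (RFC 4941) or stable opaque IIDs (RFC 7217).
    """
    findings = []
    for addr in addresses:
        mac = eui64_to_mac(addr)
        if mac is not None:
            findings.append((addr, mac, vendor_of(mac)))
    return findings


# Constructed sample inventory. The first address is Bill's example from the
# thread; the rest are made-up addresses under the documentation prefix.
SAMPLE_ADDRESSES = [
    "2001:dc0:2001:7:2d0:b7ff:feb7:f7f9",   # EUI-64, Intel OUI (from the thread)
    "2001:db8::1",                           # manually assigned, nothing embedded
    "2001:db8:1:2:218:9bff:fe12:3456",       # constructed EUI-64 with a Thomson OUI
    "2001:db8:1:2:1c3a:9a4b:77d1:e2f",       # constructed RFC 4941-style random IID
]

if __name__ == "__main__":
    for addr, mac, vendor in audit(SAMPLE_ADDRESSES):
        print(f"{addr:40} embeds MAC {mac} ({vendor or 'unknown/local OUI'})")
```

Run it against your own address list rather than the constructed one; anything it reports is a host whose vendor (and, with a better database, model and revision) is visible to anyone who sees its address in a log, which is the exposure both posts describe.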