[ppml] And as for assignments...

Jonathan Barker jonathan at qx.net
Sun Aug 26 17:28:34 EDT 2007


Today, you're completely right... It would be impractical to scan a /64. 
There are too many numbers for today's hardware, and internet 
connections. But, it was once very difficult to break 128 bit 
encryption, too. As years pass by, systems get ever more powerful, and 
people get Gig-E at home (Which with E-band wireless (I'm a big 
Bridgewave fan) and FiOS, actually gets easier by the day) maybe it'll 
get a little easier. Then, let's say you have a worm that only attacks 
Sun Solaris OS boxes. You can check online MAC databases and get this.

    Search results for "Sun Microsystems"

*   MAC Address
   Prefix         Vendor*
   00007D       Sun Microsystems (was: Cray Research Superservers,Inc)
   00015D       Sun Microsystems, Inc. (was: Pirus Networks)
   0003BA       Sun Microsystems
   00144F       Sun Microsystems, Inc
   0020F2       SUN MICROSYSTEMS,
   080020       Sun Microsystems Inc.

Or, maybe you have a vulnerability that affects Directv's new MPEG-4 set 
top boxes -

00189B       Thomson Inc.

It could take a little while, but you could find mine. 00:18:9B:F0:F0:E4

Or better yet, target my Playstation 3. It is sitting here in my living 
room, on Gig-E to the Internet via my Bridgewave, Folding proteins. With 
7 blazing fast cores, and the ability to run Linux - it would be an 
excellent attack system. (I do firewall all this, btw...)

Using the MAC database could narrow the /64 considerably, by giving you 
part of the address without needing to do a blanket scan. And if you add 
a few logical assumptions, like that ISPs will start allocating at the 
beginning of their /32 first, and go up a /62 at a time, it gets easier 
and easier. Viruses and worms could in theory methodically target the 
hardware they want more efficiently. Or by using the address of a known 
server, they could determine the make / model (which for the most part 
can be done today, anyway) and find a vulnerability specifically 
designed for it. I've brainstormed this one for a few minutes. There are 
hackers out there that will spend years on the problem. A well designed 
worm that replicates, and increases it's efficiency with each new 
installation by only scanning a pre-set area per infection could be 
devastating. Imagine a million networked Playstations targeting the 
Internet's core infrastructure all at once. We wouldn't stand a chance.

Double edged sword, I guess. Much like cdp (Cisco Discovery 
Protocol)...  Using autoconfiguration is useful now for diagnostics, and 
good against non-directed general DoS attacks like slammer, but may 
speed more directed, and more dangerous attacks in the future, by giving 
away more info than system administrators would like about their systems.


William Herrin wrote:
> On 8/26/07, Jonathan Barker <jonathan at qx.net> wrote:
>> for years people have launched bots to scan the network for open
>> hosts to infect. Now - they have infinitely more space to scan, and have
>> to transmit more and larger packets to do it. With ever increasing
>> processor power... Bot scanning and the massive number of packets now
>> needed to scan for hosts could become a real problem.
> Jonathan,
> I think you have this backwards. The massive size of the subnet will
> make it impractical to scan for hosts off the local subnet, regardless
> of the available bandwidth and processor power. Its an unintended but
> useful consequence of the large subnet size. Worms will have to look
> for other cues to find addresses to infect, such as publicly posted
> http transaction logs. That will tend to blunt their spread a bit.
> On the flip side, I can remotely identify the make and model of the
> ethernet card from the MAC address encoded in the IP address which
> ought to make it much easier to target driver bugs. For example, I can
> trivially tell that 6to4.nro.net (2001:dc0:2001:7:2d0:b7ff:feb7:f7f9)
> is using a NIC made by Intel (MAC 00-d0-b7-b7-f7-f9). With a better
> MAC database than what I found in 5 minutes of searching, I could
> figure out which model Intel NIC, when it was made and what revision
> of the firmware it shipped with.
> Regards,
> Bill Herrin

More information about the ARIN-PPML mailing list