top | item 36857592

bcook | 2 years ago

The scenario I commonly see is a dual-stack (IPv4 & IPv6) router blocking all unsolicited incoming IPv4 packets (because of NAT), while all IPv6 LAN hosts will unintentionally be globally accessible through the internet.

This is why I worry about more IPv6 deployment. Too many people are ignorantly relying on IPv4 NAT as a layer of protection.
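The gap bcook describes lives on the router's forward path, and NAT only closes it for IPv4 by accident. As an added illustration (not from the thread and not any vendor's default configuration), here is a minimal nftables ruleset for a dual-stack router that gives IPv6 the same "outbound only, return traffic allowed" posture that IPv4 gets as a side effect of having no NAT mapping. The interface names lan0 and wan0 are assumptions.

```nft
# Added example: dual-stack forward policy for a home/SOHO router.
# Assumed interface names: lan0 (inside), wan0 (upstream).
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows the LAN opened, v4 and v6 alike.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate anything outbound.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 that IPv6 breaks without (PMTUD and error reporting, per RFC 4890).
        # NDP is link-local and never reaches the forward hook, so it needs no rule here.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Anything else arriving from the WAN falls through to the chain policy: drop.
        # Inbound IPv4 was already unreachable because NAT had no mapping for it;
        # without this chain, inbound IPv6 is forwarded straight to the LAN host.
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The IPv4 NAT rules live in a separate `nat` table and are untouched by this chain; the point is that filtering has to be stated explicitly for both families. The only check that proves it worked is probing a LAN host's global IPv6 address from outside the network.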


justsomehnguy | 2 years ago

> Too many people are ignorantly relying on IPv4 NAT as a layer of protection.

Too many people think pulling out works every time, too many people think that not using seat belts because they aren't going far or fast is safe, yada, yada.

What's the attack scenario? For the most part the machine is firewalled anyway by the built-in firewall (if we're talking about any modern Windows and Linux) by default. Most attacks need the actual vulnerable software, and this is the browser nowadays => it's client-initiated anyway.

Sure, a properly configured router would block the incoming traffic (with or without NAT; there is routed IPv4 too, you know? I have five /24s there and a bunch of smaller ones, no NAT on them), but again, the onus here is on the default configuration of the router. There are still 'DMZ' buttons in some routers that would DNAT everything to the machine, and there are people who do that without understanding what this opens their machine up to (despite being behind the NAT), i.e. it 'makes it globally routable'.

I haven't touched home/SOHO routers for almost a decade so I can't say anything about that, except that Zyxels have sane defaults and that Mikrotik is shipped with IPv6 disabled altogether.

Don't forget, most of the 'hacks' happen by scanning the IPv4 subnet and then meticulously probing everything. It's easy with IPv4 (hell, a /16 is only 65k hosts); with IPv6 this is...

Here: 2a10:1fc0:6::/48

I have a machine there, go, find it.

The only feasible way for someone to find your globally addressable machine is for the 'victim' to first trigger something, e.g. by accessing some website. Yes, in this case the owner of the site (or the malware which infected the site) would know your IP. But the same applies to IPv4, and in both cases you need something which is:

  vulnerable
  accepting packets from anywhere
  not firewalled

And you still need to lure the victim to your site first.

You would have more chances with sending Nigerian prince letters and you would be way more profitable.

avidiax | 2 years ago

> And you still need to lure the victim to your site first.

You don't need to lure anything. Hack some websites. Plenty have publicly accessible analytics or logs. That gives you full IPv6 addresses to target. Ideally, it might give you a username as well.

What if someone gets the logs of an IoT cloud provider with IPv6-enabled IoT devices?

How many of those addresses have SSH, Samba, APFS, Telnet, or a DNS server running? How many have a username + password combo that's in a leak? How many have an IoT RESTful API endpoint with unpatched vulnerabilities?

IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised. Device firewalls don't work where the devices themselves provide services, which is increasingly common.
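Both halves of the exchange above, justsomehnguy's "go find it in a /48" and avidiax's "the logs already have the full address", reduce to one question: where do IPv6 targets come from when scanning is off the table? The following script is an added example, not code from the thread or from any tool the posters mention. It pulls client addresses out of constructed access-log lines, discards the ones that cannot be reached from the internet (IPv4 behind NAT, link-local, ULA), counts repeat visitors, and recovers the hardware MAC from any address whose interface identifier is a SLAAC modified EUI-64, which is what many IoT devices still use and which fingerprints the vendor via the OUI. The log lines are constructed; every IPv6 address is from the 2001:db8::/32 documentation prefix, so none of them points at a real host.

```python
"""Harvest reachable IPv6 targets from server logs instead of scanning a /48.

Added example with constructed input. Addresses use the IPv6 documentation
prefix 2001:db8::/32 and the IPv4 TEST-NET-1 range; none is a real host.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Union

# Constructed nginx/Apache-style access log. The first three IPv6 clients are
# the only ones an outside attacker could reach; the rest exercise the filter.
SAMPLE_LOG = """\
2001:db8:1:2:211:32ff:fe4a:9c01 - - [10/Jul/2023:10:01:12 +0000] "GET /api/v1/status HTTP/1.1" 200 512 "-" "ExampleIoTCam/1.2"
2001:db8:1:2:9d4e:3a1f:7b2c:e005 - - [10/Jul/2023:10:01:19 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
fe80::211:32ff:fe4a:9c01 - - [10/Jul/2023:10:02:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/8.0"
fd12:3456:789a::10 - - [10/Jul/2023:10:02:40 +0000] "GET / HTTP/1.1" 200 2048 "-" "curl/8.0"
192.0.2.77 - - [10/Jul/2023:10:03:01 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
2001:db8:1:2:211:32ff:fe4a:9c01 - - [10/Jul/2023:10:05:59 +0000] "POST /api/v1/login HTTP/1.1" 401 64 "-" "ExampleIoTCam/1.2"
2001:db8:7:0:2c0:c1ff:fe22:3344 - - [10/Jul/2023:10:06:10 +0000] "GET /firmware HTTP/1.1" 200 9000 "-" "ExampleThermostat/3.0"
"""

_CLIENT = re.compile(r"^(\S+)\s")          # first field: client address
_USER_AGENT = re.compile(r'"([^"]*)"\s*$')  # last quoted field: user agent

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")            # RFC 4193, not routed on the internet
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # the currently allocated global range


def scope(addr: Union[str, ipaddress.IPv6Address]) -> str:
    """Classify by prefix. IPv6Address.is_global is deliberately not used:
    it reports the documentation prefix in the sample as non-global."""
    addr = ipaddress.IPv6Address(addr)
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def eui64_mac(addr: Union[str, ipaddress.IPv6Address]) -> Optional[str]:
    """Recover the MAC from a modified EUI-64 interface identifier (RFC 4291, App. A).

    Returns None when the IID lacks the ff:fe marker, i.e. it came from privacy
    extensions (RFC 8981) or stable-privacy (RFC 7217) and leaks no hardware identity.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit inversion SLAAC applies
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


@dataclass
class Target:
    addr: ipaddress.IPv6Address
    hits: int = 0
    user_agents: Set[str] = field(default_factory=set)
    mac: Optional[str] = None  # set when the address is EUI-64 derived


def harvest(log_text: str) -> Dict[str, Target]:
    """Return internet-reachable IPv6 clients seen in the log, keyed by address."""
    targets: Dict[str, Target] = {}
    for line in log_text.splitlines():
        m = _CLIENT.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        # IPv4 clients are usually behind NAT; link-local and ULA are never routed in.
        if addr.version != 6 or scope(addr) != "global":
            continue
        t = targets.setdefault(str(addr), Target(addr=addr, mac=eui64_mac(addr)))
        t.hits += 1
        ua = _USER_AGENT.search(line)
        if ua:
            t.user_agents.add(ua.group(1))
    return targets


def search_space(prefix_len: int) -> int:
    """Addresses a brute-force scanner must cover for one prefix (2**80 for a /48)."""
    return 2 ** (128 - prefix_len)


if __name__ == "__main__":
    for key, t in harvest(SAMPLE_LOG).items():
        print(f"{key:40} hits={t.hits} mac={t.mac} ua={sorted(t.user_agents)}")
    print(f"brute force /48: {search_space(48):,} addresses; from the log: {len(harvest(SAMPLE_LOG))}")
```

The lookup of the recovered OUI against the IEEE registry is left to the reader; the script's job is to show that the address itself, not a scan, tells you which devices sit in the prefix and which of them announce their hardware identity. The same extraction applied to analytics exports, mail headers or any other dataset that records client addresses gives the same result, which is the point avidiax is making.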