Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Active scan of my tunnel

Started by HQuest, June 02, 2022, 10:34:47 AM


HQuest

For the past 6 months (!!!), I noticed an IPv6 source scanning my /56 subnet and it is still going strong. While I do have this source blocked on my inbound firewall, I'm starting to think it would be better if I could ask my upstream provider if any actions could be taken from their end. Traffic is minor and only a few TCP SYNs every second or so. Minor for my inbound pipe but still an annoyance. I tried multiple times to reach out to the abuse address owner of that network. Nothing happened - maybe because the operator in question is from a "questionable" country...

Anything HE can (or is willing to) do in here?

snarked

There are a lot of scanners out here.  It may help if you identify the one you're having issues with if you expect other forum participants to comment further.

I actually TCP tarpit anyone that attempts to scan any unused port on my system (as well as certain other misbehaviors), with certain sources exempted of course.

NewtonNet

Quote from: HQuest on June 02, 2022, 10:34:47 AM
Minor for my inbound pipe but still an annoyance.

I totally understand where you are coming from but if it is just an annoyance (i.e. the threats arising from the scans are not being realised) then it is entirely within your gift to deal with the annoyance aspect yourself and just learn to ignore them. It's the Wild West out there and you'll be fighting a never-ending battle if you try and manually deal with behaviours you don't like, and the number of IPv6-enabled 'bad guys' is only going to increase.

Configure your setup securely, use whatever tools you see fit to maintain active defence, filter your logs and get on with life. It's the same with attacks on SSH; you risk becoming very paranoid if you're not careful.