Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

I reached a very "bad" milestone today with IPv6 and my web server.

Started by snarked, June 12, 2010, 05:35:17 PM


snarked

I found it necessary to ban in my firewall the first malicious webbot that hit my site using IPv6.  The webbot in question disobeyed "/robots.txt", so it got autolisted.  However, when reviewing my logs further, I found it was using multiple IPv6 addresses in the same /64.  4 addresses fell into the malicious spider trap (autolisted), and others from the same network are crawling.  Therefore, I've instituted my first firewall level ban of an IPv6 network (other than 2001:DB8::/32, "doc net").

  2001:250:3000:4004::/64  cernet.edu.cn  (Tsinghua University, Beijing, 100084, China)

Doesn't surprise me it's from China.  Maybe I should ban the entire /32, but so far, the bots are only on that particular /64.

jimb

Yeah, that's one thing that's a bit of a problem with IPv6.  It'll be super easy to hide in a /64, forcing one to ban an entire /64 which could affect a bunch of users who weren't at fault, resulting in a potential "unfair" ban.  But there's really nothing else to do.  The RBLs are probably going to do something similar.  Once enough IIDs in a particular /64 start abusing, the whole /64 will get nuked, and then perhaps a /48 if things continue from that block, etc.

I have a feeling that there will be some "heavy handed" IPv6 bans in the future.
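Added example (not code from either poster): the rollup snarked did by hand and the /64-then-/48 escalation jimb describes, as a script. The trapped addresses are a constructed sample (the 2001:db8::/32 entries are documentation-prefix stand-ins), and the thresholds of two offending IIDs per /64 and two banned /64s per /48 are assumptions, not a rule from the thread.

```python
"""Roll up spider-trap hits into /64 and /48 ban candidates (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of addresses that tripped a robots.txt honeypot.
# The 2001:db8::/32 entries are documentation-prefix stand-ins, not real hits.
TRAPPED = [
    "2001:250:3000:4004::1", "2001:250:3000:4004::2",
    "2001:250:3000:4004::3", "2001:250:3000:4004::4",
    "2001:250:3000:4005::a",
    "2001:db8:1:2::7", "2001:db8:1:2::8",
    "2001:db8:1:3::9", "2001:db8:1:3::a",
]


def rollup(addrs, plen):
    """Group distinct IPv6 offenders by their containing /plen prefix."""
    buckets = defaultdict(set)
    for a in addrs:
        ip = ip_address(a)
        if ip.version != 6:
            continue  # v4 hits are handled elsewhere
        buckets[ip_network(f"{ip}/{plen}", strict=False)].add(ip)
    return buckets


def ban_candidates(addrs, per64=2, per48=2):
    """Ban a /64 once per64 distinct IIDs in it abuse; escalate to the /48
    once per48 of its /64s are banned.  Both thresholds are assumptions."""
    banned64 = {n for n, ips in rollup(addrs, 64).items() if len(ips) >= per64}
    by48 = defaultdict(set)
    for n in banned64:
        by48[ip_network(f"{n.network_address}/48", strict=False)].add(n)
    banned48 = {n for n, subs in by48.items() if len(subs) >= per48}
    # A /64 already inside an escalated /48 needs no rule of its own.
    remaining64 = {n for n in banned64
                   if not any(n.subnet_of(p) for p in banned48)}
    return sorted(map(str, banned48)), sorted(map(str, remaining64))


def ip6tables_rules(nets, chain="INPUT"):
    """Render one DROP rule per prefix for ip6tables."""
    return [f"ip6tables -A {chain} -s {n} -j DROP" for n in nets]


if __name__ == "__main__":
    b48, b64 = ban_candidates(TRAPPED)
    for rule in ip6tables_rules(b48 + b64):
        print(rule)
```

On the sample above the four 2001:250:3000:4004:: addresses produce one /64 ban, while the two abusing /64s under 2001:db8:1::/48 are collapsed into a single /48 rule, which is exactly the widening jimb predicts RBLs will do.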

PatrickDickey

Is there a list of "bad" IPv6 addresses being compiled?

More or less so people could deny them right away, without having to learn about them the hard way?  Something that could be done with the understanding that you're cutting off the head to stop a headache type of thing (or major surgery for a minor cut).  In other words, the understanding that you're blocking out an entire range of IPv6 addresses for the actions of a few.

Of course someone would have to monitor the list and modify it appropriately.  If a /48 or /32 would cover a bunch of /64's in the list, they'd have to replace the /64's with the right address/prefix.

As for me, right now, I'm creating an ACL that blocks the 2001:DB8::/32 and the 2001:250:3000:4004::/64  outright.  Especially since my server is a "Home Server" so I'm the only person who really should be accessing it outside of my network (and I'm not going to China anytime soon), I figure it's a safe bet to block the entire ranges.

Have a great day:)
Patrick.

PS If there are ways of blocking (or allowing) only ranges for a certain nation, I'd love that too.  That way I'd only have to allow the IPv6 addresses from inside the US/Canada (as most likely that will be my traveling extent).

jimb

There are things like Cymru's IPv6 bogon list:  http://www.team-cymru.org/Services/Bogons/dns.html

I'm not sure if there are IPv6 based email RBLs out there yet (like spamhaus, etc).

I believe there are IPv6 lists out there that show the prefixes by country, although I can't recall where I saw 'em.  If you look on the iana.org site, it has lists of IPv6 allocations to the RIRs IIRC which could probably be used as a starting point.

snarked

As more and more people migrate to IPv6, so will the problems.  However, random or sequential scanning of IPs is about the only abuse that doesn't scale over.

As far as cernet.edu.cn was concerned, all their offending addresses were on the same /124 but I wasn't going to wait for the abuse to grow.

CYMRU's list is the v6.fullbogons.cymru.com, and other than a few, privately used blacklists, is really the only public list in use.  They only list unallocated blocks.

As for allocations:  http://www.iana.org/assignments/ipv6-unicast-address-assignments/

jimb

Yeah.  Scanning ~18.4 billion billion hosts per LAN will be difficult.  But the opposite side of the coin is that blocking infected/compromised machines in that large of a space where they can add and use additional IPv6 addresses randomly will also be difficult. 

The RBLs that emerge will probably either mark whole 64s as bad, or come up with a less memory/storage intensive way of marking individual IPv6s as bad, and serving up the DNS RBL responses dynamically.
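Added example (not from the poster) of the storage trade-off jimb raises: how a DNS-based blocklist names an IPv6 address (all 32 nibbles reversed and dot-separated, as RFC 5782 specifies), and how one wildcard record can list a whole /64 instead of 2^64 individual entries. The zone name v6.rbl.example is hypothetical.

```python
"""IPv6 DNSBL query names and prefix listings per RFC 5782 (added example)."""
from ipaddress import IPv6Address, IPv6Network

ZONE = "v6.rbl.example"  # hypothetical DNSBL zone


def nibbles(addr):
    """All 32 hex nibbles of an IPv6 address, no separators."""
    return addr.exploded.replace(":", "")


def query_name(addr, zone=ZONE):
    """Lookup name for one address: nibbles reversed, one label each."""
    return ".".join(reversed(nibbles(IPv6Address(addr)))) + "." + zone


def listing_name(net, zone=ZONE):
    """Single wildcard record that lists every address in a prefix.
    Only prefixes ending on a nibble boundary can be expressed this way."""
    n = IPv6Network(net)
    if n.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    covered = nibbles(n.network_address)[: n.prefixlen // 4]
    return "*." + ".".join(reversed(covered)) + "." + zone


def matches(query, listing):
    """True if the wildcard listing covers the query (label-aligned suffix)."""
    return query.endswith(listing[1:])  # drop the leading '*'


if __name__ == "__main__":
    ban = listing_name("2001:250:3000:4004::/64")
    print(ban)
    for a in ("2001:250:3000:4004::1", "2001:250:3000:4005::1"):
        print(a, matches(query_name(a), ban))
```

A /64 listed this way costs one record however many IIDs the abuser rotates through; listing the four trapped addresses individually would have caught none of the others from that LAN.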

PatrickDickey

I stumbled on this today from  http://ipv6info.wordpress.com/2010/06/10/global-ipv6-address-format/

Under the current guidelines IANA assigns /12 prefixes to each of the five Regional Internet Registries (RIRs).  The five RIRs are the Asia-Pacific Network Information Centre (APNIC – 2400::/12), the African Network Information Center (AfriNIC – 2C00::/12), the American Registry for Internet Numbers (ARIN – 2600::/12), the Latin American and Caribbean Internet Addresses Registry (LACNIC – 2800::/12), and the Reseaux IP Europeens Network Coordination Centre (RIPE NCC – 2A00::/12).  All of these RIRs, with the exception of AfriNIC, have been assigned prefixes up to /23  but for the purpose of this document I have only identified the /12 assignments.

So, now I just have to create the access-lists to block anything from the 2400:, 2C00:, 2800:, and 2A00: /12's and I should be set...  Of course the question stands that the IPv6 Addresses you listed in the original post were 2001: ones, so would they be blocked using the /12's or not?

And after looking at the link you provided, I see I'm going to have to ban a lot more than just the /12's....  Time to start figuring access-lists... lol

Have a great day:)
Patrick.

(Edited because I forgot to add the IP address where I found that information...)
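Added example (not from the poster) working through the question above: a longest-prefix-match check of an address against the five RIR /12s quoted from ipv6info, and a small home-server ACL of the kind Patrick describes. 2001:250:3000:4004::/64 is not inside any of the /12s; it falls under 2001:200::/23, an earlier APNIC allocation listed in the IANA registry snarked linked, so a deny list built only from the /12s would not block it. The ACL contents and the "permit ARIN, deny everything else" policy are assumptions for illustration, and an RIR's block is a region, not a country, so ARIN space is not the same as US/Canada.

```python
"""Longest-prefix IPv6 ACL check against the quoted RIR blocks (added example)."""
from ipaddress import ip_address, ip_network

# The five /12s quoted in the thread (IANA -> RIR).
RIR12 = {
    "2400::/12": "APNIC", "2600::/12": "ARIN", "2800::/12": "LACNIC",
    "2A00::/12": "RIPE NCC", "2C00::/12": "AfriNIC",
}
# One pre-/12 allocation from the IANA unicast assignments registry linked above.
EARLY = {"2001:200::/23": "APNIC"}


def which_rir(addr, table):
    """Name of the longest matching block in table, or None if outside all."""
    ip = ip_address(addr)
    best = None
    for cidr, rir in table.items():
        net = ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rir)
    return best[1] if best else None


# Hypothetical home-server ACL: most specific matching entry wins.
ACL = [
    ("2001:db8::/32", "deny"),            # doc net, as in the first post
    ("2001:250:3000:4004::/64", "deny"),  # the /64 banned in the first post
    ("2600::/12", "permit"),              # ARIN region (not "US/Canada")
]
DEFAULT = "deny"


def evaluate(addr, acl=ACL, default=DEFAULT):
    """Longest-prefix match over acl; fall back to default when nothing matches."""
    ip = ip_address(addr)
    hits = [(ip_network(c), action) for c, action in acl if ip in ip_network(c)]
    if not hits:
        return default
    return max(hits, key=lambda h: h[0].prefixlen)[1]


if __name__ == "__main__":
    for a in ("2001:250:3000:4004::1", "2600:1::1", "2001:db8::1"):
        print(a, which_rir(a, RIR12), which_rir(a, {**RIR12, **EARLY}), evaluate(a))
```

Run against the /12 table alone, which_rir returns None for the cernet address; only with the early /23 added does it resolve to APNIC. The ACL still denies it, but only because the default is deny, which is the "ban a lot more than just the /12's" conclusion above.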

jimb

BTW, I came across a post today that reminded me of the IPv6 enabled DNS RBL which I vaguely recalled reading about before:  https://virbl.bit.nl/

It appears that at present, there's no IPv6 addresses in the RBL.

FWIW. 

-Jim

snarked