Hi,
Currently I see day-long IPv6 scans from networks of Akamai (2a02:26f0:f3::/48), Google (2a00:1450:4000::/37), Apple (2a01:110::/31), Microsoft (2a01:b740::/29), Swisscom (2001:918::/32) and Init7 (2001:1620::/32) to my network @HOME. They all try to enumerate hosts and ports in 2a02:168:4e82:0:*, which do not and never have existed.
The net is a fiber7 port.
Anybody have an idea what is going on here? On request I can provide more information, such as pcaps.
The scans are sourced from all over the networks mentioned above.
While I have no scruples about blocking Apple, Microsoft, Akamai or other badly behaving networks, I do not want to block Swisscom or Init7 if not needed.
Needless to say that I do not have any public service behind my fiber7 port.
Regards, Klaus
Hey Klaus,
I am surprised you are surprised.
Why would one *not* want to scan your particular home network?
IPv6 is on the rise, and scanning networks / IPs is a standard thing in the IPv4 world. So it would surprise me if people did not want to at least try to find devices in IPv6-based networks.
Best,
Nico
Klaus Ethgen Klaus+swinog@Ethgen.de writes:
-- Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
except scanning a /64 takes an eternity....
On 1 Dec 2019, at 19:05, Nico Schottelius nico.schottelius@ungleich.ch wrote:
Hi Nico,
how are things?
On Sun, 1 Dec 2019 at 19:05, Nico Schottelius wrote:
I am surprised you are surprised.
Well, these scans are still a mystery to me. All the more so because a small part of it is UDP and a larger part consists of TCP reflections. All with SYN+ACK. Both the UDP and the TCP packets come from port 443 (whoever came up with the idea that 443/UDP is something special).
The whole thing makes no sense to me. The TCP SYN/ACK packets are not large enough to carry out any reflection DDoS attack with any prospect of success. At most they could be sent as fake SYN/ACKs, which in turn would confirm the scan theory. But how come there are so many zombie hosts in these network ranges (apart from Microsoft, where that is to be expected)?
Why would one *not* want to scan your particular home network?
The other way round: why IPv6 and not IPv4, which would have a much greater prospect of success? And with IPv6 one should at least have an idea of which part of the /48 range is worth scanning.
Regards, Klaus
Hello Klaus
Are there any hosts from the 2001:918:ffff::/48 range among them? If so, I would appreciate a list (PM) so I can look into it.
Best regards, Martin
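As an added example (not code from anyone in this thread), a small Python classifier over constructed packet records that separates the packet types Klaus describes: inbound SYNs (probes), SYN+ACKs that match a SYN the home network actually sent (normal replies), and unsolicited SYN+ACKs or unsolicited 443/UDP, which is the backscatter pattern seen when a third party floods a server with packets that spoof the victim prefix as source. It then filters sources by prefix, as Martin asks for. The home prefix, addresses and records are assumptions built for the example.

```python
import ipaddress

# Assumed home prefix (from the thread); the scanned /64 is 2a02:168:4e82:0::/64 inside it.
HOME = ipaddress.ip_network("2a02:168:4e82::/48")

# Constructed sample records, not real captures:
# (direction, src, sport, dst, dport, proto, tcp_flags)
RECORDS = [
    ("out", "2a02:168:4e82::10", 51000, "2a00:1450:4001::1", 443, "tcp", "S"),
    ("in",  "2a00:1450:4001::1", 443, "2a02:168:4e82::10", 51000, "tcp", "SA"),  # reply to our SYN
    ("in",  "2001:918:ffff::5", 443, "2a02:168:4e82::beef", 40000, "tcp", "SA"),  # nobody asked
    ("in",  "2a01:b740::7", 443, "2a02:168:4e82::1", 39000, "udp", ""),            # 443/UDP (QUIC)
    ("in",  "2001:1620::9", 55555, "2a02:168:4e82::2", 22, "tcp", "S"),            # inbound SYN
]


def classify(records, home):
    """Label each inbound record for the home prefix: probe, reply, backscatter or other."""
    sent_syn = set()  # (local, lport, remote, rport) for every SYN the home network sent
    results = []
    for direction, src, sport, dst, dport, proto, flags in records:
        if direction == "out" and proto == "tcp" and flags == "S":
            sent_syn.add((src, sport, dst, dport))
            continue
        if direction != "in" or ipaddress.ip_address(dst) not in home:
            continue
        if proto == "tcp" and flags == "S":
            verdict = "probe"  # inbound SYN: host/port enumeration
        elif proto == "tcp" and flags == "SA":
            # SYN+ACK answering a SYN we sent is normal; any other SYN+ACK is
            # backscatter from a spoofed-source flood aimed at the sender.
            verdict = "reply" if (dst, dport, src, sport) in sent_syn else "backscatter"
        elif proto == "udp" and sport == 443:
            verdict = "backscatter-udp"  # QUIC/HTTP3 servers answer from 443/UDP
        else:
            verdict = "other"
        results.append((verdict, src, sport, dst, dport))
    return results


def sources_in(results, prefix, verdict=None):
    """Distinct source addresses inside `prefix`, optionally only for one verdict."""
    net = ipaddress.ip_network(prefix)
    return sorted({src for v, src, *_ in results
                   if ipaddress.ip_address(src) in net and (verdict is None or v == verdict)})


if __name__ == "__main__":
    for row in classify(RECORDS, HOME):
        print(*row)
```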