how to keep your server safe from internet bots: use only IPv6
@duponin still not safe from bots.

proto TCP (SYN), [2400:6180:0:d0::1044:6001]:38071->[xxx]:22, len 24
proto TCP (SYN), [2400:6180:0:d0::1044:6001]:44115->[xxx1]:22, len 24
proto TCP (SYN), [2400:6180:0:d0::1044:6001]:45925->[xxx2]:22, len 24
proto TCP (SYN), [2a01:7e00::f03c:93ff:feb0:193a]:35162->[router]:8291, len 32

An interesting pattern that I found: these bots try the last 2 hops, which are addresses that don't have an AAAA record, but most tries are for addresses with AAAA records.

Shadowserver is another one that keeps scanning, besides a German uni and Chinese botnets.
@null31 interesting
(don't fully understand it)

at least I'm safe against most bots that try connecting to my SSH server
@duponin if you want a more detailed explanation, I can do later.

Currently I drop connections to certain ports at the border router using the raw table and only allow them from an address list.

Do you use pubkey auth only?
@null31 yes please  

not yet pubkey only, but would be on restricted network later
@duponin
origin_net 2001:db8:9::/64
server_net 404:200:386::/56

opn.haj.net AAAA 404:200:386:d::301
pl.haj.net AAAA 404:200:386:f:1:2:3:c
s3.haj.net AAAA 404:200:386:d::450

hop hop_address
1. 2001:db8:9::1 [router (CPE)]
2. 2001:db8:79::f4 [ISP]
[...] [IP transit, many ASes]
9. 404:100:1::1 [ISP]
10. 404:100:386::200 [router (CPE)]
11. 404:100:386:d::301 [bare metal/vm/container]
12. 404:100:386:f:1:2:3:c [vm/container]
Let's say that you know that a service with the name "pl.haj.net" exists and you want to scan it, but that isn't enough and you want more hosts from that network.
By common knowledge, you know it's 99% certain that the network is at least a /64, so you can start to do a "lateral scan" and try common addresses based on the prefix of "pl.haj.net", or random addresses. Common addresses e.g. ::1 ~ ::f, ::cafe, ::deef, ::dead, ::1337.

Also, since this is e2e communication, you know that the previous hops are routers, L3 switches or some kind of device that can do IPv6 forwarding (hops 10 and 11), so it's worth trying to scan them too, since you already have their addresses from a traceroute.
Now you have a hint that the network is possibly at least a /60 prefix, so you can now try a new lateral scan at 404:100:386:0::/60 using ::1 and ::2 as the suffix to guess new or the same hosts. Then you have (16^1)*2 possibilities for a /60 and (16^2)*2 for a /56 where the suffix is ::1 or ::2.
Still many addresses to try, but they have a nice probability of guessing right instead of random addresses.

Another method is to search for prefixes that have at least one AAAA record (not PTR), like this: https://bgp.he.net/net/2001:67c:1be8::/48#_dns
You have many AAAA records with the same address within a /48, and now you know more domains whose links you can follow to try to find new DNS records for that domain.

That's why you should apply firewall rules at your border router, accept only certain destination ports/protocols and allow access to management services from an address list.
About ICMPv6¹, you should allow only type 1 and type 2 code 0 [Packet too big] from WAN so as not to break PMTUD. Or, more simply, drop packets with ICMPv6 type 3 that go to WAN (output and forward); this helps to hide middle hops and will show only the last one.

¹ https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml

#ipv6 #icmpv6 #mtr #traceroute #tracepath
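As an added example that is not part of the thread (and not the poster's RouterOS config), here is an nftables ruleset for a Linux border router that implements the advice above: early drop of management probes in the raw table, management reachable only from an address list, ICMPv6 type 1 and type 2 accepted inbound so PMTUD keeps working, and type 3 (Time Exceeded) dropped toward the WAN in both output and forward. The interface name, the ports and the allowed prefix are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: IPv6 border-router ruleset following the
# post's advice. Interface name, ports and the management list are assumptions;
# 2001:db8:9::/64 is the origin_net from the post (a documentation prefix).
define wan = "eth0"
define mgmt_ports = { 22, 8291 }        # SSH and the port 8291 seen in the log lines
define public_ports = { 80, 443 }       # services deliberately exposed (assumption)

table ip6 border {
    set mgmt_src {                      # the "address list" allowed to reach management
        type ipv6_addr
        flags interval
        elements = { 2001:db8:9::/64 }
    }
    chain raw_in {                      # raw hook: drop management probes before conntrack
        type filter hook prerouting priority raw; policy accept;
        iifname $wan tcp dport $mgmt_ports ip6 saddr != @mgmt_src log prefix "mgmt-probe " drop
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname != $wan accept          # trusted inside interfaces (assumption)
        # neighbour discovery and router advertisements must keep working on the link
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # keep PMTUD working: Destination Unreachable (type 1) and Packet Too Big
        # (type 2; code 0 is its only defined code, so matching the type is enough)
        icmpv6 type { destination-unreachable, packet-too-big } accept
        tcp dport $mgmt_ports ip6 saddr @mgmt_src accept
        tcp dport $public_ports accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # inner hosts and routers must not answer traceroute toward the Internet
        oifname $wan icmpv6 type time-exceeded drop
        iifname != $wan accept
        icmpv6 type { destination-unreachable, packet-too-big } accept
        tcp dport $public_ports accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        # hide this router as a traceroute hop: no Time Exceeded (type 3) toward WAN
        oifname $wan icmpv6 type time-exceeded drop
    }
}
```

`nft -c -f border.nft` parses the file without loading it; the "mgmt-probe" log prefix gives you lines comparable to the ones quoted earlier in the thread for counting who is knocking on port 22 and 8291.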