Mathy VanhoefJan 15
The Shadowserver Foundation

Now sharing open IP tunnel hosts in a new daily Open IP-Tunnel report https://shadowserver.org/what-we-do/network-reporting/open-ip-tunnel-report/

These hosts accept tunnelling packets such as IPIP, GRE without authenticating the source IPv4 or IPv6 addr, which can be abused for DoS/other attacks

~436K GRE & ~66K IPIP vulnerable IPs found on 2025-01-14

Geo breakdown (GRE/GRE6):

https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-14&source=ip_tunnel&source=ip_tunnel6&tag=gre&tag=gre*&geo=all&data_set=count&scale=log

Geo breakdown (IPIP/IP6IP6):

https://dashboard.shadowserver.org/statistics/combined/tree/?day=2025-01-14&source=ip_tunnel&source=ip_tunnel6&tag=ip6ip6&tag=ipip&geo=all&data_set=count&scale=log

These vulnerabilities were discovered by Angelos Beitis and Mathy Vanhoef @vanhoefm at the DistriNet Reseach Unit at KU Leuven University in Belgium. Thank you for the collaboration!

You can find more details on the vulnerabilities at: https://github.com/vanhoefm/tunneltester

MEDIUM: Open IP-Tunnel Report | The Shadowserver Foundation

DESCRIPTION LAST UPDATED: 2025-01-28 DEFAULT SECURITY LEVEL: MEDIUM This report contains information about a vulnerability that allows new Denial-of-Service (DoS) vulnerabilities. This vulnerability originates from hosts that accept tunnelling packets such as IPIP, GRE, 6in4 and 4in6 without authenticating the source IPv4 or IPv6 address. Attackers can exploit these hosts as proxies to conceal their […]

Jan 15 at 1:36pmWeb
Show threadThe Shadowserver FoundationJan 29

Added 4in6 & 6in4 scans to our Open IP-Tunnel reporting (hosts that accepted unauthenticated packets from an arbitrary source, which can be abused for DoS/other attacks) https://shadowserver.org/what-we-do/network-reporting/open-ip-tunnel-report/

~150K 4in6 open tunnels found (most in Germany)
~1.07M 6in4 open tunnels found

4in6 open tunnel map (2025-01-28:
https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-28&source=ip_tunnel&source=ip_tunnel6&tag=4in6&geo=all&data_set=count&scale=log
6in4 open tunnel map (2025-01-28):
https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-28&source=ip_tunnel&source=ip_tunnel6&tag=6in4&geo=all&data_set=count&scale=log
4in6 open tunnel tracker:
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=ip_tunnel&source=ip_tunnel6&tag=4in6&dataset=unique_ips&style=stacked
6in4 open tunnel tracker:
https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&source=ip_tunnel&source=ip_tunnel6&tag=6in4&dataset=unique_ips&style=stacked

Background and more details:
https://github.com/vanhoefm/tunneltester

MEDIUM: Open IP-Tunnel Report | The Shadowserver Foundation

DESCRIPTION LAST UPDATED: 2025-01-28 DEFAULT SECURITY LEVEL: MEDIUM This report contains information about a vulnerability that allows new Denial-of-Service (DoS) vulnerabilities. This vulnerability originates from hosts that accept tunnelling packets such as IPIP, GRE, 6in4 and 4in6 without authenticating the source IPv4 or IPv6 address. Attackers can exploit these hosts as proxies to conceal their […]