Comment by Dagger2

4 days ago

v4 networks commonly only get one IP for the whole network, and people use NAT with port forwarding to make inbound connections work. With this setup, an attacker only needs to scan the 65536 ports on the router to exhaustively enumerate every single publicly accessible server on your entire network, which is about 3 megabytes of traffic and takes approximately no seconds.

On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger.

If you want attackers to not know what's behind your router, you want v6.

> to exhaustively enumerate every single publicly accessible server on your entire network

Enterprise thinking. It's not the publicly accessible servers I worry about, it's the other boxes that shouldn't be publicly accessible...

  • That's what I meant. On v4, it's trivial to find every server that can be reached from the Internet, whether it was intentional or not. It's not so trivial on v6.

    • Note that v6 is easier to scan than some people assume. You don't have to scan all 2^128 addresses - you can look at provider address blocks in the registry, and make an assumption (or try it and see) what size block that provider assigns to each server, and then guess the server is ::1 or ::2 in each block. This isn't an exhaustive scan, but you'll find a lot of services this way anyway.

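To put numbers on the search-space argument in this thread (the NAT'd v4 address, the exhaustive /64, and the pruned "guess ::1 and ::2 per customer block" heuristic from the last comment), here is an added calculator; it is not code from any commenter. The 60-byte probe size and the "provider /32 split into /48s" layout are assumptions used only to reproduce the rough figures quoted above.

```python
# Added example: scan-effort estimates for the addressing scenarios in this thread.
# The per-probe size and the provider block layout are assumptions, not from the thread.
PORTS = 65536
PROBE_BYTES = 60  # assumed bytes on the wire for one TCP SYN probe (v6 header + TCP)


def probes(hosts: int, ports: int = PORTS) -> int:
    """Number of (address, port) pairs an exhaustive scan has to try."""
    return hosts * ports


def traffic_bytes(hosts: int, ports: int = PORTS, probe_bytes: int = PROBE_BYTES) -> int:
    """Bytes an attacker must send to cover every (address, port) pair once."""
    return probes(hosts, ports) * probe_bytes


def human(n: int) -> str:
    """Decimal units, matching the thread's 'megabytes' and 'petabytes'."""
    units = ["B", "kB", "MB", "GB", "TB", "PB"]
    f = float(n)
    for unit in units[:-1]:
        if f < 1000:
            return f"{f:.1f} {unit}"
        f /= 1000
    return f"{f:,.0f} PB"


SCENARIOS = {
    # v4 behind NAT: one public address, every forwarded service sits behind it.
    "v4 NAT, one public address": 1,
    # v6 /64 with nothing known about how hosts are numbered.
    "v6 /64, exhaustive": 2 ** 64,
    # Pruning heuristic from the last comment: assume (constructed) a provider /32
    # delegates /48s (2^16 of them) and guess ::1 and ::2 in each one.
    "v6 provider /32, ::1 and ::2 per /48": (2 ** 16) * 2,
}


def summarize() -> dict:
    """Map each scenario to (probe count, human-readable traffic volume)."""
    return {name: (probes(h), human(traffic_bytes(h))) for name, h in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (count, volume) in summarize().items():
        print(f"{name:40s} {count:>30,d} probes  {volume}")
```

The exhaustive /64 row lands at roughly 72 billion PB, the figure quoted above, while the pruned heuristic drops to a few hundred GB, which is the commenter's point about predictable host numbering.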