Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

IPv6 and isc.sans.org

Published: 2010-01-12
Last Updated: 2010-01-12 17:10:33 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

I spent some time last week to analyze the IPv6 traffic isc.sans.org receives. To do so, I considered the last 90 days worth of logs. The full report can be found here.

A quick summary: IPv6 is still used by only 1.3% of hosts connecting to isc.sans.org. This is a considerable increase from about a year ago, which was about 0.5%. But the number of hits is still small. I am not able to proof this in every single case, but the overwhelming use of tunnels suggests that most if not all of these users would be able to reach isc.sans.org via IPv4. The connection speed via IPv4 would probably be faster. For myself, the latency to isc.sans.org via IPv6 is about double what it is via IPv4. Most of the overhead comes from the latency of my tunnel connection at home. The round-trip time from isc.sans.org to our tunnel broker is only 12ms.

One of the important lessons from this analysis: A large number of hosts connecting to us appears to use automatically configured tunnels like 6to4 or Teredo. These tunnels are sometimes not managed, resulting in hosts unintentionally exposed to IPv6. Many firewalls are not configured to limit IPv6 or associated tunneling protocols, or don't even have the ability to do so. These hosts may be "naked" when it comes to IPv6.

Highlights:

  • We had IPv6 connections from about 13 thousand hosts.
  • about 2,500 of these used 6to4 (2002::/16 addresses) and 550 used Teredo.
  • only a very small fraction (815) of the IPs had PTR records configured for reverse DNS resolution.

 Full report: http://isc.sans.org/presentations/ipv6q42009.pdf (PGP Signature)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6
2 comment(s)
Diary Archives