Question

1. If an attacker sends a large number of probe packets via IPv4, you can block them by blocking the attacker’s IP address. Now suppose the attacker uses IPv6 to launch the probes; for each probe, the attacker changes the low-order 64 bits of the address. Can these probes be blocked efficiently? If so, what do you have to block? Might you also be blocking other users? 2. Suppose someone tried to implement ping6 so that, if the address was a link-local address and no interface was specified, the ICMPv6 Echo Request was sent out all non-loopback interfaces. Could the end result be different than conventional ping6 with the correct interface supplied? If so, how likely is this?

Answer 1

Below image illustrates the format of IPV6 Global Unicast Address:

The Global Unicast Address is provided by the large ISP, the subnet id is created to segment the organizational network into different subnets, the Interface Id is assigned to find out the network interface in a current subnet. There are some options available that can be used to identify the Interface ID such as using a wordy or temporary address etc. Such options enables the lack of use of search space thus causing the IPv6 host attacks easily.

The probes can be blocked by the use of network based Intrusion Prevention System(IPS) designed to take action against host scanning activity especially if the target addresses are unreal. Other steps include the use of DHCPv6 based and manually configured systems for configuring non-existing addresses.

Ping Sweep which is a traditional technique used for address scanning when apply to IPv6 network. When unknown address or host is identified then the host is not allowed to access the information further through the protocol. The technique is used to send ICMPv6 echo request and then it collects the reply. In the above case, ping will help to identify the unknown address and thus do not allow transmission further.