Malware not scanning IPv6 space

Dark traffic experiment results show next-generation IP safer than today's.

The chief scientist of a group responsible for providing a stable online infrastructure in Australia says the evolution in the internet's lingua franca is safer from web nasties than that in use today.

Geoff Huston presented research results last week into "dark traffic" in IPv6, the next iteration of internet protocol, the chief scientist for the Asia Pacific Network Information Centre concluding there was no evidence virus scanners probed its empty-address blocks.

Dark traffic was "spam, e-mail denial-of-service attacks, malformed SMTP [e-mail protocol] packets and other requests and communications unrelated to the delivery of valid email messages", according to Net Security magazine.

Huston's research was published on his blog before being shown at the AusNOG conference in Sydney last week.

He estimated there were at least 5.5 Gbps and "possible more of traffic looking around for open ports, particularly port 445" used for file and printer sharing on today's dominant IPv4 networks.

Malicious hackers were "having a field day scanning for port 445, then easily and remotely commandeering Windows machines", according to Gibson Research.

"The IPv4 internet is now heavily polluted with various scanners and probes that attempt to detect the presence of vulnerable systems," Huston wrote in his blog.

"This traffic is dark traffic in that it exists irrespective of whether it solicits a response from a remote system or not."

Huston told delegates last week: "If you get really unlucky you actually get in excess of a megabit of traffic on a [slash]-24 that you never asked for. And if you're lucky enough to own 1.1.1.0/24 you're going to get 100 megabits of traffic every second, just continuous s--t."

The slash referred to the number of internet protocol addresses in a block assigned to a regional internet registry such as APNIC and the number of bits in the network, respectively.

Huston and other researchers used a "black hole" to conduct experiments in late June.

"Traffic can enter the experimental setup, but the setup generates no packets in response. All received packets are recorded," Huston explained in his blog.

The research found almost no dark traffic in IPv6.

"There is less than one packet per second of truly moronic-ly dark traffic, traffic going to nowhere," Huston said.

"In actual fact the true dark traffic is one packet every 36 seconds for an entire /12. There is almost no traffic at all.

"As far as I can see what happens in IPv4 - which is pretty toxic, quite frankly port 445 is just a huge amount of traffic - doesn't happen in IPv6 at all.

"There's no visible evidence right now of virus scanning in IPv6. The current tools and techniques used to infect folk in IPv4 is not being translated into v6 and actually cant be translated in that way."

That did not mean IPv6 was "all sunlight, flowers and waltzes through the meadows", he said.

Malicious users will "have to reverse scan the [domain name system] or something else to try and find out where you are and infect you", Huston said.