Re: Interesting paper by Steve Bellovin - Worm propagation in a v6 internet

Tue, 14 Feb 2006 18:14:04 -0800 


> On Wed, 15 Feb 2006, Mark Andrews wrote:
> 
> >     One of method missing is doing top down random walks of ip6.arpa.
> 
> That's only easy if delegation were on a per-nybble basis, which is commonly
> not the case.  Because there are not typically NS's at every nybble level,
> you have to do more than one hex digit's worth of randomness in the scan in
> order to find a next-level delegation, increasing the cost of scanning that
> namespace quite a bit.
> 
> (Having delegations at every nybble level would be ... alarming at best,
> given the amount of PTR redirection that implies.  :)
> 
> -- 
> -- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

        I suggest that you re-read RFC 1034 and RFC 1035.  A empty
        node returns NOERROR.  A non-existant node returns NXDOMAIN
        (Name Error).

e.a.e.e.f.9.e.f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa PTR 
drugs.dv.isc.org

        causes all of the following to exist.

        a.e.e.f.9.e.f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        e.e.f.9.e.f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        e.f.9.e.f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        f.9.e.f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        9.e.f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        e.f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        f.f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        f.f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        f.4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        4.7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        7.8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        8.0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        0.2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        2.0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        0.0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        0.2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        2.8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        8.0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        0.0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        0.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
        f.1.0.7.4.0.1.0.0.2.ip6.arpa
        1.0.7.4.0.1.0.0.2.ip6.arpa
        0.7.4.0.1.0.0.2.ip6.arpa
        7.4.0.1.0.0.2.ip6.arpa
        4.0.1.0.0.2.ip6.arpa
        0.1.0.0.2.ip6.arpa
        1.0.0.2.ip6.arpa
        0.0.2.ip6.arpa
        0.2.ip6.arpa
        2.ip6.arpa
        ip6.arpa
        arpa
        .

        A query for any of them regardless of type should return something
        other than NXDOMAIN.

        Also wildcards won't save you as it is possible to detect them.

        Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]

Reply via email to