FYI
It would be a very fast dictionary attack
accede
bade
dad
decade
face
axed
babe
deaf
bed
Abe
bee
Decca
exec
fade
bead
bedded
deed
exceed
Abba
deface
efface
feed
exec ?
exceed ?
> exec ?
> exceed ?

Not a lot of x's in hexadecimal numbers outside of C-style formatting (0xnnnn).
IPv6 addresses are not generally notated in said style and certainly don't include said x in a suitable context for that to be part of a dictionary attack.
However, he also left out the common use of 7(t), 6/9(g), 1/7(I/L/T), 2(Z), 5(S), and 0(O).
c is also often substituted for k (as in face:b00c).
Owen
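
As an added example (not code from any poster in this thread), the hex-word list and digit-for-letter substitutions discussed above can be turned into an address-plan audit that flags assigned IPv6 addresses whose interface ID spells a dictionary word. The function names, the word list and the sample addresses are constructed for illustration.

```python
import ipaddress

# Letters each hex digit can stand for: itself (a-f) plus the substitutions
# named in the thread: 7(t), 6/9(g), 1/7(I/L/T), 2(Z), 5(S), 0(O), c for k.
READINGS = {h: {h} for h in "abcdef"}
READINGS["c"].add("k")
READINGS.update({"0": {"o"}, "1": {"i", "l", "t"}, "2": {"z"}, "5": {"s"},
                 "6": {"g"}, "7": {"t", "i", "l"}, "9": {"g"}})

def spells(word, hexrun):
    """True if hexrun (same length as word) can be read as word."""
    return len(word) == len(hexrun) and all(
        w in READINGS.get(h, ()) for w, h in zip(word, hexrun))

def wordy_iid(addr, words, min_len=4):
    """Return sorted words readable somewhere in the 64-bit interface ID."""
    iid = format(int(ipaddress.IPv6Address(addr)) & (2**64 - 1), "016x")
    hits = set()
    # Short words are skipped: they match random hex too often to be useful.
    for word in (w.lower() for w in words if len(w) >= min_len):
        for off in range(len(iid) - len(word) + 1):
            if spells(word, iid[off:off + len(word)]):
                hits.add(word)
    return sorted(hits)

def audit(addresses, words):
    """Map each address with a word-like interface ID to the words found."""
    return {a: h for a in addresses if (h := wordy_iid(a, words))}

# Constructed sample data (documentation prefix 2001:db8::/32).
WORDS = ["face", "book", "decade", "deface", "feed", "exceed", "dead", "beef"]
ADDRS = ["2001:db8::face:b00c", "2001:db8:1::dead:beef",
         "2001:db8:2:0:3a1f:94c7:2be0:57d3", "2001:db8:3::de:face"]

if __name__ == "__main__":
    for addr, hits in audit(ADDRS, WORDS).items():
        print(addr, "->", ", ".join(hits))
```

Addresses flagged by such an audit are the ones a word-based guess would reach first, so they are candidates for renumbering to randomized interface IDs.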
Also see https://www.cs.columbia.edu/~smb/papers/v6worms.pdf
(Worm propagation strategies in an IPv6 Internet. ;login:,
pages 70-76, February 2006.)
For certain definitions of "host scanning" it is possible to achieve
some level of that in IPv6.
But massively far less efficient and far more limited than the brute
force option that is available in IPv4.
The mathematical argument in the draft doesn't really work, because
it's too focused on there being "one specific site" that can be
scanned.
You can't just "pick a random 120 bit number" and have a good chance
of that random IP happening to be a live host address. You can't
just pick a random /64 and have a good chance of that random /64
happening to be part of a live site.
How useful more informed attacks are, remains to be seen. For worm
authors it will seem like a lot of sugar for a dime.
Malware propagation against open ports doesn't work so well if your
nodes can't effect wide scans efficiently. If you are so misguided
as to not have a firewall preventing access to vulnerable services.
The draft is unconvincing. The expected result is there will be very
little preference for scanning, and those that will be launching
attacks against networks will be utilizing simpler techniques that
are still highly effective and do not require scanning.
Such as the exploit of vulnerable HTTP clients who _navigate to the
attacker controlled web page_, walking directly into their hands,
instead of worms "searching for needles in haystacks".
Any worms searching for needles in haystacks are likely to be
utilizing a combination of search engines, common dictionary name
lookups, and DNS to discover IP addresses of potential target web
servers.
Hi, Jimmy,
> The mathematical argument in the draft doesn't really work, because
> it's too focused on there being "one specific site" that can be
> scanned.

Not sure what you mean. Clearly, in the IPv6 world you'd target specific
networks.
How could you know which networks to scan? -- Easy: the attacker is
targeting a specific organization, and you gather possible target
networks as this information leaks out all too often (e-mail headers, etc.).
> You can't just "pick a random 120 bit number" and have a good chance
> of that random IP happening to be a live host address.

That would be pretty much a "brute force" attack, and the argument in
this paper is that IPv6 host-scanning attacks will not be brute force
(as we know them).
> The draft is unconvincing. The expected result is there will be very
> little preference for scanning, and those that will be launching
> attacks against networks will be utilizing simpler techniques that
> are still highly effective and do not require scanning.

Not sure what you mean. Could you please clarify?
> Such as the exploit of vulnerable HTTP clients who _navigate to the
> attacker controlled web page_, walking directly into their hands,
> instead of worms "searching for needles in haystacks".

Well, this is part of alternative scanning techniques, which so far are
not the subject of this draft.
Thanks,
Sorry. I did a quick filter of the OpenOffice dictionary file. Seems
that I made an ugly mistake :-/
P.S.:
I have made a [0-9] to [aeioutnshrdlcmwf] converter.
http://jsbin.com/ibepup/
This converts a decimal number into a "hexadecimal" number not using
the [0-9A-F] table, but the [aeioutnshrdlcmwf] table. The
aeioutnshrdlcmwf table may allow a big number of numbers to have an
existing word or expression.
P.P.S.:
Using this converter, 123442553445523 is the word NaouuScuch.