Mailing List Archive

IPv6 port scanning observed
Just to register that these things actually exist...

Got lucky and logged 15000 probes from a single IPv6 source address in a
couple of seconds.

Looks like it is targeted at two of the /64s I am using (could easily be
picked up from mail, web server logs etc). Not all of the /64s in use
were targetted, but those missing have probably never been used as
source addresses outside my network. But I may have missed a lot of
destinations as most of the prefix is null routed without any logging at

Anyway, the destination protocols/ports logged are 22/tcp, 25/tcp,
53/udp, 443/tcp and 9511/tcp, and one I must admit I'm quite clueless
about: protocol 128. This is listed as "sscopmce" by IANA, without that
helping me a lot. Anyone? I'm wondering whether this is merely a
scanning bug, or if there could be something interesting around
processing such packets?

The destination interface id's look like they've been chosen to maximise
the chance of hitting manually configured boxes (possibly with some
holes - I've not scripted this list):

:: to ::2ff
::1000 to ::10ac
::2000 to ::2111
::1:0 to ::1:1ff

Re: IPv6 port scanning observed [ In reply to ]

On Thu, Nov 18, 2010 at 10:29:06AM +0100, Bjørn Mork wrote:
> Just to register that these things actually exist...

Yep, I have also seen this one. Single IPv6 source, so far...

Gert Doering
-- NetMaster
did you enable IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279