Hyper-weaponization of an IPv6-based Internet
George Langford

The quantity of address space under Internet Protocol Version 4 (IPv4) is "only" 256^4 discrete addresses in the four-octet notation, but IPv6 is unimaginably bigger at 256^16 in its eight-hextet notation. Sadly, the various international assigned-numbers authorities such as IANA (Internet Assigned Numbers Authority) or ARIN (American Registry for Internet Numbers) do not care what is actually stored on the numbered servers. Domain names stored at the various addresses are registered with companies such as Network Solutions, and Internet Service Providers (such as my own InMotion Hosting, Inc.) do care whether the authors of the material stored under their domains behave themselves, lest the reputation of the service provider be sullied by reports of malware, ransomware, spam, harassment, etc. Bear in mind that every packet of digital data transmitted over the Internet is identified by the IPv4 or IPv6 address of its sender and verified by a count of the number of bits in the packet, i.e., its checksum. An Internet Service Provider or the receiving server can accept or block each packet, based on the reputation of the sender of the packet. Internet service providers carefully protect their reputations and the safety of their clients.

Lately, the IPv4 address space is running out of its limited supply of four-octet addresses, partly as the result of hoarding of address space by nation-states, large companies and other actors who anonymize many servers by assigning them identical names. The exponentially larger number of addresses in IPv6 allows the practice of hoarding address space to be disproportionately increased, as documented below for the IPv6 addresses found in my analysis dated January, 2020, based on published Current Visitor data gathered by the Webalizer statistics service.

The practice of assigning the same hostname (a.k.a. Pointer, or PTR) to all its IPv6 addresses is at its most extreme in the example of dynamic.wline.6rd.res.cust.swisscom.ch below; I have documented over seventy-five million IPv6 addresses for this hostname. The WhoIs record for these addresses states, "This range is used for dynamic customer pools..." meaning that the Service Provider's nameserver replies with the same name to every request for domain name service (DNS) applied to an IPv6 address, i.e., dynamic.wline.6rd.res.cust.swisscom.ch.

The WhoIs response for the IPv6 address space within which the addresses of this hostname are applied is 2a02:1200::/28, meaning that there are 2^100 possible addresses to which the hostname, dynamic.wline.6rd.res.cust.swisscom.ch, can be attached. There are a million /48 address spaces in the /28 address space, each /48 address space has 65,536 /64 subnets, with each one of those encompassing 18,446,744,073,709,551,616 addresses. No one can check every one of those, but we can use a random sampling to demonstrate what's going on.

The /28 address space has eight /32 address spaces. Magic Banana on the trisquel.info discussion forum wrote the randomization command:
prefix=2a02:1200; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
prefix=2a02:1201; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
prefix=2a02:1202; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
prefix=2a02:1203; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
prefix=2a02:1204; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
prefix=2a02:1205; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
prefix=2a02:1206; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
prefix=2a02:1207; od -A n -N12288 -xw12 /dev/urandom | tr ' ' : | sed s/^/$prefix/ >> RandomAddresses.2a02:1200-to-2a02:1207.txt ;
...giving 8,192 addresses, followed by the final command:
sudo nmap -6 -Pn -sn -T4 --max-retries 8 -iL RandomAddresses.2a02:1200-to-2a02:1207.txt -oG - | grep "Host:" '-' | awk '{print $2,$3}' '-' | sed 's/()/(No_DNS)/g' | tr -d '()' | uniq -c | awk '{print $3"\t"$2}' '-' | sort -k 1 > RandomAddresses.2a02:1200-to-2a02:1207.nMapoG.txt
...this last command is all on one line.
The above calculation takes about a minute and produces a list of 8,190 IPv6 addresses for the hostname dynamic.wline.6rd.res.cust.swisscom.ch and only two No-DNS results out of 8,192 address inquiries. Those with Windows-based operating systems can try nslookup or dig -x on any of those 8,190 addresses, with the same resulting hostname. The above eight randomization commands can be repeated over & over without repeating any addresses, and the nmap command in the last step above will overwhelmingly return very nearly the same answers.

There are two hundred more examples of multi-addressed hostnames below that were found associated with the Current Visitors data. Essentially none of these hostnames can be resolved; even the last in the list, ppp2a02085fff06.access.hol.gr, returns a generic address with nslookup and nothing at all with dig.

The numbers to the right of each hostname (with the exception of the first, dynamic.wline.6rd.res.cust.swisscom.ch) are linked to text files containing the stated number of IPv6 addresses found for the hostname. The ones in the millions will take several minutes to download to your browser. If you wish to prevent one of these names from accessing your system, you will have to perform something like my analysis of dynamic.wline.6rd.res.cust.swisscom.ch so that you can find the actual range of the addresses of the chosen hostname to be blocked. These numbers are by no means all-encompassing.

A simpler method than the use of wide-ranging block lists should be for server software to perform double lookups on each received packet: first, perform a hostname lookup; and second, perform a reverse of that lookup. If the results do not match, reject the packet. Who knows what is hidden in these incalculable numbers of addresses?

There's an intermediate state of some hostnames that have all been written to be different by having their actual addresses incorporated into the name. See the Ipv6-hyphenated inf6.spectrum.com, with names like these, selected in consecutive order in the list of 1,278,459 addresses, but belonging to different /48 address blocks:

2603-9000-000e-e1cd-6da8-618c-2bb1-e471.inf6.spectrum.com 2603:9000:e:e1cd:6da8:618c:2bb1:e471
2603-9000-000f-48e4-d517-b7b2-37bd-1cbb.inf6.spectrum.com 2603:9000:f:48e4:d517:b7b2:37bd:1cbb
2603-9000-0010-46ed-02ce-3edd-68cf-0f6f.inf6.spectrum.com 2603:9000:10:46ed:2ce:3edd:68cf:f6f

None of the three hostnames is resolvable, and only the third IPv6 address returns the original hostname. Sometimes, the IPv6-derived hostname can be deciphered by replacing the dashes with colons appropriately, but if the hextets have been shuffled one for another, be warned that there are eight-factorial (40,320) permutations of the eight hextets.

Another less populous hostname is the IPv6-collapsed dip.versatel-1u1.de, with "only" 71 addresses; again, here are three examples as above:

200116b82c94ba6fc73771768e2b887f.dip.versatel-1u1.de 2001:16b8:2c94:ba6f:c737:7176:8e2b:887f
200116b82cb9c7477374247489d07318.dip.versatel-1u1.de 2001:16b8:2cb9:c747:7374:2474:89d0:7318
200116b84076f180073778760ecadd1a.dip.versatel-1u1.de 2001:16b8:4076:f180:737:7876:eca:dd1a

As above, none of the three hostnames resolves with dig, but all of the IPv6 addresses do resolve to their original hostnames with dig -x.
None of the hostname-address pairs of these two semi-obfuscated hostnames would pass the double-lookup test.
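
One way to implement the double-lookup test described above and to decode the hyphenated and collapsed hostnames back into addresses, as an added Python example that is not the author's code. The function names and the "match" / "mismatch" / "no-ptr" verdicts are assumptions; the two sample pairs are copied from this page, and the offline resolvers in the demo are constructed.

```python
import ipaddress
import re
import socket

# (PTR name, address) pairs copied from the two examples on this page.
PAGE_SAMPLES = [
    ("2603-9000-0010-46ed-02ce-3edd-68cf-0f6f.inf6.spectrum.com",
     "2603:9000:10:46ed:2ce:3edd:68cf:f6f"),
    ("200116b84076f180073778760ecadd1a.dip.versatel-1u1.de",
     "2001:16b8:4076:f180:737:7876:eca:dd1a"),
]

def embedded_address(hostname):
    """Return the IPv6 address spelled out in the first label, or None."""
    label = hostname.split(".", 1)[0].lower()
    if re.fullmatch(r"[0-9a-f]{32}", label):  # "collapsed": 32 hex digits
        groups = [label[i:i + 4] for i in range(0, 32, 4)]
    elif re.fullmatch(r"[0-9a-f]{1,4}(-[0-9a-f]{1,4}){7}", label):  # "hyphenated"
        groups = label.split("-")
    else:
        return None
    return ipaddress.IPv6Address(":".join(groups))

def system_reverse(address):
    """PTR lookup through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(str(address))[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(hostname):
    """AAAA lookup through the system resolver; empty set if the name fails."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET6)
    except socket.gaierror:
        return set()
    return {ipaddress.IPv6Address(i[4][0].split("%")[0]) for i in infos}

def double_lookup(address, reverse=system_reverse, forward=system_forward):
    """Address -> PTR name -> AAAA set; the address must be in that set."""
    addr = ipaddress.IPv6Address(address)
    name = reverse(addr)
    if name is None:
        return "no-ptr"
    return "match" if addr in forward(name) else "mismatch"

if __name__ == "__main__":
    # Constructed offline resolvers: PTR answers exist, AAAA answers do not,
    # which is the behaviour the page reports for these hostnames.
    ptr = {ipaddress.IPv6Address(a): h for h, a in PAGE_SAMPLES}
    for host, addr in PAGE_SAMPLES:
        verdict = double_lookup(addr, ptr.get, lambda name: set())
        print(addr, verdict, embedded_address(host) == ipaddress.IPv6Address(addr))
```

Called with only an address, double_lookup uses the system resolver; passing reverse and forward callables lets the same check run against recorded DNS answers.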

The colored backgrounds of the Country-of-Origin columns indicate pointers (PTR’s, hostnames) served from the same CIDR block, usually /32. Some colored CIDR blocks have all the same Country Code; others are scattered over multiple countries. The former might be considered nation-state actors; the latter suggest international actors. The most prolific actors are those on the HE.net tunnel-broker (2001:470::/32) block, which encompass nearly half of the 201 hostnames in the IPv6 Internet-address category listed on this page. Several other groups of hostnames exist here, and they encompass nearly all the 201 multi-address names in this list, suggesting that concerted activities are the rule in the IPv6 address space. The WhoIs data for each hostname’s IPv6 address(es) are in the linked text files, most of which have a /48 address block for the particular IPv6 address submitted to WhoIs. A randomized search of each linked /48 address space will probably reveal nearly 100% the same PTR name for each such address, indicating that the responsible actor commands nearly uncountable different IPv6 addresses for the reported hostname.

“How do they do that?” one might ask. IPv6 addresses of hostnames are assigned dynamically, as explained in this link, so it should be no surprise that most of the hostnames listed here all have different addresses no matter how many times their IPv6 /48 server is queried. For the recipient, the underlying IPv6 address(es) for these hostnames are inaccessible and unblockable.











Hostname | IPv6 addresses found | Country of origin
dynamic.wline.6rd.res.cust.swisscom.ch | 74888600 | Switzerland
m-ipv6.cust.tele2.se | 7671986 | Sweden
f.1.2.1.2.0.a.2.static.wline.lns.sme.cust.swisscom.ch | 6790431 | Switzerland
e.1.2.1.2.0.a.2.static.wline.lns.sme.cust.swisscom.ch | 5948801 | Switzerland
undefined.hostname.localhost | 5471889 | 92.7% FR, 7.3% IN
host.dynamic.voo.be | 4256277 | Belgium
dyn.ipv6.net-htp.de | 2468085 | Germany
[Ipv6-hyphenated]inf6.spectrum.com | 1278459 | United States
mobile.tre.se | 1234108 | Sweden
default-rdns.vocus.co.nz | 898022 | New Zealand
ns1648.ztomy.com | 796236 | France
lns04.v6.018.net.il | 785184 | Israel
cernet2.net | 776702 | China
cernet.edu.cn | 752951 | China
mobile.3.dk | 752753 | Denmark
v6.nsfcnet.net | 704774 | China
lns01.v6.018.net.il | 683535 | Israel
cable-lns04.v6.018.net.il | 477938 | Israel
ppp2a02085f0000.access.hol.gr | 399849 | Greece
vpn6.corp.online.net | 399711 | France
lille.lamaison.scw.com | 399708 | France
paris.lamaison.scw.com | 399018 | France
go-ipv6.alo.is | 399007 | France
fr.zhiyuan.in | 398976 | India
flightplandatabase.com | 398724 | France
sd-30619.dedibox.demongeot.biz | 398481 | France
tap.fgl.space | 397074 | France
lns03.v6.018.net.il | 393637 | Israel
unassigned-ip6.rev.lelux.fi | 390002 | Finland
srv01.bambooboom.de | 388441 | Germany
does-not-exist.fangeaud.fr | 374060 | France
ns1327.ztomy.com | 249140 | France
ppp2a02085f0100.access.hol.gr | 246092 | Greece
lns02.v6.018.net.il | 238859 | Israel
v6.cernet.net | 220460 | China
2405-9800-bc10.44.pool1.sila1-bcr02.myaisfibre.com | 205142 | Thailand
unused.darkness-reigns.net | 183506 | Netherlands; RO; FR
ns11070.ztomy.com | 147012 | France
2405-9800-ba00.44.pool1.tls1b-bcr01.myaisfibre.com | 137611 | Thailand
2405-9800-b900.44.pool1.cmbp-mser01.myaisfibre.com | 137498 | Thailand
2405-9800-bc00.44.pool1.sila1-bcr01.myaisfibre.com | 137000 | Thailand
free-0-ipv6.mijndns.net | 130611 | Belgium
some-customer.ipv6.systel.pl | 69973 | Poland
2405-9800-b970.44.pool1.mscs-mser02.myaisfibre.com | 68864 | Thailand
2405-9800-ba10.44.pool1.tls1b-bcr02.myaisfibre.com | 68810 | Thailand
2405-9800-ba20.44.pool1.knkon-mser01.myaisfibre.com | 68722 | Thailand
2405-9800-b910.44.pool1.cmbp-mser02.myaisfibre.com | 68649 | Thailand
2405-9800-b520.44.pool1.nky2-mser01.myaisfibre.com | 68628 | Thailand
2405-9800-bc30.44.pool1.rone-mser02.myaisfibre.com | 68537 | Thailand
2405-9800-b960.44.pool1.mscs-mser01.myaisfibre.com | 68526 | Thailand
2405-9800-bc20.44.pool1.rone-mser01.myaisfibre.com | 68460 | Thailand
2405-9800-b550.44.pool1.pyof-mser02.myaisfibre.com | 68443 | Thailand
2405-9800-b920.44.pool1.asay-mser01.myaisfibre.com | 68419 | Thailand
2405-9800-b530.44.pool1.nky2-mser02.myaisfibre.com | 68338 | Thailand
six.ter.net | 65464 | Netherlands
www.qskills.de | 65407 | Germany
rfc4941.forfun.net | 65393 | Netherlands
v6-pool-nl.sebastian-graf.at | 65284 | Austria
ipv6.base-net.ru | 65215 | Russia
no-reverse-defined.london.edu | 65173 | Great Britain
buaa.v6.nsfcnet.net | 64515 | China
nsfc.v6.nsfcnet.net | 64378 | China
sh.cernet2.net | 64169 | China
gz.cernet2.net | 64149 | China
bj.cernet2.net | 63991 | China
cas.v6.nsfcnet.net | 63976 | China
pku.v6.nsfcnet.net | 63904 | China
qhu.v6.nsfcnet.net | 63800 | China
bupt.v6.nsfcnet.net | 63682 | China
v6.3bit.co.jp | 61088 | Japan
ipv6.neu.edu.cn | 60415 | China
nuit.edu.cn | 60319 | China
unassigned.sgef.hu | 57341 | Hungary
cable-lns03.v6.018.net.il | 34150 | Israel
ipv6.m7n.se | 17649 | Sweden
undefined.hostname.localhost | 12000 | United States
unassigned-48prefix.tb.ipv6.abgba.com | 11756 | United States
unallocated-address.trdina.com | 11706 | United Kingdom
gigsgigscloud.lantian.pub | 11700 | No objects found; Hong Kong
dynamic-ipv6-client.klenzel.net | 11526 | HE.net, USA; Germany
ns111373.ztomy.com | 11402 | United States
sk.s5.ans1.ns148.ztomy.com | 11254 | Germany; No objects found
unassigned.mobile-wi.fi | 11042 | Romania
dynamic-ipv6.ipoac.nl | 11003 | India; Netherlands
dynamic.lab.he.net | 5899 | Russia
private-host.ip6.oak-wood.co.uk | 5897 | United Kingdom
2001-470-51f8.ip6.serverdns.us | 5897 | Guam
home.b.kacgal.dev | 5895 | Sweden
go-ipv6.nextmap.io | 5893 | United States
2001-470-ea1f.ip6.serverdns.org | 5892 | United States
home.raeber-edv.ch | 5891 | Switzerland
2001-470-f2dc.ip6.serverdns.mx | 5889 | Mexico
ipv6host.x-ip.uk | 5889 | United Kingdom
jacekowski.net | 5889 | United Kingdom
rfc4941.zyxxyz.eu | 5889 | United Kingdom
ressis.local | 5886 | Estonia
2001-470-f214.ip6.serverdns.mx | 5885 | Mexico
dynamic.bargeman.eu | 5884 | Netherlands
ahava.ms-dom.net | 5883 | Slovakia
unknown-v6.dsm.tnt.gs | 5883 | United States
kvanals.org | 5882 | United States
2001-470-4bff.ip6.serverdns.mx | 5880 | Mexico
ipv6-net.x.znx.cc | 5880 | United States
prime.thenumber.ca | 5880 | Canada
virtenv.de | 5871 | Germany
kimsufi.lantian.pub | 5868 | France
dynamic.amn.he.net | 5867 | Russia
ipv6.tunnelbroker.net | 5867 | United States
vpn-ns6.brn.cz | 5862 | United States
client.tun.agrnet.agiri.ninja | 5861 | United States
uj3wazyk5u4hnvtk.onion | 5860 | Costa Rica
backend.ems.glebs.xn--do8hrcaaa.ws | 5859 | United States
blatnice311.fackovec.cz | 5858 | United States
50kvm.lantian.pub | 5857 | China
no-ptr48.schorelweb.nl | 5855 | Netherlands
dronmbi.gtn.ru | 5854 | Russia
ipv6.he.net | 5853 | Canada
ipv6.elliotmoso.com | 5852 | Spain
armata | 5845 | United States
b00b.local | 5844 | Switzerland
unallocated.net.murfbrown.com | 5843 | Afghanistan
unknown-v6.dbq.tnt.gs | 5843 | United States
2001-470-804a.ip6.serverdns.mx | 5841 | Mexico
inner.xt.donot.help | 5841 | China
unknown.ipv6.niet.net | 5840 | United States
unknown.netsecspec.co.uk | 5837 | United Kingdom
ipv6-tunnel.office.bitency.net | 5835 | United States
ova.vpn.mitoraj.cz | 5827 | Czech Republic
home-office.keencs.com | 5822 | United States
jasper.sf.greenboxal.net | 5822 | United States
2001-470-b3ad.ip6.serverdns.org | 5818 | United States
secret-iot-things.f00f.org | 5817 | United States
2001-470-8047.ip6.serverdns.us | 5816 | China
dns7.parkpage.foundationapi.com | 5808 | Russia
hertrick.net | 5808 | United States
dynamic.k17.he.net | 5807 | Russia
a.node.at.tndh.net | 5797 | United States
2001-470-29db.ip6.serverdns.org | 5793 | United States
elat.io | 5792 | United States
home.arpa | 5791 | Germany
2001-470-b2bf.ip6.serverdns.mx | 5787 | Mexico
net.mitoraj.cz | 5785 | Czech Republic
2001-470-f229.ip6.serverdns.org | 5769 | Albania
wildcard.d806.ip6.uneedus.com | 5758 | United States
5c9d.net.futrou.com | 5753 | Czech Republic
host.v6.staff.dunanet.hu | 5594 | Hungary
rzab.de | 5554 | Germany
yaritz.net | 5545 | United States
unassigned-ipv6.dyslexicfish.net | 5518 | United Kingdom
unassigned.clusterblue.net | 5500 | United States
nuthaven.org | 5497 | United States
drunkresearch.com | 5482 | United States
us.laukas.lt | 5459 | United States
z48-2001-0470-8c5f.ipv6.manover.org | 5455 | Brazil
vpn-usr.krk.widawski.net | 5454 | Poland
pool3.ipv6.ganjanetwork.ru | 5445 | Russia
unknown-ptr.polderdijk.systems | 5389 | Netherlands
pool1.ipv6.wrouter.g0x.ru | 5345 | Russia
[7.7.7.7]dynamic.wline.6rd.res.cust.swisscom.ch | 4495 | Switzerland
ispweb.nl | 5277 | Netherlands
unassigned.doma.krcmarovi.cz | 5149 | Ukraine
unassigned.p12.oskarcz.net | 4287 | Czech Republic
bitstay.ru | 2512 | Russia
z64-2001-0470-8c5f-5000.ipv6.manover.org | 364 | Brazil
vpn-client6-pool-dhcp.bitstay.ru | 259 | Russia
pppoe-client6-pool-dhcp.bitstay.ru | 245 | Russia
host.slb.com | 234 | United States
vpn-client6-pool.bitstay.ru | 224 | Russia
pppoe-client6-pool.bitstay.ru | 214 | Russia
as251.net | 176 | Germany
ft.pe | 176 | Switzerland
v6-dynamic.chzlm.dogan.ch | 176 | Switzerland
ALFRU-GK | 174 | Germany
home.s3lph.me | 162 | Switzerland
anti-home.xyz | 154 | Switzerland
ipv6-elisa-mobile.fi | 109 | Finland
[Ipv6-collapsed]dip.versatel-1u1.de | 71 | Germany
[Example-702]lns01.v6.018.net.il | 34 | Israel
ppp2a02085f0300.access.hol.gr | 13 | Greece
ppp2a02085fff03.access.hol.gr | 12 | Greece
ppp2a02085f1200.access.hol.gr | 11 | Greece
ppp2a02085fff08.access.hol.gr | 11 | Greece
ppp2a02085f2100.access.hol.gr | 9 | Greece
ppp2a02085fff01.access.hol.gr | 9 | Greece
ppp2a02085fff04.access.hol.gr | 9 | Greece
ppp2a02085fff05.access.hol.gr | 9 | Greece
ppp2a02085fff10.access.hol.gr | 9 | Greece
ppp2a02085fff11.access.hol.gr | 9 | Greece
ppp2a02085f1000.access.hol.gr | 8 | Greece
ppp2a02085f1100.access.hol.gr | 8 | Greece
ppp2a02085fff09.access.hol.gr | 8 | Greece
ipv6-customer.status.ks.ua | 7 | Ukraine
ppp2a02085f2000.access.hol.gr | 7 | Greece
ppp2a02085f0400.access.hol.gr | 5 | Greece
ppp2a02085f0400.access.hol.gr | 5 | Greece
ppp2a02085f1400.access.hol.gr | 5 | Greece
ppp2a02085fff02.access.hol.gr | 5 | Greece
ppp2a02085fff07.access.hol.gr | 5 | Greece
ppp2a02085f0200.access.hol.gr | 4 | Greece
ppp2a02085fff00.access.hol.gr | 4 | Greece
ppp2a02085fff06.access.hol.gr | 4 | Greece