Hyper-weaponization of an IPv6-based Internet
The quantity of address space under Internet Protocol Version 4 (IPv4) is "only" 256^4 discrete addresses in the four-octet notation, but IPv6 is unimaginably bigger at 256^16 in its eight-hextet notation. Sadly, the various international assigned-numbers authorities such as IANA (Internet Assigned Numbers Authority) or ARIN (American Registry for Internet Numbers) do not care what is actually stored on the numbered servers. Domain names stored at the various addresses are registered with companies such as Network Solutions, and Internet Service Providers (such as my own InMotion Hosting, Inc.) do care whether the authors of the material stored under their domains behave themselves, lest the reputation of the service provider be sullied by reports of malware, ransomware, spam, harassment, etc. Bear in mind that every packet of digital data transmitted over the Internet is identified by the IPv4 or IPv6 address of its sender and verified by a count of the number of bits in the packet, i.e., its checksum. An Internet Service Provider or the receiving server can accept or block each packet, based on the reputation of the sender of the packet. Internet service providers carefully protect their reputations and the safety of their clients.
Lately, the IPv4 address space is running out of its limited supply of four-octet addresses, partly as the result of hoarding of address space by nation-states, large companies and other actors who anonymize many servers by assigning them identical names. The exponentially larger number of addresses in IPv6 allows the practice of hoarding address space to be disproportionately increased, as documented below for the IPv6 addresses found in my analysis dated January, 2020, based on published Current Visitor data gathered by the Webalizer statistics service.
The practice of assigning the same hostname (a.k.a. Pointer, or PTR) to all its IPv6 addresses is at its most extreme in the example of dynamic.wline.6rd.res.cust.swisscom.ch below; I have documented over seventy-five million IPv6 addresses for this hostname. The WhoIs record for these addresses states, "This range is used for dynamic customer pools..." meaning that the Service Provider's nameserver replies with the same name to every request for domain name service (DNS) applied to an IPv6 address, i.e., dynamic.wline.6rd.res.cust.swisscom.ch.
The WhoIs response for the IPv6 address space within which the addresses of this hostname are applied is 2a02:1200::/28, meaning that there are 2^100 possible addresses to which the hostname, dynamic.wline.6rd.res.cust.swisscom.ch, can be attached. There are a million /48 address spaces in the /28 address space, each /48 address space has 65,536 /64 subnets, with each one of those encompassing 18,446,744,073,709,551,616 addresses. No one can check every one of those, but we can use a random sampling to demonstrate what's going on.
The /28 address space has eight /32 address spaces. Magic Banana on the trisquel.info discussion forum wrote the randomization command:
There are two hundred more examples of multi-addressed hostnames below that were found associated with the Current Visitors data. Essentially none of these hostnames can be resolved; even the last in the list at lower right, ppp2a02085fff06.access.hol.gr, returns a generic address with nslookup and nothing at all with dig.
The numbers to the right of each hostname (with the exception of the first, dynamic.wline.6rd.res.cust.swisscom.ch) are linked to text files containing the stated number of IPv6 addresses found for the hostname. The ones in the millions will take several minutes to download to your browser. If you wish to prevent one of these names from accessing your system, you will have to perform something like my analysis of dynamic.wline.6rd.res.cust.swisscom.ch so that you can find the actual range of the addresses of the chosen hostname to be blocked. These numbers are by no means all-encompassing.
A simpler method than the use of wide-ranging block lists should be for server software to perform double lookups on each received packet: First, perform hostname lookup; and Second, perform a reverse of that lookup. If the results do not match, reject the packet. Who knows what is hidden in these incalculable numbers of addresses?
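The double lookup described above is commonly called forward-confirmed reverse DNS; the following is an added example, not code from the original page. The zone tables and the names under example.net are constructed sample data, and the default resolvers use the system resolver through Python's socket module.

```python
import ipaddress
import socket

def system_ptr(addr):
    """PTR lookup through the system resolver; None when there is no name."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def system_forward(name):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns(addr, ptr=system_ptr, forward=system_forward):
    """Classify a peer address: returns (verdict, ptr_name)."""
    peer = ipaddress.ip_address(addr)
    name = ptr(str(peer))
    if not name:
        return "no-ptr", None
    answers = set()
    for text in forward(name):
        try:  # drop any %scope suffix, normalise compressed/expanded forms
            answers.add(ipaddress.ip_address(text.split("%")[0]))
        except ValueError:
            continue
    if not answers:
        return "no-forward", name      # name exists only in the reverse zone
    return ("confirmed" if peer in answers else "mismatch"), name

# Constructed zone data in the 2001:db8::/32 documentation prefix (not real records).
PTR_ZONE = {
    "2001:db8::10": "mail.example.net",
    "2001:db8::20": "dynamic.pool.example.net",
    "2001:db8::30": "mail.example.net",
}
FORWARD_ZONE = {"mail.example.net": {"2001:0db8:0000:0000:0000:0000:0000:0010"}}

def demo():
    """Run the check on the constructed zone; returns {address: verdict}."""
    ptr = PTR_ZONE.get
    forward = lambda name: FORWARD_ZONE.get(name, set())
    return {a: fcrdns(a, ptr, forward)[0] for a in list(PTR_ZONE) + ["2001:db8::40"]}
```

A pool name that exists only in the reverse zone, like the unresolvable hostnames listed on this page, comes back as "no-forward" rather than "confirmed".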
There's an intermediate state of some hostnames that have all been written to be different by having their actual addresses incorporated into the name. See the IPv6-hyphenated inf6.spectrum.com, with names like these, selected in consecutive order in the list of 1,278,459 addresses, but belonging to different /48 address blocks:
2603-9000-000e-e1cd-6da8-618c-2bb1-e471.inf6.spectrum.com
2603:9000:e:e1cd:6da8:618c:2bb1:e471
None of the three hostnames is resolvable, and only the third IPv6 address returns the original hostname. Sometimes, the IPv6-derived hostname can be deciphered by replacing the dashes with colons appropriately, but if the hextets have been shuffled one for another, be warned that there are eight-factorial (40,320) permutations of the eight hextets.
Another less populous hostname is the IPv6-collapsed dip.versatel-1u1.de, with "only" 71 addresses; again, here are three examples as above:
200116b82c94ba6fc73771768e2b887f.dip.versatel-1u1.de
2001:16b8:2c94:ba6f:c737:7176:8e2b:887f
As above, none of the three hostnames resolves with dig, but all of the IPv6 addresses do resolve to their original hostnames with dig -x.
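The two naming schemes above (hyphenated and collapsed) can be decoded mechanically and compared with the address the traffic actually came from; this is an added example, not code from the original page. The function names are hypothetical, and the shuffled hostname in the test data is constructed; comparing sorted hextets detects a shuffle without trying all 40,320 permutations.

```python
import ipaddress
import re

# First-label patterns for the two schemes shown on this page.
HYPHENATED = re.compile(r"[0-9a-f]{1,4}(-[0-9a-f]{1,4}){7}")   # inf6.spectrum.com style
COLLAPSED = re.compile(r"[0-9a-f]{32}")                        # dip.versatel-1u1.de style

def embedded_ipv6(hostname):
    """Return the IPv6Address encoded in the first label, or None."""
    label = hostname.lower().split(".", 1)[0]
    if HYPHENATED.fullmatch(label):
        text = label.replace("-", ":")
    elif COLLAPSED.fullmatch(label):
        text = ":".join(label[i:i + 4] for i in range(0, 32, 4))
    else:
        return None
    return ipaddress.IPv6Address(text)

def classify(hostname, source):
    """Compare the address encoded in a PTR name with the observed source.

    Returns 'match', 'shuffled' (same eight hextets, different order),
    'other-address', or 'no-address' when the name encodes nothing.
    """
    src = ipaddress.IPv6Address(source)
    decoded = embedded_ipv6(hostname)
    if decoded is None:
        return "no-address"
    if decoded == src:
        return "match"
    hextets = lambda a: sorted(a.exploded.split(":"))
    return "shuffled" if hextets(decoded) == hextets(src) else "other-address"

SPECTRUM = "2603-9000-000e-e1cd-6da8-618c-2bb1-e471.inf6.spectrum.com"
VERSATEL = "200116b82c94ba6fc73771768e2b887f.dip.versatel-1u1.de"
# Constructed sample: the first two hextets of the Spectrum name swapped.
SHUFFLED = "9000-2603-000e-e1cd-6da8-618c-2bb1-e471.inf6.spectrum.com"
```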
The colored backgrounds of the Country-of-Origin columns indicate pointers (PTRs, hostnames) served from the same CIDR block, usually /32. Some colored CIDR blocks have all the same Country Code; others are scattered over multiple countries. The former might be considered nation-state actors; the latter suggest international actors. The most prolific actors are those on the HE.net tunnel-broker (2001:470::/32) block, which encompass nearly half of the 201 hostnames in the IPv6 Internet-address category listed on this page. Several other groups of hostnames exist here, and they encompass nearly all the 201 multi-address names in this list, suggesting that concerted activities are the rule in the IPv6 address space. The WhoIs data for each hostname's IPv6 address(es) are in the linked text files, most of which have a /48 address block for the particular IPv6 address submitted to WhoIs. A randomized search of each linked /48 address space will probably reveal the same PTR name for nearly 100% of such addresses, indicating that the responsible actor commands nearly uncountable different IPv6 addresses for the reported hostname.
"How do they do that?" one might ask. IPv6 addresses of hostnames are assigned dynamically, as explained in this link, so it should be no surprise that most of the hostnames listed here all have different addresses no matter how many times their IPv6 /48 server is queried. For the recipient, the underlying IPv6 address(es) for these hostnames are inaccessible and unblockable.
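The randomized search described above, used to decide how wide a block-list entry must be, can be sketched as follows; this is an added example, not the command from the trisquel.info forum or code from the original page. The function names are hypothetical and `fake_lookup` is a constructed stand-in for a nameserver that answers every PTR query in the /28 with the pool name, so the example runs without network access.

```python
import collections
import ipaddress
import random
import socket

def sample_prefix(prefix, count, rng):
    """Yield `count` uniformly random addresses inside `prefix`."""
    net = ipaddress.ip_network(prefix)
    for _ in range(count):
        yield net.network_address + rng.randrange(net.num_addresses)

def ptr_survey(prefix, count=100, lookup=None, rng=None):
    """Tally PTR names over a random sample; returns (Counter, top_name, share)."""
    if count <= 0:
        raise ValueError("count must be positive")
    rng = rng or random.SystemRandom()
    tally = collections.Counter()
    for addr in sample_prefix(prefix, count, rng):
        if lookup is not None:
            name = lookup(addr)
        else:
            try:
                name = socket.gethostbyaddr(str(addr))[0]
            except OSError:
                name = None              # NXDOMAIN, timeout or no PTR record
        tally[name or "<no PTR>"] += 1
    top_name, hits = tally.most_common(1)[0]
    return tally, top_name, hits / count

# Constructed stand-in resolver modelling the behaviour the page reports
# for 2a02:1200::/28; it performs no DNS queries.
POOL = ipaddress.ip_network("2a02:1200::/28")

def fake_lookup(addr):
    return "dynamic.wline.6rd.res.cust.swisscom.ch" if addr in POOL else None

def demo():
    rng = random.Random(2020)            # fixed seed so the run is repeatable
    in_range = all(a in POOL for a in sample_prefix(str(POOL), 50, rng))
    inside = ptr_survey(str(POOL), 200, fake_lookup, rng)
    outside = ptr_survey("2001:db8::/32", 200, fake_lookup, rng)
    return in_range, inside[1], inside[2], outside[1], outside[2]
```

A share close to 1.0 for a single name across the sample indicates that the whole prefix, not individual addresses, is the unit to block.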
Country of origin (left half of table) | Country of origin (right half of table)
Switzerland | Table continued from bottom left.
Sweden | Mexico
Switzerland | United States
Switzerland | Canada
92.7% FR, 7.3% IN | Germany
Belgium | France
Germany | Russia
United States | United States
Sweden | United States
New Zealand | United States
France | Costa Rica
Israel | United States
China | United States
China | China
Denmark | Netherlands
China | Russia
Israel | Canada
Israel | Spain
Greece | United States
France | Switzerland
France | Afghanistan
France | United States
France | Mexico
India | China
France | United States
France | United Kingdom
France | United States
Israel | Czech Republic
Finland | United States
Germany | United States
France | United States
France | United States
Greece | China
Israel | Russia
China | United States
Thailand | Russia
Netherlands; RO; FR | United States
France | United States
Thailand | United States
Thailand | Germany
Thailand | Mexico
Belgium | Czech Republic
Poland | Albania
Thailand | United States
Thailand | Czech Republic
Thailand | Hungary
Thailand | Germany
Thailand | United States
Thailand | United Kingdom
Thailand | United States
Thailand | United States
Thailand | United States
Thailand | United States
Thailand | Brazil
Netherlands | Poland
Germany | Russia
Netherlands | Netherlands
Austria | Russia
Russia | Switzerland
Great Britain | Netherlands
China | Ukraine
China | Czech Republic
China | Russia
China | Brazil
China | Russia
China | Russia
China | United States
China | Russia
China | Russia
Japan | Germany
China | Switzerland
China | Switzerland
Hungary | Germany
Israel | Switzerland
Sweden | Switzerland
United States | Finland
United States | Germany
United Kingdom | Israel
No objects found; Hong Kong | Greece
HE.net, USA; Germany | Greece
United States | Greece
Germany; No objects found | Greece
Romania | Greece
India; Netherlands | Greece
Russia | Greece
United Kingdom | Greece
Guam | Greece
Sweden | Greece
United States | Greece
United States | Greece
Switzerland | Greece
Mexico | Ukraine
United Kingdom | Greece
United Kingdom | Greece
United Kingdom | Greece
Estonia | Greece
Mexico | Greece
Netherlands | Greece
Slovakia | Greece
United States | Greece
United States | Greece