This reminds me of AWS's solution for everybody selecting the first 2 availability zones which made the 3rd one to be under-used, and the first 2 over-used.
So they introduced AZ IDs https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-re... which create a per-account randomized mapping of region to actual availability zone.
And it's logical that we do so. We clean up, we put things in corners, we sort things. So I suppose many people set static IPv6 addresses at the bottom of their /64?
> One of the things that I take away from this is that I may not want to put servers on these low IPv6 addresses in the future. Certainly one should have firewalls and so on, even on IPv6, but even then you may want to be a little less obvious and easily found
And my takeaway here is that "Security through Obscurity" isn't actually that secure is it?
> Certainly one should have firewalls and so on
Just because every device has a public IP doesn't mean every device is available publicly. Your public little IPv6 network still goes through a router and that device can control the flow of traffic, through routing and firewalling.
This whole read really just feels like someone discovering IPv6 for the first time and fundamentally not understanding basic networking.
The idea of IPv6 is that every few hours or so my iPhone gets a new set of IPv6 addresses (usually 4 at a time; I don't exactly know my current config, but they keep changing always). So the obscurity is from the fact that you have IPv6 IPs shuffling all the time. Since the /64 address space is so vast for a home network you will ideally not notice someone targeting your IP because it may not be worth the effort for those targeting it.
Now if you pin a ::1/64 to a machine or let's say some low addresses that you did because you remember them easily (or even if you pin any address, let's say that's /64) you are now no longer using the obscurity part. This means your IPv6 /64 is basically just IPv4 now for that one machine.
The whole problem here is that you got a public IP (because now that's hard for home networks with IPv4). It's going to behave like any public IP, get targeted by attackers to see if some port is open or if there are any issues with security. IPv6 doesn't bring any advantage here unless you actually use its features like SLAAC and rotating IPs.
> The idea of IPv6 is that every few hours or so my iPhone gets a new set of IPv6 addresses (usually 4 at a time; I don't exactly know my current config, but they keep changing always). So the obscurity is from the fact that you have IPv6 IPs shuffling all the time. Since the /64 address space is so vast for a home network you will ideally not notice someone targeting your IP because it may not be worth the effort for those targeting it.
This is fundamentally not a part of IPv6. It was an extension added later for privacy, but doesn't really accomplish too much in that regard except for the simplest of detection. My home address space is a /48. And when you do some really simple subnet math on my IPs, you can easily identify my addresses.
And again, the point is, just because you live out in the country, doesn't mean you shouldn't lock your doors.
Even though right now it's not feasible to even really scan a /64, that may not be true in a week.
> It was an extension added later for privacy, but doesn't really accomplish too much in that regard except for the simplest of detection.
Not quite true. The original braindead design embedded your MAC address into your public IPv6. So that all those nice companies can uniquely identify you _everywhere_.
What part isn't quite true?
What you are talking about is RFC 4862. The SLAAC part of IPv6, which is auto-configuration.
What I am talking about is RFC 4941:
Privacy Extensions for Stateless Address Autoconfiguration in IPv6
Which is pretty close to:
"extension added later for privacy"
4862 < 4941
I'm just saying that the IPv6 privacy extension is far from useless. Without it, advertisers can track your device everywhere.
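The two points raised in this subthread, a MAC address embedded in an EUI-64 interface identifier and hand-picked low addresses at the bottom of a /64, can both be checked on your own address inventory. The script below is an added example, not code from any commenter; the addresses in `SAMPLE` are constructed in the 2001:db8::/32 documentation prefix, and the `classify_iid`, `eui64_to_mac` and `audit` names and the 0x10000 cut-off for "low" are assumptions of the example.

```python
import ipaddress

# Added example: audit IPv6 addresses for interface identifiers that are easy
# to predict (low, hand-typed values) or that embed a hardware MAC via modified
# EUI-64 (RFC 4291 Appendix A, as produced by RFC 4862 SLAAC without the
# RFC 4941 privacy extension).


def eui64_to_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface identifier, or None.

    Modified EUI-64 splits the 48-bit MAC in two, inserts 0xFFFE in the middle
    and flips the universal/local bit (0x02) of the first octet.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify_iid(addr: str) -> str:
    """Label the interface identifier: 'eui64', 'low' or 'other'."""
    if eui64_to_mac(addr) is not None:
        return "eui64"
    iid_int = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    # Anything an admin would type by hand (::1, ::a, ::1000 ...) sits at the
    # bottom of the /64 and is the first thing a guessing scanner tries.
    # The 0x10000 cut-off is an assumption of this example.
    if iid_int < 0x10000:
        return "low"
    return "other"


def audit(addresses):
    """Map each address to its label plus the recovered MAC, if any."""
    return {a: (classify_iid(a), eui64_to_mac(a)) for a in addresses}


# Constructed sample addresses in the documentation prefix 2001:db8::/32
# (not real hosts).
SAMPLE = [
    "2001:db8:1::1",                      # router at ::1
    "2001:db8:1::a",                      # hand-picked server address
    "2001:db8:1::1a2b:3cff:fe4d:5e6f",    # SLAAC EUI-64, MAC 18:2b:3c:4d:5e:6f
    "2001:db8:1:0:9c3e:1d2f:77a0:4b1c",   # RFC 4941-style temporary address
]

if __name__ == "__main__":
    for addr, (label, mac) in audit(SAMPLE).items():
        print(f"{addr:40} {label:6} {mac or ''}")
```

Run it against the output of `ip -6 addr` on your own hosts: an `eui64` result means the address reveals the NIC's MAC to every peer, and a `low` result means the address is in the range a guessing scanner tries first; both are what the privacy extension and random interface identifiers avoid.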
It’s a nice thought but…
Nobody is tracking 48 bits out of 128 bits and tying that to a specific user.
Pretty simple browser fingerprinting will get you much closer.
Not to mention that, you know, MAC addresses aren’t unique, right? They only have to be unique on the same L2. And with some shipping logistics, you can make sure this is usually true.
I say this as a person who received a case of Intel NICs back in the day and every MAC was the same.
> Nobody is tracking 48 bits out of 128 bits and tying that to a specific user.
Of course they would, if it was how everyone still did addresses! It's a super easy to access permanent ID.
> aren’t unique
Rarely. That's hardly enough trouble to make trackers not use it.
How do defenses against attackers work with rotating IPs etc? Could you still identify and block problematic traffic? Sorry if this is a naive question.
You don't consider an IP address when blocking traffic.
Whether IPv4 or IPv6, it's trivially easy to grab a new one. And unless you are willing to start blocking huge swathes of the world and ultimately legitimate traffic, you do other things.
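The question above, how to identify problematic traffic when a source rotates through addresses, is usually handled by aggregating on the prefix the source can roam within rather than on the single address. The script below is an added example, not code from any commenter: it counts failed sshd logins per /64 for IPv6 sources and per host for IPv4. The log lines in `SAMPLE_LOG` are constructed (documentation prefixes 2001:db8::/32 and 198.51.100.0/24), and the function names and the threshold are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# Added example: count failed SSH logins per source, aggregating IPv6 sources by
# their /64 so that a host rotating through its 2^64 temporary addresses still
# shows up as one source. IPv4 sources are keyed by host address.

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def source_key(ip_text: str) -> str:
    """Normalise a source address to the unit a defender would rate-limit on."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6:
        # The /64 is the prefix a SLAAC / RFC 4941 host roams within.
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


def failed_by_source(log_text: str) -> Counter:
    """Count 'Failed password' lines per aggregated source."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[source_key(m.group(1))] += 1
    return counts


def flag_sources(counts: Counter, threshold: int):
    """Return sources at or above the failure threshold, most active first."""
    return [src for src, n in counts.most_common() if n >= threshold]


# Constructed sshd log lines (syslog format); not from a real host.
SAMPLE_LOG = """\
Oct  3 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 2001:db8:abcd:1:a1b2:c3d4:e5f6:1 port 50001 ssh2
Oct  3 10:00:04 gw sshd[1203]: Failed password for root from 2001:db8:abcd:1:ffff::1:2 port 50002 ssh2
Oct  3 10:00:09 gw sshd[1205]: Failed password for invalid user test from 2001:db8:abcd:1::dead:beef port 50003 ssh2
Oct  3 10:00:12 gw sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct  3 10:00:15 gw sshd[1209]: Accepted publickey for alice from 2001:db8:abcd:1::5 port 2222 ssh2
Oct  3 10:00:20 gw sshd[1211]: Failed password for root from 2001:db8:beef:2::1 port 50004 ssh2
"""

if __name__ == "__main__":
    counts = failed_by_source(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{n:4} {src}")
    print("over threshold:", flag_sources(counts, threshold=3))
```

Note the caveat the reply above makes: the sample also contains a successful login for `alice` from the same /64 that produced three failures, so acting on the aggregate (for example feeding it to fail2ban) would lock out that legitimate user too. Aggregation finds the noisy prefix; what you do with it is a separate decision.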
It's more of an accidental side effect than an intentional feature. The actual reason the customer gets 2^64 addresses is to make sure they have enough addresses and don't need NAT. And SLAAC (also an accidental feature) ossified it at 2^64 - a good ossification, for once. And then, if you have so many addresses, may as well rotate through them so it's hard for anyone to observe how many separate devices from your network are accessing their server.
not at all an "accidental side effect" though.
By any stretch of the imagination.
Very purposeful
I also thought that, but the discoverability of internal addresses used to open up new attack vectors like having the users in the same network click to URLs pointing to those internal addresses to exploit them, so, hiding the network topology may not always be solely for obscurity, but for security to some degree too.
again though, the fallacy that's repeated over and over again with IPv6 is that just because you have a public IP, suddenly everything is exploitable.
If you have an IPv4-only network, you still have firewall and routing. This is what protects your router, allows ports to be forwarded, etc.
Literally nothing changes. You still need routing, just not the NAT/PAT part of it. You still need a firewall.
Yeah, no arguments about that. But, maybe, still, don't give your IPv6 devices predictable addresses?
Thank you. The whole read indeed feels like not understanding IPv6.
Just like people advertising not broadcasting SSID, or changing the SSH port, this is just a false sense of security.
To be fair, changing the SSH port does MASSIVELY cut down on the amount of log spam from low-effort scans.
Obscurity isn't security, but hiding still makes you harder to find. In other words the lock is just as good or bad as it always was but a lot less people are going to jiggle the handle.
Changing default service ports is a good thing and is one of the reasons everyone should be in favor of software supporting SRV/SVCB records so services can be hosted on arbitrary ports while still being accessible with a plain DNS name everyone's used to using.
That shouldn't be lumped in with pure idiocy like disabling SSID broadcast or believing that IPv6 inherently exposes your network to the world.
Ironically, disabling SSID beaconing on wireless APs actually results in clients configured to use those networks broadcasting, looking for them wherever they go; for those who want to hide a network it's the literal opposite of their desired result.
I don’t agree. Because the minute you change the port, you just become of more interest.
As you said, only the low effort bots scan the standard ports.
But venture anywhere off the beaten path, and a place like shodan is the most benevolent of those kind of places, and it still takes about an hour for your IP and newly opened SSH port to be indexed.
> I don’t agree. Because the minute you change the port, you just become of more interest.
How does anyone know I changed the port to find me more interesting?
> But venture anywhere off the beaten path, and a place like shodan is the most benevolent of those kind of places, and it still takes about an hour for your IP and newly opened SSH port to be indexed.
I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public facing services so it's accessible to the global internet minus whatever systems have found their way into our denylist over the years. It's not listening on the standard port 5060, but the port we chose is not particularly uncommon as it's a recommended alternative in the documentation of the platform we're using. Shodan has found this server and scanned it repeatedly over the years, but it still has no idea what port SIP is listening on. It only sees 80/443 for the public-facing web UI.
The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection the attacker has to open with a valid request to receive a response. If someone connects to my SIP server and sends an HTTP GET, they're not going to get a response despite how similar SIP and HTTP are. They have to connect to the non-standard SIP port and then send a valid SIP message to identify my service.
> How does anyone know I changed the port to find me more interesting?
I responded to this elsewhere.
> I just checked the first VoIP server I ever deployed with a non-standard SIP port. It's been up for a decade and provides public facing services so it's accessible to the global internet minus whatever systems have found their way into our denylist over the years.
And that is what is called “UDP”. Also the “spray and pray” of the networking world. Meaning, you literally don’t get a response.
Fundamental difference.
> The thing about non-standard ports is that unless your service identifies itself with a banner or similar upon connection the attacker has to open with a valid request to receive a response.
Which is exactly what ssh does and the point of why comparing the two and obscuring the port/IP makes no difference.
One could always arrange for the SSH server to start its announce as follows:
and see how probers react, especially if one has the server listening on port 25, or even port 587
More interest to who? This comes across like you're telling a spooky story at a campfire. Being 2% more interesting than the average server is not going to get you hacked by some elite crew.
You want to talk about spooky campfire stories? Let’s have another OpenSSL/ssl zero day.
The point is it takes a script kiddy about 5 minutes to scan the whole 4 billion IPs for your port 22 server.
It takes about 90 seconds for the fact that you opened up a random high numbered port that is an SSH service to show up on the list of people that are probably exponentially more intelligent than the normal script kiddy scanning the internet.
This does not make you more or less likely to be hacked just for having SSH open. But hey, go go gadget whatever.
> This does not make you more or less likely to be hacked just for having SSH open.
A) The comment you responded to didn't claim you're less likely to be hacked, they said it cuts down on log spam.
B) When you talked about just becoming of more interest to non-benevolent places, was that not a suggestion you're more likely to be hacked? Then I think you phrased that pretty badly.
> “More interest to who?”
And
> elite hacking crew
It was your comment. Not to mention the blog post to which I originally responded said “you might not want to put your servers on low numbered IPs”.
Step 1, know the difference between UDP and TCP and even a few of the implications.
Yep. Party on
I did say those words. And I said them after the comment I'm asking about. They are irrelevant to my question, because I'm asking what the comment I originally replied to meant.
You said "the minute you change the port, you just become of more interest" and then talked about places that are less "benevolent" than shodan.
Is being of "more interest" to less "benevolent" places supposed to imply an increased risk of being hacked, or not?
If you change your SSH port on your Linux machine you might be misidentified as a Windows machine, because these usually do not have SSH, thus the next step will go for RDP. Nothing there either.
Sure, the next step can be going for a port scan, but how big a scan do you want to do before fail2ban or similar will lock you out?
> you just become of more interest
Exactly the opposite. If you did change the default then it can signal that you are harder to break. Malware owners aren't interested in 'more interesting' addresses or machines, they are interested in machines which can be easily identified to be susceptible for exploiting. In the end their ware is cheap computing resources.
If you ever run machines in diverse environments then you could have seen, just from a simple 'There were N failed attempts since last logon', that the machines with a non-standard SSH port receive way less attention than the machines on the defaults.
Yep. Because targeting 5k IPs is way harder than targeting all 4 billion
Guess you forgot what you were talking about (and I was responding to): the ports, not addresses.
Yeah, I changed my SSH port for the same reason. I don't feel any more secure as a result, but now I can just watch the raw logs to see the incoming probes. They trickle in slowly, rather than being a constant flood, so I can watch the raw log for other purposes without it being inundated with noise that I have to filter out in order to be able to pay attention to anything else. That, and the logs use less space on disk.
Not if you disable your IPv6 stack.
Or you can be smart and "easily" address such probing attacks in your FW rules... https://nvd.nist.gov/vuln/detail/CVE-2024-50252
> Not if you disable your IPv6 stack.
The same technique can be used for IPv4. Disable both and become invulnerable to probing!
Why stop there? Probes traverse the whole TCP/IP stack, best to stop them early at layer 1: https://www.bit.nl/news/115/88/Cut-here-to-activate-firewall...
Here’s an RFC on the topic: https://datatracker.ietf.org/doc/html/rfc7707
ISP gives me /24 and I configure my router at .1: I do nothing.
ISP gives me /64 and I configure my router at ::1: (in WarCraft I orcs voice) We are under attack!
There is really no difference between setting anything on "::3, ::5, ::7, ::a, ::b, ::c, ::f" for IPv6 and .1, .2, .3, .10, .11 on IPv4. Using these addresses does not lower your security in any way compared to IPv4.
The real difference is that with IPv4 you can just scan the whole /24 in seconds, while with IPv6... it's not seconds at least.
ISP gives you a /24?
I'm paying out of my nose for a /17