Targeted IPv6 Scans Using pool.ntp.org
Last Updated: 2016-02-02 14:17:22 UTC
by Johannes Ullrich (Version: 1)
IPv6 poses a problem for systems like Shodan, which try to enumerate vulnerabilities Internet-wide. Tools like zmap can scan the IPv4 Internet in minutes (or maybe hours), but for IPv6 the same approach will still fail. The smallest IPv6 subnet is a /64, or 18.4 quintillion addresses. Assuming 5 minutes to scan 32 bits' worth of addresses, a tool like zmap would take about 40,000 years to scan just the smallest subnet that may be assigned to a home user.
There are a couple of methods to make IPv6 scanning somewhat feasible:
- "Interesting systems," like gateways, web servers, DNS servers and the like, often use non-random IP addresses like 2001:db8::1, 2001:db8::50 or 2001:db8::35. This narrows the scope somewhat.
- Reverse DNS records may give away some of these addresses.
- The last 64 bits may be derived from the MAC address, and only a fraction of the possible MAC addresses are actually in use.
- Finally, the system may be reaching out to you.
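The first and third points above describe address patterns that make a host easier to find. The following audit script is an added example (not part of the original diary) that takes a constructed list of addresses from an assumed internal address inventory and flags the ones whose interface identifier is either a small sequential value or derived from a MAC address (the ff:fe marker in the middle of the identifier with the universal/local bit set). The `SAMPLE_ADDRESSES` list and the `0x10000` threshold for "low" identifiers are assumptions for illustration.

```python
import ipaddress

# Constructed sample of addresses, standing in for an internal address inventory.
SAMPLE_ADDRESSES = [
    "2001:db8::1",                       # low, sequential IID (typical gateway)
    "2001:db8::50",                      # low, sequential IID (typical server)
    "2001:db8:0:1:2e0:4cff:fe12:3456",   # IID derived from a MAC address
    "2001:db8:0:1:9c3a:7f12:e1b0:44d2",  # random / privacy-extension style IID
]


def interface_id(addr):
    """Return the low 64 bits (interface identifier) of an IPv6 address as bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]


def is_eui64(addr):
    """True if the IID looks MAC-derived: 0xff 0xfe in bytes 3-4 and the U/L bit set."""
    iid = interface_id(addr)
    return iid[3] == 0xFF and iid[4] == 0xFE and (iid[0] & 0x02) != 0


def eui64_to_mac(addr):
    """Recover the MAC address embedded in a MAC-derived IID (flips the U/L bit back)."""
    iid = interface_id(addr)
    first = iid[0] ^ 0x02
    mac_bytes = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac_bytes)


def iid_value(addr):
    """The interface identifier as an integer, for the 'small number' heuristic."""
    return int.from_bytes(interface_id(addr), "big")


def classify(addr, low_iid_limit=0x10000):
    """Label an address by how guessable its interface identifier is.

    low_iid_limit is an assumed cut-off: anything below it counts as a
    sequential, easily enumerated identifier such as ::1 or ::50.
    """
    if is_eui64(addr):
        return "eui64"
    if iid_value(addr) < low_iid_limit:
        return "low-iid"
    return "unpredictable"


def audit(addresses):
    """Map every address in the inventory to its classification."""
    return {a: classify(a) for a in addresses}


if __name__ == "__main__":
    for addr, label in audit(SAMPLE_ADDRESSES).items():
        extra = f" (MAC {eui64_to_mac(addr)})" if label == "eui64" else ""
        print(f"{addr:40} {label}{extra}")
```

Addresses labelled `low-iid` or `eui64` are the ones an enumeration approach like the ones listed above would reach first; the script only reads an inventory, it does not probe anything.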
It looks like Shodan started to use the last option recently. Systems using the pool.ntp.org NTP servers have been observed being scanned by Shodan. It appears that the Shodan project added one or more NTP servers to the public NTP pool to find targets for its unauthorized scans. Other scanner projects may do the same. DNS servers could of course be used in the same way, but there are no open DNS server pools like this that I am aware of (OpenDNS or Google could run similar tests, but I am not aware of them allowing third parties into their pool).
So what to do about it?
Depending on how you feel about being scanned by Shodan, you may not care. But in particular with IPv6, databases like Shodan (Google and other web search engines too, of course) will play a larger role in finding targets than they already do. As a first step, you probably should "fix" your NTP infrastructure. Systems in your network should only synchronize with internal NTP servers, and only these authorized NTP servers should communicate with the outside (or better, use an internal reference such as GPS or GSM). If you have a GPS signal in your environment, you may be able to set up a Raspberry Pi-based "master clock". In an enterprise network, buy a professional NTP server that includes a GSM or GPS module (GSM usually works better in data centers, as it does not require an external rooftop antenna).
Also consider using a secure NTP configuration template to avoid other issues, like the famous monlist problem. NTP is a bit of a "forgotten" protocol in that it "just works" without having to mess with it in many cases. But if you didn't configure it, it probably isn't configured right for you.
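The two paragraphs above ask for two things: internal hosts should only sync with your own authorized NTP servers, and the configuration should not expose query interfaces like monlist. The following script is an added example (not part of the original diary or of the ntp project) that audits an ntp.conf for both points: every `server`/`pool`/`peer` line is checked against an allowlist, any use of the public pool is reported, and the file is checked for either `disable monitor` or a `restrict default` line carrying `noquery`, which are the two standard ntpd settings that close the monlist query. The `SAMPLE_NTP_CONF`, `HARDENED_NTP_CONF` and `AUTHORIZED_SERVERS` values are constructed for illustration.

```python
# Constructed ntp.conf of a workstation that was never configured by hand.
SAMPLE_NTP_CONF = """\
# distribution default configuration
driftfile /var/lib/ntp/ntp.drift
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
server ntp1.corp.example iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed hardened version: only internal upstreams, monlist query closed.
HARDENED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server ntp1.corp.example iburst
server ntp2.corp.example iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Assumed allowlist of the organisation's own authorized NTP servers.
AUTHORIZED_SERVERS = {"ntp1.corp.example", "ntp2.corp.example", "2001:db8:0:10::123"}


def parse_ntp_conf(text):
    """Split an ntp.conf body into time sources, restrict lines and other directives."""
    sources, restricts, directives = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in ("server", "pool", "peer") and args:
            sources.append((keyword, args[0]))
        elif keyword == "restrict":
            # 'restrict -4 default ...' / 'restrict -6 default ...' are equivalent here
            if args and args[0] in ("-4", "-6"):
                args = args[1:]
            restricts.append(args)
        else:
            directives.append((keyword, args))
    return sources, restricts, directives


def audit_ntp_conf(text, authorized, is_gateway=False):
    """Return a list of findings; an empty list means the file passes both checks.

    is_gateway=True marks one of the authorized servers that is allowed to talk
    to the outside, so external upstreams are not flagged for it.
    """
    findings = []
    sources, restricts, directives = parse_ntp_conf(text)

    for keyword, host in sources:
        if host not in authorized and not is_gateway:
            findings.append(f"unauthorized upstream: {keyword} {host}")
        if host.endswith("pool.ntp.org"):
            findings.append(f"public pool in use: {keyword} {host}")

    # monlist is served by the 'monitor' subsystem; either setting closes it.
    monitor_disabled = any(k == "disable" and "monitor" in a for k, a in directives)
    default_noquery = any(r and r[0] == "default" and "noquery" in r for r in restricts)
    if not (monitor_disabled or default_noquery):
        findings.append("monlist exposed: add 'disable monitor' or 'restrict default ... noquery'")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(f"== {name} ==")
        for finding in audit_ntp_conf(conf, AUTHORIZED_SERVERS) or ["no findings"]:
            print("  " + finding)
```

Run it against the configuration files collected from your fleet; every host that reports `public pool in use` is one that will announce itself to whoever happens to be serving in that pool.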
FWIW: Our threat feeds include lists of internet wide research scanners (IPv4 only at this point). You can get a quick machine parsable version from our API (https://isc.sans.edu/api/threatcategory/research/), or a more visually appealing version using our threat feed map.