Enlarge (credit: shodan.io)
One of the benefits of the next-generation Internet protocol known as IPv6 is the enhanced privacy it offers over its IPv4 predecessor. With a staggering 2128 (or about 3.4×1038) theoretical addresses available, its IP pool is immune to the types of systematic scans that criminal hackers and researchers routinely perform to locate vulnerable devices and networks with IPv4 addresses. What's more, IPv6 addresses can contain regularly changing, partially randomized extensions. Together, the IPv6 features cloak devices in a quasi anonymity that's not possible with IPv4.
Now, network administrators have discovered a clever way that scanners are piercing the IPv6 cloak of obscurity. By setting up an IPv6-based network time protocol service most Internet-connected devices rely on to keep their internal clocks accurate, the operators can harvest huge numbers of IPv6 addresses that would otherwise remain unknown. The server operators can then scan hundreds or thousands of ports attached to each address to identify publicly available surveillance cameras, unpatched servers, and similar vulnerabilities.
Shodan—the vulnerability search engine that indexes Internet-connected devices—has been quietly contributing NTP services for months to the cluster of volunteer time servers known as the NTP Pool Project. To increase the number of connections to three recently identified Shodan-run servers, each one had 15 virtual IP addresses. The added addresses effectively multiplied the volume of traffic they received by 15-fold, increasing the odds that Shodan would see new devices. Within seconds of one of the Shodan's NTP servers receiving a query from an IPv6 device, Shodan's main scanning engine would scan more than 100 ports belonging to the device. The Shodan scanner would then revisit the device roughly once a day.