China- The first country to scan my IPv6 range.!!
-
Very rarely do I see port probes on IPv6, in fact, in nearly 10 years barely any that wasn't me initiating it.
But then I see a host in 240e::/18 range scanning one of my /64's. Like, LOTS and LOTS of them. Random IP's being hit in that /64 looking for VNC/Spice (5901). Heads up, China, nothing is open on that /64.
I love IPv6, makes it easier to block an entire country or ISP, or end user. All those quintillion+ of IP's are now perpetually blocked.
Easy Rule Block to the rescue!
Kinda futile to scan a /64, it makes WAY too much noise!
Should I be surprised this is actually the first lot of IPv6 I've also blocked in 10 years....
-
@iguanagomes said in China- The first country to scan my IPv6 range.!!:
then I see a host in 240e::/18 range scanning one of my /64's. Like, LOTS and LOTS of them. Random IP's being hit in that /64 looking for VNC/Spice (5901). Heads up, China, nothing is open on that /64.
I love IPv6, makes it easier to block an entire country or ISP, or end user. All those quintillion+ of IP's are now perpetually blocked.
Easy Rule Block to the rescue!
Kinda futile to scan a /64, it makes WAY too much noise!
Should I be surprised this is actually the first lot of IPv6 I've also blocked in 10 years....
Use pfBlocker and block the whole of China by GeoIP
I've had 240e:f7:4f01:c::3 knocking on my /64 door for weeks now.
-
I'm seeing loads of this as well. More from 240e:f7:4f01:c::2 than 240e:f7:4f01:c::3 overall.
It's an interesting scan. I've only got 3 months data, though. Sounds like it's been going on for a while.
-
@dylanpiergies said in China- The first country to scan my IPv6 range.!!:
I'm seeing loads of this as well. More from 240e:f7:4f01:c::2 than 240e:f7:4f01:c::3 overall.
It's an interesting scan. I've only got 3 months data, though. Sounds like it's been going on for a while.
What are you using to build this picture?
-
@dylanpiergies What are you using to build this picture?
-
@Sergei_Shablovsky said in China- The first country to scan my IPv6 range.!!:
What are you using to build this picture?
https://blog.polleverywhere.com/best-word-cloud-generator/
-
I don't see much ipv6 noise either... But I do see this IP quite a bit in the current logs
2001:4ca0:108:42:0:80:6:9
I don't see a pattern to their search..
Probing 80 on random IPv6 in my ranges..
-
@Sergei_Shablovsky It's a tag cloud in Kibana. Firewall logs are being sent to ElasticSearch.
-
Last 60 days :)
-
Using the latest fail2ban so it's IPv6 aware on a Debian web/mail/dns/whatever server.
IPv6 isn't background noise anymore. 10% and rising.
-
I find this post absolutely hilarious.
I haven't done squat with IPv6 for about the last 10 years ... and not that I needed it now I have decided that as an experiment I will provide some v6 connectivity to some of my LAN hosts cause I have a /48 from my ISP.
I was actually debugging some network issues related to NDP so was running a tcpdump on my link... as soon as my subnet became routable massive portscanning traffic started flowing in from the exact same IP:
240e:f7:4f01:c::3.53802
I find this absolutely hilarious cos this was one of the selling points of IPv6, kind of a "security through obscurity" that you cannot (or I mean you should not be THAT DUMB TO TRY) scan address ranges and this guy is not giving up since 2 years, imagine the amount of junk traffic he generated since then and just how many IPs is he scanning bruh don't have anything better to do? :D
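-
An added example, not code from any poster in this thread: one way to surface the pattern described above (a single IPv6 source blocked on many distinct addresses inside one /64) from firewall logs. The log layout, the `find_scanners` name and the 2001:db8:: destination addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in a simplified "action proto src dst dport" layout.
# The layout is an assumption; adapt the parsing to your firewall's real format.
# Sources are the addresses named in the thread; destinations use 2001:db8::/32.
SAMPLE_LOG = """\
block tcp 240e:f7:4f01:c::3 2001:db8:1:2:91f3:22a:7c01:5e 5901
block tcp 240e:f7:4f01:c::3 2001:db8:1:2:4b:d0e1:9:aa10 5901
block tcp 240e:f7:4f01:c::3 2001:db8:1:2:4b:d0e1:9:aa10 5901
block tcp 240e:f7:4f01:c::3 2001:db8:1:2:c07:11:f00d:1 5901
block tcp 240e:f7:4f01:c::3 2001:db8:1:2:7:8:9:a 5901
block tcp 240e:f7:4f01:c::2 2001:db8:1:2:1:2:3:4 5901
block tcp 240e:f7:4f01:c::2 2001:db8:1:2:5:6:7:8 5901
block tcp 240e:f7:4f01:c::2 2001:db8:1:2:9:a:b:c 5901
block tcp 2001:4ca0:108:42:0:80:6:9 2001:db8:1:2:aa:bb:cc:dd 80
block tcp 2001:4ca0:108:42:0:80:6:9 2001:db8:1:2:ee:ff:11:22 80
pass tcp 2001:db8:ffff::10 2001:db8:1:2::1 443
block tcp 198.51.100.7 192.0.2.1 22
garbage line
"""


def find_scanners(lines, min_targets=3, prefix=64):
    """List sources blocked on >= min_targets distinct addresses in one /prefix."""
    hits = defaultdict(lambda: (set(), set()))  # (src, net) -> (targets, ports)
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "block":
            continue  # malformed line, or traffic that was allowed
        try:
            src = ipaddress.ip_address(parts[2])
            dst = ipaddress.ip_address(parts[3])
            port = int(parts[4])
        except ValueError:
            continue  # unparsable address or port
        if src.version != 6 or dst.version != 6:
            continue  # only IPv6 is of interest here
        # Collapse the destination to its covering network (a /64 by default).
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        targets, ports = hits[(str(src), str(net))]
        targets.add(dst)   # a set, so repeated hits on one address count once
        ports.add(port)
    report = [{"source": s, "net": n, "targets": len(t), "ports": sorted(p)}
              for (s, n), (t, p) in hits.items() if len(t) >= min_targets]
    return sorted(report, key=lambda r: -r["targets"])


if __name__ == "__main__":
    for row in find_scanners(SAMPLE_LOG.splitlines()):
        print(row)
```

Counting distinct destinations rather than raw hits keeps a chatty but legitimate peer that retries one address from being flagged as a scanner.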