TL;DR: Managing the online exposure of systems can be difficult. Sometimes IPv6 network configurations get forgotten, leading to services unknowingly connected to the internet.
We’ve been (very) slowly adopting IPv6 since its introduction in 1995. This additional protocol version allows a computer system to be reachable in two different address spaces (IPv4 and IPv6), which can expand the attack surface of that system if the two are not managed together. Fortunately, most firewalls will apply user-defined rules to both versions simultaneously. This blog post looks at finding services that are exposed in the IPv6 space but aren’t reachable via their IPv4 counterpart.
I’ve scanned a subset of the public IP space to get an idea of how many firewalls/systems actually have different configurations in the two address spaces. I matched IPv4 and IPv6 addresses to each other using DNS lookups and validated the pairs by looking for exposed services that present a certificate on both addresses.
The experiment started with a sample group of 18 710 IPv4/6 address pairs. Of these, 10 683 (~57.1%) address pairs had matching certs and 8 027 (~42.9%) did not (mostly due to incorrect DNS records). The non-matching pairs were disregarded.
A suspiciously large number of systems, 5 055 (~47.3% of 10 683), showed discrepancies between the services exposed on the two addresses (according to Nmap).
4 510 (~42.2% of 10 683 total) of the systems in this dataset had more ports open on IPv4 than IPv6. This could be due to sysadmins disabling specific services for IPv6.
The number of exposed IPv4-only services here is interesting, knowing that there are “just” 4 510 servers with more IPv4 than IPv6 services in the dataset. Looking at the top domains with discrepancies shows us that there’s probably one network exposing the bulk of these endpoints:
Home.pl is a Polish internet provider that apparently doesn’t expose some services in the IPv6 space, explaining the huge number of xxx.home.pl servers with this specific discrepancy. These systems end up in the dataset at all because the validation step only requires a system to expose at least one certificate-bearing service on both IPv4 and IPv6. The system administrators / architects have probably decided to support only IPv4 for some specific services, resulting in the above graph.
Here is where it starts to become interesting…
The number of servers with specific services only exposed on IPv6 came out to be 422 (~4.0% of 10 683 total)*. Let’s have a closer look at the exposed services on these machines.
In this dataset there are 132 systems that only expose SSH on IPv6, and 133 systems where the same is true for rpcbind. 27 HTTP servers were also found to be reachable on IPv6 but not on IPv4.
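The matching, validation and comparison steps described above, as an added example that is not part of the original post: each record holds a hostname, its A and AAAA addresses, the certificate fingerprint seen on each address, and the open TCP ports observed per family (as Nmap would report them), and analyse() produces the same kind of counts the post gives. The two live helpers, resolve_pair() and cert_fingerprint(), are my assumption of how the DNS lookup and certificate check could be done with the Python standard library; the sample records, hostnames, addresses and fingerprints are constructed. A host counts as "IPv4 more" when at least one port is open only on IPv4 and as "IPv6 only" when at least one port is open only on IPv6, so a host can fall into both groups.

```python
# Added example (not the author's code): reproduce the IPv4/IPv6 exposure
# comparison on constructed records. resolve_pair/cert_fingerprint are
# assumed helpers; analyse() works purely on already-collected data.
import hashlib
import socket
import ssl
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Service names for ports that show up in the post's findings.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http",
                 111: "rpcbind", 443: "https", 3306: "mysql"}


@dataclass
class HostScan:
    hostname: str
    ipv4: str
    ipv6: str
    cert_v4: Optional[str]      # SHA-256 of the cert served over IPv4, None if no TLS service
    cert_v6: Optional[str]
    ports_v4: set = field(default_factory=set)   # open TCP ports seen on the IPv4 address
    ports_v6: set = field(default_factory=set)   # open TCP ports seen on the IPv6 address


def resolve_pair(hostname: str, port: int = 443):
    """First A and AAAA record for hostname (None where a family has none). Assumed helper."""
    v4 = v6 = None
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            hostname, port, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET and v4 is None:
            v4 = sockaddr[0]
        elif family == socket.AF_INET6 and v6 is None:
            v6 = sockaddr[0]
    return v4, v6


def cert_fingerprint(ip: str, hostname: str, port: int = 443, timeout: float = 5.0):
    """SHA-256 of the DER certificate presented at ip:port with SNI=hostname; None if no TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # only fingerprints are compared; the chain is not trusted
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    return hashlib.sha256(der).hexdigest()


def certs_match(h: HostScan) -> bool:
    """Validation step: the same certificate must be served on both addresses."""
    return h.cert_v4 is not None and h.cert_v4 == h.cert_v6


def parent_domain(hostname: str) -> str:
    return ".".join(hostname.split(".")[-2:])


def analyse(scans):
    """Counts in the style of the post: matched pairs, discrepancies, family-only ports."""
    matched = [h for h in scans if certs_match(h)]
    discrepant = [h for h in matched if h.ports_v4 != h.ports_v6]
    ipv4_more = [h for h in matched if h.ports_v4 - h.ports_v6]   # some port open on IPv4 only
    ipv6_only = [h for h in matched if h.ports_v6 - h.ports_v4]   # some port open on IPv6 only
    services = Counter()
    for h in ipv6_only:
        for p in h.ports_v6 - h.ports_v4:
            services[SERVICE_NAMES.get(p, str(p))] += 1
    return {
        "pairs": len(scans),
        "matched": len(matched),
        "discrepant": len(discrepant),
        "ipv4_more": len(ipv4_more),
        "ipv6_only_hosts": len(ipv6_only),
        "ipv6_only_services": dict(services),
        "top_domains": Counter(parent_domain(h.hostname) for h in discrepant).most_common(3),
    }


# Constructed sample: names, addresses and fingerprints are made up.
SAMPLE = [
    HostScan("a.home.pl", "192.0.2.10", "2001:db8::10", "fp-a", "fp-a", {22, 80, 443}, {443}),
    HostScan("b.home.pl", "192.0.2.11", "2001:db8::11", "fp-b", "fp-b", {80, 443}, {443}),
    HostScan("switch.uni.example", "192.0.2.20", "2001:db8::20", "fp-c", "fp-c", {443}, {23, 443}),
    HostScan("www.certs.example", "192.0.2.30", "2001:db8::30", "fp-d", "fp-d", {80, 443}, {22, 80, 443}),
    HostScan("edge.cdn.example", "192.0.2.40", "2001:db8::40", "fp-e", "fp-e", {443}, {21, 443}),
    HostScan("ok.example.net", "192.0.2.50", "2001:db8::50", "fp-f", "fp-f", {22, 443}, {22, 443}),
    HostScan("stale.example.org", "192.0.2.60", "2001:db8::60", "fp-g", "fp-h", {443}, {22, 443}),  # wrong AAAA
    HostScan("notls.example.org", "192.0.2.70", "2001:db8::70", None, None, {80}, {80}),
]

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The stale.example.org record shows why the certificate check matters: its AAAA record points at a different machine, so comparing its port sets would report a discrepancy that is really a DNS error, and the record is dropped instead. For a real audit of your own estate, resolve_pair() and cert_fingerprint() fill in the HostScan fields and the port sets come from Nmap run once with -4 and once with -6 against the respective addresses.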
Having services like SSH run only on IPv6 could be a “security” measure (security through obscurity), but is more likely due to a mis- or unmanaged system. This is especially likely for services such as HTTP or MySQL.
Some examples of possible misconfiguration
- A university in Germany running a switch where telnet access is still enabled for IPv6, allowing anyone on the internet to connect (though not authenticate).
- A website promoting IT certifications running an SSH service accessible via IPv6, but not IPv4.
- A content delivery network (CDN) exposing an FTP service via its IPv6 address.
These are all examples of systems where you’d expect to have access on both address families or on neither. Having access only through IPv6 suggests (but doesn’t confirm) that something went wrong in the network configuration of the respective servers.
There are quite a few servers running services only in the IPv6 space. Not keeping track of how your firewall and network settings are configured could lead to services being unintentionally exposed to the internet. This is especially harmful when the service itself lacks authentication or is vulnerable to exploitation. Unfortunately, there are a lot of publicly accessible systems that are still only reachable through IPv6, suggesting misconfiguration**.
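The post's point that firewall and network settings must be tracked for both families applies most to firewalls that keep separate IPv4 and IPv6 rulesets, such as iptables and ip6tables on Linux, where the ip6tables side is easy to forget. As an added example, not from the original post, the following parser reads the INPUT chain from iptables-save and ip6tables-save style dumps and reports ports accepted in one family but not the other, source restrictions that differ, and a default policy that is ACCEPT on only one side. The two dumps are constructed; the parser only handles the common `-p tcp --dport N -j ACCEPT` rule shape and `-s` source restrictions, which is an assumption about the rulesets it is fed.

```python
# Added example (not the author's code): diff the INPUT ACCEPT rules of an
# IPv4 and an IPv6 ruleset to find family-only exposure. Dumps are constructed.
import re

IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# The IPv6 side was never finished: default policy left at ACCEPT and SSH open to everyone.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A INPUT\b(?P<body>.*)-j (?P<target>\S+)")
DPORT_RE = re.compile(r"--dport (\d+)")
SRC_RE = re.compile(r"(?:-s|--source) (\S+)")


def parse_input_accepts(dump: str):
    """Return (INPUT default policy, {dport: source restriction or 'any'} for ACCEPT rules)."""
    policy = None
    accepts = {}
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        dport = DPORT_RE.search(m.group("body"))
        if not dport:          # stateful/other rules without a port are not compared here
            continue
        src = SRC_RE.search(m.group("body"))
        accepts[int(dport.group(1))] = src.group(1) if src else "any"
    return policy, accepts


def compare_families(v4_dump: str, v6_dump: str):
    """List human-readable findings where the IPv4 and IPv6 INPUT rules diverge."""
    pol4, acc4 = parse_input_accepts(v4_dump)
    pol6, acc6 = parse_input_accepts(v6_dump)
    findings = []
    if pol4 != pol6:
        findings.append(f"INPUT default policy differs: IPv4 {pol4}, IPv6 {pol6}")
    for port in sorted(set(acc4) | set(acc6)):
        s4, s6 = acc4.get(port), acc6.get(port)
        if s4 is None:
            findings.append(f"port {port}: accepted on IPv6 (from {s6}) but not on IPv4")
        elif s6 is None:
            findings.append(f"port {port}: accepted on IPv4 (from {s4}) but not on IPv6")
        elif s4 != s6:
            findings.append(f"port {port}: source restriction differs (IPv4 {s4}, IPv6 {s6})")
    return findings


if __name__ == "__main__":
    for finding in compare_families(IPTABLES_SAVE, IP6TABLES_SAVE):
        print(finding)
```

On a real host the two dumps come from `iptables-save` and `ip6tables-save`; with nftables a single `inet` family table applies one ruleset to both protocols and avoids this class of drift entirely.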
- Datasets have been generated in February of 2021
- This does not, in any way, shape, or form, qualify as scientific research. This is just the result of an interest in firewall discrepancies and a few free evenings.
* A number that would be higher if the certificate validation wasn’t needed on both IPv4 and IPv6 to ensure a valid match.
** In an ideal world we would only use IPv6, but we still have a long way to go to get there. Currently, IPv4 is still the de facto standard, as it’s more widely supported.
Source: Stefan Grimminck