Possible Change of Worms' Infection Strategies in the IPv6 Network

Monitoring malicious packets on the Internet is known to be an effective method for detecting threats such as Internet worms. Most current research on Internet monitoring and threat detection is conducted on IPv4 networks.

It is assumed that most worms today scan hosts closer to them on the Internet with higher probability than remote hosts when looking for hosts to infect. This infection strategy is very efficient, and we call it "random local-preferential scan".

As the transition of the Internet from IPv4 to IPv6 progresses, it is assumed that the infection strategies of Internet worms, as well as Internet monitoring methods, would change, because the IPv6 address space is so large that "random local-preferential scans" would no longer work in practice. Since the IP addresses in use would be sparsely scattered over the huge IPv6 space, random scans would be too inefficient.
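To put numbers on this argument, the following added example (not part of the original abstract) applies the standard logistic model of a uniformly random-scanning worm to address spaces of different sizes. The vulnerable population, scan rate and the choice of a single /64 subnet are constructed values, and uniform scanning is a simplification of the local-preferential strategy described above.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def probes_per_hit(space_bits, vulnerable_hosts):
    """Expected number of random probes before one lands on a vulnerable host."""
    return 2 ** space_bits / vulnerable_hosts

def time_to_fraction(space_bits, vulnerable_hosts, scans_per_sec,
                     fraction=0.5, initially_infected=1):
    """Seconds until `fraction` of the vulnerable hosts are infected.

    Closed-form solution of the logistic model
        dI/dt = (s / omega) * I * (N - I)
    where omega = 2**space_bits is the scanned address space, N the
    vulnerable population and s the scan rate of one infected host.
    """
    n, i0 = vulnerable_hosts, initially_infected
    if not 0 < fraction < 1:
        raise ValueError("fraction must lie strictly between 0 and 1")
    if not 0 < i0 < fraction * n:
        raise ValueError("initially_infected must be below the target level")
    growth_rate = scans_per_sec * n / 2 ** space_bits
    return math.log(fraction * (n - i0) / ((1 - fraction) * i0)) / growth_rate

def compare(vulnerable_hosts=1_000_000, scans_per_sec=4000):
    """Same population and scan rate (constructed values), three address spaces.

    Placing every vulnerable host inside one /64 is deliberately generous to
    the worm; real IPv6 hosts are spread over many subnets.
    """
    spaces = {"IPv4 (2^32)": 32, "one IPv6 /64 (2^64)": 64, "all IPv6 (2^128)": 128}
    return {
        name: (probes_per_hit(bits, vulnerable_hosts),
               time_to_fraction(bits, vulnerable_hosts, scans_per_sec))
        for name, bits in spaces.items()
    }

if __name__ == "__main__":
    for name, (probes, seconds) in compare().items():
        print(f"{name:22s} probes per hit: {probes:10.3e}   "
              f"time to 50%: {seconds:10.3e} s ({seconds / SECONDS_PER_YEAR:.3e} years)")
```

With these constructed inputs the model reaches half the vulnerable population in seconds on IPv4 but needs roughly two thousand years inside a single /64, which is why a monitoring sensor on unused IPv6 space would rarely see random probes.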

Therefore, in the age of IPv6, lists of known IP addresses would be precious information for attackers. The situation is similar to the way email spammers value lists of email addresses today. Fake web sites that collect active IP addresses would emerge, or legitimate web sites would become targets of attack for the IP addresses recorded in their logs.

Furthermore, known IP addresses would be traded on black markets. In the IPv6 Internet, worms would scan hosts using known IP addresses obtained in these ways, or would propagate via direct communication methods such as P2P networks or email attachments.

Masaki Ishiguro of the Information Technology Research Dept. at Mitsubishi Research Institute will be speaking at the FIRST Security Conference in Sevilla. FIRST is the premier organization and recognized global leader in incident response. For more info, visit FIRST's website at http://www.first.org.