
Shodan collected the IPv6 addresses of NTP clients and scanned them in response

One of the advantages of IPv6 is that NAT is unnecessary, thanks to the huge number of addresses in general and the size of the subnets handed out to users in particular. It would seem that nobody could reach a single-board device you have just connected to your IPv6-enabled home network. No one in their right mind would scan your entire subnet: if the whole IPv4 Internet can be scanned in tens of minutes, a full scan of a /64 (the minimum subnet recommended for allocation to clients) would take tens of thousands of years. And even if an attacker somehow learns your IPv6 address, you can always enable IPv6 Privacy Extensions, which randomize your address once a day or more often.
So the probability that someone scans your single-board device, which never reaches out to external resources, would seem extremely low. However, there is one thing configured on almost every computer: periodic time synchronization via NTP.

NTP

The vast majority of Linux distributions are installed with automatic time synchronization via NTP already configured, using the pool.ntp.org servers. As it turned out, joining pool.ntp.org is quite simple, and Shodan took advantage of this: it used 5 NTP servers in different parts of the world and, for good measure, several IP addresses on each server, so that a client request would be more likely to land on one of theirs. As a result, the ntp.org pool contained 45 IPv6 addresses of Shodan machines, which scan any IPv6 address that connects to them in response.
The scanning was discovered, and all the Shodan servers identified, by Brad Hein. Identifying every scanning NTP server by hand is rather difficult, since the NTP daemon polls several NTP servers in turn for more accurate time synchronization. To automate the process, a script was written that processes the firewall log and, using a fresh temporary IPv6 address, connects to the suspicious hosts again to confirm that they really do scan in response.
Confirming that the hosts belong to Shodan was quite easy: almost all of the servers had real host names in their PTR records, of the form *.scan6.shodan.io
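The offline half of that detection, as an added example that is not the script from the article: correlate outbound NTP queries in a netfilter-style firewall log with inbound connection attempts that come back from the same server shortly afterwards. The log format, the prefixes `[FW-OUT]`/`[FW-IN]` and the addresses are constructed for this example (the page does not give Hein's log format), and the active re-check with a fresh temporary address is left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter-style log (not from the article): our host sends NTP
# queries to two pool servers, then one of them connects back on non-NTP ports.
# Addresses use the RFC 3849 documentation prefix.
SAMPLE_LOG = """\
2016-01-20T10:00:01 kernel: [FW-OUT] OUT=eth0 SRC=2001:db8:1::a DST=2001:db8:ff::1 PROTO=UDP DPT=123
2016-01-20T10:00:01 kernel: [FW-OUT] OUT=eth0 SRC=2001:db8:1::a DST=2001:db8:ff::2 PROTO=UDP DPT=123
2016-01-20T10:00:09 kernel: [FW-IN] IN=eth0 SRC=2001:db8:ff::1 DST=2001:db8:1::a PROTO=TCP DPT=22
2016-01-20T10:00:10 kernel: [FW-IN] IN=eth0 SRC=2001:db8:ff::1 DST=2001:db8:1::a PROTO=TCP DPT=80
2016-01-20T10:00:11 kernel: [FW-IN] IN=eth0 SRC=2001:db8:ff::1 DST=2001:db8:1::a PROTO=TCP DPT=443
2016-01-20T10:30:00 kernel: [FW-IN] IN=eth0 SRC=2001:db8:ee::9 DST=2001:db8:1::a PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) kernel: \[(?P<dir>FW-OUT|FW-IN)\] .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def find_scan_in_response(log_text, window=timedelta(minutes=15), min_ports=2):
    """Return {ntp_server: sorted ports} for servers we queried over NTP that
    then connected back to us on at least `min_ports` distinct non-NTP ports
    within `window` of our query. Other inbound traffic is ignored."""
    ntp_queries = {}            # server address -> time of our last NTP query
    inbound = defaultdict(set)  # server address -> ports it probed on us
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["dir"] == "FW-OUT" and m["proto"] == "UDP" and m["dpt"] == "123":
            ntp_queries[m["dst"]] = ts
        elif m["dir"] == "FW-IN" and m["src"] in ntp_queries:
            if m["dpt"] != "123" and ts - ntp_queries[m["src"]] <= window:
                inbound[m["src"]].add(int(m["dpt"]))
    return {srv: sorted(p) for srv, p in inbound.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for server, ports in find_scan_in_response(SAMPLE_LOG).items():
        print(f"{server} scanned back on ports {ports}")  # 2001:db8:ff::1 -> [22, 80, 443]
```

Hosts flagged this way are only candidates; a PTR lookup (the `*.scan6.shodan.io` names the article mentions) or a repeat query from a fresh address is what confirms them.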

At the moment, Shodan servers have been excluded from the ntp.org pool.

How to protect yourself?

SANS recommends running your own NTP server on the local network and synchronizing it with trusted NTP servers, or with GPS satellites, or with the time broadcast by mobile operators' base stations over GSM. Configure that NTP server securely from the start, following, for example, a dedicated hardening guide. Keep in mind that the NTP protocol has the MONLIST command, which returns the addresses of all clients that have recently updated their time, so be careful when choosing a trusted server: pick one where it is disabled.

Conclusion

Bjørn Hansen believes that soon there may be services that collect active IPv6 addresses and sell lists to third parties. "Choose websites that you visit with caution."

Links

arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scanners
netpatterns.blogspot.de/2016/01/the-rising-sophistication-of-network.html
isc.sans.edu/forums/diary/Targeted+IPv6+Scans+Using+poolntporg/20681

Source: https://habr.com/ru/post/276831/

