Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

August 25, 2022

Why It’s Impossible to Scan the Entire Internet

By: Keegan Henckel-Miller


IPv6 is big. Very big. Thanks to a 128-bit address format, there are 2^128 possible IPv6 addresses. To put this in perspective, astronomers reckon that there are around 10^24 stars in the universe. Comparing these two numbers, IPv6 allows for roughly a million billion times more addresses than the number of stars calculated to exist. If you had to summarise the IPv6 internet in one word, “vast” would be an understatement.

This vastness presents a serious problem for attack surface management. The tools you use to scan IPv4 activity do not work for IPv6. With over a third of the world’s internet activity now happening on IPv6, your attack surface is getting much larger, just as your ability to see it gets smaller.

Randori’s approach helps security teams overcome this problem by enriching vulnerability management data with hacker logic to prioritize risks, as well as showing teams the IPv6 assets other solutions miss. 

You Can Scan IPv4 Addresses for Vulnerabilities 

Security scanning tools work like search engines. They index blocks of IPv4 addresses to figure out what machines are associated with each IP address. On the level of individual subnets or private networks, this ability helps you figure out what nodes are associated with which IP addresses connected to your network and whether or not you have internet-facing assets that third parties can access through open ports. 

IPv4 has 4.2 billion address combinations. This means scanning tools can systematically scan one IPv4 /8 block (roughly 16 million addresses) in a few days. Some highly optimized tools and processes like ZMap can scan the entire IPv4 address space in just 45 minutes.

Although IPv4 is big, defenders (and attackers) can do a “brute force” scan for IPv4-connected assets reasonably fast. As a result, defenders can get regular snapshots of their attack surface and reduce their shadow IT risk.  

However, as our previous blog post outlined, scanning IPv4 does not give you a complete picture of your attack surface. In many cases, like if most of your IT network is located in the US, scanning IPv4 only shows you less than half of your connected assets. At a time when 69% of companies admit experiencing an attack that started via an asset they didn’t know they had, this is a significant problem for defenders. 

But IPv6 Requires a Different Approach 

Scanning tools can’t scan IPv6 assets in the same way they do with IPv4. The data set IPv6 creates is simply much too large. Aside from the impossibility of scanning the entire address space, IPv6 subnets also present new levels of complexity.

A typical IPv4 LAN subnet of /24 has a maximum allocation of 256 host addresses. With IPv6, the minimum LAN subnet size is /64, which means that there are over 18 quintillion addresses. If you could somehow scan two million addresses each second, it would take you just under three hundred thousand years to finish scanning one IPv6 subnet. There may be theoretically faster ways to scan parts of an IPv6 subnet or block, but brute force scanning is impossible. 

Following IPv4 scanning methodologies means genuine asset discovery on IPv6 is almost impossible for defenders to do with brute force tools. Some vendors attempt to get around this problem by using IPv4 to find IPv6 (some assets function across both protocols) or getting their clients to add in the addresses of their IPv6 assets themselves. 

However, these methods are only stop-gap solutions. The number of IPv6-only assets is growing fast. When security programs only scan IPv4 assets, not only does shadow IT remain out of sight, but defenders proceed with a false sense of confidence and ignore real threats from IPv6 assets. Unguarded assets are where attackers target most. In order to reduce attacks on shadow IT, IPv6 assets must be scanned like any other asset and patched when they are found to be dangerous.

How Randori Discovers Your IPv6 Assets

At Randori, we help our customers find unknown IPv6 assets by taking an inside-out approach to enterprise attack surfaces. Our discovery engine doesn’t look at your attack surface as being in a box of IPv4 or IPv6. 

Instead, Randori uses your seed domain to find breadcrumbs of information that point elsewhere. When you have a breadcrumb that points to an IPv6 asset, we will find it. 

Breadcrumbs can be things like a hostname or certificate record. When we find these indicators, we investigate them further, joining the dots between them and any connected IP addresses, regardless of whether they are IPv4 or IPv6. Randori keeps repeating this process until we catalog your entire attack surface. 
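A toy model of the breadcrumb-following process described above, as an added example that is not Randori's code or data: starting from a seed domain, it follows hostname and certificate SAN breadcrumbs, resolves each hostname to both A (IPv4) and AAAA (IPv6) records, and reports which hosts an IPv4-only scan would never see. The DNS answers and certificate SANs are constructed in-memory tables so the example runs offline.

```python
import ipaddress
from collections import deque

# Constructed stand-ins for DNS answers (A + AAAA) and certificate SANs.
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real hosts.
DNS = {
    "example.com":     ["203.0.113.10"],
    "www.example.com": ["203.0.113.10", "2001:db8:1::10"],
    "api.example.com": ["2001:db8:1::20"],   # IPv6-only: invisible to IPv4 scans
    "old.example.com": ["2001:db8:2::5"],    # IPv6-only, reachable only via a SAN
}
CERT_SANS = {
    "example.com":     ["example.com", "www.example.com"],
    "www.example.com": ["www.example.com", "api.example.com"],
    "api.example.com": ["api.example.com", "old.example.com"],
}


def discover(seed, dns=DNS, sans=CERT_SANS):
    """Breadth-first walk from `seed`: every hostname is resolved to all of
    its addresses, and every SAN on its certificate becomes a new breadcrumb.
    Returns the hosts reached and their IPv4/IPv6 addresses, plus the set of
    hosts that expose *only* IPv6 addresses."""
    seen = {seed}
    queue = deque([seed])
    ipv4, ipv6, ipv6_only = set(), set(), set()
    while queue:
        host = queue.popleft()
        addrs = [ipaddress.ip_address(a) for a in dns.get(host, [])]
        for ip in addrs:
            (ipv6 if ip.version == 6 else ipv4).add(str(ip))
        if addrs and all(ip.version == 6 for ip in addrs):
            ipv6_only.add(host)
        for name in sans.get(host, []):
            if name not in seen:          # follow each breadcrumb once
                seen.add(name)
                queue.append(name)
    return {"hosts": seen, "ipv4": ipv4, "ipv6": ipv6, "ipv6_only": ipv6_only}


if __name__ == "__main__":
    result = discover("example.com")
    for key in ("hosts", "ipv4", "ipv6", "ipv6_only"):
        print(f"{key}: {sorted(result[key])}")
```

Swapping the constructed tables for live DNS lookups and certificate parsing turns this into a real, if minimal, breadcrumb crawler; the point is that address discovery follows names, not address ranges.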

In this way, Randori can find the internet-facing assets that vulnerability scanners miss, giving you a genuine look at your attack surface.

Gain an Attacker's Perspective

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.