Score:1

How to better understand IPv6 to block requests

id flag

With IPv4, whenever I notice any strange requests coming to my server I can easily block the IPv4 address from making further requests (I can block it in my iptables rules, or in my .htaccess file...). However, with IPv6 it's not that easy, because it's pretty simple to change the IP address, or even worse, it's pretty easy to rotate thousands of IPv6 addresses to make thousands of requests in a short time, all coming from different IP addresses.

With IPv4 this was not such a big problem, because it would be very expensive to own/rotate thousands of IPv4 addresses. Even companies like Linode or Digital Ocean ask you lots of questions if you start adding more than a few IP addresses to your account (even if you pay for those addresses, they will ask you lots of questions, like whether you are using those addresses to send spam, to DDoS...).

So my question is this: in the IPv6 address, is there some "part" or "substring" (that is mostly fixed) that I can reliably blacklist since the other "part" (that changes) is probably from the same person or the same network? Take for example this address:

2001:0db8:85a3:0000:0000:1111:2222:3333

Can I tell, from the address above, that if I block all the IPs containing "2001:0db8:85a3:0000:0000:1111" it will probably come from the same person/computer?

Thank you!

Score:1
cz flag

You can never be 100% sure, because various ISPs and hosting providers do things differently (and sometimes very very wrongly). But as a rule a cloud provider will assign a /64 to a virtual network, and every VM in that virtual network will get IP addresses from within that /64 in various different ways. Providers leasing bare metal ("dedicated") servers typically assign a /64 to each physical machine.

It gets a bit more complicated for home connections, but as a rule, unless the subscriber has made configuration changes (few do, as for the most part it's IT pros who want more than a /64 at home) they also will have a /64 for their entire residence.

So, as the above suggests, blocking the /64 is likely to get rid of most malicious actors who know how to rotate their IPv6 address.

You may find RFC 6177 interesting reading. Mainly as a baseline to see how various providers do it wrong.

id flag
Thank you so much! Regarding blocking the /64 address space, does that mean I can "discard" the last 2 `:` groups from the address? In the example I provided in #1, does it mean I can discard the `2222:3333` from the address, since the user can freely change/assign new addresses to that part?
cz flag
You are not familiar with subnetting? /64 is half of the 128-bit address, not one quarter.
id flag
Sorry, I am not familiar with subnetting. I was just assigned this task to blacklist some IPv6 addresses. So it's 128 bits long, right? 64 is half, but is it the first half or the second half? In the example I provided, should I block something like `2001:0db8:85a3:0000`?
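A worked version of the /64 rule from the answer above, as an added example (not code from the question, the answer or any project): it collapses request source addresses to their /64 prefix (the first four hextets, which is the network half; the last four are the interface identifier a client can rotate), counts requests per prefix, and checks later requests against the resulting block list. The sample addresses and the "more than two requests" threshold are constructed for the illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of request source addresses (not real traffic):
# three addresses rotated inside one /64 and one from a neighbouring /64.
SAMPLE_REQUESTS = [
    "2001:0db8:85a3:0000:0000:1111:2222:3333",
    "2001:0db8:85a3:0000:0000:1111:2222:3334",
    "2001:0db8:85a3:0000:abcd:ef01:2345:6789",
    "2001:0db8:85a4:0000:0000:1111:2222:3333",
]


def to_prefix(addr: str, prefix_len: int = 64) -> ipaddress.IPv6Network:
    """Return the /prefix_len network that contains addr.

    For /64 this keeps the first 64 bits (the first four hextets) and zeroes
    the interface identifier, i.e. the half of the address a client controls.
    """
    ip = ipaddress.IPv6Address(addr)
    return ipaddress.IPv6Network((ip, prefix_len), strict=False)


def count_by_prefix(addrs, prefix_len: int = 64) -> Counter:
    """Count requests per /prefix_len so rotation inside one /64 shows up as one source."""
    return Counter(str(to_prefix(a, prefix_len)) for a in addrs)


def is_blocked(addr: str, blocklist) -> bool:
    """True if addr falls inside any network on the block list."""
    ip = ipaddress.IPv6Address(addr)
    return any(ip in net for net in blocklist)


def ip6tables_rule(net: ipaddress.IPv6Network) -> str:
    """Render a matching ip6tables DROP rule for the whole prefix."""
    return f"ip6tables -A INPUT -s {net} -j DROP"


if __name__ == "__main__":
    counts = count_by_prefix(SAMPLE_REQUESTS)
    # Assumed policy: block every /64 that produced more than two requests.
    blocklist = [ipaddress.IPv6Network(p) for p, n in counts.items() if n > 2]
    for net in blocklist:
        print(ip6tables_rule(net))
    for addr in SAMPLE_REQUESTS:
        state = "blocked" if is_blocked(addr, blocklist) else "allowed"
        print(f"{addr} -> {to_prefix(addr)} {state}")
```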