Dagger2 17 hours ago

v4 networks commonly only get one IP for the whole network, and people use NAT with port forwarding to make inbound connections work. With this setup, an attacker only needs to scan the 65536 ports on the router to exhaustively enumerate every single publicly accessible server on your entire network, which is about 3 megabytes of traffic and takes approximately no seconds. On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger. If you want attackers to not know what's behind your router, you want v6.
nottorp 9 hours ago

> to exhaustively enumerate every single publicly accessible server on your entire network

Enterprise thinking. It's not the publicly accessible servers I worry about, it's the other boxes that shouldn't be publicly accessible...