Hack Glasgow 2026

I'm a PhD student studying IPv6 at University of Glasgow. I also worked as a SOC analyst then as a threat hunter in industry alongside my studies.


Session

08-15
10:30
55min
Six Years of IPv6
Vi

After six long years, I'll (hopefully) have submitted my PhD thesis looking at IPv6 scanning. I'd love to share a few highlights of stuff I've learnt in that time, focusing on these themes:
- 'Ethical scanning of IPv6 is difficult (but important!)': a short tour of the experimental setup I used to run IPv6 scans (rough around the edges, but lovingly crafted), and a few papers which were very important to my work over the past few years. Very happy to bring my printed copies of these to the talk as props; they're covered in all sorts of post-it notes and handwritten notes at this point.
- 'Rate-limiting is vital': sounds like obvious advice, but IPv6 defences are often not up to the standard of IPv4. Rate-limiting at the recipient end of unsolicited IPv6 scans does a lot to limit reconnaissance - it's no longer enough to assume we're safe because it's a large address space, it's a niche protocol, we have network address translation (NAT), etc. I have some scans that show how we can detect rate-limiting thresholds and address allocation patterns in different networks with no prior info.
- 'IoT devices are IPv6 capable, but at what cost?': this is a more detailed look at one of the papers in the first section ('One Bad Apple Can Spoil Your IPv6 Privacy' - Saidi et al., 2022), plus additional work I did for address analysis (and, hopefully, some actual IoT scans). IPv6-enabled IoT devices can be a hazard in terms of user privacy from IPv6 addresses alone - some big name brands still embed MAC addresses in public IPv6 addresses, which can be used to track users across different networks even if every other device on their network uses IPv6 privacy addresses.
- 'One loudmouth can expose the entire operation': this section is original work, building on the previous section. An unexpected side-effect of insecure MAC-derived IPv6 addresses is that a single sign-in attempt from a suspected IoT IPv6 address can reveal botnet-like sign-in activity - we can use info from this one sign-in attempt to see many other IPv4 and IPv6 addresses attempting similar sign-ins across large numbers of accounts.
- 'IPv6 should be part of the blue team toolbox': it's no longer a niche, hobbyist protocol, (un)fortunately - it's really important for fellow blue teamers to understand that malicious behaviour is happening over IPv6, how to analyse it in logs, and how to handle IPv6 IoCs effectively. It might also be useful for red teamers to know there are probably gaps in the IPv6 fence...
- 'Conclusions': IPv6 scans are hard to run, but there's a lot of us doing them. IPv6 is still not implemented securely in IoT devices, which has positives and negatives. Evil over IPv6 is no longer theoretical and needs to be defended against.
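As an added illustration of the MAC-derived address point above (this is example code written for this page, not code from the talk or the speaker): an EUI-64 interface identifier carries the 0xFFFE filler and the flipped U/L bit, so a log-triage helper can recover the embedded MAC and flag such sources. The log format and addresses are constructed for the example.

```python
"""Flag EUI-64 (MAC-derived) IPv6 source addresses in log lines.

An EUI-64 interface identifier is built from a 48-bit MAC by inserting
0xFFFE between the OUI half and the device half and flipping the U/L bit
(0x02) of the first byte. Because the MAC is stable, the address follows a
device across networks even when every other host on the network uses
privacy (RFC 4941) addresses. This helper recovers the MAC so the source
can be triaged as a likely persistent device identifier.
"""
import ipaddress
import re

# Constructed sample auth-log lines (assumed format; not from any real service).
SAMPLE_LOG = """\
2026-08-15T10:31:02Z login failed user=alice src=2001:db8:1:2:2e3:a1ff:fe4b:9c01
2026-08-15T10:31:05Z login failed user=bob src=2001:db8:1:2:8d3e:4c9a:77f0:12ab
2026-08-15T10:31:09Z login failed user=carol src=198.51.100.7
2026-08-15T10:31:11Z login failed user=dave src=fe80::2e3:a1ff:fe4b:9c01
"""

_SRC_RE = re.compile(r"src=(\S+)")


def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 IPv6 address, else None."""
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return None            # IPv4, hostnames, garbage: not an IPv6 address
    iid = ip.packed[8:]        # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None            # no 0xFFFE filler: privacy/static/other IID
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L flip
    return ":".join(f"{b:02x}" for b in mac)


def flag_eui64(log_text: str):
    """Return (source, mac, is_link_local) for each EUI-64 source in the log.

    Link-local hits are only visible on the local link; the routable ones are
    the addresses that can be correlated across networks.
    """
    hits = []
    for line in log_text.splitlines():
        m = _SRC_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        mac = eui64_mac(src)
        if mac:
            hits.append((src, mac, ipaddress.IPv6Address(src).is_link_local))
    return hits


if __name__ == "__main__":
    for src, mac, link_local in flag_eui64(SAMPLE_LOG):
        scope = "link-local" if link_local else "routable"
        print(f"{src} -> MAC {mac} ({scope})")
```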

Stage 2