I'm dealing with ongoing intrusion attempts from a specific IPv6 address range. These attacks target certain devices on my network and occur every 15 minutes or so during set times each day before stopping for a few days and then coming back. The attacks are originating from the address range 2600:1900:4020:49c:0:xxx, where the 'xxx' could be variations like 51b::, 4fe::, and 3f::. I want to implement a block at my firewall to prevent any connection attempts from this range, assuming my router might not do the job completely. I'm uncertain about the technical details, specifically how to define the block range properly: should it be 2600:1900:4020:49c:0::/32, or should I consider a /48, /64, or even /128? Also, I should note that I'm with Spectrum, and my address range starts with 2603, so the issues are definitely coming from outside my network.
4 Answers
If you're looking to block a significant portion of traffic, you might want to start with a /31 block, which can cover a good chunk of Google's IPs. If you're only interested in a smaller range, trying a /44 will still block some of the traffic you mentioned.
Honestly, I'd suggest against blocking arbitrary ranges altogether. You'll just end up playing a game of whack-a-mole with intruders. Let your firewall manage the details and handle those connections as they come without drastic blocks.
Starting with a /64 block is usually a good idea since most local area networks are configured that way. In the bigger picture, you can scale up to a /48 in certain contexts, especially for larger setups or when dealing with specific security rules. Just be cautious about what you're blocking!
Quick question: is it actually possible to block all incoming IPv6 traffic?
You could block incoming SYN packets, but be careful—it's important not to block established connections. If you did that, you wouldn't be able to receive data from any IPv6 websites you want to access.

I did a bit of searching and found out those IPs are associated with Google Cloud, which is known for scanning attacks. It seems like what you're facing happens mostly overnight and affects various devices on your network. Have you considered using a more targeted block just for the :49c:0 subnet rather than a broad one?
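To make the prefix-length question concrete (the /32, /48, /64 and /128 the question asks about, the /31 and /44 from the first answer, the "targeted block just for the :49c:0 subnet" in the last answer) and the caveat about not dropping established connections, here is an added example in Python; it is not code from any of the posters. It uses the standard `ipaddress` module to check which candidate ranges actually contain the three observed addresses, computes the tightest single prefix that covers all of them, and emits nftables rules in the right order. The nftables table name `inet filter` and chain name `input` are assumptions for illustration; adjust them to your own ruleset.

```python
import ipaddress
from typing import Dict, Iterable, List

# Source addresses quoted in the question (the "xxx" variants written out).
OBSERVED = [
    "2600:1900:4020:49c:0:51b::",
    "2600:1900:4020:49c:0:4fe::",
    "2600:1900:4020:49c:0:3f::",
]


def candidate_networks(seed: str, lengths: Iterable[int]) -> List[ipaddress.IPv6Network]:
    """Build candidate block ranges from one observed address and a list of prefix lengths.

    strict=False accepts a written form such as "2600:1900:4020:49c:0::/32" whose
    host bits are non-zero (as in the question); the bits past the prefix length
    are simply masked off, so /32 means "everything starting 2600:1900".
    """
    return [ipaddress.IPv6Network(f"{seed}/{n}", strict=False) for n in lengths]


def covers_all(net: ipaddress.IPv6Network, addrs: Iterable[str]) -> bool:
    """True if every observed address falls inside net."""
    return all(ipaddress.IPv6Address(a) in net for a in addrs)


def coverage_report(seed: str, lengths: Iterable[int], addrs: List[str]) -> Dict[str, bool]:
    """Map each candidate range (as text) to whether it contains all observed addresses."""
    return {str(net): covers_all(net, addrs) for net in candidate_networks(seed, lengths)}


def smallest_covering_prefix(addrs: List[str]) -> ipaddress.IPv6Network:
    """Return the longest (tightest) prefix that still contains every observed address.

    The highest bit position in which any address differs from the first one
    fixes how many leading bits they share; that shared count is the prefix length.
    """
    ints = [int(ipaddress.IPv6Address(a)) for a in addrs]
    first = ints[0]
    diff_bits = max((first ^ i).bit_length() for i in ints)
    length = 128 - diff_bits
    return ipaddress.IPv6Network((first, length), strict=False)


def nft_rules(net: ipaddress.IPv6Network, table: str = "inet filter", chain: str = "input") -> List[str]:
    """nftables commands that drop NEW connections from net but keep existing flows.

    Order matters: the established/related accept must be evaluated before the drop,
    otherwise replies to connections you opened would be discarded too.
    table and chain are assumed names; substitute your own.
    """
    return [
        f"nft add rule {table} {chain} ct state established,related accept",
        f"nft add rule {table} {chain} ip6 saddr {net} ct state new drop",
    ]


if __name__ == "__main__":
    lengths = [31, 32, 44, 48, 64, 85, 128]
    for net_text, ok in coverage_report(OBSERVED[0], lengths, OBSERVED).items():
        print(f"{net_text:40} covers all observed: {ok}")
    tight = smallest_covering_prefix(OBSERVED)
    print("tightest common prefix:", tight)
    # Your own Spectrum range (2603::/16 region) is nowhere near 2600:1900::/32.
    print("2603::1 inside 2600:1900::/32?",
          ipaddress.IPv6Address("2603::1") in ipaddress.IPv6Network("2600:1900::/32"))
    for cmd in nft_rules(tight):
        print(cmd)
```

Running it shows that every candidate from /31 down to /85 contains all three observed addresses, while /128 matches only the single address it was built from; the tightest prefix shared by the three is 2600:1900:4020:49c::/85, which is narrower than the /64 and /48 discussed in the answers. A longer prefix blocks fewer addresses, so the trade-off is exactly the one the answers describe: the tighter the range, the less collateral blocking, but the more likely the next probe arrives from just outside it.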