Shodan collected IPv6 addresses of NTP clients and scanned them in response
It would seem that the likelihood of scanning your single-player, which does not access external resources, is extremely low. However, there is one thing that is configured on almost every computer - periodic time synchronization via NTP.
NTP
The vast majority of Linux distributions are installed with configured automatic time synchronization via NTP using pool.ntp.org servers. As it turned out, becoming a part of pool.ntp.org is quite simple, which is what Shodan took advantage of using 5 NTP servers in different parts of the world, for the sake of accuracy, using several IP addresses on one server, so that the probability of a client request getting to their server was higher . Thus, in the ntp.org pool there were 45 IPv6 addresses of Shodan machines that scan any IPv6 address that connects to them in response.I discovered the fact of scanning and calculated all Shodan Brad Hein servers. Manually calculating all the scanning NTP servers is rather difficult. The NTP daemon accesses many NTP servers sequentially for more accurate time synchronization. To automate the process, a script was written that processes the firewall log and connects to suspicious hosts again to make sure that they really scan in response using a fresh temporary IPv6 address.
Confirming the ownership of the Shodan hosts was pretty easy - almost all the servers used the real hostnames in the PTR record, like * .scan6.shodan.io
At the moment, Shodan servers were excluded from the ntp.org pool.
How to protect yourself?
SANS recommends setting up your own NTP server on the local network, which will be synchronized with trusted NTP servers, either using GPS satellites or the time of operator base stations via GSM. It is immediately safe to configure the NTP server, following, for example, special instructions . It must be remembered that in the NTP protocol there is a MONLIST command that issues the addresses of all clients that have recently updated the time, so be careful when choosing a trusted server - choose the one where it is disabled.Conclusion
Bjørn Hansen believes that services may soon appear that collect active IPv6 addresses and sell lists to third parties. “Choose the websites you visit with caution.”References
arstechnica.com/security/2016/02/using-ipv6-with-linux-youve-likely-been-visited-by-shodan-and-other-scannersnetpatterns.blogspot.de/2016/01/the-rising-sophistication -of-network.html
isc.sans.edu/forums/diary/Targeted+IPv6+Scans+Using+poolntporg/20681