Hello and welcome to the Monday, December 11, 2023 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich and I'm recording from Washington, D.C. Let's take a look

at diaries from this weekend. D.D.A. published a diary with a URL we received from a reader that

showed a somewhat interesting host name, starting with colon, colon, ff, ff, and then an IPV4 address.

This particular notation does show up if IPV4 addresses are mapped into the IPV6 address space,

starting with colon-cole, which means all zeros, then the 4Fs, and the last 32 bits of the IP

address are the IPV-4 address, which is then displayed for convenience in the decimal

notation, not hexadecimal as you usually see with IPV6 addresses. This format, I've really only

seen being used in some Linux distributions, for example, if you're running NetStat,

and the purpose of this is if your operating system, or really the software that accepts

the connection, is essentially using IPV6 only.

And that way, the operating system sort of rewrites IP addresses into this pseudo IPV6 format.

These are not addresses that you ever should see on the network.

And I'm actually a little bit doubtful if this will work in the URL like this.

Typically there should be at least like square brackets around it for an IPV6 address,

but it isn't really an IPV6 address because the last four bytes are in decimal.

I tried it here on my Mac quickly and didn't really seem to work.

It basically thought it was a host name and, of course, it didn't resolve it.

This could very much be just a bug actually in the

attack script that somehow creates these malformed IP addresses, for example by pulling them out

of a net stat to kind of figure out what the other side's IP address is or what the local IP address is.

So maybe a buggy piece of software.

...