{"id":1963,"date":"2026-03-17T13:04:36","date_gmt":"2026-03-17T13:04:36","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/"},"modified":"2026-03-17T13:04:36","modified_gmt":"2026-03-17T13:04:36","slug":"ipv4-mapped-ipv6-addresses-tue-mar-17th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/","title":{"rendered":"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)"},"content":{"rendered":"<div>\n<p>Yesterday, in my diary about the scans for &#8220;\/proxy\/&#8221; URLs, I noted how attackers are using IPv4-mapped IPv6 addresses to possibly obfuscate their attack. These addresses are defined in\u00a0<a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc4038\">RFC 4038<\/a>. These addresses are one of the many transition mechanisms used to retain some backward compatibility as IPv6 is deployed. Many modern applications use IPv6-only networking code. IPv4-mapped IPv6 addresses can be used to represent IPv4 addresses in these cases. IPv4-mapped IPv6 addresses are not used on the network, but instead, translated to IPv4 before a packet is sent.<\/p>\n<p>To map an IPv4 address into IPv6, the prefix &#8220;::ffff:\/96&#8221; is used. This leaves the last 32 bits to represent the IPv4 address. For example, &#8220;10.5.2.1&#8221; turns into &#8220;::ffff:0a05:0201&#8221;. Many applications\u00a0display the last 4 bytes in decimal format to make it easier to read. For example, you will\u00a0see &#8220;::ffff:10.5.2.1&#8221;.\u00a0<\/p>\n<p>If IPv4-mapped IPv6 addresses can be used depends on the particular application. Here are a few examples, but feel free to experiment yourself:<\/p>\n<p>ping6 on macOS:<\/p>\n<blockquote>\n<p><tt>% ping6 ::ffff:0a05:0201<br \/>\nPING6(56=40+8+8 bytes) ::ffff:10.5.2.147 --&gt; ::ffff:10.5.2.1<br \/>\nping6: sendmsg: Invalid argument<br \/>\nping6: wrote ::ffff:0a05:0201 16 chars, ret=-1<\/tt><\/p>\n<\/blockquote>\n<p>Note that ping6 displays the\u00a0IPv4 address\u00a0in decimal format but refuses to send any packets, since they would be IPv4 packets, not IPv6.<\/p>\n<blockquote>\n<p><tt>% ping ::ffff:0a05:0201<br \/>\nping: cannot resolve ::ffff:0a05:0201: Unknown host<\/tt><\/p>\n<\/blockquote>\n<p>Regular IPv4 ping fails to recognize the format for an IP address, and instead interprets it as a hostname, which fails.<\/p>\n<p>ping6 on Linux does not return an error. It just appears to &#8220;hang,&#8221; and no packets are emitted. Running strace shows:<\/p>\n<blockquote>\n<p><code>sendto(3, \"200\u0000\u0000\u0000{263\u00004i:271i\u0000\u0000\u0000\u0000(2006\u0000\u0000\u0000\u0000\u00002021222324252627\"..., 64, 0, {sa_family=AF_INET6, sin6_port=htons(58), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, \"::ffff:10.5.2.1\", &amp;sin6_addr), sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)<br \/>\nrecvmsg(3, {msg_namelen=28}, MSG_DONTWAIT|MSG_ERRQUEUE) = -1 EAGAIN (Resource temporarily unavailable)<\/code><\/p>\n<\/blockquote>\n<p>It attempts to set up an IPv6 connection based on the &#8220;AF_INET6&#8221; argument in the inet_pton call, but this fails for the mapped IPv4 address.<\/p>\n<p>ssh, on the other hand (on MacOS and Linux) works just fine:<\/p>\n<blockquote>\n<p><tt>$ ssh ::ffff:0a05:0201 -p 11460<br \/>\nThe authenticity of host '[::ffff:10.5.2.1]:11460 ([::ffff:10.5.2.1]:11460)' can't be established.<\/tt><\/p>\n<\/blockquote>\n<p>The traffic is sent properly as IPv4 traffic.<\/p>\n<p>curl is kind of interesting in that it uses the IPv4-mapped IPv6 address as a host header:<\/p>\n<blockquote>\n<p><tt>$ curl -i http:\/\/[::ffff:0a80:010b]<br \/>\nHTTP\/1.1 301 Moved Permanently<br \/>\nServer: nginx<br \/>\nDate: Tue, 17 Mar 2026 11:32:10 GMT<br \/>\nContent-Type: text\/html<br \/>\nContent-Length: 162<br \/>\nConnection: keep-alive<br \/>\nLocation: https:\/\/[::ffff:0a80:010b]\/<\/tt><\/p>\n<\/blockquote>\n<p>I tried a couple of different web servers, and they all acted the same way. Browsers like Safari and Chrome could also\u00a0use these addresses. In browsers, it may be possible to evade some filters by using IPv4-mapped IPv6 addresses when simple string matching is used. Note how in URLs the IPv6 address must be enclosed in square brackets to avoid &#8220;colon confusion&#8221;.\u00a0<\/p>\n<p>Any ideas what else to test or how to possibly use or abuse these addresses? Remember that on the network, you will end up with normal IPv4 traffic, not IPv6 traffic using IPv4-mapped IPv6 addresses.\u00a0<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D. , Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a>|<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday, in my diary about the scans for &#8220;\/proxy\/&#8221; URLs, I noted how attackers are using IPv4-mapped IPv6 addresses to possibly obfuscate their attack. These addresses are defined in\u00a0RFC 4038. These addresses are one of the many transition mechanisms used to retain some backward compatibility as IPv6 is deployed. Many modern applications use IPv6-only networking [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-1963","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Yesterday, in my diary about the scans for &#8220;\/proxy\/&#8221; URLs, I noted how attackers are using IPv4-mapped IPv6 addresses to possibly obfuscate their attack. These addresses are defined in\u00a0RFC 4038. These addresses are one of the many transition mechanisms used to retain some backward compatibility as IPv6 is deployed. Many modern applications use IPv6-only networking [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-17T13:04:36+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)\",\"datePublished\":\"2026-03-17T13:04:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/\"},\"wordCount\":503,\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/\",\"name\":\"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"datePublished\":\"2026-03-17T13:04:36+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/","og_locale":"en_US","og_type":"article","og_title":"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th) - Imperative Business Ventures Limited","og_description":"Yesterday, in my diary about the scans for &#8220;\/proxy\/&#8221; URLs, I noted how attackers are using IPv4-mapped IPv6 addresses to possibly obfuscate their attack. These addresses are defined in\u00a0RFC 4038. These addresses are one of the many transition mechanisms used to retain some backward compatibility as IPv6 is deployed. Many modern applications use IPv6-only networking [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-03-17T13:04:36+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)","datePublished":"2026-03-17T13:04:36+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/"},"wordCount":503,"keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/","name":"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"datePublished":"2026-03-17T13:04:36+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/17\/ipv4-mapped-ipv6-addresses-tue-mar-17th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1963"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1963\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=1963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}