Who Knocks at the IPv6 Door?

Fukuda, Kensuke; Heidemann, John

doi:10.1145/3278532.3278553

Cited by 15 publications

(11 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Despite their large vantage point into IPv6 scanning behavior, their study also only identified trace amounts of IPv6 scanning. More recently, in 2018, Fukuda and Heidemann [36] proposed using DNS backscatter to identify IPv6 scanning activity. Of note is the fact that this was the first study to find evidence of widespread IPv6 scanning activity.…”

Section: Related Workmentioning

confidence: 99%

“…Previous work with similar goals performed observational studies using passive measurements of unsolicited traffic. While observational studies provide useful insights they (1) do not identify address discovery strategies leveraged by scanners and (2) may not be representative of the real scanning activity observed by actively in-use IPv6 networks [26,34,36,46] ( §2). In contrast, we take an active approach by conducting controlled experiments to evaluate the impact of IPv6 host activity on scanner behavior.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Glowing in the Dark Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild

Bin¹,

Singh²,

Pearce³

et al. 2022

Preprint

View full text Add to dashboard Cite

In this work we identify scanning strategies of IPv6 scanners on the Internet. We offer a unique perspective on the behavior of IPv6 scanners by conducting controlled experiments leveraging a large and unused /56 IPv6 subnet. We selectively make parts of the subnet visible to scanners by hosting applications that make direct or indirect contact with IPv6capable servers on the Internet. By careful experiment design, we mitigate the effects of hidden variables on scans sent to our /56 subnet and establish causal relationships between IPv6 host activity types and the scanner attention they evoke. We show that IPv6 host activities e.g., Web browsing, membership in the NTP pool and Tor network, cause scanners to send a magnitude higher number of unsolicited IP scans and reverse DNS queries to our subnet than before. DNS scanners focus their scans in narrow regions of the address space where our applications are hosted whereas IP scanners broadly scan the entire subnet. Even after the host activity from our subnet subsides, we observe persistent residual scanning to portions of the address space that previously hosted applications.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Glowing in the Dark Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild

Bin¹,

Singh²,

Pearce³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Here, we use a similar threshold to previous work in IPv4 [22]. We point out that other works have used less strict definitions of a scan, e.g., requiring a source to target fewer addresses, such as 25 [5] or only 5 [12]. We acknowledge that our strict large-scale definition may miss smallscale scans, but at the same time greatly reduces the number of CDN connection artifacts that we otherwise may mis-classify as scanning activity.…”

Section: Scan Detectionmentioning

confidence: 99%

Illuminating large-scale IPv6 scanning in the internet

Richter

Gasser

Berger

2022

Proceedings of the 22nd ACM Internet Measurement Conference

View full text Add to dashboard Cite

While scans of the IPv4 space are ubiquitous, today little is known about scanning activity in the IPv6 Internet. In this work, we present a longitudinal and detailed empirical study on large-scale IPv6 scanning behavior in the Internet, based on firewall logs captured at some 230,000 hosts of a major Content Distribution Network (CDN). We develop methods to identify IPv6 scans, assess current and past levels of IPv6 scanning activity, and study dominant characteristics of scans, including scanner origins, targeted services, and insights on how scanners find target IPv6 addresses. Where possible, we compare our findings to what can be assessed from publicly available traces. Our work identifies and highlights new challenges to detect scanning activity in the IPv6 Internet, and uncovers that today's scans of the IPv6 space show widely different characteristics when compared to the more well-known IPv4 scans. CCS CONCEPTS• Networks → Network security; Network measurement.

show abstract

“…There are also a few works focused on the detection and defense of IPv6 scanning. Fukuda et al [56] introduce an approach to detect IPv6 scanning and evaluate relevant severity. Plonka et al [57] introduce kIP, a new approach to increase the anonymity of IPv6 addresses.…”

Section: Ipv6 Address Space Securitymentioning

confidence: 99%

Addressless: A new internet server model to prevent network scanning

et al. 2021

View full text Add to dashboard Cite

Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible, however, with recent advances of IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model named addressless server, which separates the server into an entrance module and a main service module, and assigns an IPv6 prefix instead of an IPv6 address to the main service module. The entrance module generates a legitimate IPv6 address under this prefix by encrypting the client address, so that the client can access the main server on a destination address that is different in each connection. In this way, the model provides isolation to the main server, prevents network scanning, and minimizes exposure. Moreover it provides a novel framework that supports flexible load balancing, high-availability, and other desirable features. The model is simple and does not require any modification to the client or the network. We implement a prototype and experiments show that our model can prevent the main server from being scanned at a slight performance cost.

show abstract

Who Knocks at the IPv6 Door?

Cited by 15 publications

References 15 publications

Glowing in the Dark Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild

Glowing in the Dark Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild

Illuminating large-scale IPv6 scanning in the internet

Addressless: A new internet server model to prevent network scanning

Contact Info

Product

Resources

About