Abstract
Internet-wide scanners can efficiently scan the expansive IPv6 network by targeting the active prefixes and responsive addresses on hitlists. However, it is not sufficiently clear how scanners discover fresh prefixes, which include newly assigned or deployed prefixes as well as previously unused ones. This paper studies the whole process by which scanners discover fresh prefixes. We implement four DNS-based address-exposing methods, analyze the arrival sequence of scans from distinct ASes, and examine the temporal and spatial scan patterns using a darknet and a honeynet. Over six months, our custom-made darknet and probabilistic responsive honeynet collected 33 M packets (1.8 M sessions) of scans from 116 distinct ASes and 18.8 K unique source IP addresses. We investigate the whole process of fresh prefix discovery, including address exposure, initial probing, hitlist registration, and large-scale scan campaigns. Furthermore, we analyze the differences in scanning behavior across ASes and categorize the scanners into three types (honeynet-exclusive, honeynet-predominant, and balanced) based on the respective ratio of scans to the darknet and the honeynet. We also analyze the intentions of scanners, such as network reconnaissance or scanning responsive targets, and the methods they use to obtain potential targets, such as sending DNS queries or using a public hitlist. These findings provide insight into how fresh prefixes attract scanners and highlight the vital role of a responsive honeynet in analyzing scanner behavior.
Notes
- 1. Recall that the TUM hitlist does not provide registered darknet addresses.
Acknowledgments
We thank our shepherd, Pawel Foremski, and anonymous reviewers for their valuable feedback and suggestions, which greatly improved the quality of our manuscript. This work is financially supported by JSPS 21H03438.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Zhao, L., Kobayashi, S., Fukuda, K. (2024). Exploring the Discovery Process of Fresh IPv6 Prefixes: An Analysis of Scanning Behavior in Darknet and Honeynet. In: Richter, P., Bajpai, V., Carisimo, E. (eds) Passive and Active Measurement. PAM 2024. Lecture Notes in Computer Science, vol 14537. Springer, Cham. https://doi.org/10.1007/978-3-031-56249-5_4
DOI: https://doi.org/10.1007/978-3-031-56249-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56248-8
Online ISBN: 978-3-031-56249-5
eBook Packages: Computer Science (R0)