Exploring the Discovery Process of Fresh IPv6 Prefixes: An Analysis of Scanning Behavior in Darknet and Honeynet

  • Conference paper
Passive and Active Measurement (PAM 2024)

Abstract

Internet-wide scanners can efficiently scan the expansive IPv6 network by targeting the active prefixes and responsive addresses on hitlists. However, it remains unclear how scanners discover fresh prefixes, which include newly assigned or deployed prefixes as well as previously unused ones. This paper studies the whole discovery process of fresh prefixes by scanners. Using a darknet and a honeynet, we implement four DNS-based address-exposing methods, analyze the arrival sequence of scans from distinct ASes, and examine the temporal and spatial scan patterns. Over six months, our custom-made darknet and probabilistic responsive honeynet collected 33 M packets (1.8 M sessions) of scans from 116 distinct ASes and 18.8 K unique source IP addresses. We investigate the whole process of fresh prefix discovery, including address-exposing, initial probing, hitlist registration, and large-scale scan campaigns. Furthermore, we analyze the difference in scanning behavior by AS and categorize the scanners into three types (honeynet-exclusive, honeynet-predominant, and balanced) based on the respective ratio of scans to the darknet and the honeynet. We also analyze the intentions of scanners, such as network reconnaissance or scanning responsive targets, and the methods they use to obtain potential targets, such as sending DNS queries or using public hitlists. These findings bring insights into the process of fresh prefixes attracting scanners and highlight the vital role of a responsive honeynet in analyzing scanner behaviors.

Notes

  1. Recall that the TUM hitlist does not provide registered darknet addresses.

Acknowledgments

We thank our shepherd, Pawel Foremski, and anonymous reviewers for their valuable feedback and suggestions, which greatly improved the quality of our manuscript. This work is financially supported by JSPS 21H03438.

Author information

Corresponding author

Correspondence to Liang Zhao.

Appendices

A ASes Information

We list information about a sample of the ASes of IPv6 scanners we confirmed in Table 3.

Table 3. The Description, ASN Type, Country, and Scanner Type of ASes

B Port Information

Here, we provide the details of destination ports for darknet (Table 4) and honeynet (Table 5).

Table 4. Primary ports of scans towards the Darknet. (Percentage) is the portion of scans to a certain port among all scans. Unique is the number of unique dest ports.

Table 5. Primary ports of scans towards the Honeynet

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Zhao, L., Kobayashi, S., Fukuda, K. (2024). Exploring the Discovery Process of Fresh IPv6 Prefixes: An Analysis of Scanning Behavior in Darknet and Honeynet. In: Richter, P., Bajpai, V., Carisimo, E. (eds) Passive and Active Measurement. PAM 2024. Lecture Notes in Computer Science, vol 14537. Springer, Cham. https://doi.org/10.1007/978-3-031-56249-5_4

  • DOI: https://doi.org/10.1007/978-3-031-56249-5_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-56248-8

  • Online ISBN: 978-3-031-56249-5

  • eBook Packages: Computer Science (R0)
