Abstract
The starting point of securing a network is having a concise overview of it. As networks become more and more complex, both in general and, in particular, with the introduction of IoT technology and its topological peculiarities, this is increasingly difficult to achieve. Especially in cyber-physical environments, such as smart factories, gaining a reliable picture of the network can be a tedious task because of the intertwining of a vast number of devices and different protocols. Nevertheless, this work is necessary to conduct security audits, compare documentation with actual conditions, or find vulnerabilities from an attacker's view, for all of which a reliable topology overview is pivotal. Security auditors, however, might not have much information, such as asset management access, available beforehand, which is why this paper treats the network to be audited as a complete black box. The goal is, therefore, to enable security auditors to automatically gain a topology overview without any a priori knowledge. This paper describes, in the context of a larger system that uses active scanning to determine the network topology, an approach to automate the first steps of this procedure: passively scanning the network and determining the network's scope, as well as obtaining a valid address from which to perform the active scanning. This allows an automatic network discovery process to be bootstrapped without prior knowledge.
Notes
- 1. This prevents a remote network (more than one hop away) from being assumed to be the current network.
- 2. 3 of which were additionally detected by the still-active passive scanners (represented by the disjoint bubble in Fig. 4). This indicates that the hosts were not online at the very moment of the Nmap scan.
- 3. For instance, with nmap -sn -Pn [network_portion]. This ensures that traceroutes are carried out even when no active host resides in the network to be examined.
- 4. One possibility would be to compare the most distant addresses and, by binary splitting the set, keep comparing until the traceroutes are equal, which yields the actual subnetworks.
Acknowledgements
This work was partly supported by the Austrian Research Promotion Agency (FFG) within the ICT of the future grants program, grant nb. 863129 (project IoT4CPS), of the Federal Ministry for Transport, Innovation and Technology (BMVIT) and by the Federal Ministry of Defence (BMLV).
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Marksteiner, S., Jandl-Scherf, B., Lernbeiß, H. (2020). Automatically Determining a Network Reconnaissance Scope Using Passive Scanning Techniques. In: Yang, XS., Sherratt, S., Dey, N., Joshi, A. (eds) Fourth International Congress on Information and Communication Technology. Advances in Intelligent Systems and Computing, vol 1027. Springer, Singapore. https://doi.org/10.1007/978-981-32-9343-4_11
DOI: https://doi.org/10.1007/978-981-32-9343-4_11
Publisher Name: Springer, Singapore
Print ISBN: 978-981-32-9342-7
Online ISBN: 978-981-32-9343-4
eBook Packages: Engineering, Engineering (R0)