Who Knocks at the IPv6 Door? Detecting IPv6 Scanning

Fukuda, Kensuke and Heidemann, John
USC/Information Sciences Institute

Kensuke Fukuda and John Heidemann. 2018. Who Knocks at the IPv6 Door? Detecting IPv6 Scanning. Proceedings of the ACM Internet Measurement Conference (Oct. 2018).

Abstract

DNS backscatter detects internet-wide activity by looking for common reverse DNS lookups at authoritative DNS servers that are high in the DNS hierarchy. Both DNS backscatter and monitoring unused address space (darknets or network telescopes) can detect scanning in IPv4, but with IPv6’s vastly larger address space, darknets become much less effective. This paper shows how to adapt DNS backscatter to IPv6. IPv6 requires new classification rules, but these reveal large network services, from cloud providers and CDNs to specific services such as NTP and mail. DNS backscatter also identifies router interfaces suggesting traceroute-based topology studies. We identify 16 scanners per week from DNS backscatter using observations from the B-root DNS server, with confirmation from backbone traffic observations or blacklists. After eliminating benign services, we classify another 95 originators in DNS backscatter as potential abuse. Our work also confirms that IPv6 appears to be less carefully monitored than IPv4.
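
The core observation in the abstract, reverse DNS lookups for one originator arriving from many resolvers, can be sketched as follows. This is an added example, not code from the paper or its dataset tools: the log format, the sample addresses (documentation ranges) and the `min_queriers` threshold are assumptions, and the paper's classification rules are not reproduced.

```python
import ipaddress
from collections import defaultdict

def arpa_name(addr):
    """Build the ip6.arpa PTR name for an address (used to construct sample data)."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def originator_from_qname(qname):
    """Decode a full 32-nibble ip6.arpa PTR name into an IPv6Address, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None  # partial zone name, IPv4 PTR, or unrelated query
    nibbles = labels[:32]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    # Nibbles are stored least-significant first, so reverse before parsing.
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def backscatter_candidates(log, min_queriers=3):
    """Map originator -> number of distinct queriers, keeping those at or above
    min_queriers (an assumed threshold, not a value from the paper)."""
    queriers = defaultdict(set)
    for querier, qname in log:
        orig = originator_from_qname(qname)
        if orig is not None:
            queriers[orig].add(querier)  # repeats from one resolver count once
    return {str(o): len(q) for o, q in queriers.items() if len(q) >= min_queriers}

# Constructed sample of (querier, qname) pairs as an authoritative server
# for ip6.arpa might log them; none of this is real measurement data.
SAMPLE_LOG = (
    [(f"192.0.2.{i}", arpa_name("2001:db8:a::5")) for i in range(1, 6)]  # 5 resolvers
    + [("198.51.100.7", arpa_name("2001:db8:b::9"))] * 4  # 1 resolver, repeated
    + [("203.0.113.1", "8.b.d.0.1.0.0.2.ip6.arpa.")]      # partial name, skipped
    + [("203.0.113.2", "1.2.0.192.in-addr.arpa.")]        # IPv4 PTR, skipped
)

if __name__ == "__main__":
    for originator, count in backscatter_candidates(SAMPLE_LOG).items():
        print(f"{originator} looked up by {count} distinct queriers")
```

Counting distinct queriers rather than raw queries keeps a single busy resolver from making an originator look widely active.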

Reference

@inproceedings{Fukuda18a,
  author = {Fukuda, Kensuke and Heidemann, John},
  title = {Who Knocks at the IPv6 Door? Detecting IPv6 Scanning},
  booktitle = {Proceedings of the ACM Internet Measurement Conference},
  year = {2018},
  sortdate = {2018-10-31},
  project = {ant, divoice, lacanic, nipet, researchroot, pinest},
  jsubject = {dns},
  location = {johnh: pafile},
  xpages = {to appear},
  month = oct,
  address = {2018},
  publisher = {ACM},
  url = {https://www.isi.edu/%7ejohnh/PAPERS/Fukuda18a.html},
  pdfurl = {https://www.isi.edu/%7ejohnh/PAPERS/Fukuda18a.pdf},
  dataurl = {https://ant.isi.edu/datasets/dns_backscatter/#Fukuda18a_data},
  blogurl = {https://ant.isi.edu/blog/?p=1284},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors},
  keywords = {dns, backscatter},
  doi = {https://doi.org/10.1145/3278532.3278553}
}