Chair of Network Architectures and Services, Technical University of Munich
IPv6 Scanning: Smart address selection and comparison to legacy IP
Sebastian Gebhard
Final Talk on Master's Thesis in Electrical Engineering and Information Technology
Supervisors: Oliver Gasser, Quirin Scheitle
March 23, 2016
Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich
Outline
◮ Motivation
◮ Related Work
◮ Approach
◮ Evaluation
  → Additional Statistics
  → Detecting Further Addresses
  → SSL Scans
◮ Automated Hitlist Service
◮ Conclusion / Future Work
Motivation
◮ zmap [1]: large-scale IPv4 scanning is feasible
◮ IPv6 address space is vastly larger: brute-force scanning of the whole space is not feasible
◮ Goal: evaluate the security of IPv6-enabled hosts
Proposed solution
◮ Smart address selection
◮ Gather addresses from data sources
◮ Extend address lists through pattern recognition
◮ Possible application: security scans that compare IPv4 and IPv6
[1] Adrian et al., "Zippier ZMap: Internet-Wide Scanning at 10 Gbps".
Related Work
◮ Czyz et al. [2]
  ◮ Security evaluation of IPv6 based on firewall policies
  ◮ Find that firewall policies on IPv6 are more open than on IPv4
◮ Plonka and Berger [3]
  ◮ IPv6 address gathering at web servers of the Akamai CDN
  ◮ Probably a high number of client IPs
[2] Czyz et al., "Don't Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy".
[3] Plonka and Berger, "Temporal and Spatial Classification of Active IPv6 Addresses".
Approach
Figure: Pipeline from data sources to hitlists. Data sources (Rapid7 rDNS, Rapid7 DNS ANY, Alexa Top 1M, DNS zone files, CAIDA DNS names) → grep → DNS → Filter → Hitlists
Evaluation: AS and Prefix Uniqueness and Normalization
Uniqueness: ASes and prefixes that occur in only one data source.
Normalization: weighted AS and prefix count, weight 1/n with n = number of data sources in which the AS or prefix occurs (a unique entry therefore has weight 1).

                  Alexa    rDNS     DNS ANY  CAIDA dnsnames  Zonefiles
ASes              1,424    4,795    5,708    5,488           2,371
Prefixes          1,695    6,749    8,506    9,269           2,995
Unique ASes       0        16       328      1,581           3
Norm. ASes        334.9    1,531.9  2,112.4  2,747.6         604.1
Unique prefixes   4        48       780      4,252           6
Norm. prefixes    420.6    2,305.6  3,503.4  5,819.1         805.4
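The uniqueness and normalization metrics above, computed over a constructed toy input as an added example (this is not the thesis code, and the data-source sets below are made up from the documentation AS range, not the real hitlists):

```python
from collections import Counter

# Constructed sample input (not the thesis data): each data source maps to the set of
# AS numbers it contributed. AS numbers come from the documentation range (RFC 5398).
SOURCES = {
    "Alexa":     {64496, 64497, 64498},
    "rDNS":      {64496, 64497, 64499, 64500},
    "DNS ANY":   {64496, 64498, 64499, 64501},
    "CAIDA":     {64502, 64503},
    "Zonefiles": {64496, 64500},
}


def uniqueness_and_normalization(sources):
    """Per data source, return (count, unique, normalized).

    count:      number of distinct entities (ASes or prefixes) in the source
    unique:     entities that occur in no other source (weight 1/1)
    normalized: sum over the source's entities of 1/n, where n is the number
                of sources the entity occurs in; an entity shared by all five
                sources thus adds only 0.2 to each of them.
    """
    occurrences = Counter()
    for entities in sources.values():
        occurrences.update(entities)

    result = {}
    for name, entities in sources.items():
        unique = sum(1 for e in entities if occurrences[e] == 1)
        normalized = sum(1.0 / occurrences[e] for e in entities)
        result[name] = (len(entities), unique, round(normalized, 2))
    return result


def total_normalized(result):
    """Sanity check: the normalized counts add up to the number of distinct entities."""
    return round(sum(r[2] for r in result.values()), 2)


if __name__ == "__main__":
    stats = uniqueness_and_normalization(SOURCES)
    print(f"{'Source':<10}{'Count':>7}{'Unique':>8}{'Norm.':>8}")
    for name, (count, unique, norm) in stats.items():
        print(f"{name:<10}{count:>7}{unique:>8}{norm:>8}")
    print("sum of normalized counts:", total_normalized(stats),
          "= distinct ASes:", len(set().union(*SOURCES.values())))
```

The same function works for prefixes when the sets hold prefix strings instead of AS numbers. The check at the end is the useful property of the weighting: because every entity's weights sum to exactly 1 across the sources that contain it, the normalized column totals the number of distinct entities, which is what makes the per-source numbers comparable.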
Evaluation: Additional Statistics: Hamming weights
◮ Host portion: last 64 bits of the IPv6 address
Figure: Hamming weight distributions of the host portion, one panel per data source: Alexa Top 1M, CAIDA DNS names, Rapid7 DNS ANY, DNS zone files
Evaluation: Additional Statistics: Hamming weights (DNS zone files)
Peak at 1: only one bit set in the host portion, e.g. 2001:db8::1
Peak at 4: small number of bits set in the host portion, e.g. 2001:db8::10:20
Peak at 16:
  ◮ IPv4 addresses written directly into the IPv6 address [2], e.g. 2001:db8::198:51:100:89
  ◮ Only 2 out of 4 blocks of the host portion used [3], e.g. 2001:db8::681b:9105
Peak at 32: expected value for a randomised host portion (Privacy Extensions, SLAAC)
[2] e.g. OVH, green.ch
[3] e.g. CloudFlare, HE.net
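Computing the host-portion Hamming weight and recognising the "IPv4 written into the hex groups" pattern behind the peak at 16, as an added example (not the thesis code; the sample addresses are constructed from the 2001:db8::/32 documentation prefix and mirror the slide's examples, and the `embedded_ipv4` heuristic is my own formulation of the pattern):

```python
import ipaddress
from collections import Counter

HOST_MASK = (1 << 64) - 1


def host_portion(addr):
    """Last 64 bits (interface identifier) of an IPv6 address, as an integer."""
    return int(ipaddress.IPv6Address(addr)) & HOST_MASK


def hamming_weight(addr):
    """Number of set bits in the host portion."""
    return bin(host_portion(addr)).count("1")


def embedded_ipv4(addr):
    """Detect the 'IPv4 written into the hex groups' pattern behind the peak at 16.

    If each of the four host-portion groups, printed in hex, reads as a decimal
    octet (2001:db8::198:51:100:89 -> 198.51.100.89), return that dotted quad,
    otherwise None. Heuristic (my assumption): very small addresses such as ::1
    also match (as 0.0.0.1), so combine it with the Hamming weight before trusting it.
    """
    h = host_portion(addr)
    octets = []
    for shift in (48, 32, 16, 0):
        text = f"{(h >> shift) & 0xFFFF:x}"
        if not text.isdigit() or int(text) > 255:
            return None
        octets.append(int(text))
    return ".".join(map(str, octets))


def hamming_histogram(addrs):
    """Hamming weight -> number of addresses, i.e. the data behind the slide's plot."""
    return Counter(hamming_weight(a) for a in addrs)


# Constructed sample (documentation prefix, not addresses from the hitlists):
# one example per peak discussed on the slide plus a randomised interface identifier.
SAMPLE = [
    "2001:db8::1",                      # peak at 1: single bit
    "2001:db8::10:20",                  # small number of bits (weight 2)
    "2001:db8::198:51:100:89",          # IPv4 embedded as decimal digits
    "2001:db8::681b:9105",              # only 2 of 4 groups used
    "2001:db8::a1b2:c3d4:e5f6:789",     # randomised host portion (32 bits set)
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:<30} weight={hamming_weight(a):>2}  ipv4={embedded_ipv4(a)}")
    print(sorted(hamming_histogram(SAMPLE).items()))
```

Run over a whole hitlist, `hamming_histogram` reproduces the per-source plots; `embedded_ipv4` is only meaningful for addresses whose weight sits near the 16 peak, since any address with small hex groups made of digits 0-9 trivially parses as a dotted quad.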
Evaluation: Additional Statistics: AS / Prefix Coverage

               Plonka [a]   Plonka [a]   My results   Our TMA paper [b]
               Mar 2014     Mar 2015     Oct 2015     Jul - Sep 2015
Prefixes       5,531        6,872        12,854       18,502
Prefixes [%]   —            —            49.8 %       71.77 %
ASes           3,842        4,420        7,331        8,531
ASes [%]       40 %         46 %         71.9 %       83.77 %

◮ Found more ASes and prefixes than Plonka and Berger [a]
◮ Even more ASes and prefixes can be gathered through passive measurements
◮ See our TMA paper [b]
[a] Plonka and Berger, "Temporal and Spatial Classification of Active IPv6 Addresses".
[b] Gasser et al., "Scanning the IPv6 Internet: Towards a Comprehensive Hitlist".
Evaluation: Detecting Further Addresses via traceroute
◮ Traceroute scans using scamper [4] to discover new addresses, tested with the Rapid7 rDNS hitlist.

Input addresses            462,185
Resulting addresses        108,601
Already known addresses     46,698
New addresses               61,903
Table: Results from scamper scan

◮ 61,903 new IPv6 addresses, 28 new ASes, 88 new prefixes
◮ Classification: routers (the new addresses are intermediate hops seen by traceroute, not end hosts)
[4] Luckie, "Scamper: a Scalable and Extensible Packet Prober for Active Measurement of the Internet".
Evaluation: Detecting Further Addresses via pattern recognition
Detecting neighbouring addresses:
◮ Detected addresses: ['2001:db8::5', '2001:db8::12', '2001:db8::14']
◮ Host portions (decimal): [5, 18, 20]
◮ Average distance: dist = (ip_max − ip_min) / n_ips
  dist = (20 − 5) / 3 = 5
◮ dist ≤ 10: dense subnet; dist > 10: sparse subnet
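The dense/sparse test above, carried through in code and generalised to a list that mixes several /64 prefixes, as an added example (not the thesis implementation). The slide defines only the distance formula and the threshold of 10; that a dense subnet is then filled by probing every unseen host number between the smallest and largest seen one, and the cap of 1,000 candidates per prefix, are my assumptions. The sample addresses are constructed in the documentation prefix:

```python
import ipaddress
from collections import defaultdict

DENSE_THRESHOLD = 10    # slide rule: dist <= 10 -> dense, dist > 10 -> sparse
MAX_CANDIDATES = 1000   # safety cap (my choice) so a wide dense range cannot explode
HOST_MASK = (1 << 64) - 1


def host_portion(addr):
    """Last 64 bits of the address as an integer (the slide's 'host portion (decimal)')."""
    return int(ipaddress.IPv6Address(addr)) & HOST_MASK


def average_distance(addrs):
    """dist = (ip_max - ip_min) / n_ips, exactly as defined on the slide."""
    hosts = sorted(host_portion(a) for a in addrs)
    return (hosts[-1] - hosts[0]) / len(hosts)


def classify_subnet(addrs):
    return "dense" if average_distance(addrs) <= DENSE_THRESHOLD else "sparse"


def group_by_prefix(addrs, prefixlen=64):
    """Group addresses by their /prefixlen network so each subnet is judged on its own."""
    groups = defaultdict(list)
    for a in addrs:
        net = ipaddress.IPv6Network(f"{a}/{prefixlen}", strict=False)
        groups[net].append(a)
    return groups


def candidate_neighbours(addrs, prefixlen=64, limit=MAX_CANDIDATES):
    """Return {network: (class, [candidate addresses])}.

    For a dense subnet the candidates are all unseen host numbers between the
    smallest and largest seen one (assumption: that is how the gap gets filled);
    sparse subnets get no candidates, because guessing there is no better than
    brute force.
    """
    out = {}
    for net, seen in group_by_prefix(addrs, prefixlen).items():
        kind = classify_subnet(seen)
        cands = []
        if kind == "dense":
            hosts = {host_portion(a) for a in seen}
            base = int(net.network_address)
            for h in range(min(hosts), max(hosts) + 1):
                if h not in hosts:
                    cands.append(str(ipaddress.IPv6Address(base + h)))
                    if len(cands) >= limit:
                        break
        out[str(net)] = (kind, cands)
    return out


# Constructed input: the slide's three addresses plus a sparse /64 for contrast.
SAMPLE = [
    "2001:db8::5", "2001:db8::12", "2001:db8::14",          # dense: dist = 15/3 = 5
    "2001:db8:1::1", "2001:db8:1::1000", "2001:db8:1::abcd",  # sparse: dist ~ 14660
]

if __name__ == "__main__":
    for net, (kind, cands) in candidate_neighbours(SAMPLE).items():
        print(f"{net}: {kind}, {len(cands)} candidates", cands[:3], "..." if len(cands) > 3 else "")
```

For the slide's example this yields 13 candidates in 2001:db8::/64 (::6 through ::11 and ::13), which is exactly the set a follow-up scan would probe to confirm or reject the dense-subnet hypothesis; the sparse /64 produces nothing. Note that the formula divides by the number of addresses, not by the number of gaps, so it is a coarse density measure rather than a mean inter-address gap.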