IPv6 Scanning: Smart address selection and comparison to legacy IP (presentation slides)




Chair of Network Architectures and Services, Technical University of Munich

IPv6 Scanning
Smart address selection and comparison to legacy IP

Sebastian Gebhard
Final Talk on Master's Thesis in Electrical Engineering and Information Technology
Supervisors: Oliver Gasser, Quirin Scheitle
March 23, 2016
Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich

Sebastian Gebhard – IPv6 Scanning 1


◮ Motivation
◮ Related Work
◮ Approach
◮ Evaluation
    → Additional Statistics
    → Detecting Further Addresses
    → SSL Scans
◮ Automated Hitlist Service
◮ Conclusion / Future Work




Motivation

◮ zmap [1]: large-scale IPv4 scanning is feasible
◮ IPv6 address space is vastly larger: not feasible
◮ Evaluate security of IPv6-enabled hosts

Proposed solution

◮ Smart address selection
    ◮ Gather addresses from data sources
    ◮ Extend address lists through pattern recognition
◮ Possible application: security scans to compare IPv4 and IPv6

[1] Adrian et al., "Zippier ZMap: Internet-Wide Scanning at 10 Gbps".




Related Work

◮ Czyz et al. [2]
    ◮ Security evaluation of IPv6 based on firewall policies
    ◮ Find that firewall policies on IPv6 are more open than on IPv4
◮ Plonka and Berger [3]
    ◮ IPv6 address gathering at web servers of the Akamai CDN
    ◮ Probably a high number of client IPs

[2] Czyz et al., "Don't Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy".
[3] Plonka and Berger, "Temporal and Spatial Classification of Active IPv6 Addresses".



Approach

Figure: Data sources (Rapid7 rDNS, Alexa Top 1M, DNS zone files, Rapid7 DNS ANY, CAIDA DNS names) are processed by DNS resolution or grep, passed through a filter, and combined into hitlists.



Evaluation

AS and Prefix Uniqueness and Normalization

Uniqueness: ASes and prefixes that occur in only one data source.
Normalization: weighted AS and prefix count with weight 1/n, where n = number of occurrences.

                  Alexa    rDNS     DNS ANY  CAIDA dnsnames  Zonefiles
ASes              1,424    4,795    5,708    5,488           2,371
Prefixes          1,695    6,749    8,506    9,269           2,995
Unique ASes       16       328      1,581    3               ?
Norm. ASes        334.9    1,531.9  2,112.4  2,747.6         604.1
Unique prefixes   4        48       780      4,252           6
Norm. prefixes    420.6    2,305.6  3,503.4  5,819.1         805.4

(The source gives only four values for the "Unique ASes" row, so the column assignment of that row is uncertain.)
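The uniqueness and normalization metrics of the table, as an added Python example (not code from the thesis). It computes, for each data source, how many of its items occur nowhere else and the 1/n-weighted count, where n is the number of sources an item occurs in. The ASN sets are constructed toy input from the private ASN range, not the thesis's data.

```python
from collections import Counter
from typing import Dict, Set

# Constructed toy input: the set of ASNs each data source contributed.  The ASNs
# are taken from the private/documentation range; this is not the thesis's data.
SOURCES: Dict[str, Set[int]] = {
    "Alexa":   {64496, 64497, 64498},
    "rDNS":    {64497, 64498, 64499},
    "DNS ANY": {64498},
}


def occurrence_counts(sources: Dict[str, Set[int]]) -> Counter:
    """n for every item: the number of data sources it occurs in."""
    counts: Counter = Counter()
    for items in sources.values():
        counts.update(items)
    return counts


def unique_counts(sources: Dict[str, Set[int]]) -> Dict[str, int]:
    """Uniqueness: items that occur in this one data source only (n == 1)."""
    counts = occurrence_counts(sources)
    return {name: sum(1 for x in items if counts[x] == 1)
            for name, items in sources.items()}


def normalized_counts(sources: Dict[str, Set[int]]) -> Dict[str, float]:
    """Normalization: weighted count, each item contributing 1/n to every source
    that lists it, so an item shared by n sources is split evenly among them."""
    counts = occurrence_counts(sources)
    return {name: sum(1.0 / counts[x] for x in items)
            for name, items in sources.items()}


if __name__ == "__main__":
    uniq, norm = unique_counts(SOURCES), normalized_counts(SOURCES)
    for name, items in SOURCES.items():
        print(f"{name:8s} total={len(items):2d} unique={uniq[name]:2d} "
              f"normalized={norm[name]:.2f}")
```

Because every item's weights sum to 1 across sources, the normalized counts of all sources add up to the number of distinct items (4 in the toy data); a source whose items are mostly shared keeps only a small fraction of its raw count, which is what the slide's normalized columns show.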



Evaluation

Additional Statistics: Hamming weights

◮ Host portion: last 64 bits of the IPv6 address

Figure: Hamming weight distribution of the host portion per data source (Alexa Top 1M, Rapid7 DNS ANY, CAIDA DNS names, DNS zone files)




Evaluation

Additional Statistics: Hamming weights

DNS zone files

Peak at 1: only one bit set in the host portion: 2001:db8::1
Peak at 4: a small number of bits set in the host portion: 2001:db8::10:20
Peak at 16:
    ◮ IPv4 addresses written directly into IPv6 addresses [a]: 2001:db8::198:51:100:89
    ◮ Only 2 out of 4 blocks are used [b]: 2001:db8::681b:9105
Peak at 32: expected value when the host portion is randomized (Privacy Extensions, SLAAC)

[a] e.g. OVH, green.ch   [b] e.g. CloudFlare, HE.net
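The Hamming-weight statistic and the address shapes behind its peaks, as an added Python example (not code from the thesis). It computes the weight of the 64-bit host portion, buckets it into the classes the peaks suggest, and decodes the two IPv4-embedding shapes from the slide (decimal octets in four hextets, and a 32-bit value packed into the last two hextets). The class boundaries (1, 8, 24 bits), the class names and the sample addresses are this example's own assumptions; the addresses are constructed in the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import Counter
from typing import Iterable, Optional

HOST_MASK = (1 << 64) - 1

# Constructed sample addresses, one per shape named on the slide (not thesis data).
SAMPLE_ADDRESSES = [
    "2001:db8::1",                    # one bit set: peak at 1
    "2001:db8::10:20",                # few bits set: peak at 4
    "2001:db8::198:51:100:89",        # IPv4 octets written as decimal hextets
    "2001:db8::681b:9105",            # IPv4 address packed into 2 of 4 hextets
    "2001:db8::a1b2:c3d4:e5f6:718",   # random-looking host portion (SLAAC / privacy)
]


def host_portion(addr: str) -> int:
    """Last 64 bits of an IPv6 address as an integer."""
    return int(ipaddress.IPv6Address(addr)) & HOST_MASK


def hamming_weight(addr: str) -> int:
    """Number of bits set in the host portion."""
    return bin(host_portion(addr)).count("1")


def weight_class(addr: str) -> str:
    """Bucket an address by host-portion weight; the boundaries are assumed here,
    chosen so that the slide's peaks (1, 4, 16, 32) fall into separate classes."""
    w = hamming_weight(addr)
    if w <= 1:
        return "single-bit"
    if w <= 8:
        return "few-bits"
    if w <= 24:
        return "ipv4-embedded?"
    return "random-like"


def embedded_ipv4(addr: str) -> Optional[str]:
    """Try to recover an IPv4 address from the host portion of a mid-weight address."""
    if weight_class(addr) != "ipv4-embedded?":
        return None
    h = host_portion(addr)
    hextets = [format((h >> shift) & 0xFFFF, "x") for shift in (48, 32, 16, 0)]
    # Shape 1: every hextet reads as a decimal octet, e.g. ::198:51:100:89
    if all(s.isdigit() and int(s, 10) <= 255 for s in hextets):
        return ".".join(str(int(s, 10)) for s in hextets)
    # Shape 2: upper two hextets empty, the lower 32 bits are the IPv4 address
    if h >> 32 == 0:
        return str(ipaddress.IPv4Address(h & 0xFFFFFFFF))
    return None


def weight_histogram(addresses: Iterable[str]) -> Counter:
    """Weight -> number of addresses, i.e. the data behind the slide's plots."""
    return Counter(hamming_weight(a) for a in addresses)


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(f"{a:32s} weight={hamming_weight(a):2d} "
              f"class={weight_class(a):15s} ipv4={embedded_ipv4(a)}")
    print(sorted(weight_histogram(SAMPLE_ADDRESSES).items()))
```

The decoded IPv4 addresses (198.51.100.89 and 104.27.145.5 for the two samples) are the reason such hosts are interesting for a dual-stack comparison: the same machine is reachable under a legacy address that is trivially derivable from its IPv6 one.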




Evaluation

Additional Statistics: AS / Prefix Coverage

               Plonka    Plonka    My results  Our TMA paper
               Mar 2014  Mar 2015  Oct 2015    Jul - Sep 2015
Prefixes       5,531     6,872     12,854      18,502
Prefixes [%]   —         —         49.8 %      71.77 %
ASes           3,842     4,420     7,331       8,531
ASes [%]       40 %      46 %      71.9 %      83.77 %

◮ Found more ASes and prefixes than Plonka and Berger [a]
◮ Even more ASes and prefixes can be gathered through passive measurements
    ◮ See our TMA paper [b]

[a] Plonka and Berger, "Temporal and Spatial Classification of Active IPv6 Addresses".
[b] Gasser et al., "Scanning the IPv6 Internet: Towards a Comprehensive Hitlist".




Evaluation

Detecting Further Addresses: via traceroute

◮ Traceroute scans using scamper [4] to discover new addresses, tested with Rapid7 rDNS.

Input addresses            462,185
Resulting addresses        108,601
Already known addresses     46,698
New addresses               61,903

Table: Results from scamper scan

◮ 61,903 new IPv6 addresses, 28 new ASes, 88 new prefixes
◮ Classification: routers

[4] Luckie, "Scamper: a Scalable and Extensible Packet Prober for Active Measurement of the Internet".




Evaluation

Detecting Further Addresses: via pattern recognition

Detecting neighbouring addresses:

◮ Detected addresses: ['2001:db8::5', '2001:db8::12', '2001:db8::14']
◮ Host portions (decimal): [5, 18, 20]
◮ Average distance: dist = (ip_max − ip_min) / n_ips
    dist = (20 − 5) / 3 = 5
◮ dist ≤ 10: dense subnet, dist > 10: sparse subnet
◮ Include all IPs in the range [ip_min − 3 · dist, ip_max + 3 · dist] while preserving subnet boundaries: [0, 35] (the lower bound −10 is clamped to the subnet start 0)
◮ Add every IP from '2001:db8::0' to '2001:db8::23' (host portion 35 in hex) to the target list, excluding already known addresses.
◮ 33 new addresses guessed
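The neighbouring-addresses procedure of the slide carried through as an added Python example (not code from the thesis): it splits each address into prefix and 64-bit host portion, computes the average distance with integer division, applies the dense/sparse threshold of 10, widens the range by 3 · dist on each side, clamps it to the host-portion boundaries, and returns the candidates that are not already known. The input list is the slide's own example; treating the /64 as the subnet whose boundaries are preserved, and returning nothing for a sparse subnet (which the thesis leaves to future work), are this example's assumptions.

```python
import ipaddress
from typing import List, Tuple

HOST_BITS = 64
HOST_MAX = (1 << HOST_BITS) - 1
DENSE_THRESHOLD = 10   # slide: dist <= 10 is a dense subnet, dist > 10 sparse
SPREAD = 3             # slide: widen the range by 3 * dist on each side

# The three addresses from the slide (documentation prefix 2001:db8::/32).
KNOWN = ["2001:db8::5", "2001:db8::12", "2001:db8::14"]


def split(addr: str) -> Tuple[int, int]:
    """(network part, host part) of an IPv6 address as integers; /64 split assumed."""
    v = int(ipaddress.IPv6Address(addr))
    return v >> HOST_BITS, v & HOST_MAX


def average_distance(hosts: List[int]) -> int:
    """dist = (ip_max - ip_min) / n_ips, with integer division as in the slide's arithmetic."""
    return (max(hosts) - min(hosts)) // len(hosts)


def candidate_range(hosts: List[int]) -> Tuple[int, int]:
    """[ip_min - 3*dist, ip_max + 3*dist], clamped to the host-portion boundaries."""
    dist = average_distance(hosts)
    low = max(0, min(hosts) - SPREAD * dist)          # clamp at the subnet start
    high = min(HOST_MAX, max(hosts) + SPREAD * dist)  # clamp at the subnet end
    return low, high


def guess_neighbours(known: List[str]) -> List[str]:
    """New candidate addresses for one dense /64, excluding the known ones.
    Returns [] for a sparse subnet, which the slides do not expand."""
    prefixes = {split(a)[0] for a in known}
    if len(prefixes) != 1:
        raise ValueError("all input addresses must share the same /64")
    prefix = prefixes.pop()
    hosts = sorted(split(a)[1] for a in known)
    if average_distance(hosts) > DENSE_THRESHOLD:
        return []
    low, high = candidate_range(hosts)
    known_hosts = set(hosts)
    return [str(ipaddress.IPv6Address((prefix << HOST_BITS) | h))
            for h in range(low, high + 1) if h not in known_hosts]


if __name__ == "__main__":
    new = guess_neighbours(KNOWN)
    print(f"{len(new)} new candidates, first {new[0]}, last {new[-1]}")
```

For the slide's input this yields exactly the 33 candidates 2001:db8:: to 2001:db8::23 minus the three known hosts. A practitioner's check before feeding such candidates to a scanner is the dense/sparse decision: two hosts at ::1 and ::1000 give dist = 2047, and the range rule would otherwise produce thousands of addresses, most of them empty.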



Evaluation

Detecting Further Addresses: via pattern recognition

Resulting IPs
Input addresses              462,185  (100%)
Predicted addresses        2,618,055  (566.5%)
Responsive addresses [5]     436,639  (94.5%)

Table: Extending the hitlist using the neighbouring-IPs approach, tested on Rapid7 rDNS

◮ The neighbouring-addresses approach works well for detecting new addresses.

[5] Hosts that responded to ICMPv6 Echo Requests sent with zmap



Evaluation

SSL Scans: Host classification

IPv4      All scanned IPv4 addresses.
IPv6      All scanned IPv6 addresses.
v4 - DS   Dual-stack hosts, scanned via IPv4.
v6 - DS   Dual-stack hosts, scanned via IPv6.
v4 only   Hosts only reached via IPv4.
v6 only   Hosts only reached via IPv6.

Figure: IPv4 and IPv6 hosts with overlapping dual-stack hosts (Venn diagram of the IPv4, IPv6 and Dual-Stack sets)




Evaluation

SSL Scans: Host classification

◮ Based on the Alexa Top 1M from 2016-02-29, used for all following scans.

                    IPv4      IPv6
Total addresses     959,115   43,949
HTTPS enabled       358,315   15,530
Dual-Stack          11,363    13,779
Non Dual-Stack      346,952   1,751

Table: Number of hosts per group

◮ Difference in dual-stack enabled numbers
    ◮ Average A records per domain: 1.0
    ◮ Average AAAA records per domain: 1.39
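The host classification of the two slides above, as an added Python example (not code from the thesis). It takes per-domain A and AAAA records, assigns every address to v4-DS, v6-DS, v4 only or v6 only, and computes the average number of A and AAAA records per domain. The rule that a domain counts as dual-stack when it has both an A and an AAAA record, and that the averages are taken over domains that have at least one record of that type, are this example's assumptions; the resolution results are constructed from documentation addresses, not thesis data.

```python
from typing import Dict, List

# Constructed DNS resolution results per domain (not the thesis's data).
RESOLVED: Dict[str, Dict[str, List[str]]] = {
    "example.test": {"A": ["192.0.2.10"],   "AAAA": ["2001:db8::10", "2001:db8::11"]},
    "v4only.test":  {"A": ["192.0.2.20"],   "AAAA": []},
    "v6only.test":  {"A": [],               "AAAA": ["2001:db8::30"]},
    "dual.test":    {"A": ["198.51.100.5"], "AAAA": ["2001:db8::40"]},
}

GROUPS = ("v4-DS", "v6-DS", "v4 only", "v6 only")


def classify_hosts(resolved: Dict[str, Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Assign every resolved address to one of the slide's four host groups.
    Assumption: a domain is dual-stack when it has both A and AAAA records."""
    groups = {g: set() for g in GROUPS}
    for recs in resolved.values():
        dual = bool(recs["A"]) and bool(recs["AAAA"])
        groups["v4-DS" if dual else "v4 only"].update(recs["A"])
        groups["v6-DS" if dual else "v6 only"].update(recs["AAAA"])
    return {g: sorted(addrs) for g, addrs in groups.items()}


def group_sizes(resolved: Dict[str, Dict[str, List[str]]]) -> Dict[str, int]:
    """The 'number of hosts per group' table for the given resolution results."""
    return {g: len(addrs) for g, addrs in classify_hosts(resolved).items()}


def average_records(resolved: Dict[str, Dict[str, List[str]]], rtype: str) -> float:
    """Average number of records of one type (A or AAAA) per domain that has any."""
    domains = [r for r in resolved.values() if r[rtype]]
    return sum(len(r[rtype]) for r in domains) / len(domains)


if __name__ == "__main__":
    for g, n in group_sizes(RESOLVED).items():
        print(f"{g:8s} {n}")
    print(f"avg A per domain:    {average_records(RESOLVED, 'A'):.2f}")
    print(f"avg AAAA per domain: {average_records(RESOLVED, 'AAAA'):.2f}")
```

The toy data reproduces the effect the slide points at: two dual-stack domains yield two v4-DS but three v6-DS addresses, because domains publish more AAAA than A records on average, so the dual-stack group is larger when counted by IPv6 address than by IPv4 address.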



Evaluation

SSL Scans: SSL versions

Highest supported version, % of hosts:

IPv4                 TLSv1   TLSv1.1   TLSv1.2
IPv4                 21.9    0.2       77.9
IPv4 dual-stack      11.5    0.1       88.5
IPv4 no dual-stack   22.3    0.2       77.5

IPv6                 TLSv1   TLSv1.1   TLSv1.2
IPv6                 7.2     —         92.8
IPv6 dual-stack      7.7     —         92.2
IPv6 no dual-stack   2.9     —         97.1

Figure: Highest supported SSL/TLS version per host group (bar chart reconstructed as a table; no TLSv1.1 value is shown for IPv6)

◮ TLSv1.2 usage is higher for:
    ◮ IPv6 compared to IPv4
    ◮ IPv4 hosts with dual-stack compared to the IPv4 average
◮ No hosts with SSLv3 as highest version



Evaluation

SSL Scans: SSL cipher suites

◮ Focus only on
    ◮ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    ◮ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    ◮ TLS_RSA_WITH_3DES_EDE_CBC_SHA



Evaluation

SSL Scans: SSL cipher suites

% of hosts per cipher suite:

IPv4                 RSA-3DES   ECDHE-RSA   ECDHE-ECDSA
IPv4                 2          38          2.3
IPv4 dual-stack      0.4        41.7        22.2
IPv4 no dual-stack   2          37.9        1.7

IPv6                 RSA-3DES   ECDHE-RSA   ECDHE-ECDSA
IPv6                 0.2        32.7        41.4
IPv6 dual-stack      0.2        33.9        39.6
IPv6 no dual-stack   0.1        23.1        55.7

Figure: Usage of the three selected cipher suites per host group (bar chart reconstructed as a table)

◮ IPv6 uses newer / better algorithms
    ◮ Higher ECDSA usage on IPv6 hosts
    ◮ Nearly no 3DES usage on IPv6 hosts


Evaluation

SSL Scans: DROWN

Figure: DROWN [6] attack — picture taken from https://drownattack.com/

[6] Aviram et al., DROWN: Breaking TLS using SSLv2.



Evaluation

SSL Scans: DROWN: Total Vulnerability

                  IPv4             IPv6
Input addresses   959,115          43,949
HTTPS enabled     358,315          15,530
SSLv2 enabled     24,206 (6.76%)   85 (0.54%)

Table: SSLv2 statistics for DROWN vulnerability on the Alexa Top 1M list — initial scan on 2016-03-04




Evaluation

SSL Scans: DROWN: Vulnerability Dual-Stack

SSLv2-enabled hosts, % of HTTPS-enabled hosts:

        avg    DS     no-DS
IPv4    6.76   1.14   6.87
IPv6    0.54   0.54   0.57

Figure: DROWN vulnerability ratio for the average, dual-stack and non dual-stack host groups (bar chart reconstructed as a table)

◮ Vulnerability of IPv4 hosts is lower if they are dual-stack




Evaluation

SSL Scans: DROWN: Vulnerability over time

◮ Ongoing DROWN scans, analyzed over time
◮ Vulnerability of IPv4 hosts slowly decreases
◮ Still higher than vulnerability of IPv6 hosts

Figure: DROWN vulnerability ratio [%] of IPv4 and IPv6 hosts per scan date, 2016-03-04 to 2016-03-22 (the plotted values are listed in the backup slide "DROWN analysis over time")




Automated Hitlist Service

◮ Automated processing of data sources

Cron
  → Download (daily): download input and filter data
  → Process single source (once for all files): process / resolve / grep
  → Create single hitlist (once for all files): filter output files to hitlists
  → Create combined hitlist (once a week): aggregate weekly, monthly, all-time

◮ Automated aggregation of hitlists (daily)
    ◮ Weekly, monthly, all-time, latest, 30-day sliding window



Conclusion

◮ Hitlist generation
    ◮ 1.9 million IPv6 addresses were gathered, covering 49.8 % of ASes and 71.9 % of prefixes
    ◮ Process is automated
    ◮ New IP addresses can be generated from traceroute scans and pattern recognition
◮ Security evaluation
    ◮ SSL is configured more securely on hosts with IPv6 than on IPv4 hosts
    ◮ IPv6-enabled hosts are less vulnerable to the DROWN attack



Future Work

◮ Extending the hitlist generation service
    ◮ Additional data sources
    ◮ Automated scans to generate hitlists for certain criteria
◮ Extending the pattern recognition
    ◮ Cover sparse subnets
    ◮ Apply detected patterns to other subnets
◮ Data analysis over time



Thank you for your attention!



Bibliography

Adrian, David et al. "Zippier ZMap: Internet-Wide Scanning at 10 Gbps". In: Proceedings of the 8th USENIX Workshop on Offensive Technologies. 2014.
Aviram, Nimrod et al. DROWN: Breaking TLS using SSLv2. Tech. rep. Mar. 2016.
Czyz, Jakub et al. "Don't Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy". In: 2016. URL: http://benign-research-probe2.eecs.umich.edu/ndss16_ipv6_final.pdf.
Gasser, Oliver et al. "Scanning the IPv6 Internet: Towards a Comprehensive Hitlist". In: International Workshop on Traffic Monitoring and Analysis. TMA. 2016.



Luckie, Matthew. "Scamper: a Scalable and Extensible Packet Prober for Active Measurement of the Internet". In: Proceedings of the 10th ACM SIGCOMM conference on Internet measurement. ACM. 2010, pp. 239–245. URL: https://www.caida.org/tools/measurement/scamper/scamper.pdf.
Plonka, David and Arthur Berger. "Temporal and Spatial Classification of Active IPv6 Addresses". In: Proceedings of the 2015 ACM Conference on Internet Measurement Conference. ACM. 2015, pp. 509–522.



Backup Slides




Backup Slides

Filter pipeline, from raw input to final hitlist (each stage diverts the rejected addresses into its own output file):

raw
  → sort -u       remove duplicates            → duplicates
  → bogon?        remove bogons                → bogons
  → IANAspecial?  remove special prefixes      → IANAspecial
  → pfx2as?       remove unannounced prefixes  → unannounced
  → blacklist?    remove blacklisted prefixes  → blacklisted
  → final

Figure: Filter output on Rapid7 DNS ANY
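The filter pipeline of the figure implemented end to end, as an added Python example (not code from the thesis). It runs the five stages in the figure's order and returns one bucket per output file, so the counts behind the "Filter output" figure can be reproduced for any input. The bogon, IANA-special, announced-prefix (pfx2as) and blacklist lists are constructed stand-ins inside the 2001:db8::/32 documentation prefix, not the real registries the thesis used; the input lines are constructed as well.

```python
import ipaddress
from typing import Dict, Iterable, List

IPv6Net = ipaddress.IPv6Network

# Constructed stand-ins for the filter inputs (not the thesis's lists).  In a
# real pipeline these come from a bogon feed, the IANA special-purpose registry,
# CAIDA's pfx2as mapping and the operator's own blacklist.
BOGONS = [IPv6Net("::/8"), IPv6Net("fc00::/7"), IPv6Net("fe80::/10")]
IANA_SPECIAL = [IPv6Net("2001:db8:ffff::/48")]
ANNOUNCED = [IPv6Net("2001:db8:1::/48"), IPv6Net("2001:db8:2::/48")]
BLACKLIST = [IPv6Net("2001:db8:2:dead::/64")]

# Constructed raw input, one address per line as a data source would deliver it.
RAW_INPUT = [
    "2001:db8:1::1",
    "fe80::1",              # link-local: bogon
    "2001:db8:1::1",        # textual duplicate
    "2001:0db8:1:0::1",     # same address, written differently
    "2001:db8:ffff::5",     # inside the (stand-in) IANA special-purpose prefix
    "2001:db8:3::9",        # not covered by any announced prefix
    "2001:db8:2:dead::7",   # announced, but blacklisted
    "2001:db8:2::42",       # survives every stage
]

STAGES = ("duplicates", "bogons", "IANAspecial", "unannounced", "blacklisted", "final")


def in_any(addr: ipaddress.IPv6Address, networks: Iterable[IPv6Net]) -> bool:
    return any(addr in net for net in networks)


def filter_hitlist(raw: Iterable[str], bogons: List[IPv6Net], special: List[IPv6Net],
                   announced: List[IPv6Net], blacklist: List[IPv6Net]) -> Dict[str, List[str]]:
    """Apply the figure's stages in order; every address ends up in exactly one bucket."""
    buckets: Dict[str, List[str]] = {s: [] for s in STAGES}
    seen = set()
    for line in raw:
        addr = ipaddress.IPv6Address(line.strip())   # parsing normalizes the notation
        if addr in seen:                              # sort -u
            buckets["duplicates"].append(str(addr))
            continue
        seen.add(addr)
        if in_any(addr, bogons):                      # bogon?
            buckets["bogons"].append(str(addr))
        elif in_any(addr, special):                   # IANAspecial?
            buckets["IANAspecial"].append(str(addr))
        elif not in_any(addr, announced):             # pfx2as?
            buckets["unannounced"].append(str(addr))
        elif in_any(addr, blacklist):                 # blacklist?
            buckets["blacklisted"].append(str(addr))
        else:
            buckets["final"].append(str(addr))
    return buckets


if __name__ == "__main__":
    for stage, addrs in filter_hitlist(RAW_INPUT, BOGONS, IANA_SPECIAL,
                                       ANNOUNCED, BLACKLIST).items():
        print(f"{stage:12s} {len(addrs):2d}  {addrs}")
```

Parsing each line with the ipaddress module before deduplicating catches addresses that differ only in notation (2001:0db8:1:0::1 versus 2001:db8:1::1), which a textual sort -u on the raw file would keep as two entries. Keeping the rejected addresses in separate buckets rather than discarding them is what makes the per-stage counts of the figure, and hence a sanity check on the data source, possible.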



Backup Slides

◮ Scanning for the highest supported SSL version using goscanner
    ◮ IPv6 uses more TLSv1.2 than IPv4
    ◮ Nobody uses TLSv1.1



Backup Slides

SSL cipher suites

Figure: SSL cipher suites (all hosts)
Figure: SSL cipher suites (Dual-Stack)
Figure: SSL cipher suites (Non Dual-Stack)


Backup Slides

DROWN analysis over Dual-Stack

◮ Data from the DROWN analysis, analyzed for dual-stack

                               IPv4             IPv6
HTTPS enabled total            358,315          15,530
Vulnerable total               24,206 (6.76%)   85 (0.54%)
HTTPS enabled dual-stack       11,363           13,779
Vulnerable dual-stack          129 (1.14%)      75 (0.54%)
HTTPS enabled non dual-stack   346,952          1,751
Vulnerable non dual-stack      23,839 (6.87%)   10 (0.57%)

Table: SSLv2 statistics for DROWN vulnerability on Alexa Top 1M — dual-stack versus non dual-stack on 2016-03-04



Backup Slides

DROWN analysis over time

◮ Data from ongoing DROWN scans, analyzed over time

Scan date                   IPv4             IPv6
2016-03-04 (initial scan)   24,206 (6.76%)   85 (0.54%)
2016-03-09                  23,394 (6.53%)   83 (0.53%)
2016-03-13                  23,093 (6.44%)   79 (0.51%)
2016-03-14                  23,001 (6.42%)   80 (0.51%)
2016-03-18                  22,681 (6.33%)   80 (0.51%)
2016-03-22                  22,449 (6.27%)   79 (0.51%)

Table: SSLv2 statistics for DROWN vulnerability on Alexa Top 1M — over time
