Who Knocks at the IPv6 Door? Detecting IPv6 Scanning. Fukuda, K. & Heidemann, J. In Proceedings of the ACM Internet Measurement Conference, October 2018. ACM.
DNS backscatter detects internet-wide activity by looking for common reverse DNS lookups at authoritative DNS servers that are high in the DNS hierarchy. Both DNS backscatter and monitoring unused address space (darknets or network telescopes) can detect scanning in IPv4, but with IPv6's vastly larger address space, darknets become much less effective. This paper shows how to adapt DNS backscatter to IPv6. IPv6 requires new classification rules, but these reveal large network services, from cloud providers and CDNs to specific services such as NTP and mail. DNS backscatter also identifies router interfaces suggesting traceroute-based topology studies. We identify 16 scanners per week from DNS backscatter using observations from the B-root DNS server, with confirmation from backbone traffic observations or blacklists. After eliminating benign services, we classify another 95 originators in DNS backscatter as potential abuse. Our work also confirms that IPv6 appears to be less carefully monitored than IPv4.
@InProceedings{Fukuda18a,
        author =        "Kensuke Fukuda and John Heidemann",
        title =         "Who Knocks at the IPv6 Door? Detecting IPv6 Scanning",
        booktitle =     "Proceedings of the " # "ACM Internet Measurement Conference",
        year =          2018,
	sortdate = "2018-10-31",
	project = "ant, divoice, lacanic, nipet, researchroot, pinest",
	jsubject = "dns",
	jlocation = 	"johnh: pafile",
        xpages =      "to appear",
        month =      oct,
        address =    2018,
        publisher =  "ACM",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda18a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Fukuda18a.pdf",
	dataurl =	"https://ant.isi.edu/datasets/dns_backscatter/#Fukuda18a_data",
	blogurl = "https://ant.isi.edu/blog/?p=1284",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	keywords = 	"dns, backscatter",
        doi =        "https://doi.org/10.1145/3278532.3278553",
	abstract = "DNS backscatter detects internet-wide activity by looking for common
reverse DNS lookups at authoritative DNS servers that are high in the
DNS hierarchy.  Both DNS backscatter and monitoring unused address
space (darknets or network telescopes) can detect scanning in IPv4,
but with IPv6's vastly larger address space, darknets become much less
effective.  This paper shows how to adapt DNS backscatter to IPv6.
IPv6 requires new classification rules, but these reveal large network
services, from cloud providers and CDNs to specific services such as
NTP and mail.  DNS backscatter also identifies router interfaces
suggesting traceroute-based topology studies.  We identify 16 scanners
per week from DNS backscatter using observations from the B-root DNS
server, with confirmation from backbone traffic observations or
blacklists.  After eliminating benign services, we classify another 95
originators in DNS backscatter as potential abuse.  Our work also
confirms that IPv6 appears to be less carefully monitored than IPv4.",
}
