Entropy/IP: Uncovering Structure in IPv6 Addresses

TL;DR

This paper presents Entropy/IP, an automated system that models IPv6 address structure using information theory and machine learning, enabling effective visualization and probabilistic discovery of active addresses and subnets in IPv6 space.

Contribution

Introducing Entropy/IP, a novel automated system that uncovers IPv6 address structure and discovers active addresses and subnets through probabilistic modeling and analysis.

Findings

Successfully models IPv6 address structure for active address spaces.

Generates candidate addresses with up to 40% activity detection.

Discovers previously unseen subnets and hosts in IPv6 address space.

Abstract

In this paper, we introduce Entropy/IP: a system that discovers Internet address structure based on analyses of a subset of IPv6 addresses known to be active, i.e., training data, gleaned by readily available passive and active means. The system is completely automated and employs a combination of information-theoretic and machine learning techniques to probabilistically model IPv6 addresses. We present results showing that our system is effective in exposing structural characteristics of portions of the IPv6 Internet address space populated by active client, service, and router addresses. In addition to visualizing the address structure for exploration, the system uses its models to generate candidate target addresses for scanning. For each of 15 evaluated datasets, we train on 1K addresses and generate 1M candidates for scanning. We achieve some success in 14 datasets, finding up to 40% of the generated addresses to be active. In 11 of these datasets, we find active network identifiers (e.g., /64 prefixes or `subnets') not seen in training. Thus, we provide the first evidence that it is practical to discover subnets and hosts by scanning probabilistically selected areas of the IPv6 address space not known to contain active hosts a priori.