Network Reconnaissance in IPv6-based Residential Broadband Networks

TL;DR

This paper explores methods for IPv6 network reconnaissance in residential broadband networks, focusing on client hosts and smart devices, and evaluates new scanning techniques and hitlist sources for better coverage.

Contribution

It introduces a visualization method for IPv6 address space, utilizes the NTP Pool Project as a hitlist source, and presents a new scanning technique for ISP networks.

Findings

NTP Pool Project effectively detects client hosts and smart devices.

IPv6 address space visualization aids in understanding address distribution.

New scanning technique improves detection in residential broadband networks.

Abstract

Network scanning has been a widely used technique to gather information on the Internet as a whole. The transition from IPv4 to IPv6 causes traditional network scanning to become less useful. An increasing number of hosts is either IPv6-only or not publicly addressable via IPv4 due to the use of NAT, prompting a need for network scanning techniques for the IPv6-based Internet. All current approaches to IPv6 network scanning make use of hitlists (lists of IPv6 addresses to be scanned). A variety of methods for compiling hitlists have been presented, but they have a strong bias towards server hosts, and do not find addresses of client hosts -- smartphones, tablets, PCs, 'smart home' devices, etc. -- in a significant amount. Client hosts are the majority of devices connected to the Internet. Furthermore, when connected to a residential broadband connection, they can exchange data at substantial speeds, making them attractive targets for botnets. Scanning residential broadband networks is challenging because the active addresses are changing much more frequently than addresses of server hosts. This master's thesis aims to adapt prior IPv6 network scanning techniques to residential broadband networks. To this end, the following contributions are made: Description and evaluation of an IPv6 address space visualization method, Introduction of the NTP Pool Project as a public and passive IPv6 hitlist source detecting mostly client hosts, 'Smart Home' devices and CPEs, Description of a scanning technique for Internet access provider networks, Case study on the three major German residential broadband networks.