Glowing in the Dark Uncovering IPv6 Address Discovery and Scanning Strategies in the Wild

TL;DR

This paper investigates how IPv6 scanners operate in the wild by conducting controlled experiments on a large unused subnet, revealing their scanning behaviors and the influence of host activities.

Contribution

It introduces a novel experimental methodology to analyze IPv6 scanning strategies and uncovers how different host activities affect scanner behavior.

Findings

Web browsing and membership in online services increase scanner activity

DNS scanners focus on specific address regions, while IP scanners scan broadly

Persistent residual scanning occurs after host activities cease

Abstract

In this work we identify scanning strategies of IPv6 scanners on the Internet. We offer a unique perspective on the behavior of IPv6 scanners by conducting controlled experiments leveraging a large and unused /56 IPv6 subnet. We selectively make parts of the subnet visible to scanners by hosting applications that make direct or indirect contact with IPv6- capable servers on the Internet. By careful experiment design, we mitigate the effects of hidden variables on scans sent to our /56 subnet and establish causal relationships between IPv6 host activity types and the scanner attention they evoke. We show that IPv6 host activities e.g., Web browsing, membership in the NTP pool and Tor network, cause scanners to send a magnitude higher number of unsolicited IP scans and reverse DNS queries to our subnet than before. DNS scanners focus their scans in narrow regions of the address space where our applications are hosted whereas IP scanners broadly scan the entire subnet. Even after the host activity from our subnet subsides, we observe persistent residual scanning to portions of the address space that previously hosted applications