Illuminating Large-Scale IPv6 Scanning in the Internet

TL;DR

This study provides a detailed empirical analysis of large-scale IPv6 scanning behavior on the Internet, revealing distinct characteristics and challenges compared to IPv4 scans, based on extensive firewall logs from a major CDN.

Contribution

It introduces new methods to identify IPv6 scans, assesses their prevalence and characteristics, and highlights the differences from IPv4 scanning activities.

Findings

IPv6 scans are less frequent but more targeted.

Scanners often originate from diverse geographic locations.

IPv6 scanning patterns differ significantly from IPv4 scans.

Abstract

While scans of the IPv4 space are ubiquitous, today little is known about scanning activity in the IPv6 Internet. In this work, we present a longitudinal and detailed empirical study on large-scale IPv6 scanning behavior in the Internet, based on firewall logs captured at some 230,000 hosts of a major Content Distribution Network (CDN). We develop methods to identify IPv6 scans, assess current and past levels of IPv6 scanning activity, and study dominant characteristics of scans, including scanner origins, targeted services, and insights on how scanners find target IPv6 addresses. Where possible, we compare our findings to what can be assessed from publicly available traces. Our work identifies and highlights new challenges to detect scanning activity in the IPv6 Internet, and uncovers that today's scans of the IPv6 space show widely different characteristics when compared to the more well-known IPv4 scans.