A Detailed Measurement View on IPv6 Scanners and Their Adaption to BGP Signals
Isabell Egloff, Raphael Hiesgen, Maynard Koch, Thomas C. Schmidt, Matthias Wählisch

TL;DR
This paper provides an in-depth analysis of IPv6 scanning behaviors over eleven months, revealing how BGP signals influence scanner activity and offering guidance to improve detection strategies.
Contribution
It offers a comprehensive characterization of IPv6 scanner behaviors and their response to BGP signals, which is a novel contribution to understanding IPv6 network security.
Findings
BGP prefix announcements attract scanners quickly.
Silent subnets of larger prefixes remain largely invisible.
The findings yield operational guidance for deploying network telescopes to increase visibility of IPv6 scanners.
Abstract
Scanners are daily visitors of public IPv4 hosts. Scanning IPv6 nodes successfully is still a challenge, which an increasing crowd of actors tries to master. In this paper, we analyze current IPv6 scanning under various network conditions. We observe scanner behavior during eleven months in four network telescopes, one of which is periodically reconfigured by changing BGP announcements. We analyze and classify the observed scanners w.r.t. their temporal behavior, their target, and network selection strategy, as well as their individual tools, fingerprints, and correlations across categories. We find that silent subnets of larger prefixes remain invisible, whereas BGP prefix announcements quickly attract attention by scanners. Based on our findings, we derive operational guidance on how to deploy network telescopes to increase visibility of IPv6 scanners.
