research-article

Open access

IPv6 Hitlists at Scale: Be Careful What You Wish For

Authors:

Dave LevinAuthors Info & Claims

ACM SIGCOMM '23: Proceedings of the ACM SIGCOMM 2023 Conference

Pages 904 - 916

https://doi.org/10.1145/3603269.3604829

Published: 01 September 2023 Publication History

Abstract

Today's network measurements rely heavily on Internet-wide scanning, employing tools like ZMap that are capable of quickly iterating over the entire IPv4 address space. Unfortunately, IPv6's vast address space poses an existential threat for Internet-wide scans and traditional network measurement techniques. To address this reality, efforts are underway to develop "hitlists" of known-active IPv6 addresses to reduce the search space for would-be scanners. As a result, there is an inexorable push for constructing as large and complete a hitlist as possible.

This paper asks: what are the potential benefits and harms when IPv6 hitlists grow larger? To answer this question, we obtain the largest IPv6 active-address list to date: 7.9 billion addresses, 898 times larger than the current state-of-the-art hitlist. Although our list is not comprehensive, it is a significant step forward and provides a glimpse into the type of analyses possible with more complete hitlists.

We compare our dataset to prior IPv6 hitlists and show both benefits and dangers. The benefits include improved insight into client devices (prior datasets consist primarily of routers), outage detection, IPv6 roll-out, previously unknown aliased networks, and address assignment strategies. The dangers, unfortunately, are severe: we expose widespread instances of addresses that permit user tracking and device geolocation, and a dearth of firewalls in home networks. We discuss ethics and security guidelines to ensure a safe path towards more complete hitlists.

References

[1]

2023. IPv6 Hitlist Service. https://ipv6hitlist.github.io/.

[2]

2023. Prolific Academic. https://www.prolific.co/.

[3]

2023. The NTP Pool Project. https://www.ntppool.org/en/.

[4]

David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, et al. 2015. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In ACM Conference on Computer and Communications Security (CCS).

Digital Library

[5]

S Alexander and R Droms. 1997. DHCP Options and BOOTP Vendor Extensions. RFC 2132. http://www.ietf.org/rfc/rfc2132.txt

[6]

Amazon. 2023. Mechanical Turk (MTurk). https://www.mturk.com/.

[7]

Apple. 2023. Location Services and Privacy. https://support.apple.com/en-us/HT207056.

[8]

Genevieve Bartlett, John Heidemann, and Christos Papadopoulos. 2007. Understanding Passive and Active Service Discovery. In ACM Internet Measurement Conference (IMC) (San Diego, California, USA) (IMC '07).

Digital Library

[9]

Robert Beverly. 2016. Yarrp'ing the Internet: Randomized High-Speed Active Topology Discovery. In ACM Internet Measurement Conference (IMC).

Digital Library

[10]

Robert Beverly and Arthur Berger. 2015. Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via Active Fingerprinting. In Passive and Active Network Measurement Conference (PAM).

[11]

Robert Beverly, Ramakrishnan Durairajan, David Plonka, and Justin P. Rohrer. 2018. In the IP of the Beholder: Strategies for Active IPv6 Topology Discovery. In ACM Internet Measurement Conference (IMC).

[12]

Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, and Dave Levin. 2021. Weaponizing Middleboxes for TCP Reflected Amplification. In USENIX Security Symposium.

[13]

Kevin Borgolte, Shuang Hao, Tobias Fiebig, and Giovanni Vigna. 2018. Enumerating Active IPv6 Hosts for Large-scale Security Scans via DNSSEC-signed Reverse Zones. In IEEE Symposium on Security and Privacy.

[14]

CAIDA. 2019. The CAIDA UCSD IPv6 Routed /48 Topology Dataset. https://www.caida.org/data/active/ipv6_routed_48_topology_dataset.xml.

[15]

Costin, Andrei and Zaddach, Jonas and Francillon, Aurélien and Balzarotti, Davide. 2014. A Large-Scale Analysis of the Security of Embedded Firmwares. In USENIX Security Symposium.

[16]

Tianyu Cui, Gaopeng Gou, Gang Xiong, Chang Liu, Peipei Fu, and Zhen Li. 2021. 6GAN: IPv6 Multi-Pattern Target Generation via Generative Adversarial Nets with Reinforcement Learning. In IEEE Conference on Computer Communications (INFOCOM).

Digital Library

[17]

Jakub Czyz, Mark Allman, Jing Zhang, Scott Iekel-Johnson, Eric Osterweil, and Michael Bailey. 2014. Measuring IPv6 Adoption. ACM SIGCOMM Computer Communication Review (CCR) 44, 4 (Aug. 2014).

[18]

Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicolas Weaver, David Adrian, Vern Paxson, Michael Bailey, et al. 2014. The Matter of Heartbleed. In ACM Internet Measurement Conference (IMC).

[19]

Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2013. ZMap: Fast Internetwide Scanning and its Security Applications. In USENIX Security Symposium.

[20]

Asma Enayet and John Heidemann. 2022. Internet Outage Detection Using Passive Analysis. In ACM Internet Measurement Conference (IMC).

[21]

Tobias Fiebig, Kevin Borgolte, Shuang Hao, Christopher Kruegel, and Giovanni Vigna. 2017. Something From Nothing (There): Collecting Global IPv6 Datasets From DNS. In Passive and Active Network Measurement Conference (PAM).

[22]

Pawel Foremski, David Plonka, and Arthur Berger. 2016. Entropy/IP: Uncovering Structure in IPv6 Addresses. In ACM Internet Measurement Conference (IMC).

Digital Library

[23]

Kensuke Fukuda and John Heidemann. 2018. Who Knocks at the IPv6 Door? Detecting IPv6 Scanning. In ACM Internet Measurement Conference (IMC).

Digital Library

[24]

Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczyński, Stephen D. Strowes, Luuk Hendriks, and Georg Carle. 2018. Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists. In ACM Internet Measurement Conference (IMC).

Digital Library

[25]

Oliver Gasser, Quirin Scheitle, Sebastian Gebhard, and Georg Carle. 2016. Scanning the IPv6 Internet: Towards a Comprehensive Hitlist. CoRR abs/1607.05179 (2016). arXiv:1607.05179 http://arxiv.org/abs/1607.05179

[26]

R Gayraud and B Lourdelet. 2010. Network Time Protocol (NTP) Server Option for DHCPv6. RFC 5908. http://www.ietf.org/rfc/rfc5908.txt

[27]

Google Git. 2016. Android. https://android.googlesource.com/platform/frameworks/base/+/d3f689bf14a05de735b5cc92dcf20e7226c78690%5E%21/core/res/res/values/config.xml.

[28]

F. Gont. 2014. A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC). RFC 7217 (Proposed Standard).

Digital Library

[29]

Google. 2023. Geolocation API. https://developers.google.com/maps/documentation/geolocation/overview.

[30]

Hang Guo and John Heidemann. 2020. Detecting IoT Devices in the Internet. IEEE/ACM Transactions on Networking 28, 5 (Oct. 2020).

Digital Library

[31]

John Heidemann, Yuri Pradkin, Ramesh Govindan, Christos Papadopoulos, Genevieve Bartlett, and Joseph Bannister. 2008. Census and Survey of the Visible Internet. In ACM Internet Measurement Conference (IMC).

[32]

Bingnan Hou, Zhiping Cai, Kui Wu, Jinshu Su, and Yinqiao Xiong. 2021. 6Hit: A Reinforcement Learning-Based Approach to Target Generation for Internet-Wide IPv6 Scanning. In IEEE Conference on Computer Communications (INFOCOM).

Digital Library

[33]

Gokay Huz, Steven Bauer, KC Claffy, and Robert Beverly. 2015. Experience in Using MTurk for Network Measurement. In ACM SIGCOMM Workshop on Crowdsourcing and Crowdsharing of Big (Internet) Data.

[34]

Young Hyun and k. claffy. 2022. Archipelago Measurement Infrastructure. http://www.caida.org/projects/ark/.

[35]

John Kohl, Clifford Neuman, et al. 1993. The Kerberos network authentication service (V5). Technical Report. RFC 1510, september.

[36]

Frank Li and David Freeman. 2020. Towards A User-Level Understanding of IPv6 Behavior. In ACM Internet Measurement Conference (IMC).

Digital Library

[37]

Zhizhu Liu, Yinqiao Xiong, Xin Liu, Wei Xie, and Peidong Zhu. 2019. 6Tree: Efficient Dynamic Discovery of Active Addresses in the IPv6 Address Space. Computer Networks 155 (2019), 31--46.

Digital Library

[38]

Matthew Luckie. 2010. Scamper: a Scalable and Extensible Packet Prober for Active Measurement of the Internet. In ACM Internet Measurement Conference (IMC).

Digital Library

[39]

Matthew Luckie and Robert Beverly. 2017. The Impact of Router Outages on the AS-level Internet. In ACM SIGCOMM.

[40]

Aanchal Malhotra, Isaac E. Cohen, Erik Brakke, and Sharon Goldberg. 2016. Attacking the Network Time Protocol. Network and Distributed System Security Symposium (NDSS) (2016).

[41]

Linda Markowsky and George Markowsky. 2015. Scanning for vulnerable devices in the Internet of Things. In 2015 IEEE 8th International conference on intelligent data acquisition and advanced computing systems: technology and applications (IDAACS), Vol. 1.

Digital Library

[42]

MaxMind Inc. 2022. MaxMind GeoLite Databases. https://dev.maxmind.com/geoip/geoip2/geolite2/.

[43]

Microsoft. 2021. How the Windows Time Service Works. https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/how-the-windows-time-service-works.

[44]

D. Mills. 1985. Network Time Protocol (NTP). RFC 958. http://www.ietf.org/rfc/rfc958.txt

[45]

M Morowczynski. 2012. Did your active directory domain time just jump to the year 2000. Microsoft Server & Tools Blogs http://blogs.tech-net.com/b/askpfeplat/archive/2012/11/19/did-your-active-directory-domain-time-just-jump-to-the-year-2000.aspx (2012).

[46]

T. Mrugalski, M. Siodelski, B. Volz, A. Yourtchenko, M. Richardson, S. Jiang, T. Lemon, and T. Winters. 2018. Dynamic Host Configuration Protocol for IPv6 (DHCPv6). RFC 8415 (Proposed Standard).

Digital Library

[47]

Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, and Vern Paxson. 2017. Target Generation for Internet-Wide IPv6 Scanning. In ACM Internet Measurement Conference (IMC).

Digital Library

[48]

Alexander Mylnikov. 2023. Geo-Location API Download Section. https://www.mylnikov.org/download.

[49]

Dr. Thomas Narten and Dr. Susan Thomson. 1998. IPv6 Stateless Address Auto-configuration. RFC 2462.

Digital Library

[50]

T. Narten and R. Draves. 2001. Privacy Extensions for Stateless Address Auto-configuration in IPv6. RFC 3041. http://www.ietf.org/rfc/rfc3041.txt

[51]

openwifi.su. 2023. OpenWifi.su Dataset. http://openwifi.su/db/.

[52]

Ramakrishna Padmanabhan, Amogh Dhamdhere, Emile Aben, kc claffy, and Neil Spring. 2016. Reasons Dynamic Addresses Change. In ACM Internet Measurement Conference (IMC).

[53]

Ramakrishna Padmanabhan, Patrick Owen, Aaron Schulman, and Neil Spring. 2015. Timeouts: Beware Surprisingly High Delay. In ACM Internet Measurement Conference (IMC).

Digital Library

[54]

Ramakrishna Padmanabhan, Aaron Schulman, Alberto Dainotti, Dave Levin, and Neil Spring. 2019. How to Find Correlated Internet Failures. In Passive and Active Network Measurement Conference (PAM), David Choffnes and Marinho Barcellos (Eds.).

[55]

Paul Pearce, Ben Jones, Frank Li, Roya Ensafi, Nick Feamster, Nick Weaver, and Vern Paxson. 2017. Global Measurement of DNS Manipulation. In USENIX Security Symposium.

[56]

David Plonka and Arthur Berger. 2015. Temporal and Spatial Classification of Active IPv6 Addresses. In ACM Internet Measurement Conference (IMC).

Digital Library

[57]

radiocells.org. 2023. OpenBMap Dataset. https://radiocells.org/.

[58]

Philipp Richter, Oliver Gasser, and Arthur Berger. 2022. Illuminating Large-Scale IPv6 Scanning in the Internet. In ACM Internet Measurement Conference (IMC).

Digital Library

[59]

Philipp Richter, Ramakrishna Padmanabhan, Neil Spring, Arthur Berger, and David Clark. 2018. Advancing the art of internet edge outage detection. In ACM Internet Measurement Conference (IMC).

Digital Library

[60]

Philipp Richter, Florian Wohlfart, Narseo Vallina-Rodriguez, Mark Allman, Randy Bush, Anja Feldmann, Christian Kreibich, Nicholas Weaver, and Vern Paxson. 2016. A Multi-perspective Analysis of Carrier-Grade NAT Deployment. In ACM Internet Measurement Conference (IMC).

Digital Library

[61]

RIPE. 2017. Best Current Operational Practice for Operators: IPv6 Prefix Assignment for End-Users - Persistent vs Non-Persistent, and What Size to Choose. https://www.ripe.net/publications/docs/ripe-690.

[62]

Justin P. Rohrer, Blake LaFever, and Robert Beverly. 2016. Empirical Study of Router IPv6 Interface Address Distributions. IEEE Internet Computing (Aug. 2016).

Digital Library

[63]

Erik Rye and Robert Beverly. 2023. IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation. In IEEE Symposium on Security and Privacy.

[64]

Erik Rye, Robert Beverly, and kc claffy. 2021. Follow the Scent: Defeating IPv6 Prefix Rotation Privacy. In ACM Internet Measurement Conference (IMC).

[65]

Erik C Rye and Robert Beverly. 2020. Discovering the IPv6 Network Periphery. In Passive and Active Network Measurement Conference (PAM).

[66]

Said Jawad Saidi, Oliver Gasser, and Georgios Smaragdakis. 2022. One Bad Apple Can Spoil Your IPv6 Privacy. ACM SIGCOMM Computer Communication Review 52, 2 (2022).

Digital Library

[67]

Aaron Schulman and Neil Spring. 2011. Pingin'in the rain. In ACM Internet Measurement Conference (IMC).

Digital Library

[68]

Lion Steger, Liming Kuang, Johannes Zirngibl, Georg Carle, and Oliver Gasser. 2023. Target Acquired? Evaluating Target Generation Algorithms for IPv6. In Network Traffic Measurement and Analysis.

[69]

Stephen D Strowes. 2017. Bootstrapping active IPv6 measurement with IPv4 and public DNS. arXiv preprint arXiv:1710.08536 (2017).

[70]

tumi8. 2022. ZMapv6: Internet Scanner with IPv6 Capabilities. https://github.com/tumi8/zmap.

[71]

WiGLE - All the Networks. Found by Everyone. 2023. WiGLE- All the Networks. Found by Everyone. https://wigle.net.

[72]

Tao Yang, Zhiping Cai, Bingnan Hou, and Tongqing Zhou. 2022. 6Forest: An Ensemble Learning-Based Approach to Target Generation for Internet-Wide IPv6 Scanning. In IEEE Conference on Computer Communications (INFOCOM).

Digital Library

[73]

Sebastian Zander, Lachlan LH Andrew, and Grenville Armitage. 2014. Capturing Ghosts: Predicting the Used IPv4 Space by Inferring Unobserved Addresses. In ACM Internet Measurement Conference (IMC).

Digital Library

[74]

Liang Zhang, David Choffnes, Dave Levin, Tudor Dumitraş, Alan Mislove, Aaron Schulman, and Christo Wilson. 2014. Analysis of SSL Certificate Reissues and Revocations in the Wake of Heartbleed. In ACM Internet Measurement Conference (IMC).

[75]

Johannes Zirngibl, Lion Steger, Patrick Sattler, Oliver Gasser, and Georg Carle. 2022. Rusty Clusters? Dusting an IPv6 Research Foundation. In ACM Internet Measurement Conference (IMC).

Digital Library

[76]

Maya Ziv, Liz Izhikevich, Kimberly Ruth, Katherine Izhikevich, and Zakir Durumeric. 2021. ASdb: A System for Classifying Owners of Autonomous Systems. In ACM Internet Measurement Conference (IMC).

Digital Library

Cited By

Hilal FSattler PVermeulen KGasser O(2024)A First Look At IPv6 Hypergiant InfrastructureProceedings of the ACM on Networking10.1145/36563002:CoNEXT2(1-25)Online publication date: 13-Jun-2024
https://dl.acm.org/doi/10.1145/3656300
Williams GPearce PVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)Seeds of Scanning: Exploring the Effects of Datasets, Methods, and Metrics on IPv6 Internet ScanningProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688449(295-313)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688449
Holzbauer FMaier MUllrich JVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)Destination Reachable: What ICMPv6 Error Messages Reveal About Their SourcesProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688420(280-294)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688420
Show More Cited By

Index Terms

IPv6 Hitlists at Scale: Be Careful What You Wish For
1. Networks
  1. Network performance evaluation
    1. Network measurement
  2. Network properties
    1. Network privacy and anonymity

Recommendations

A new worm exploiting IPv4-IPv6 dual-stack networks
WORM '07: Proceedings of the 2007 ACM workshop on Recurring malcode

It is commonly believed that the IPv6 protocol can provide good protection against network worms due to its huge address space. However, it is proved to be incorrect by our study on the new "dual-stack worm" which can spread in IPv4-IPv6 dual-stack ...
In the IP of the Beholder: Strategies for Active IPv6 Topology Discovery
IMC '18: Proceedings of the Internet Measurement Conference 2018

Existing methods for active topology discovery within the IPv6 Internet largely mirror those of IPv4. In light of the large and sparsely populated address space, in conjunction with aggressive ICMPv6 rate limiting by routers, this work develops a ...
Shellcode Detection in IPv6 Networks with HoneydV6
ICETE 2014: Proceedings of the 11th International Joint Conference on e-Business and Telecommunications - Volume 4

More and more networks and services are reachable via IPv6 and the interest for security monitoring of these IPv6 networks is increasing. Honeypots are valuable tools to monitor and analyse network attacks. HoneydV6 is a low-interaction honeypot which ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ACM SIGCOMM '23: Proceedings of the ACM SIGCOMM 2023 Conference

September 2023

1217 pages

ISBN:9798400702365

DOI:10.1145/3603269

Chairs:
Henning Schulzrinne,
Vishal Misra,
Program Chairs:
Eddie Kohler,
David Maltz

Copyright © 2023 Owner/Author(s).

This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 September 2023

Check for updates

Badges

Artifacts Available / v1.1

Author Tags

Qualifiers

Research-article

Conference

ACM SIGCOMM '23

Sponsor:

SIGCOMM

ACM SIGCOMM '23: ACM SIGCOMM 2023 Conference

September 10, 2023

NY, New York, USA

Acceptance Rates

Overall Acceptance Rate 462 of 3,389 submissions, 14%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
1,419
Total Downloads

Downloads (Last 12 months)967
Downloads (Last 6 weeks)139

Reflects downloads up to 06 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Hilal FSattler PVermeulen KGasser O(2024)A First Look At IPv6 Hypergiant InfrastructureProceedings of the ACM on Networking10.1145/36563002:CoNEXT2(1-25)Online publication date: 13-Jun-2024
https://dl.acm.org/doi/10.1145/3656300
Williams GPearce PVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)Seeds of Scanning: Exploring the Effects of Datasets, Methods, and Metrics on IPv6 Internet ScanningProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688449(295-313)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688449
Holzbauer FMaier MUllrich JVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)Destination Reachable: What ICMPv6 Error Messages Reveal About Their SourcesProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688420(280-294)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688420
Dahlmanns MWehrle K(2024)Protocol Security in the Industrial Internet of ThingsNOMS 2024-2024 IEEE Network Operations and Management Symposium10.1109/NOMS59830.2024.10575096(1-4)Online publication date: 6-May-2024
https://doi.org/10.1109/NOMS59830.2024.10575096
Dahlmanns MHeidenreich FLohmöller JPennekamp JWehrle KHenze M(2024)Unconsidered Installations: Discovering IoT Deployments in the IPv6 InternetNOMS 2024-2024 IEEE Network Operations and Management Symposium10.1109/NOMS59830.2024.10574963(1-8)Online publication date: 6-May-2024
https://doi.org/10.1109/NOMS59830.2024.10574963

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents