opportunistic ipv6 insight via abusive traffic
play

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, - PowerPoint PPT Presentation

Sep 14, 2023 •223 likes •568 views

Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate School {rbeverly,xie}@nps.edu February 8, 2012 CAIDA Workshop on Active Internet Measurements R. Beverly et al. (NPS) Opportunistic IPv6 Insight

  1. Opportunistic IPv6 Insight via Abusive Traffic Robert Beverly, Geoffrey Xie Naval Postgraduate School {rbeverly,xie}@nps.edu February 8, 2012 CAIDA Workshop on Active Internet Measurements R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 1 / 31

  2. Introduction Outline Introduction 1 IPv6 as Abusive Traffic Enabler 2 Methodology 3 Results 4 5 Summary R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 2 / 31

  3. Introduction What we can all (sort of) agree on Crying Wolf Again? (U.S. perspective) Exhaustion of v4 addresses finally exerting (economic) pressure on providers to use IPv6 More and more devices (e.g. mobile) Widespread OS support, auto-tunneling Carrier-grade NAT is bad (viz. E2E) U.S. government mandates Err.... ; <<>> DiG 9.8.1 <<>> AAAA www.disa.mil ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63718 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.disa.mil. IN AAAA R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 3 / 31

  4. Introduction What we can all (sort of) agree on Crying Wolf Again? (U.S. perspective) Exhaustion of v4 addresses finally exerting (economic) pressure on providers to use IPv6 More and more devices (e.g. mobile) Widespread OS support, auto-tunneling Carrier-grade NAT is bad (viz. E2E) U.S. government mandates Err.... ; <<>> DiG 9.8.1 <<>> AAAA www.disa.mil ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63718 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.disa.mil. IN AAAA R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 3 / 31

  5. Introduction IPv6 Measurements Many independent IPv6 measurement efforts: Multiple web-bug / javascript Passive traffic analysis Active probing Dark/Grey nets R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 4 / 31

  6. Introduction Our Hypothesis: Our Hypothesis: Opportunistically utilize abusive IPv6 traffic Abusive traffic has been productive in other measurement efforts Suggests at a means to obtain (a large number of) samples from the IPv6 edge, with different sample bias Additionally, reveal properties/prevalence of IPv6 as emergent attack vector This talk: initial experiments to test the opportunistic abusive IPv6 traffic hypothesis (read as: ongoing effort). R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 5 / 31

  7. IPv6 as Abusive Traffic Enabler Outline Introduction 1 IPv6 as Abusive Traffic Enabler 2 Methodology 3 Results 4 5 Summary R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 6 / 31

  8. IPv6 as Abusive Traffic Enabler IPv6 Abusive Traffic What do we mean by “abusive?” Many IPv6 protocol-specific attacks, not in scope here Instead: Traditional abusive traffic (DoS, messaging, worm propagation, etc) using IPv6 transport Why might we expect abusive IPv6 traffic? Bad guys will exploit any possible attack vector Easy: incestuous abusive/malicious code libraries permit widespread adoption e.g. THC-IPV6 Near zero cost to test for IPv6 connectivity Newly adopted protocols often rife with vulnerabilities All old security problems in IPv4 are new again... R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 7 / 31

  9. IPv6 as Abusive Traffic Enabler IPv6 Abusive Traffic Fly under the radar of monitoring, or evade blocking: Firewalls, filters, IDS, DPI, etc rarely configured to support IPv6 Tunnels and auto-tunnel mechanisms (e.g. 6to4, Teredo) subvert administrative security policies and protection/detection E.g. residential outbound TCP SMTP blocked only for IPv4 Address agility, IPv6 RBLs not as well-maintained: http://www.ipv6whitelist.eu Lots of buggy implementations: Ask us about our IDS fuzz testing where we can throw snort into infinite recursion via crafted IPv6 packets! R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 8 / 31

  10. IPv6 as Abusive Traffic Enabler IPv6 Attacks Bad stuff is IPv6 connected: Database Entries w/ A Entries w/ AAAA malwaredomainlist.com 2095 35 (1.7%) malwaredomains.com 845 10 (1.2%) phishtank.com 3318 16 (0.5%) Coincidentally or intentionally on IPv6? (Collected and probed February, 2012) R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 9 / 31

  11. IPv6 as Abusive Traffic Enabler IPv6 Attacks Unsurprisingly, bad stuff is IPv6 connected: Database Entries w/ Unique ASN RIPE ASN AAAA malwaredomainlist.com 35 10 8 malwaredomains.com 10 5 5 phishtank.com 16 10 9 Not all in one AS Mostly in Europe (none in US) (Collected and probed February, 2012) R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 10 / 31

  12. IPv6 as Abusive Traffic Enabler IPv6 Attacks Lots of anecdotal evidence: Trojans: Troj/LegMir-AT IPv6 IRC (public reference) Worms: W32/VB-DYF (public reference) Wordpress malware using IPv6 site-scraping (private conversation with CDN, 2011) Take-away: There exist sources of abusive IPv6 traffic Even if traffic is small relative to v4, still interesting Exploit abusive IPv6 traffic for measurement of the IPv6 Internet R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 11 / 31

  13. IPv6 as Abusive Traffic Enabler IPv6 Attacks Lots of anecdotal evidence: Trojans: Troj/LegMir-AT IPv6 IRC (public reference) Worms: W32/VB-DYF (public reference) Wordpress malware using IPv6 site-scraping (private conversation with CDN, 2011) Take-away: There exist sources of abusive IPv6 traffic Even if traffic is small relative to v4, still interesting Exploit abusive IPv6 traffic for measurement of the IPv6 Internet R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 11 / 31

  14. Methodology Outline Introduction 1 IPv6 as Abusive Traffic Enabler 2 Methodology 3 Results 4 5 Summary R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 12 / 31

  15. Methodology IPv6 Honeypot Initial experiment: IPv6 Spam Honeypot Easy and popular method to attract abusive traffic: spam honeypot We built and instrumented an IPv6 spam honeypot Prior Work ripe.net: Not a honeypot; 3.5% of IPv6 emails spam (2010) cert.br: Total of 6 IPv6 HTTP hits over 3 months (2009) soton.ac.uk: Not a honeypot; “roughly half of IPv6 email is spam.” (2008) Idea: run a IPv6 spam honeypot before/after World IPv6 day R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 13 / 31

  16. Methodology IPv6 Honeypot Initial experiment: IPv6 Spam Honeypot Easy and popular method to attract abusive traffic: spam honeypot We built and instrumented an IPv6 spam honeypot Prior Work ripe.net: Not a honeypot; 3.5% of IPv6 emails spam (2010) cert.br: Total of 6 IPv6 HTTP hits over 3 months (2009) soton.ac.uk: Not a honeypot; “roughly half of IPv6 email is spam.” (2008) Idea: run a IPv6 spam honeypot before/after World IPv6 day R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 13 / 31

  17. Methodology IPv6 Pot IPv6 Pot: Run instrumented NS1 NS2 authoritative name servers resolver recorder recorder and IPv6-only DB spam sink host IPv6−only MTA (RFC3974) pcap Abusive Network NPS IPv6 Honeypot R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 14 / 31

  18. Methodology IPv6 Pot IPv6 Pot: MX queries (via m o c y . e n o h s n p ? m NS1 NS2 X o M c y . IPv4 or IPv6) e n o h p s n . s m e r h e returned and resolver recorder recorder recorded to DB database host IPv6−only MTA Abusive Network R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 15 / 31

  19. Methodology IPv6 Pot IPv6 Pot: m o c y . e n o h s p n s . e m NS1 NS2 No associated A r e h D ? R A O C E R O N record (query resolver recorder recorder recorded) DB host IPv6−only MTA Abusive Network R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 16 / 31

  20. Methodology IPv6 Pot IPv6 Pot: m o c y . e n o h s p n s . e NS1 NS2 AAAA record m r 2 e : h 8 : ? 4 A : A 6 6 A 0 : A 7 4 : 1 0 0 2 available (query resolver recorder recorder recorded) DB host IPv6−only MTA Abusive Network R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 17 / 31

  21. Methodology IPv6 Pot IPv6 Pot: NS1 NS2 Spam sink catchall for any resolver recorder recorder IPv6 SMTP . DB host IPv6 SMTP IPv6−only MTA Abusive Network pcap R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 18 / 31

  22. Methodology Attracting Traffic Attracting Traffic Dynamic HTML text at bottom of our group web pages generates: nonce@npshoney.com Records: IPv4/v6 source, browser, resource to database Additionally, manually visited several spam URLs and entered our email R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 19 / 31

  23. Methodology Honeypot Analysis What can we learn: How many attempted spam SMTP connections resulted in an email? Do abusive spam (hosts/bots) use IPv6 when it’s the only transport available? Reconstruct how mined email addresses get to IPv6-capable spammers IPv6 edge: Addresses for tracing Prevalence of auto-tunneling Mapping of IPv4 to IPv6 R. Beverly et al. (NPS) Opportunistic IPv6 Insight CAIDA AIMS-4 20 / 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Diurnal and Weekly Cycles in IPv6 Traffic Stephen Strowes Yahoo sds@yahoo-inc.com Motivation

Diurnal and Weekly Cycles in IPv6 Traffic Stephen Strowes Yahoo sds@yahoo-inc.com Motivation

Diurnal and Weekly Cycles in IPv6 Traffic Stephen Strowes Yahoo sds@yahoo-inc.com Motivation Non-trivial IPv6 deployments in access networks impacts capacity planning, peering, DNS load balancing (Also, people kept asking why IPv6 is 2-3%

496 views • 8 slides
IPv6 at Yahoo IPv6 at Yahoo: growth, disparity Large content network: we see traffic from eyeball

IPv6 at Yahoo IPv6 at Yahoo: growth, disparity Large content network: we see traffic from eyeball

IPv6 at Yahoo IPv6 at Yahoo: growth, disparity Large content network: we see traffic from eyeball networks Two main datasets I watch: HTTP logging Mobile data reporting to Splunk IPv6 at Yahoo: growth, disparity Countries: Mobile:

259 views • 4 slides
IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already Here Monash IPv6 Progress Addressing End Systems Monitoring Network Address Usage Traffic Monitoring Problems IPv6 is Coming

779 views • 41 slides
Understanding the Share of IPv6 Traffic in a Dual-Stack ISP Enric Pujol, Philipp Richter, and

Understanding the Share of IPv6 Traffic in a Dual-Stack ISP Enric Pujol, Philipp Richter, and

Understanding the Share of IPv6 Traffic in a Dual-Stack ISP Enric Pujol, Philipp Richter, and Anja Feldmann PAM 2017, Sydney, Australia IPv6 adoption metrics User end hosts Server-side measurements e.g., Google reports 20% of the hosts have

869 views • 40 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient

Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient

Opportunistic Composition of Human- Opportunistic composition Computer Interactions in Ambient Spaces Ambient env. Our approach Plastic HCI Augustin Degas Requirements Ergonomic criteria Sylvie Trouilhet - Jean-Paul Arcangeli, IRIT

379 views • 21 slides
Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar

Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar

Data Structures for IPv6 Network Traffic Analysis Using Sets and Bags John McHugh, Ulfar Erlingsson The nature of the problem IPv4 has 2 32 possible addresses, IPv6 has 2 128 . IPv4 sets can be realized as bit arrays. (0.5GB) IPv4

585 views • 20 slides
Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6 Global allocations by RIR APNIC 337 21% RIPENCC 737 45% ARIN 438 LACNIC AFRINIC 27% 87 37 5% 2% Unit: IPv6 pref i x 3 IPv6

603 views • 24 slides
IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6

IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6

IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6 Ready Logo Goal 2001-Present: Conformance and Interoperability test program intended to increase user confidence and promote IPv6 deployment.

403 views • 11 slides
Opportunistic Computing Opportunistic Computing : A New Paradigm : A New Paradigm for Scalable

Opportunistic Computing Opportunistic Computing : A New Paradigm : A New Paradigm for Scalable

Opportunistic Computing Opportunistic Computing : A New Paradigm : A New Paradigm for Scalable Realism on Many-Cores for Scalable Realism on Many-Cores Romain Cledat, Tushar Kumar, Jaswanth Sreeram, and Santosh Pande Speedup Is Not Always the

420 views • 20 slides
Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA &lt;keiichi@iijlab.net&gt; IIJ Research Laboratory / WIDE project Contents IPv6 service in Japan How I live Example of IPv6 configuration Some news of IPv6

653 views • 16 slides
Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6

Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6

Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A =

617 views • 20 slides
IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6 Deployment WG Chair Takashi Arano (Intec NetCore, Inc.) IPv6 Deployment Guideline solves barriers for deployment I cant see IPv6s

319 views • 7 slides
Objectives Diagnose and manage common opportunistic infections (OIs) in HIV Know the

Objectives Diagnose and manage common opportunistic infections (OIs) in HIV Know the

Objectives Diagnose and manage common opportunistic infections (OIs) in HIV Know the indications and preferred regimens for primary Opportunistic Infections and prophylaxis for OIs Immune Reconstitution Understand the features and

593 views • 16 slides
IPv6/6LoWPAN with Wireshark March 2016 ICTP Alvaro Vives (alvaro.vives@nodo6.com) NODO6

IPv6/6LoWPAN with Wireshark March 2016 ICTP Alvaro Vives (alvaro.vives@nodo6.com) NODO6

IPv6/6LoWPAN with Wireshark March 2016 ICTP Alvaro Vives (alvaro.vives@nodo6.com) NODO6 (www.nodo6.com) Content 1 Introduction to Wireshark 2 Capturing IPv6 Traffic 3 Capturing 6Lowpan Traffic 2 Workshop on New Frontiers in IoT -

379 views • 17 slides
Introduction to IPv6 (Chapter 4 in Huitema) S-38.121 / Fall-04 / N Beijar IPv6,Mobility-1 IPv6

Introduction to IPv6 (Chapter 4 in Huitema) S-38.121 / Fall-04 / N Beijar IPv6,Mobility-1 IPv6

Introduction to IPv6 (Chapter 4 in Huitema) S-38.121 / Fall-04 / N Beijar IPv6,Mobility-1 IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A =

556 views • 20 slides
S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada

S-NFV: Securing NFV states by using SGX Ming-Wei Shih Mohan Kumar Taesoo Kim Ada Gavrilovska Georgia Institute of Technology Network Function Virtualization (NFV) Virtualized Network Functions (VNFs) NAT IDS Web Caching VNF NF OS

542 views • 16 slides
Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by:

Packet Analysis By Brian Brown NetSec Syllabus: https://ubnetdef.org/courses/netsec/ - Ran by: Chris Crawford (DoD) - @zachtenenbaum and @srini are TAs What is Packet Analysis? - Packet Analysis is the capture and interpretation of the

814 views • 22 slides
Breaking the bank Tracing defacers through a company network Judith van Stegeren After my

Breaking the bank Tracing defacers through a company network Judith van Stegeren After my

Breaking the bank Tracing defacers through a company network Judith van Stegeren After my graduation After my graduation Where I work Where I work What I do Demo Incident Response for fictional bank Zone-H: defacement registry Defacement

782 views • 39 slides
Regular Expression Matching on Graphics Hardware for Intrusion Detection Giorgos Vasiliadis,

Regular Expression Matching on Graphics Hardware for Intrusion Detection Giorgos Vasiliadis,

Regular Expression Matching on Graphics Hardware for Intrusion Detection Giorgos Vasiliadis, Michalis Polychronakis, Spiros Antonatos, Sotiris Ioannidis, Evangelos P. Markatos FORTH-ICS, Greece RAID09, 25 September 2009

225 views • 19 slides
t rt sr P

t rt sr P

r t rst Pr t r tr

653 views • 27 slides
GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The

FERMILAB-SLIDES-18-122-CD GoldenEye: stream-based network packet inspection using GPUs Qian Gong, Wenji Wu, Phil DeMar The 43nd IEEE Conference on Local Computer Networks October 4, 2018 This manuscript has been authored by Fermi Research

473 views • 24 slides
Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U.,

MIDeA: A Multi-Parallel Intrusion Detection Architecture Giorgos Vasiliadis, FORTH-ICS, Greece Michalis Polychronakis, Columbia U., USA Sotiris Ioannidis, FORTH-ICS, Greece CCS 2011, 19 October 2011 Network Intrusion Detection Systems

548 views • 34 slides
Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California,

Detecting Deception in the Context of Web 2.0. Annarita Giani , EECS, University of California, Berkeley, CA Paul Thompson, CS Dept. Dartmouth College, Hanover, NH W2SP2007 Oakland, CA May 24, 2007 Outline 1.Motivation and Terminology

334 views • 30 slides

More recommend