server siblings identifying shared ipv4 ipv6
play

Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via - PowerPoint PPT Presentation

Aug 08, 2023 •245 likes •583 views

Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via Active Fingerprinting Robert Beverly , Arthur Berger Naval Postgraduate School MIT/Akamai March 20, 2015 PAM 2015 - 16th Passive and Active Measurement Conference

  1. Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via Active Fingerprinting Robert Beverly ∗ , Arthur Berger † ∗ Naval Postgraduate School † MIT/Akamai March 20, 2015 PAM 2015 - 16th Passive and Active Measurement Conference R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 1 / 24

  2. What/Why Outline What/Why 1 Methodology 2 Results 3 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 2 / 24

  3. What/Why IPv4/IPv6 Siblings IPv4/IPv6 “Siblings:” Given a candidate ( IPv 4 , IPv 6 ) address pair, determine if these addresses are assigned to the same physical machine. Related IPv6 Research: IPv6 adoption, routing, performance [DLHEA12], [CAZIOB14] Passive client IPv4/IPv6 sibling associations: e.g. web-bugs, javascript, flash [ZAAHM12] DNS server IPv4/IPv6 siblings [BWBC13] Our work: Targeted, active test: on-demand for any given pair Infrastructure: finding server siblings R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 3 / 24

  4. What/Why IPv4/IPv6 Siblings IPv4/IPv6 “Siblings:” Given a candidate ( IPv 4 , IPv 6 ) address pair, determine if these addresses are assigned to the same physical machine. Related IPv6 Research: IPv6 adoption, routing, performance [DLHEA12], [CAZIOB14] Passive client IPv4/IPv6 sibling associations: e.g. web-bugs, javascript, flash [ZAAHM12] DNS server IPv4/IPv6 siblings [BWBC13] Our work: Targeted, active test: on-demand for any given pair Infrastructure: finding server siblings R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 3 / 24

  5. What/Why Motivation Question? Is IPv6 infrastructure being deployed with separate hardware or by adding IPv6 to existing machines? Why? Adoption: Track IPv6 infrastructure evolution, how deployed Bootstrapping: IPv6 geolocation, reputation by correlating to IPv4 counterpart Security: Better understand correlated failures Lack of IPv6 security, tunnel to circumvent firewalls (e.g. an attack on IPv6 resource affecting IPv4 service) Performance: Isolate path vs. host performance when comparing IPv4 and IPv6 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 4 / 24

  6. What/Why Motivation Question? Is IPv6 infrastructure being deployed with separate hardware or by adding IPv6 to existing machines? Why? Adoption: Track IPv6 infrastructure evolution, how deployed Bootstrapping: IPv6 geolocation, reputation by correlating to IPv4 counterpart Security: Better understand correlated failures Lack of IPv6 security, tunnel to circumvent firewalls (e.g. an attack on IPv6 resource affecting IPv4 service) Performance: Isolate path vs. host performance when comparing IPv4 and IPv6 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 4 / 24

  7. What/Why Motivation Question? Is IPv6 infrastructure being deployed with separate hardware or by adding IPv6 to existing machines? Why? Adoption: Track IPv6 infrastructure evolution, how deployed Bootstrapping: IPv6 geolocation, reputation by correlating to IPv4 counterpart Security: Better understand correlated failures Lack of IPv6 security, tunnel to circumvent firewalls (e.g. an attack on IPv6 resource affecting IPv4 service) Performance: Isolate path vs. host performance when comparing IPv4 and IPv6 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 4 / 24

  8. What/Why Motivation Question? Is IPv6 infrastructure being deployed with separate hardware or by adding IPv6 to existing machines? Why? Adoption: Track IPv6 infrastructure evolution, how deployed Bootstrapping: IPv6 geolocation, reputation by correlating to IPv4 counterpart Security: Better understand correlated failures Lack of IPv6 security, tunnel to circumvent firewalls (e.g. an attack on IPv6 resource affecting IPv4 service) Performance: Isolate path vs. host performance when comparing IPv4 and IPv6 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 4 / 24

  9. What/Why Motivation Question? Is IPv6 infrastructure being deployed with separate hardware or by adding IPv6 to existing machines? Why? Adoption: Track IPv6 infrastructure evolution, how deployed Bootstrapping: IPv6 geolocation, reputation by correlating to IPv4 counterpart Security: Better understand correlated failures Lack of IPv6 security, tunnel to circumvent firewalls (e.g. an attack on IPv6 resource affecting IPv4 service) Performance: Isolate path vs. host performance when comparing IPv4 and IPv6 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 4 / 24

  10. What/Why Contributions IPv4/IPv6 Server Sibling Inference, Contributions Develop an active IPv4/IPv6 sibling inference measurement 1 technique by extending prior fingerprinting work Validate and evaluate technique on ground-truth 2 Use technique to survey top Alexa IPv6 capable web servers 3 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 5 / 24

  11. Methodology Outline What/Why 1 Methodology 2 Results 3 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 6 / 24

  12. Methodology Sibling Identification Targeted, Active Sibling Identification Intuition: IPv4 and IPv6 share a common transport-layer (TCP) Combine, extend, and reappraise prior TCP fingerprinting work: Coarse-grained: TCP options signature [Nmap] Fine-grained: TCP timestamp clockskew [Kohno 2005] R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 7 / 24

  13. Methodology Course-Grained Sibling Identification Course-Grained Sibling Identification Presence of TCP options is common-case Order and packing of options is implementation dependent, e.g.: Win: <mss, nop, wscale 5, nop, nop, TS, sackOK> FreeBSD: <mss, nop, wscale 3, sackOK, TS> Linux: <mss, sackOK, TS, nop, wscale 4> We: Strip timestamp value Strip MSS value (unreliable, not just IPv4 MSS-20) Preserve order, compare between IPv4 and IPv6 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 8 / 24

  14. Methodology Fine-Grained Sibling Identification Fine-Grained Sibling Identification TCP timestamp option: “TCP Extensions for High Performance” [RFC1323, May 1992]. Universally supported, enabled by default. Option value: 4 bytes containing current clock TS clock: Value not specified in RFC (only used to detect duplicate segments) � = system clock Frequently unaffected by system clock adjustments (e.g. NTP) Connect to remote TCP periodically over time, fetch TS Fingerprint is TS clock skew or drift R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 9 / 24

  15. Methodology Examples TCP Timestamp Clock Skew Skew-based Fingerprinting Idea: Use linear program to find 40 slope of points 30 Here, different skews (one 20 observed offset (msec) 10 negative) 0 -10 y = 0 . 0299 x skew ( ≈ -20 1.8ms/min, ≈ 15 min/year) -30 -40 Then: Host A (IPv6) -50 Host B (IPv4) α =0.029938 β =-3.519 -60 Compare IPv4 and IPv6 α =-0.058276 β =-1.139 -70 slopes 0 200 400 600 800 1000 measurement time(sec) Siblings if angle less than threshold R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 10 / 24

  16. Methodology Examples Example: Ground Truth Visualization 40 10 30 0 20 -10 observed offset (msec) 10 observed offset (msec) 0 -20 -10 -30 -20 -40 -30 -40 -50 Host A (IPv6) Host A (IPv6) -50 Host B (IPv4) Host A (IPv4) -60 α =0.029938 β =-3.519 α =-0.058253 β =-1.178 -60 α =-0.058276 β =-1.139 α =-0.058276 β =-1.139 -70 -70 0 200 400 600 800 1000 0 200 400 600 800 1000 measurement time(sec) measurement time(sec) Non-Siblings Siblings Host A IPv4 vs. Host A IPv6: identical slopes ( θ = 0 . 0098) Host A IPv6 vs. Host B IPv4: different slopes ( θ = 31 . 947) Of course, more complicated in practice! R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 11 / 24

  17. Methodology Examples Probing Outcomes No options returned: Infrequent, limits to coarse Timestamps: Not present: e.g., middlebox, limits to coarse Non-monotonic: (between connections) e.g., load-balancer Random: e.g., BSD’s random per-flow offset Monotonic: fine-grained fingerprinting For example, raw TCP timestamps: 2e+15 4.5e+09 209.85.225.160 apache.org V4 2001:4860:b007::a0 apache.org V6 0 4e+09 -2e+15 3.5e+09 -4e+15 3e+09 observed offset (msec) -6e+15 TCP Timestamp 2.5e+09 -8e+15 -1e+16 2e+09 -1.2e+16 1.5e+09 -1.4e+16 1e+09 -1.6e+16 5e+08 -1.8e+16 -2e+16 0 0 10000 20000 30000 40000 50000 60000 70000 0 50 100 150 200 measurement time(sec) TCP Packet Sample Random across connects Non-monotonic across connects R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 12 / 24

  18. Methodology Examples Methodology Server Sibling Inference Propose and evaluate two algorithms: Options signature and basic timestamp skew (Alg 1) 1 Additional, parameterized logic (Alg 2) 2 (See paper for gory algorithm details) Test against ground truth Periodically probe Alexa IPv4 and IPv6 targets once every ∼ 3.5 hours for ∼ 17 days R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 13 / 24

  19. Results Outline What/Why 1 Methodology 2 Results 3 R. Beverly & A. Berger (NPS) IPv4/IPv6 Server Siblings PAM 2015 14 / 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool

IPv6 Avanzado Introduccin Toms Lynch LACNOG WHERE ARE WE? IPv4 Yes, the IPv4 pool IPv4 with NAT/Tunnels But we can use IPv4 and NAT or Tunnels!!! Yeah, right IPv6 IPv6 Readiness Laptops, pads, mobile phones, dongles,

477 views • 19 slides
Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com When will IPv6-only deployment happen? Hypothesis 1 1st node is All IPv4 nodes dual-stack speak also IPv6 IPv4-only IPv4 &amp; IPv6 IPv6-only

675 views • 25 slides
IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address IPv4 allowed for 4.3 billion possible addresses, IPv6 allows for 340 undecillion addresses 3.40E38, 7.9E28 more than IPv4 addresses, ~ 4.8x10

1.07k views • 28 slides
Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger ,

Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger ,

Inferring Internet Server IPv4 and IPv6 Address Relationships Robert Beverly, Arthur Berger , Nicholas Weaver , Larry Campbell Naval Postgraduate School Akamai ICSI/UCSD rbeverly@nps.edu, awberger@mit.edu February 7, 2013

323 views • 19 slides
SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36, London, January 2017 Incremental IPv6 deployment in DC IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full

550 views • 15 slides
Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic

Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic

Comparing IPv4 and IPv6 from the perspec7ve of BGP dynamic ac7vity Geoff Huston APNIC February 2012 The IPv4 Table: 2004 - now The IPv6

770 views • 47 slides
Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA &lt;keiichi@iijlab.net&gt; IIJ Research Laboratory / WIDE project Contents IPv6 service in Japan How I live Example of IPv6 configuration Some news of IPv6

653 views • 16 slides
IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4

IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4

IPv6 Presentation Template (Make this title your own!) Whats happening with IPv4? IPv4 exhaustion (link to RIRs and highlight relevant trends for your region) Regional Internet Authorities are in various phases of IPv4 exhaustion

486 views • 13 slides
Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node

Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node

Large-scale introduction of IPv6 system - 280 sites all over Japan VoIP carrier IPv4 - IPv6 Node as many as 20,000 IPv6/IPv4 The IP Centrex service, &quot;IP Business Phone&quot;, Translator developed by FreeBit, has got a major contract with

752 views • 5 slides
Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC

Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC

Dual-stack IPv4+IPv6 monitoring with Nagios Teemu Kiviniemi, CSC/Funet 6th June 2012 6th TF-NOC meeting Dublin, Ireland Introduction World IPv6 Launch is today! When enabling IPv6 support in services, it is crucial to monitor with both IPv4

1.09k views • 27 slides
1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion practice) 3. IPv6 advantages over IPv4 4. IPv4 address structure 5. IPv6 address structure IPv4 Address 32 bit address (computer stores information

655 views • 53 slides
IPv6 Only Hosting Pete Stevens Mythic Beasts Ltd mythic beasts What's wrong with IPv4?

IPv6 Only Hosting Pete Stevens Mythic Beasts Ltd mythic beasts What's wrong with IPv4?

IPv6 Only Hosting Pete Stevens Mythic Beasts Ltd mythic beasts What's wrong with IPv4? 2005: One IP per server. 2010: One IP per VM. Single server now requires ~ 50 IPs. 2015: Ideally one IP per container. Single VM now requires

593 views • 24 slides
IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net Australia's Academic and Research Network IPv6 policy Going forward, we seek to support IPv6 to the same extent as we support IPv4. Exceptions require

631 views • 52 slides
Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4 addresses have 32 bits only not enough for 1 IP address per person dynamic IPs, NAT, Manual configuration time consuming (in larger

655 views • 16 slides
IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There

IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There

IPv4 Exhaus,on And IPv6 Deployment Carlos Mar)nez @Sint-Maarten Internet Week IPv4 There are 4,294,967,296 IPv4 addresses (32 bits long) but not all of them can be used Looks like a lot, right? But... World popula)on currently stands

501 views • 27 slides
Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin

Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin

Transicin a IPv6 rea de Ingeniera Telemtica Dpto. Automtica y Computacin http://www.tlm.unavarra.es/ Soluciones Doble pila Dispositivos con IPv4 e IPv6 Tneles Comunicar IPv6 a travs de zonas IPv4 Traduccin

631 views • 24 slides
Direct Numerical Simulation of Fully Resolved Liquid Droplets in a Turbulent Flow Michele Rosso

Direct Numerical Simulation of Fully Resolved Liquid Droplets in a Turbulent Flow Michele Rosso

Direct Numerical Simulation of Fully Resolved Liquid Droplets in a Turbulent Flow Michele Rosso &amp; Said Elghobashi Department of Mechanical and Aerospace Engineering University of California, Irvine NCSA Blue Waters Symposium for Petascale

558 views • 31 slides
Offsets and the Coastal Zone Act The law passed in June 1971, but lobbyists fought efforts to adopt

Offsets and the Coastal Zone Act The law passed in June 1971, but lobbyists fought efforts to adopt

Offsets and the Coastal Zone Act The law passed in June 1971, but lobbyists fought efforts to adopt regulations The first regulations were developed under Secretary Toby Clarks watch and adopted in 1993, but were challenged and overturned by

145 views • 13 slides
Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis Powered by RIPS Technologies High-tech company based in Bochum, Germany Supports the full feature stack of the PHP language Detects

1.06k views • 47 slides
D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command

D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command

D&amp;D of malware with exotic C&amp;C D&amp;D = Description &amp; Detection C&amp;C = Command &amp; Control Automotive Consumer Energy &amp; Chemicals Paul Rascagneres - @r00tbsd Eric Leblond - @Regiteric D&amp;D of malware with exotic C&amp;C

781 views • 34 slides
Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat

Security Everywhere Extended Jatinder Shetra Consulting Security Engineer Dynamic Threat Landscape Customers Biggest Security Challenges Changing Dynamic Complexity Business Models Threat Landscape and Fragmentation A

550 views • 13 slides
DNS Conformance Tester &amp; Test Event Report dnsext WG@65th IETF 2006/03/21(Tues.) Yukiyo

DNS Conformance Tester &amp; Test Event Report dnsext WG@65th IETF 2006/03/21(Tues.) Yukiyo

DNS Conformance Tester &amp; Test Event Report dnsext WG@65th IETF 2006/03/21(Tues.) Yukiyo Akisada@Yokogawa Electric Corporation, TAHI Project TOC Status of DNS Conformance Tester Introduction of DNS Conformance Tester Test Event

459 views • 24 slides
Computers use IP addresses. Why DNS Session 1: Fundamentals Old solution: hosts.txt do we need

Computers use IP addresses. Why DNS Session 1: Fundamentals Old solution: hosts.txt do we need

Computers use IP addresses. Why DNS Session 1: Fundamentals Old solution: hosts.txt do we need names? Easier for people to remember A centrally-maintained file, distributed to all hosts Computers may be moved between networks, in on

689 views • 5 slides
Comparison of communications options Examples of Communications Options Type Capacity From/To

Comparison of communications options Examples of Communications Options Type Capacity From/To

Comparison of communications options Examples of Communications Options Type Capacity From/To Initial Cost Annual Cost ADSL 10MB 100 miles within GB c.1000 c.1500 MPLS 10MB 100 miles within GB c.3100 c.14700 GB to/from MPLS

267 views • 15 slides

More recommend