target generation for internet wide ipv6 scanning
play

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, - PowerPoint PPT Presentation

Feb 01, 2023 •230 likes •518 views

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, Vern Paxson Background IPv4 scanning - Zmap . 2 Background 2 128 addresses => 10 30 years to scan 32 nybbles (hex

  1. Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, Vern Paxson

  2. Background IPv4 scanning - Zmap . 2

  3. Background ● 2 128 addresses => 10 30 years to scan ● 32 nybbles (hex characters), 8 groups ● 2001:0db8:0000:0001:0000:0000:22:33333 ● n bit prefix + m bit subnet + 64 bit host ID ● Before - 2001: 0 db8: 000 0: 000 1: 0000:0000 :22:33333 ● After - 2001:db8:0:1::22:3333 3

  4. Current Strategy 1 – Use Known Patterns Decouple where to scan from how to scan* Target Generation Algorithm (TGA) • Previous Work: Check Simple Patterns (2::1:0:0:0:1 … 2::f:0:0:0:f) Czyz et al. Known Patterns eg. “wordy” (2001::cafe:face) RFC7707 4

  5. Current Strategy 2 – Discover Patterns Extract patterns from “Seeds” Seeds: Previous Work: ● Network Taps Recursive Algorithms Ullrich et al. ● Traceroutes Machine Learning Pawel et al. ● DNS ○ Reverse ○ Passive ○ Forward 5

  6. New Strategy – Exploit Locality Goal: maximize number of hosts found* Hypothesis: Seed Density Hit Density ● Find address ranges local to seeds with high seed density ● Expand ranges to discover new addresses Bottom up, expand from seeds to ranges 6

  7. Motivation ● Allocation patterns can be tricky to leverage 1K seeds matching a random pattern prefix:subnet:<16 random nybbles> 16^16 possible targets 100 seeds matching a wordy pattern prefix:subnet::<word> 1,296 possible targets ● 2/3 of routed prefixes had less than 10 seeds 7

  8. Motivation 2 ● There may be different patterns in one subnet 2403:d000:0004: 0100 :0000:0000:0000:000 1 Sequential 2403:d000:0004: 0100 :0000:0000:0000:000 2 2403:d000:0004: 0100 :0 225:90ff:fe37:358b Embedded MAC 2403:d000:0004: 0100 :0 225:90ff:fe37:760f 2403:d000:0004: 0100 :0 230:48ff:fe34:fe96 2403:d000:0004: 0100 :0000:0000:0000: café Wordy (Actual Seeds) 8

  9. Motivation 3 ● Often networks do not allocate addresses using least significant nibbles 2a02:04e8:00de:1000:5b6d:0a0 3 :0000:0001 2a02:04e8:00de:1000:5b6d:0a0 7 :0000:0001 2a02:04e8:00de:1000:5b6d:0a0 8 :0000:0001 2a02:04e8:00de:1000:5b6d:0a0 9 :0000:0001 2a02:04e8:00de:1000:5b6d:0a0 a :0000:0001 2a02:04e8:00de:1000:5b6d:0a0 b :0000:0001 (Actual Seeds) Find dense ranges not dense prefixes 9

  10. Motivation 4 ● Whats going on here? 2800:0240:0001: 0021 :face:b00c:0000:00a7 2800:0240:0001: 0022 :face:b00c:0000:00a7 2800:0240:0001: 0023 :face:b00c:0000:00a7 2800:0240:0001: 0024 :face:b00c:0000:00a7 2800:0240:0001: 0026 :face:b00c:0000:00a7 2800:0240:0001: 0029 :face:b00c:0000:00a7 2800:0240:0001: 002a :face:b00c:0000:00a7 2800:0240:0001: 002d :face:b00c:0000:00a7 (Actual Seeds) | 64-bit host ID | Do not rely on domain knowledge 10

  11. What don’t we do ● Rely on known patterns or strategies ● Reverse engineer allocation patterns ● Set algorithmic parameters ○ E.g. No notion /64 is significant, ○ no “arbitrary” thresholds 11

  12. 6Gen 12

  13. Strategy ● Select ranges of addresses local to the seeds ● Target the most promising ranges first (high density) ● Expand these ranges to encourage discovery ● Sole parameter: “probe budget” 13

  14. Generating Ranges Create a range 2::a 2::b 2::[0-f] 2::? Grow a Range 2::1:? 2::2:b 2::[0-f]:[0-f] 2::?:? 14

  15. “Tight” vs “Loose” Ranges 2::3 2::5 2::9 2::[3-9] Discovery space of 4 2::? -> 2::[0-f] Discovery space of 13 Uses more probes, but increases opportunity 15

  16. Growing Ranges Grow ranges incrementally to support granular budget levels Compute change in size with Hamming distance 2::a Hamming distance 1 2::b (2::? is 16 1 times larger than 2::a) 2::1:? Hamming distance 1 2::2:b 16

  17. Example Seed Closest Dist Range Density 3/16 1 2::1 2::2 1 2::? 2::1 8/16 4 2::ffff 4 2::???? 2::2 2::3 2::1:1 2::1:2 2::a0 2::b1 2::c3 2::ffff 2::dddd 17

  18. Cost: 16 Example Seed Closest Dist Range Density Output: 3/16 1 2::1 2::2 1 2::? 2::1 2::ffff 4 2::???? - 2::? 2::2 2::1:1 2::1:2 1 2::1:? 2/16 1 2::3 2::1:1 2::a0 2::b1 2 2::?? 3/16 2 2::1:2 2/16 4 2::ffff 2::dddd 4 2::???? 2::a0 ... 2::b1 2::c3 2::ffff 2::dddd 18

  19. Example Seed Closest Dist Range Density Output: 6/16 2 2::? 2::a0 1 2::?? 2::1 2::? 5/16 2 2::1:1 1 2::?:? 2::2 2::3 2::1:1 2::1:? 2::1:2 2::a0 2::b1 2::c3 2::ffff 2::dddd 19

  20. Example Seed Closest Dist Range Density Output: 6/16 2 2::? 2::a0 1 2::?? 2::1 2::? 5/16 2 2::1:1 1 2::?:? 2::2 2::1:? 2::1 1 2::?:? 5/16 2 2::3 2::1:1 2::1:? 2::a0 2::b1 2 2::?? 3/16 2 2::1:2 2/16 4 2::ffff 2::dddd 4 2::???? 2::a0 ... 2::b1 2::c3 2::ffff 2::dddd 20

  21. Cost: 16 2 + 16 = 272 Example Seed Closest Dist Range Density Output: 6/16 2 2::? 2::a0 1 2::?? 2::1 2::? 2::?? 5/16 2 2::1:1 1 2::?:? 2::2 2::1:? 2::1 1 2::?:? 5/16 2 2::3 2::1:1 2::1:? 2::a0 2::b1 2 2::?? 3/16 2 2::1:2 2/16 4 2::ffff 2::dddd 4 2::???? 2::a0 ... 2::b1 2::c3 2::ffff 2::dddd 21

  22. Evaluation 1. ~3M DNS AAAA seeds from Rapid7 ○ ~ 8K routes prefixes* ○ ~ 7K ASes 2. Run 6Gen on each routed prefix (1M budget per prefix) 3. Convert list of target ranges to addresses (~6B targets)** 4. Probe addresses on tcp/80 (SYN scan) Post talk note: *In the talk I mentioned that this total is for prefixes with 2 or more seeds. In the paper we do not remove prefixes with one seed and report this number as 10,038. **I mention in the talk that this total is less than 8B because 6Gen does not always generate 1M targets. 22

  23. Where are the dynamic nybbles? | Prefix | Subnet | 64-bit host Identifier | 23

  24. Evaluation ~55 million responses from ~6B probes ● ~30 Million from Akamai ● ~20 Million from Amazon Encounter large blocks of responsive addresses ● E.g., Akamai has “active” /56s 24

  25. How can we quickly detect large active regions? Randomly probe each /96 -> 2 32 possible addresses Filter removed { 10.0 M / 10.2 M } /96s from 138 ASes Manually removed two additional ASes (after /96 filtering) /96 filter + manual inspection removed 98% of hits 25

  26. Filtered Results Hits by Number of Seeds ~ 1M new (non-seed) responses ~ 3K routed prefixes ~ 2K Ases New addresses for ~40% of prefixes* Post talk note: *In the talk I mentioned that this percentage is for prefixes with 2 or more seeds. In the paper we do not exclude prefixes with one seed and report this metric as 28%. 26

  27. Future Work Better detection of “active” blocks Adaptive Scanning ● Density validation ● Pattern recognition for ranges 27

  28. Thank You Austin Murdock austinmurdock@berkeley.edu @austinkarch 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning Vulnerability Mitigation with Internet wide Scanning J. Alex Halderman Mining Your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir

640 views • 53 slides
Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Internet-Wide Network Studies Previous research has shown promise of Internet-wide surveys Mining

Fast Internet-Wide Scanning, ZMap Weak Keys and the HTTPS Certificate Ecosystem Zakir Durumeric Michael Bailey University of Michigan ZMap: Fast Internet-Wide Scanning, Weak Keys, and the HTTPS Certificate Ecosystem Zakir Durumeric

491 views • 46 slides
Internet-Wide Scanning and its Measurement Applications Zakir Durumeric University of Michigan

Internet-Wide Scanning and its Measurement Applications Zakir Durumeric University of Michigan

Internet-Wide Scanning and its Measurement Applications Zakir Durumeric University of Michigan RIPE 68 - Measurement, Analysis and Tools Working Group 15 May 2014 Golden Age of Internet Scanning As of the last year, it is now possible to scan

865 views • 23 slides
Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN

Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN

Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN Technologies Agenda Challenges for mapping the IPv6 Internet Some approaches to smarter scanning CIDR++ Registry information

736 views • 26 slides
IPv6 Tarik Cicic University of Oslo December 2001 Overview New generation IP protocol

IPv6 Tarik Cicic University of Oslo December 2001 Overview New generation IP protocol

IPv6 Tarik Cicic University of Oslo December 2001 Overview New generation IP protocol (IPv6): why do we need it support for new Internet services discussion 2 Internet technology Users Idea: exchange of information

422 views • 6 slides
IPv6 - The Next Generation Internet Subnetting and Classless Inter-domain Routing (CIDR)

IPv6 - The Next Generation Internet Subnetting and Classless Inter-domain Routing (CIDR)

IPv6 - The Next Generation Internet Subnetting and Classless Inter-domain Routing (CIDR) improve utilization of IP address space and slow growth of routing information, but at some point, they will not be sufficient more than 32 bits

579 views • 18 slides
Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6 Global allocations by RIR APNIC 337 21% RIPENCC 737 45% ARIN 438 LACNIC AFRINIC 27% 87 37 5% 2% Unit: IPv6 pref i x 3 IPv6

603 views • 24 slides
ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University

ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University

Fast Internet-Wide Scanning ZMap and its Security Applications Zakir Durumeric Eric Wustrow J. Alex Halderman University of Michigan ZMap: Fast Internet-Wide Scanning and its Security Applications Internet-Wide Network Studies Previous

655 views • 32 slides
Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet

Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet

Mobile Ad-hoc Network WIDE project/KEIO University ryuji@sfc.wide.ad.jp ToC Global Internet Connectivity MANET/NEMO integration IPv6 Support on MANET MANET on the Internet Where can MANET be deployed in our daily life?

564 views • 27 slides
Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima

Toward the IPv6 Mobile Internet The 7th TWNIC IP OPM November 23, 2006 Keiichi Shima &lt;keiichi@iijlab.net&gt; Internet Initiative Japan Inc. / WIDE Project PROJECT Background Widely deployed Internet Available in

658 views • 34 slides
Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com When will IPv6-only deployment happen? Hypothesis 1 1st node is All IPv4 nodes dual-stack speak also IPv6 IPv4-only IPv4 &amp; IPv6 IPv6-only

675 views • 25 slides
Internet Protocol Version 6 (IPv6): North American IPv6 Summit April 10, 2012 Steven Pirzchalski

Internet Protocol Version 6 (IPv6): North American IPv6 Summit April 10, 2012 Steven Pirzchalski

Department of Veterans Affairs Internet Protocol Version 6 (IPv6): North American IPv6 Summit April 10, 2012 Steven Pirzchalski Director, Enterprise Transport Services VA IPv6 Transition Manager Outreach Chair, Federal IPv6 Task Force Major

382 views • 13 slides
Mobility Activity in WIDE Keio University/WIDE Ryuji Wakikawa ryuji@sfc.wide.ad.jp Goal of

Mobility Activity in WIDE Keio University/WIDE Ryuji Wakikawa ryuji@sfc.wide.ad.jp Goal of

Mobility Activity in WIDE Keio University/WIDE Ryuji Wakikawa ryuji@sfc.wide.ad.jp Goal of Mobility Society IPv6 AAA IP dynamic network: MANET Internet Technology IP Telephony: VoIP, SIP, ENUM IP Mobility: MIP, NEMO Cell Phone: W-CDMA,

328 views • 17 slides
The Internet Protocol (IP) Part 2: IPv6 JeanYves Le Boudec Fall 2009 1 1 Contents 1. IPv6

The Internet Protocol (IP) Part 2: IPv6 JeanYves Le Boudec Fall 2009 1 1 Contents 1. IPv6

COLE POLYTECHNIQUE FDRALE DE LAUSANNE The Internet Protocol (IP) Part 2: IPv6 JeanYves Le Boudec Fall 2009 1 1 Contents 1. IPv6 2. NATs 3. Interworking IPv4 / IPv6 4. Routing Implications 5. Recap Some slides come from:

911 views • 73 slides
IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan,

IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan,

IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan, Inc. / KAME Project Keiichi SHIMA &lt;keiichi@iij.ad.jp&gt; Contents Why do we use IPv6? IPv6 Addresses Link-layer address resolution

1.55k views • 116 slides
IPv6 Implications for TCP/UDP Port Scanning Tim Chown tjc@ecs.soton.ac.uk IETF 65, March 23rd

IPv6 Implications for TCP/UDP Port Scanning Tim Chown tjc@ecs.soton.ac.uk IETF 65, March 23rd

IPv6 Implications for TCP/UDP Port Scanning Tim Chown tjc@ecs.soton.ac.uk IETF 65, March 23rd 2006 Dallas, TX draft-chown-v6ops-port-scanning-implications-02 Rationale The goals of the document are currently to Note the properties of

635 views • 6 slides
District Plans to Address Educational Equity: Findings from Worlds Best Workforce Summary Scan

District Plans to Address Educational Equity: Findings from Worlds Best Workforce Summary Scan

District Plans to Address Educational Equity: Findings from Worlds Best Workforce Summary Scan Minnesota Department of Education 5/17/2019 MDE introduction and context Agenda 1. Welcome and introductions 2. Overview of REL Midwest 3.

1.03k views • 68 slides
BitWeaving: Fast Scans for Main Memory Data Processing Yinan Li and Jignesh M. Patel University

BitWeaving: Fast Scans for Main Memory Data Processing Yinan Li and Jignesh M. Patel University

BitWeaving: Fast Scans for Main Memory Data Processing Yinan Li and Jignesh M. Patel University of Wisconsin-Madison Motivation - Example TPC-H Query 6 SELECT SUM(l_extendedprice * l_discount) FROM lineitem WHERE l_shipdate BETWEEN Date

861 views • 82 slides
Feasibility of Periodic Scan Schedules Ants PI Meeting, Seattle, May 2000 Bruno Dutertre System

Feasibility of Periodic Scan Schedules Ants PI Meeting, Seattle, May 2000 Bruno Dutertre System

SRI System Design Laboratory Feasibility of Periodic Scan Schedules Ants PI Meeting, Seattle, May 2000 Bruno Dutertre System Design Laboratory SRI International e-mail: bruno@sdl.sri.com 1 SRI System Design Laboratory Scan Scheduling Scan

267 views • 11 slides
Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms

Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms

Prefix sums on GPUs Bruce Merry Definition and Applications Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms Bruce Merry Kogge-Stone Brent-Kung GPU Strategies Department of Computer Science,

1.13k views • 88 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
Domestic Scan 17-01 Successful Approaches for the Use of Unmanned Aerial Systems (UAS) by

Domestic Scan 17-01 Successful Approaches for the Use of Unmanned Aerial Systems (UAS) by

NCH NCHRP 2 P 20-68A 68A US Do Domes estic S Scan P Program Domestic Scan 17-01 Successful Approaches for the Use of Unmanned Aerial Systems (UAS) by Surface Transportation Agencies Findings, Conclusions and Recommendations

315 views • 17 slides
Spiral scanning of keV electrons: applications in picosecond photon sensors A. Margaryan, R.

Spiral scanning of keV electrons: applications in picosecond photon sensors A. Margaryan, R.

Spiral scanning of keV electrons: applications in picosecond photon sensors A. Margaryan, R. Ajvazyan, H. Elbakyan, L. Gevorgian, V. Kakoyan Yerevan Physics Institute, Armenia J. Annand Department of Physics and Astronomy, University of

475 views • 21 slides
Twin Valley Roundtable March 12, 2020 A Look Ahead Calendar 13-17 th ~ Spring Exploration

Twin Valley Roundtable March 12, 2020 A Look Ahead Calendar 13-17 th ~ Spring Exploration

Did you sign the attendance sheet? or Scan Here! Twin Valley Roundtable March 12, 2020 A Look Ahead Calendar 13-17 th ~ Spring Exploration Camp, Week 2 March 17-18 th ~ Wente Work Weekend 4 th ~ BALOO &amp; Introduction to

896 views • 41 slides

More recommend