Enumerating Active IPv6 Hosts for Large-scale Security Scans via DNSSEC-signed Reverse Zones

Kevin Borgolte, Shuang Hao, Tobias Fiebig, Giovanni Vigna

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

12 Citations (Scopus)
42 Downloads (Pure)

Abstract

Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2^96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts, and (iii) that unintended IPv6 connectivity is a major security issue for unaware system administrators.
Original languageEnglish
Title of host publicationProceedings of 39th IEEE Symposium on Security and Privacy (SP) 2018
PublisherIEEE
Pages1-15
Number of pages15
ISBN (Print)978-1-5386-4353-2
DOIs
Publication statusPublished - 2018
Event39th IEEE Symposium on Security and Privacy (SP) 2018 - San Francisco, United States
Duration: 21 Mar 201823 Mar 2018

Conference

Conference39th IEEE Symposium on Security and Privacy (SP) 2018
CountryUnited States
CitySan Francisco
Period21/03/1823/03/18

Fingerprint Dive into the research topics of 'Enumerating Active IPv6 Hosts for Large-scale Security Scans via DNSSEC-signed Reverse Zones'. Together they form a unique fingerprint.

Cite this