Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2^96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts...
more »
« less
Differences in Monitoring the DNS Root Over IPv4 and IPv6
The Domain Name System (DNS) is an essential service for the Internet
which maps host names to IP addresses. The DNS Root Sever System
operates the top of this namespace. RIPE Atlas observes DNS from more
than 11k vantage points (VPs) around the world, reporting the
reliability of the DNS Root Server System in DNSmon. DNSmon shows
that loss rates for queries to the DNS Root are nearly 10\% for IPv6,
much higher than the approximately 2\% loss seen for IPv4. Although
IPv6 is ``new,'' as an operational protocol available to a third of
Internet users, it ought to be just as reliable as IPv4. We examine
this difference at a finer granularity by investigating loss at
individual VPs. We confirm that specific VPs are the source of this
difference and identify two root causes: VP \emph{islands} with
routing problems at the edge which leave them unable to access IPv6
outside their LAN, and VP \emph{peninsulas} which indicate routing
problems in the core of the network. These problems account for most
of the loss and nearly all of the difference between IPv4 and IPv6
query loss rates. Islands account for most of the loss (half of IPv4
failures and 5/6ths of IPv6 failures), and we suggest these
measurement devices should be filtered out to get a more accurate
picture of loss rates. Peninsulas account for the main differences
between root identifiers, suggesting routing disagreements root
operators need to address. We believe that filtering out both of
these known problems provides a better measure of underlying network
anomalies and loss and will result in more actionable alerts.
more »
« less
- Award ID(s):
- 2007106
- NSF-PAR ID:
- 10421760
- Date Published:
- Journal Name:
- 2022 IEEE/ACM International Conference on Big Data Computing, Applications and Technologies (BDCAT)
- Page Range / eLocation ID:
- 194 to 203
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
DNS latency is a concern for many service operators: CDNs exist to reduce service latency to end-users but must rely on global DNS for reachability and load-balancing. Today, DNS latency is monitored by active probing from distributed platforms like RIPE Atlas, with Verfploeter, or with commercial services. While Atlas coverage is wide, its 10k sites see only a fraction of the Internet. In this paper we show that passive observation of TCP handshakes can measure \emph{live DNS latency, continuously, providing good coverage of current clients of the service}. Estimating RTT from TCP is an old idea, but its application to DNS has not previously been studied carefully. We show that there is sufficient TCP DNS traffic today to provide good operational coverage (particularly of IPv6), and very good temporal coverage (better than existing approaches), enabling near-real time evaluation of DNS latency from \emph{real clients}. We also show that DNS servers can optionally solicit TCP to broaden coverage. We quantify coverage and show that estimates of DNS latency from TCP is consistent with UDP latency. Our approach finds previously unknown, real problems: \emph{DNS polarization} is a new problem where a hypergiant sends global traffic to one anycast site rather than taking advantage of the global anycast deployment. Correcting polarization in Google DNS cut its latency from 100ms to 10ms; and from Microsoft Azure cut latency from 90ms to 20ms. We also show other instances of routing problems that add 100--200ms latency. Finally, \emph{real-time} use of our approach for a European country-level domain has helped detect and correct a BGP routing misconfiguration that detoured European traffic to Australia. We have integrated our approach into several open source tools: Entrada, our open source data warehouse for DNS, a monitoring tool (ANTS), which has been operational for the last 2 years on a country-level top-level domain, and a DNS anonymization tool in use at a root server since March 2021.more » « less
-
To mitigate IPv4 exhaustion, IPv6 provides expanded address space, and NAT allows a single public IPv4 address to suffice for many devices assigned private IPv4 address space. Even though NAT has greatly extended the shelf-life of IPv4, some networks need more private IPv4 space than what is officially allocated by IANA due to their size and/or network management practices. Some of these networks resort to using squat space , a term the network operations community uses for large public IPv4 address blocks allocated to organizations but historically never announced to the Internet. While squatting of IP addresses is an open secret, it introduces ethical, legal, and technical problems. In this work we examine billions of traceroutes to identify thousands of organizations squatting. We examine how they are using it and what happened when the US Department of Defense suddenly started announcing what had traditionally been squat space. In addition to shining light on a dirty secret of operational practices, our paper shows that squatting distorts common Internet measurement methodologies, which we argue have to be re-examined to account for squat space.more » « less
-
more » « less
Summary With the increasing number of Internet of Things (IoT) devices, current networking world is suffering in terms of management and operations with lack of IPv4 addresses leading to issues like network address translation (NAT) proliferation, security and quality of services. Software‐defined networking (SDN) and Internet Protocol version 6 (IPv6) are the new networking paradigms evolved to address related issues of legacy IPv4 networking. To adapt with global competitive environment and avoid all existing issues in legacy networking system, network service providers have to migrate their networks into IPv6 and SDN‐enabled networks. But immediate transformations of existing network are not viable due to several factors like higher cost of migration, lack of technical human resources, lack of standards and protocols during transitions, and many more. In this paper, we present the migration analysis for proper decision making of network transition in terms of customer demand, traffic engineering, and organizational strength with operation expenditure for network migration using evolutionary gaming approach. Joint migration to SDN‐enabled IPv6 network from game theoretic perspective is modeled and is validated using numerical results obtained from simulations. Our empirical analysis shows the evolutionary process of network migration while different internal and external factors in the organization affect the overall migration. Evolutionary game in migration planning is supportive in decision making for service providers to develop suitable strategy for their network migration. The proposed approach for migration decision making is mostly applicable to fairly sustained service providers who lack economics, regulation/policy, and resources strengths.
-
Reverse DNS (rDNS) is regularly used as a data source in Internet measurement research. However, existing work is polarized on its reliability, and new techniques to collect active IPv6 datasets have not yet been sufficiently evaluated. In this paper, we investigate active and passive data collection and practical use aspects of rDNS datasets. We observe that the share of non-authoritatively answerable IPv4 rDNS queries reduced since earlier studies and IPv6 rDNS has less non-authoritatively answerable queries than IPv4 rDNS. Furthermore, we compare passively collected datasets with actively collected ones, and we show that they enable observing the same effects in rDNS data. While highlighting opportunities for future research, we find no immediate challenges to the use of rDNS as active and passive data-source for Internet measurement research.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- https://doi.org/10.1109/BDCAT56447.2022.00036
