Chong Liu,Ruixiang Li,Fuxiang Yuan,Shichang Ding,Yan Liu,Xiangyang Luo

DOI: https://doi.org/10.1109/tnsm.2024.3400864

2024-08-25

IEEE Transactions on Network and Service Management

Abstract:IP scanning is crucial for network management and security. However, the brute-force scanning is infeasible in IPv6 networks due to the vast address space. Consequently, target generation algorithms (TGAs) have become necessary to address this issue. Nevertheless, existing algorithms often struggle with low hit rates due to coarse-grained pattern mining. To address this problem, we propose 6Subpattern, a target generation algorithm based on subpattern analysis for Internet-wide IPv6 scanning. 6Subpattern first clusters seeds into high-density regions according to the seed structure information. Subsequently, pattern mining and subpattern analysis are carried out in these regions. Different from previous works, 6Subpattern can obtain all fine-grained patterns while automatically avoiding the influence of outlier addresses and the quandary of setting heuristic thresholds through subpattern analysis. Moreover, pattern refining is conducted based on the distribution of nibbles in address regions to further narrow the scanning space. Finally, targets are effectively generated according to the density of the patterns. Experimental results on real-world networks demonstrate that the address patterns discovered by 6Subpattern provide a superior scanning space than existing algorithms. Further results of hit rates on nine candidate seed sets reveal that 6Subpattern can achieve a 53%-315% improvement over the static TGAs on all seed sets and achieve a 15%-25% improvement on all randomly sampled seed sets compared with dynamic TGAs in Internet-wide IPv6 scanning.

computer science, information systems

Guanglei Song,Lin He,Zhiliang Wang,Jiahai Yang,Tao Jin,Jieling Liu,Guo Li

DOI: https://doi.org/10.1109/iwqos49365.2020.9212980

2020-01-01

Abstract:Fast IPv4 scanning has made sufficient progress in network measurement and security research. However, it is infeasible to perform brute-force scanning of the IPv6 address space. We can find active IPv6 addresses through scanning candidate addresses generated by the state-of-the-art algorithms, whose probing efficiency of active IPv6 addresses, however, is still very low. In this paper, we aim to improve the probing efficiency of IPv6 addresses in two ways. Firstly, we perform a longitudinal active measurement study over four months, building a high-quality dataset called hitlist with more than 1.3 billion IPv6 addresses distributed in 45.2k BGP prefixes. Different from previous work, we probe the announced BGP prefixes using a pattern-based algorithm, which makes our dataset overcome the problems of uneven address distribution and low active rate. Secondly, we propose an efficient address generation algorithm DET, which builds a density space tree to learn high-density address regions of the seed addresses in linear time and improves the probing efficiency of active addresses. On the public hitlist and our hitlist, we compare our algorithm DET against state-of-the-art algorithms and find that DET increases the de-aliased active address ratio by 10%, and active address (including aliased addresses) ratio by 14%, by scanning 50 million addresses.

Liang Jiao,Yujia Zhu,Wenxiu Zhang,Lei Zhao,Yi Zhou,Qingyun Liu

DOI: https://doi.org/10.1109/cscwd61410.2024.10580769

2024-01-01

Abstract:Global IPv6 scanning has always been a challenge for researchers because of the limited network speed and computational power. In this paper, we introduce 6GAI to implement more efficient target address generation. 6GAI is built with Generative Adversarial Net (GAN) integrated with Convolutional Bottleneck Attention Module (CBAM). 6GAI allows the discriminative net to leak generated address’s high-level features extracted by CBAM to the generative net, while the generative net incorporates such informative signals into all generation steps through an additional Manger module, which takes the extracted features of current generated address nybbles and outputs a latent vector to guide the Worker module for active IPv6 address generation. This work outperformed the state-of-the-art target generation algorithms on two datasets including one public dataset and one independently collected dataset.

Guanglei Song,Lin He,Feiyu Zhu,Jinlei Lin,Wenjian Zhang,Linna Fan,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2024.3406508

2024-01-01

Abstract:Fast Internet-wide scanning is essential for network situational awareness and asset evaluation. However, the vast IPv6 address space makes brute-force scanning infeasible. Despite advancements in state-of-the-art methods, they do not work in seedless regions and suffer low detection efficiency and speed in regions with known active IPv6 addresses (i.e., seed addresses). Moreover, the collected active address list (i.e., IPv6 hitlist) with low coverage cannot truly represent the active IPv6 address landscape of the Internet. This paper introduces, a fast, efficient, and comprehensive global active IPv6 address detection system. We design a systematic active IPv6 address detection strategy that divides the IPv6 space into two detection scenarios based on the presence or absence of seed addresses to discover active IPv6 addresses from scratch and from few to many. In the seedless regions, we present, leveraging a multi-level association policy to probe active addresses. It fills the gap of address detection in seedless regions and successfully discovers active addresses in 39,899 BGP prefixes without seed addresses, with a 1.03 x higher hit rate, 30 similar to 911 x higher speed, and 2.7 x broader coverage, compared to existing solutions. In the regions with seed addresses, our method dynamically generates target addresses using reinforcement learning. Compared to state-of-the-art methods, achieves an impressive 56.3% hit rate and a discovery speed of 839.0/s, which is 1.9 similar to 2153 x and 1.5 similar to 755 x of existing works, respectively. Finally, we deploy and discover 2.1B active IPv6 addresses, including 1.7B de-aliased active addresses and 0.4B aliased addresses, through continuous probing for three years.

Zhichao Zhang,Zhaoxin Zhang,Yanan Cheng,Ning Li

2024-01-13

Abstract:The discovery of active IPv6 addresses represents a pivotal challenge in IPv6 network survey, as it is a prerequisite for downstream tasks such as network topology measurements and security analysis. With the rapid spread of IPv6 networks in recent years, many researchers have focused on improving the hit rate, efficiency, and coverage of IPv6 scanning methods, resulting in considerable advancements. However, existing approaches remain heavily dependent on seed addresses, thereby limiting their effectiveness in unseeded prefixes. Consequently, this paper proposes 6Rover, a reinforcement learning-based model for active address discovery in unseeded environments. To overcome the reliance on seeded addresses, 6Rover constructs patterns with higher generality that reflects the actual address allocation strategies of network administrators, thereby avoiding biased transfers of patterns from seeded to unseeded prefixes. After that, 6Rover employs a multi-armed bandit model to optimize the probing resource allocation when applying patterns to unseeded spaces. It models the challenge of discovering optimal patterns in unseeded spaces as an exploration-exploitation dilemma, and progressively uncover the potential patterns applied in unseeded spaces, leading to the efficient discovery of active addresses without seed address as the prior knowledge. Experiments on large-scale unseeded datasets show that 6Rover has a higher hit rate than existing methods in the absence of any seed addresses as prior knowledge. In real network environments, 6Rover achieved a 5% - 8% hit rate in seedless spaces with 100 million budget scale, representing an approximate 200\% improvement over the existing state-of-the-art methods.

Networking and Internet Architecture

Guanglei Song,Jiahai Yang,Lin He,Zhiliang Wang,Guo Li,Chenxin Duan,Yaozhong Liu,Zhongxiang Sun

2022-01-01

Abstract:Fast Internet-wide scanning is essential for network situational awareness and asset evaluation. However, the vast IPv6 address space makes brute-force scanning infeasible. Although state-of-the-art techniques have made effective attempts, these methods do not work in seedless regions, while the detection efficiency is low in regions with seeds. Moreover, the constructed hitlists with low coverage cannot truly represent the active IPv6 address landscape of the Internet. This paper introduces AddrMiner, a systematic and comprehensive global active IPv6 address probing system. We divide the IPv6 address space regions into three kinds according to the number of seed addresses to discover active IPv6 addresses from scratch, from few to many. For the regions with no seeds, we present AddrMiner-N, leveraging an organization association strategy to mine active addresses. It fills the gap of address probing in seedless regions and finds active addresses covering 86.4K IPv6 prefixes announced by BGP, accounting for 81.6% of the probed announced prefixes. For the regions with few seeds, we propose AddrMiner-F, utilizing a similarity matching strategy to probe active addresses further. The hit rate of active address probing is improved by 70%-150% compared to existing algorithms. Moreover, for the regions with sufficient seeds, we present AddrMiner-S to generate target addresses based on reinforcement learning dynamically. It nearly doubles the hit rate compared to the state-of-the-art algorithms. Finally, we deploy AddrMiner and discover 2.1 billion active IPv6 addresses, including 1.7 billion de-aliased active addresses and 0.4 billion aliased addresses, through continuous probing for 13 months. We would like to further open the door of IPv6 measurement studies by publicly releasing AddrMiner and sharing our data.

Guanglei Song,Jiahai Yang,Zhiliang Wang,Lin He,Jinlei Lin,Long Pan,Chenxin Duan,Xiaowen Quan

DOI: https://doi.org/10.1109/tnet.2022.3145040

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Fast IPv4 scanning significantly improves network measurement and security research. Nevertheless, it is infeasible to perform brute-force scanning of the IPv6 address space. Alternatively, one can find active IPv6 addresses through scanning the candidate addresses generated by state-of-the-art algorithms. However, the probing efficiency of such algorithms is often very low. In this paper, our objective is to improve the probing efficiency of IPv6 addresses. We first perform a longitudinal active measurement study and build a high-quality dataset, hitlist, including more than 1.95B IPv6 addresses distributed in 58.2K BGP prefixes and collected over 17 months period. Different from the previous works, we probe the announced BGP prefixes using a pattern-based algorithm. This results in a dataset without uneven address distribution and low active rates. Further, we propose an efficient address generation algorithm, DET, which builds a density space tree to learn high-density address regions of the seed addresses with linear time complexity and improves the active addresses’ probing efficiency. We then compare our algorithm DET against state-of-the-art algorithms on the public hitlist and our hitlist by scanning 50M addresses. Our analysis shows that DET increases the de-aliased active address ratio and active address (including aliased addresses) ratio by 10%, and 14%, respectively. Furthermore, we develop a fingerprint-based method to detect aliased prefixes. The proposed method for the first time directly verifies whether the prefix is aliased or not. Our method finds that 10.64% of the public aliased prefixes are false positive.

LI Guo,HE Lin,SONG Guanglei,WANG Zhiliang,YANG Jiahai,LI Zimu

DOI: https://doi.org/10.11959/j.issn.1000-0801.2019296

2019-01-01

Abstract:Nowadays,the state-of-the-art technologies can spend a very short time to scan the whole IPv4 space,but these methods cannot be applied to the huge IPv6 space easily.Therefore,many researchers propose different heuristic algorithms for the sake of IPv6 scanning.The common way of these algorithms is to input collected IPv6 seed addresses and output new most likely active IPv6 addresses as candidates for later scanning.These methods greatly reduce the scanning range of the active address area.These technologies based on seed addresses were classified,analyzed and summarized,and detailed analysis of the advantages and disadvantages of each method was given.And the several challenges faced by the methods were discussed.73M seed addresses were collected in total from two sources,including published IPv6 datasets in papers and Beijing Node of China Education and Research Network.Through the proposed experiments,time performance and hit rate of four IPv6 address scanning technologies based on seed addresses was compared.Finally,the own thoughts on this field and some future research directions were proposed.

Xue Chen,Weiwei Shi,Jieyan Liu,Mengshu Hou,Yujun Li

DOI: https://doi.org/10.1145/3625403.3625426

2023-01-01

Abstract:Network management such as topology discovery and network diagnosis needs to be scanned based on the Internet, and the IPV6 address space is huge and it is difficult to perform global scanning. The existing IPV6 target generation method has a low hit rate, mainly because the spatial division of the address is not accurate enough. We propose an IPV6 address prediction method based on community discovery algorithm, which is called 6Community. 6Community first uses the community discovery algorithm to divide the address space, so that similar addresses can be divided into an address area, and then performs anomaly detection on the divided address space, and re-divides the space. Finally, the obtained address patterns are pre-detected to filter out low-quality address patterns and reduce the size of address scanning space, so as to accelerate the speed of address prediction and increase the hit rate of address prediction. We conducted experiments on three data sets. The results show that compared with the existing methods, the IPV6 address hit rate generated by 6Community is improved, which can reach 13.2% -33.5%. At the same time, the results show that the scanning space obtained by this method is reduced, and the abnormal points in the process of experiment are also reduced.

Tianyu Cui,Gaopeng Gou,Peipei Fu,G. Xiong,Chang Liu,Zhen Li

DOI: https://doi.org/10.1109/INFOCOM42981.2021.9488912

2021-05-10

Abstract:Global IPv6 scanning has always been a challenge for researchers because of the limited network speed and computational power. Target generation algorithms are recently proposed to overcome the problem for Internet assessments by predicting a candidate set to scan. However, IPv6 custom address configuration emerges diverse addressing patterns discouraging algorithmic inference. Widespread IPv6 alias could also mislead the algorithm to discover aliased regions rather than valid host targets. In this paper, we introduce 6GAN, a novel architecture built with Generative Adversarial Net (GAN) and reinforcement learning for multi-pattern target generation. 6GAN forces multiple generators to train with a multi-class discriminator and an alias detector to generate non-aliased active targets with different addressing pattern types. The rewards from the discriminator and the alias detector help supervise the address sequence decision-making process. After adversarial training, 6GAN’s generators could keep a strong imitating ability for each pattern and 6GAN’s discriminator obtains outstanding pattern discrimination ability with a 0.966 accuracy. Experiments indicate that our work outperformed the state-of-the-art target generation algorithms by reaching a higher-quality candidate set.

Computer Science,Engineering

Xiang Li,Baojun Liu,Xiaofeng Zheng,Haixin Duan,Qi Li,Youjun Huang

DOI: https://doi.org/10.1109/DSN48987.2021.00025

2021-01-01

Abstract:Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bit address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now. To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery's packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP's and home routers with an amplification factor of \gt 200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

Chenhuan Liu,Qiankun Liu,Shanshan Hao,CongXiao Bao,Xing Li

DOI: https://doi.org/10.1007/978-3-030-78612-0_19

2021-01-01

Abstract:The state of the network can be reflected by the background traffic. Negative network measurements can be a very important way to understand the Internet. I would like to express appreciation to CERNET, who provided us with an IPv6 address space allocated but not a fully used network. By announcing a large /20 covering prefixes on this address, we have published routing information on China's domestic education network, business network, and foreign education network. Based on the honeypot method, we collect relative traffic at the last hop router of the experiment network. Thus, we make our experiment environment a network telescope. We discover that background radiation traffic grew more rapidly than it was years ago under the current ipv6 network situation. Moreover, suspicious IPv6 address scanning traffic shows up. We classify and analyze the traffic and classify all the source addresses and destination addresses. We found that the source addresses are mainly from Asian countries. In particular, we conduct further detection and monitor on the suspicious source addresses. We analyze the time when it appears and what it scans, including the destination address and the port type. The most interesting destination ports to the outside world are mainly 80, 8080, 443, 53, 21, 22, 23, and 25, which are related to web services and host system applications. We explain most of the data and highlight the significant attributes of the data. We found several special addresses scanning our address segment periodically. Our work reveals the situation and the problem under the current IPv6 network situation.

Miao Li,Jiahai Yang,Changqing An,Chenxi Li,Fuliang Li

DOI: https://doi.org/10.1109/ISCC.2013.6755004

2013-01-01

Abstract:As a crucial function of network management, network topology discovery provides a basis for lots of network analysis, such as network monitoring and performance management, etc. With the undergoing deployment of IPv6, the importance of precise topology discovery method in IPv6 networks becomes more and more evident. However, IPv6 network topology discovery faces new challenges due to different characteristics between IPv4 and IPv6, and the lack of well support of IPv6 related MIBs from device manufacturers in current state. At present, there are no well-accepted topology discovery methods for pure IPv6 networks with high accuracy, high coverage and less reliance on network configuration and device support. In this paper, we propose an IPv6 network topology discovery solution combining the advantages of two discovery methods, based on ICMP and routing protocol respectively. We model the mapping process of topology results from the two methods above into a graph mapping problem, which is the key point of the entire solution, and design novel mapping algorithms. We focus on the mapping coverage and accuracy and validate the mapping algorithms by large scale simulation. We also implement and test the proposed algorithms on the real network CERNET2. The experiments and simulation results verify the practicability and excellent performance of our solutions, with 100% discovery accuracy and over 99% discovery coverage while spending less time and producing lower overhead.

Hammas Bin Tanveer,Rachee Singh,Paul Pearce,Rishab Nithyanand

DOI: https://doi.org/10.48550/arXiv.2210.02522

2022-10-06

Abstract:In this work we identify scanning strategies of IPv6 scanners on the Internet. We offer a unique perspective on the behavior of IPv6 scanners by conducting controlled experiments leveraging a large and unused /56 IPv6 subnet. We selectively make parts of the subnet visible to scanners by hosting applications that make direct or indirect contact with IPv6- capable servers on the Internet. By careful experiment design, we mitigate the effects of hidden variables on scans sent to our /56 subnet and establish causal relationships between IPv6 host activity types and the scanner attention they evoke. We show that IPv6 host activities e.g., Web browsing, membership in the NTP pool and Tor network, cause scanners to send a magnitude higher number of unsolicited IP scans and reverse DNS queries to our subnet than before. DNS scanners focus their scans in narrow regions of the address space where our applications are hosted whereas IP scanners broadly scan the entire subnet. Even after the host activity from our subnet subsides, we observe persistent residual scanning to portions of the address space that previously hosted applications

Networking and Internet Architecture

Ronghua Liang,Hai Zhuge,Xiaorui Jiang,Qiang Zeng,Xiaofei He

DOI: https://doi.org/10.1109/tkde.2014.2310207

IF: 9.235

2014-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Graphs are becoming increasingly dominant in modeling real-life networked data including social and biological networks, the WWW and the Semantic Web, etc. Graph pattern queries are useful for gathering information with expressive semantics from these graph-structured data. Current methods for graph pattern query processing have performance deficiency caused by inefficiencies of the underlying reachability index and costly merge-join operations on huge amounts of tuple-formatted intermediate results. To overcome the above problems, this paper contributes in the following aspects to boost graph pattern query evaluation. First, we propose an improved hop-based reachability indexing scheme 3-Hop which gains faster reachability query evaluation, less indexing costs and better scalabilities than state-of-the-art hop-based methods. Second, we propose a two-stage node filtering algorithm based on 3-Hop to answer tree pattern queries more efficiently. Tree pattern queries serve as the underlying facility for graph pattern query evaluation. Furthermore, we use a graph representation of the intermediate results during node filtering and final results enumeration. Experiments on real-life and synthetic datasets demonstrate the effectiveness of the proposed methods.

Qiankun Liu,Xing Li

DOI: https://doi.org/10.1109/iscc58397.2023.10218311

2023-01-01

Abstract:Active network scanning in IPv6 is hindered by the vast address space of IPv6. Researchers have proposed various target generation methods, which are proved effective for reducing scanning space, to solve this problem. However, the current landscape of address generation methods is characterized by either low hit rates or limited applicability. To overcome these limitations, we propose 6Former, a novel target generation system based on Transformer. 6Former integrates a discriminator and a generator to improve hit rates and overcome usage scenarios limitations. Our experimental findings demonstrate that 6Former improves hit rates by a minimum of 38.6% over state-of-the-art generation approaches, while reducing time consumption by 31.6% in comparison to other language model-based methods.

Fuliang Li,Changqing An,Jiahai Yang,Jianping Wu,Hui Zhang

DOI: https://doi.org/10.1016/j.comcom.2013.09.014

IF: 5.047

2014-01-01

Computer Communications

Abstract:Our understanding of IPv6 traffic cannot keep up with the growth of IPv6 traffic. Unraveling the characteristics of traffic is essential for network scale expansion, network technology selection, network management and security enhancement. In this paper, we conduct a comprehensive study of IPv6 traffic based on the packet-level traces of a nation-wide pure IPv6 network - CERNET2, and track user behaviors in 6TUNET, one of the largest campus network in CERNET2, by binding IP address with user name. We first analyze the usage and development of IPv6 network, especially user behaviors and new technologies, e.g. the efficiency of fine-grained source address validation technology which is widely deployed in CERNET2. Then we investigate the distribution of the aggregate traffic and the results reveal that traffic distribution is highly skewed among protocols, ports, applications and hosts. We pay particular attention to dominating protocols, ports, applications and hosts, as well as special protocols of IPv6 network, e.g. the usage of extension headers, which supplement the simplified basic header of IPv6. At last, we model the skewness in traffic distribution and present the dynamics of the traffic from the aspects of traffic prediction and inference. Based on the analysis, we obtain a comprehensive knowledge of IPv6 traffic which, we believe, can provide an experimental basis for IPv6 network operators and researchers.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.3837/tiis.2014.04.009

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.

Shaojun Huang,Changqing An,Hui Wang,Jiahai Yang

DOI: https://doi.org/10.1007/978-3-540-88623-5_26

2008-01-01

Abstract:The most important challenge faced by current IPv6 networks is to attract more users. Our data analysis of traces from exit points of CERNET2 shows that the traffic in this network has increased a lot during last five months. In this paper, we try to find the incentives of IPv6 users by identifying host communities and studying their properties. We reveal that popular services on CERNET2 are Web, FTP and VOD. FTP and VOD are the killer applications in terms of traffic volume while Web produces the largest number of flows. By analyzing behaviors of end hosts, we discover that hosts form many communities. These communities have different flow-level topologies and various interests in services. Using IPv6 prefixes assignment data, we perform demographic study of IPv6 usage. By presenting CERNET2 usage from various perspectives, we believe this study provides insight into further deployment of IPv6.

Lei Gao,Jiahai Yang,Hui Zhang,Donghong Qin,Bin Zhang

DOI: https://doi.org/10.1109/noms.2012.6211949

2012-01-01

Abstract:With IPv4 addresses quickly dwindling, the Internet is forcing an evolution of itself. During the long term transition from IPv4 to IPv6, what's going on in IPv6 world becomes unknown for network operators and researchers. In this paper, we propose a heuristic algorithm to identify p2p traffic accurately and implement traffic classification based on Netflow v9 exports to illustrate what applications Chinese IPv6 users are really running. Additionally, we present a detailed study of p2p traffic over IPv6 and advice ISPs to localize p2p traffic at the AS level for future IPv6 traffic management and network resources planning, leaving modeling traffic behavior and deeper classification of IPv6 traffic as our future work.