Shen Wenchao,Chen Yanjiao,Zhang Qianli,Chen Yang,Deng Beixing,Li Xing,Lv Guohan

DOI: https://doi.org/10.1109/CCCM.2009.5270414

2009-01-01

Abstract:Our understanding of IPv6 usage is quite limited. In this paper, we carry out a detailed analysis of Netflow records collected from a China Tier-1 ISP. Many aspects related to traffic attributes and deployment issues are investigated: application types, transitional technologies, interface identifier assignment schemes, etc. Dominating of video streaming and P2P traffic as well as the widely use of random identifiers for privacy are most peculiar characteristics in China's IPv6 networks. To have a better understanding of how IPv6 network is used, we studied users' behavior from several perspectives, such as the traffic volume produced by each user, number of applications he uses and the frequency he uses IPv6 networks. Results show that IPv6 is only effectively used by a small fraction of the users. On the whole, our study suggests that from our vantage point, China's IPv6 network is in the transitional phase from the initial experimental period to practical application. ©2009 IEEE.

ChenHuan Liu,ShanShan Hao,QianKun Liu,CongXiao Bao,Xing Li

DOI: https://doi.org/10.1109/ICEIEC51955.2021.9463724

2021-01-01

Abstract:The Internet is now in the transition stage from IPv4 to IPv6. At present, the research of IPv6 network mainly focuses on routing, addressing and security. However, there is little research on background scanning of IPv6 network. CERNET2 provides us with a 240C: C000::/20 IPv6 network which is not allocated and does not provide any network services for network experiments. We used these unused add...

Fuliang Li,Changqing An,Jiahai Yang,Jianping Wu,Hui Zhang

DOI: https://doi.org/10.1016/j.comcom.2013.09.014

IF: 5.047

2014-01-01

Computer Communications

Abstract:Our understanding of IPv6 traffic cannot keep up with the growth of IPv6 traffic. Unraveling the characteristics of traffic is essential for network scale expansion, network technology selection, network management and security enhancement. In this paper, we conduct a comprehensive study of IPv6 traffic based on the packet-level traces of a nation-wide pure IPv6 network - CERNET2, and track user behaviors in 6TUNET, one of the largest campus network in CERNET2, by binding IP address with user name. We first analyze the usage and development of IPv6 network, especially user behaviors and new technologies, e.g. the efficiency of fine-grained source address validation technology which is widely deployed in CERNET2. Then we investigate the distribution of the aggregate traffic and the results reveal that traffic distribution is highly skewed among protocols, ports, applications and hosts. We pay particular attention to dominating protocols, ports, applications and hosts, as well as special protocols of IPv6 network, e.g. the usage of extension headers, which supplement the simplified basic header of IPv6. At last, we model the skewness in traffic distribution and present the dynamics of the traffic from the aspects of traffic prediction and inference. Based on the analysis, we obtain a comprehensive knowledge of IPv6 traffic which, we believe, can provide an experimental basis for IPv6 network operators and researchers.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.1109/ICON.2012.6506590

2012-01-01

Abstract:With the exhaustion of global IPv4 address, IPv6 technologies have attracted increasing attention and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics of IPv4 networks. In this paper, we present a measurement study on the traffic features and behaviors of the users over IPv4 and IPv6 in the campus network of XJTU. We shall investigate the differences between IPv4 and IPv6 traffic features in terms of the distribution of the average packet size, flow size, flow duration, and self-similarity of the packet size and traffic volume. As to the user's behaviors, we employ the connection degree to capture the behavior characteristics and Renyi entropy to measure behavior dynamics. The experimental results based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network) indicate that there exists distinct differences between IPv4 and IPv6 traffic due to the newly-emerged applications. The analysis results provide strategic guidance for traffic management and exhibit great potential in abnormal behavior detection in next generation network.

Shaojun Huang,Changqing An,Hui Wang,Jiahai Yang

DOI: https://doi.org/10.1007/978-3-540-88623-5_26

2008-01-01

Abstract:The most important challenge faced by current IPv6 networks is to attract more users. Our data analysis of traces from exit points of CERNET2 shows that the traffic in this network has increased a lot during last five months. In this paper, we try to find the incentives of IPv6 users by identifying host communities and studying their properties. We reveal that popular services on CERNET2 are Web, FTP and VOD. FTP and VOD are the killer applications in terms of traffic volume while Web produces the largest number of flows. By analyzing behaviors of end hosts, we discover that hosts form many communities. These communities have different flow-level topologies and various interests in services. Using IPv6 prefixes assignment data, we perform demographic study of IPv6 usage. By presenting CERNET2 usage from various perspectives, we believe this study provides insight into further deployment of IPv6.

Hammas Bin Tanveer,Rachee Singh,Paul Pearce,Rishab Nithyanand

DOI: https://doi.org/10.48550/arXiv.2210.02522

2022-10-06

Abstract:In this work we identify scanning strategies of IPv6 scanners on the Internet. We offer a unique perspective on the behavior of IPv6 scanners by conducting controlled experiments leveraging a large and unused /56 IPv6 subnet. We selectively make parts of the subnet visible to scanners by hosting applications that make direct or indirect contact with IPv6- capable servers on the Internet. By careful experiment design, we mitigate the effects of hidden variables on scans sent to our /56 subnet and establish causal relationships between IPv6 host activity types and the scanner attention they evoke. We show that IPv6 host activities e.g., Web browsing, membership in the NTP pool and Tor network, cause scanners to send a magnitude higher number of unsolicited IP scans and reverse DNS queries to our subnet than before. DNS scanners focus their scans in narrow regions of the address space where our applications are hosted whereas IP scanners broadly scan the entire subnet. Even after the host activity from our subnet subsides, we observe persistent residual scanning to portions of the address space that previously hosted applications

Networking and Internet Architecture

Xiang Li,Baojun Liu,Xiaofeng Zheng,Haixin Duan,Qi Li,Youjun Huang

DOI: https://doi.org/10.1109/DSN48987.2021.00025

2021-01-01

Abstract:Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bit address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now. To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery's packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP's and home routers with an amplification factor of \gt 200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

Lei Gao,Jiahai Yang,Hui Zhang,Donghong Qin,Bin Zhang

DOI: https://doi.org/10.1109/noms.2012.6211949

2012-01-01

Abstract:With IPv4 addresses quickly dwindling, the Internet is forcing an evolution of itself. During the long term transition from IPv4 to IPv6, what's going on in IPv6 world becomes unknown for network operators and researchers. In this paper, we propose a heuristic algorithm to identify p2p traffic accurately and implement traffic classification based on Netflow v9 exports to illustrate what applications Chinese IPv6 users are really running. Additionally, we present a detailed study of p2p traffic over IPv6 and advice ISPs to localize p2p traffic at the AS level for future IPv6 traffic management and network resources planning, leaving modeling traffic behavior and deeper classification of IPv6 traffic as our future work.

Zhiyang Sun,Hui Ruan,Yixin Cao,Yang Chen,Xin Wang

DOI: https://doi.org/10.3390/fi14120353

2022-01-01

Future Internet

Abstract:With the exhaustion of IPv4 addresses, research on the adoption, deployment, and prediction of IPv6 networks becomes more and more significant. This paper analyzes the IPv6 traffic of two campus networks in Shanghai, China. We first conduct a series of analyses for the traffic patterns and uncover weekday/weekend patterns, the self-similarity phenomenon, and the correlation between IPv6 and IPv4 traffic. On weekends, traffic usage is smaller than on weekdays, but the distribution does not change much. We find that the self-similarity of IPv4 traffic is close to that of IPv6 traffic, and there is a strong positive correlation between IPv6 traffic and IPv4 traffic. Based on our findings on traffic patterns, we propose a new IPv6 traffic prediction model by combining the advantages of the statistical and deep learning models. In addition, our model would extract useful information from the corresponding IPv4 traffic to enhance the prediction. Based on two real-world datasets, it is shown that the proposed model outperforms eight baselines with a lower prediction error. In conclusion, our approach is helpful for network resource allocation and network management.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.3837/tiis.2014.04.009

2014-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.

Guanglei Song,Lin He,Zhiliang Wang,Jiahai Yang,Tao Jin,Jieling Liu,Guo Li

DOI: https://doi.org/10.1109/iwqos49365.2020.9212980

2020-01-01

Abstract:Fast IPv4 scanning has made sufficient progress in network measurement and security research. However, it is infeasible to perform brute-force scanning of the IPv6 address space. We can find active IPv6 addresses through scanning candidate addresses generated by the state-of-the-art algorithms, whose probing efficiency of active IPv6 addresses, however, is still very low. In this paper, we aim to improve the probing efficiency of IPv6 addresses in two ways. Firstly, we perform a longitudinal active measurement study over four months, building a high-quality dataset called hitlist with more than 1.3 billion IPv6 addresses distributed in 45.2k BGP prefixes. Different from previous work, we probe the announced BGP prefixes using a pattern-based algorithm, which makes our dataset overcome the problems of uneven address distribution and low active rate. Secondly, we propose an efficient address generation algorithm DET, which builds a density space tree to learn high-density address regions of the seed addresses in linear time and improves the probing efficiency of active addresses. On the public hitlist and our hitlist, we compare our algorithm DET against state-of-the-art algorithms and find that DET increases the de-aliased active address ratio by 10%, and active address (including aliased addresses) ratio by 14%, by scanning 50 million addresses.

Guanglei Song,Lin He,Feiyu Zhu,Jinlei Lin,Wenjian Zhang,Linna Fan,Chenglong Li,Zhiliang Wang,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2024.3406508

2024-01-01

Abstract:Fast Internet-wide scanning is essential for network situational awareness and asset evaluation. However, the vast IPv6 address space makes brute-force scanning infeasible. Despite advancements in state-of-the-art methods, they do not work in seedless regions and suffer low detection efficiency and speed in regions with known active IPv6 addresses (i.e., seed addresses). Moreover, the collected active address list (i.e., IPv6 hitlist) with low coverage cannot truly represent the active IPv6 address landscape of the Internet. This paper introduces, a fast, efficient, and comprehensive global active IPv6 address detection system. We design a systematic active IPv6 address detection strategy that divides the IPv6 space into two detection scenarios based on the presence or absence of seed addresses to discover active IPv6 addresses from scratch and from few to many. In the seedless regions, we present, leveraging a multi-level association policy to probe active addresses. It fills the gap of address detection in seedless regions and successfully discovers active addresses in 39,899 BGP prefixes without seed addresses, with a 1.03 x higher hit rate, 30 similar to 911 x higher speed, and 2.7 x broader coverage, compared to existing solutions. In the regions with seed addresses, our method dynamically generates target addresses using reinforcement learning. Compared to state-of-the-art methods, achieves an impressive 56.3% hit rate and a discovery speed of 839.0/s, which is 1.9 similar to 2153 x and 1.5 similar to 755 x of existing works, respectively. Finally, we deploy and discover 2.1B active IPv6 addresses, including 1.7B de-aliased active addresses and 0.4B aliased addresses, through continuous probing for three years.

Shize Zhang,Hui Zhang,Jiahai Yang,Guanglei Song,Jianping Wu

DOI: https://doi.org/10.23919/APNOMS.2019.8893136

2019-01-01

Abstract:The Internet is in the transition from IPv4 to IPv6. At present, researches on IPv6 networks mainly focus on architectural issues, such as routing, addressing, and security; there are few studies on the operational issues of IPv6 networks. Our preliminary observation shows that there are a large amount adult websites and traffic in IPv6 networks. Adult websites can damage health of teenagers and bring operational issues in IPv6 networks. This paper conducts a comprehensive measurement and analysis of the adult websites and traffic in IPv6 networks to help solve these operational issues. The data used in this paper is the raw packet traffic from CNGI-CERNET2 which is a pure IPv6 academic network in China. The duration of the data is from July 2017 to January 2018 and the total amount is 40+ terabytes. We detected about 3000 adult websites in the global IPv6 network. This paper analyzes these adult websites and traffic from the perspectives of websites, users and ISPs respectively. We find that adult websites are still in the developing stage in IPv6 networks and only 30% adult websites with full resources can be accessed in IPv6-only networks. But due to the IPv6-first policy in RFC 4038, adult traffic will continue to migrate to IPv6 networks from IPv4 networks. On the other hand, we find that CDN vendors promote the development of adult websites in IPv6 networks and many adult website owners use muti-domain policies to escape ISPs restricting. Our findings may help ISPs effectively understand adult websites and enhance the restriction of adult content in IPv6 networks.

LI Guo,HE Lin,SONG Guanglei,WANG Zhiliang,YANG Jiahai,LI Zimu

DOI: https://doi.org/10.11959/j.issn.1000-0801.2019296

2019-01-01

Abstract:Nowadays,the state-of-the-art technologies can spend a very short time to scan the whole IPv4 space,but these methods cannot be applied to the huge IPv6 space easily.Therefore,many researchers propose different heuristic algorithms for the sake of IPv6 scanning.The common way of these algorithms is to input collected IPv6 seed addresses and output new most likely active IPv6 addresses as candidates for later scanning.These methods greatly reduce the scanning range of the active address area.These technologies based on seed addresses were classified,analyzed and summarized,and detailed analysis of the advantages and disadvantages of each method was given.And the several challenges faced by the methods were discussed.73M seed addresses were collected in total from two sources,including published IPv6 datasets in papers and Beijing Node of China Education and Research Network.Through the proposed experiments,time performance and hit rate of four IPv6 address scanning technologies based on seed addresses was compared.Finally,the own thoughts on this field and some future research directions were proposed.

Jan Rüth,Torsten Zimmermann,Oliver Hohlfeld

DOI: https://doi.org/10.48550/arXiv.1901.07265

2019-01-22

Abstract:Internet-wide scans are a common active measurement approach to study the Internet, e.g., studying security properties or protocol adoption. They involve probing large address ranges (IPv4 or parts of IPv6) for specific ports or protocols. Besides their primary use for probing (e.g., studying protocol adoption), we show that - at the same time - they provide valuable insights into the Internet control plane informed by ICMP responses to these probes - a currently unexplored secondary use. We collect one week of ICMP responses (637.50M messages) to several Internet-wide ZMap scans covering multiple TCP and UDP ports as well as DNS-based scans covering > 50% of the domain name space. This perspective enables us to study the Internet's control plane as a by-product of Internet measurements. We receive ICMP messages from ~171M different IPs in roughly 53K different autonomous systems. Additionally, we uncover multiple control plane problems, e.g., we detect a plethora of outdated and misconfigured routers and uncover the presence of large-scale persistent routing loops in IPv4.

Networking and Internet Architecture

Tianyu Cui,Chang Liu,Gaopeng Gou,Junzheng Shi,Gang Xiong

DOI: https://doi.org/10.48550/arXiv.2204.09539

2022-04-20

Networking and Internet Architecture

Abstract:Since the lack of IPv6 network development, China is currently accelerating IPv6 deployment. In this scenario, traffic and network structure show a huge shift. However, due to the long-term prosperity, we are ignorant of the problems behind such outbreak of traffic and performance improvement events in accelerating deployment. IPv6 development in some regions will still face similar challenges in the future. To contribute to solving this problem, in this paper, we produce a new measurement framework and implement a 5-month passive measurement on the IPv6 network during the accelerating deployment in China. We combine 6 global-scale datasets to form the normal status of IPv6 network, which is against to the accelerating status formed by the passive traffic. Moreover, we compare with the traffic during World IPv6 Day 2011 and Launch 2012 to discuss the common nature of accelerating deployment. Finally, the results indicate that the IPv6 accelerating deployment is often accompanied by an unbalanced network status. It exposes unresolved security issues including the challenge of user privacy and inappropriate access methods. According to the investigation, we point the future IPv6 development after accelerating deployment.

Xiaoke Jiang,Jun Bi,Yangyang Wang,Zhijie He,Wei Zhang

2006-01-01

Abstract:ICANN [1] announced that available pool of unallocated IPv4 Internet Address completely emptied on Feb 3, 2011 [2]. As a result, companies, researchers, Internet Service Providers (ISPs), and Internet Content Providers (CSPs), all devote their sight onto IPv6 intensively. They hope IPv6 can solve IP address exhaustion for a long time. IPv6 is not a new protocol. IETF raised RFC1752, named" The Recommendation for the IP Next Generation Protocol"[3] in 1994, and the first IPv6 address block was allocated in 1999. If we regard this as the beginning of IPv6 deployment, what is the status like in the 12-year evolution? Is IPv6 network mature and stable enough to undertake the load produced by billions of users? Is there some principles of IPv6 deployment? This paper attempts to answer those questions with in-depth statistics. Our results verify that IPv6 network is growing at a speed of O (d2)(d represents time) after …

Yunpeng Xing,Chaoyi Lu,Baojun Liu,Haixin Duan,Junzhe Sun,Zhou Li

DOI: https://doi.org/10.1145/3646547.3689023

2024-01-01

Abstract:We present a global, large-scale measurement of Internet traffic shadowing, a less-studied yet covert format of on-path manipulation. As part of pervasive monitoring, data within packets is silently observed, retained, and then leveraged to produce additional, unsolicited requests. To depict the landscape of such behaviors, we generate a collection of decoy traffic that lures on-path exhibitors, spread them via 4,364 vantage points recruited from commercial VPN providers, and capture unsolicited requests triggered by them. We find traffic shadowing against DNS, HTTP, and TLS protocols; DNS queries to several public resolvers are most susceptible, by being observed on a wide range of Internet paths. Through hop-by-hop tracerouting, we find observers of DNS queries associated with destinations, while HTTP messages are mostly observed on the wire. User data can be retained for long, e.g., over 10 days, and can be leveraged for more than once. While a notable portion of unsolicited requests originate from addresses labeled by blocklists, we find most of them are performing reconnaissance, and we see no evidence of exploits attempted in the collected traffic.

Chen Su,Renjie Liu,Xing Li

DOI: https://doi.org/10.1109/itaic.2019.8785473

2019-01-01

Abstract:Website IPv4 address distribution can be learned by scanning the entire IPv4 address space. However, the huge space of IPv6 addresses makes it difficult to collect and analyze active website IPv6 addresses. In this paper, we collect a dataset of nearly half a million IPv6 addresses visited by domain names through an experimental research network based on IVI, a stateless IPv4/IPv6 translation technique. As a result, a study was conducted on the dataset, which shows us the characteristics of geographic location, address type, ASN, and ports. Our result demonstrates that active website IPv6 addresses have obvious features especially in ASN. In addition, we compare different algorithms of mapping an IPv6 address into an IPv4 address.

Guanglei Song,Jiahai Yang,Zhiliang Wang,Lin He,Jinlei Lin,Long Pan,Chenxin Duan,Xiaowen Quan

DOI: https://doi.org/10.1109/tnet.2022.3145040

2022-01-01

IEEE/ACM Transactions on Networking

Abstract:Fast IPv4 scanning significantly improves network measurement and security research. Nevertheless, it is infeasible to perform brute-force scanning of the IPv6 address space. Alternatively, one can find active IPv6 addresses through scanning the candidate addresses generated by state-of-the-art algorithms. However, the probing efficiency of such algorithms is often very low. In this paper, our objective is to improve the probing efficiency of IPv6 addresses. We first perform a longitudinal active measurement study and build a high-quality dataset, hitlist, including more than 1.95B IPv6 addresses distributed in 58.2K BGP prefixes and collected over 17 months period. Different from the previous works, we probe the announced BGP prefixes using a pattern-based algorithm. This results in a dataset without uneven address distribution and low active rates. Further, we propose an efficient address generation algorithm, DET, which builds a density space tree to learn high-density address regions of the seed addresses with linear time complexity and improves the active addresses’ probing efficiency. We then compare our algorithm DET against state-of-the-art algorithms on the public hitlist and our hitlist by scanning 50M addresses. Our analysis shows that DET increases the de-aliased active address ratio and active address (including aliased addresses) ratio by 10%, and 14%, respectively. Furthermore, we develop a fingerprint-based method to detect aliased prefixes. The proposed method for the first time directly verifies whether the prefix is aliased or not. Our method finds that 10.64% of the public aliased prefixes are false positive.