Network scans have become increasingly popular thanks to handy and casual scanning tools such as masscan and zmap. Now it takes less than an hour to scan the whole IPv4 address space with a general PC.

Detecting such large-scale IPv4 network scans is an important issue for network/security operations, because knowledge of such malicious activity may help anticipate large-scale attacks.

A well-known technique to detect IPv4 network-wide scans is to monitor a darknet (also known as a network telescope), which is a route-advertised network that has no legitimate hosts. This means strange behaviours such as random network scans, reflections of DoS, and configuration misses are easily seen - a /16 darknet (65,536 IPs) detects one packet from a 10,000 packet per second (pps) random scan in 6.6 seconds.

As IPv6 becomes more visible on the Internet, it is important to be able to find an equally practical way to detect these scans as we have for IPv4 to properly mitigate malicious activities. Unfortunately, it is impossible to detect random IPv6 network-wide scans with an IPv6 darknet due to the huge address space - a /48 IPv6 darknet cannot detect a 1M pps random scanner in the lifetime of the universe. Recent IPv6 scanners that have been developed to assist with this problem use target lists and generative algorithms instead of random addresses.

Our research group has been working on detecting such scans with a different approach called DNS backscatter.