2021年第51届IEEE/IFIP国际可靠系统和网络会议 | DSN 2021

摘要

Numerous measurement researches have been performed to discover the IPv4 network security issues by leveraging the fast Internet-wide scanning techniques. However, IPv6 brings the 128-bits address space and renders brute-force network scanning impractical. Although significant efforts have been dedicated to enumerating active IPv6 hosts, limited by technique efficiency and probing accuracy, large-scale empirical measurement studies under the increasing IPv6 networks are infeasible now.
To fill this research gap, by leveraging the extensively adopted IPv6 address allocation strategy, we propose a novel IPv6 network periphery discovery approach. Specifically, XMap, a fast network scanner, is developed to find the periphery, such as a home router. We evaluate it on twelve prominent Internet service providers and harvest 52M active peripheries. Grounded on these found devices, we explore IPv6 network risks of the unintended exposed security services and the flawed traffic routing strategies. First, we demonstrate the unintended exposed security services in IPv6 networks, such as DNS, and HTTP, have become emerging security risks by analyzing 4.7M peripheries. Second, by inspecting the periphery’s packet routing strategies, we present the flawed implementations of IPv6 routing protocol affecting 5.8M router devices. Attackers can exploit this common vulnerability to conduct effective routing loop attacks, inducing DoS to the ISP’s and home routers with an amplification factor of >200. We responsibly disclose those issues to all involved vendors and ASes and discuss mitigation solutions. Our research results indicate that the security community should revisit IPv6 network strategies immediately.

日期
6月 21, 2021 12:00 AM — 6月 24, 2021 11:45 PM
位置
线上举办

在2021年第51届IEEE/IFIP国际可靠系统和网络会议上(线上举办),我分享了论文:Fast IPv6 Network Periphery Discovery and Security Implications。

李想
李想
清华大学博士研究生(网络空间安全)

李想,清华大学网络科学与网络空间研究院五年级博士研究生,导师为李琦副教授和段海新教授。研究方向为网络与协议安全,已发表论文17篇(含一作6篇:在网络安全四大顶会均有发表、通讯1篇、二作3篇),授权专利1项,在Black Hat多次分享,获得190+CVE等漏洞编号,306+GitHub stars。研究获得多个政府及大学CERT安全公告、60+媒体报道,并被纳入RFC标准文档。其也获得了多项奖项荣誉,如IPv6创新大赛一等奖、GeekCon国际安全极客大赛亚军、王大中奖学金、博士研究生国家奖学金、清华优秀奖学金等。