基于SSDP和DNS-SD协议的双栈主机发现方法及其安全分析

doi:10.11959/j.issn.2096-109x.2023003

摘要/Abstract

摘要：

随着全球互联网IPv4地址分配耗尽，IPv6开始加速推广和部署。双栈技术允许设备同时启用IPv4和IPv6 栈，这意味着用户暴露了双倍的安全风险。尽管现有的工作可实现对部分双栈服务器的识别和测量，但仍存在以下问题。首先，双栈主机识别需要对主机服务进行深层协议识别，然而这种方式会消耗过高的扫描资源。其次，实际的网络服务提供商有可能在分布式主机上提供一致的服务，使得通过服务指纹进行双栈主机判别的准确性难以保证。针对此问题，利用局域网服务发现协议将主机服务与 IP 地址绑定的协议特性，提出了基于SSDP和DNS-SD协议的双栈主机发现方法：在IPv4网络环境下，通过SSDP诱导目标主机主动向构建的IPv6服务器发送请求，然后从服务器日志中提取IPv6地址；或通过DNS-SD协议枚举目标主机的服务列表及其对应的AAAA记录，获取目标主机IPv6地址，实现双栈地址对的发现。该方法直接从IPv4主机获取其IPv6 地址，确保了发现的双栈主机的准确性，同时，在发现过程中只需要针对特定协议构造请求数据包，极大地节约了扫描资源。基于该方法，对全球IPv4网络意外暴露的SSDP主机和DNS-SD主机进行了测量，共收集到158 000个不重复的IPv6地址，其中55 000个为拥有全球可达IPv6地址的双栈主机地址对。与现有工作将测量目标聚焦于双栈服务器不同，该方法主要针对终端用户和客户端设备，构建了迄今为止尚未探索过的活跃IPv6设备独特集合及双栈主机地址对集合。通过对获取的IPv6地址编址类型的分析，随机生成已成为当前IPv6地址分配的主要方式，这一方式大大降低了IPv6主机被扫描发现的可能性。特别地，通过对双栈主机的开放端口和服务测量，发现双栈主机在不同协议栈上的安全策略差异：IPv6 栈上暴露了更多高风险服务，扩大了主机的攻击面。研究结果表明，IPv6 地址空间遍历扫描的不可行性缓解了 IPv6 的安全风险，但错误的网络配置大幅增加了这些高风险的IPv6主机被发现的可能性，用户应该重新审视双栈主机上的IPv6安全策略。

关键词: 双栈主机, 简单服务发现协议, DNS服务发现, 网络测量

Abstract:

With the exhaustion of the IPv4 addresses, the promotion and deployment of IPv6 has been accelerating.Dual-stack technology allows devices to enable both IPv4 and IPv6 protocols, which means that users are facing more security risks.Although the existing work can realize the identification and measurement of some dual-stack servers, the following problems still exist.Dual-stack host identification requires deep protocol identification of host services, but this method consumes too much scanning resources.Besides, network service providers may provide consistent services on distributed hosts, making it difficult to guarantee the accuracy of dual-stack host identification through service fingerprints.To solve these problems, the LAN service discovery protocol was used to bind host services to IP addresses, and a dual-stack host discovery method based on SSDP and DNS-SD protocols was proposed.In IPv4 network environment, the target host was induced to actively send a request to the constructed IPv6 server through SSDP protocol, and then the IPv6 address was extracted from the server’s log.Or the service list of the target host and its corresponding AAAA record was enumerated through the DNS-SD protocol and the IPv6 address of the target host was obtained, in order to realize the discovery of the dual stack address pairs.With this method, IPv6 addresses was obtained directly from the IPv4 host, which ensured the accuracy of the discovered dual-stack host.At the same time, only request packets for specific protocols were needed during the discovery process, which greatly saved scanning resources.Based on this method, the SSDP hosts and DNS-SD hosts accidentally exposed to the global IPv4 network were measured.A total number of 158k unique IPv6 addresses were collected, of which 55k were dual-stack host address pairs with globally reachable IPv6 addresses.Unlike existing work that focused on dual-stack servers, this method mainly targeted end-users and client devices, and built a unique set of active IPv6 devices and dual-stack host address pairs that have not been explored so far.Through the analysis of the obtained IPv6 address addressing type, it shows that IPv6 address is mainly generated in a random manner, which greatly reduces the possibility of IPv6 hosts being discovered by scanning.In particular, by measuring the ports and services of dual-stack hosts, we found that the security policy differences of dual-stack hosts on different protocol stacks.Especially, IPv6 protocol stack exposes more high-risk services, expanding the attack surface of hosts.The research results also show that the infeasibility of IPv6 address space traversal scanning mitigates the security risks of IPv6, but incorrect network configuration greatly increases the possibility of these high-risk IPv6 hosts being discovered and users should revisit IPv6 security strategy on dual-stack hosts.

Key words: dual-stack host, SSDP, DNS-SD, network measurement

中图分类号:

TP393

施凡, 钟瑶, 薛鹏飞, 许成喜. 基于SSDP和DNS-SD协议的双栈主机发现方法及其安全分析[J]. 网络与信息安全学报, 2023, 9(1): 56-66.

Fan SHI, Yao ZHONG, Pengfei XUE, Chengxi XU. Dual-stack host discovery method based on SSDP and DNS-SD protocol[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 56-66.

图/表 11

图1

图2

图3

图4

图5

表1

表2

表3

表4

图6

图7

参考文献 32

[1]	APNIC. IPv6 capable rate by country (%)[EB].
[2]	W3Techs. Usage statistics of IPv6 for websites[EB].
[3]	Google. IPv6 adoption statistics[EB]. .
[4]	VYNCKE é , CHITTIMANENI K , KAEO M ,et al. Operational security considerations for IPv6 networks[S]. IETF RFC 9099, 2021.
[5]	赵帆, 罗向阳, 刘粉林 . 网络空间测绘技术研究[J]. 网络与信息安全学报, 2016,2(9): 1-11.
	ZHAO F , LUO X Y , LIU F L . Research on cyberspace surveying and mapping technology[J]. Chinese Journal of Network and Information Security, 2016,2(9): 1-11.
[6]	STEPHEN D S . Bootstrapping active IPv6 measurement with IPv4 and public DNS[J]. arXiv preprint arXiv:1710.08536, 2017.
[7]	FIEBIG T , BORGOLTE K , HAO S ,et al. Something from nothing (there):collecting global IPv6 datasets from DNS[C]// International Conference on Passive and Active Network Measurement. 2017: 30-43.
[8]	FIEBIG T , BORGOLTE K , HAO S ,et al. In rDNS we trust:revisiting a common data-source’s reliability[C]// International Conference on Passive and Active Network Measurement. 2018: 131-145.
[9]	PLONKA D , BERGER A . Temporal and spatial classification of active IPv6 addresses[C]// Proceedings of the 2015 Internet Measurement Conference. 2015: 509-522.
[10]	GASSER O , SCHEITLE Q , GEBHARD S ,et al. Scanning the IPv6 internet:towards a comprehensive hitlist[J]. arXiv preprint arXiv:1607.05179, 2016.
[11]	BEVERLY R , DURAIRAJAN R , PLONKA D ,et al. In the IP of the beholder:strategies for active IPv6 topology discovery[C]// Proceedings of the Internet Measurement Conference. 2018: 308-321.
[12]	MILESCU G , BARDAC M . Ipv6 peer availability in BitTorrent distributed hash table[C]// 2013 19th International Conference on Control Systems and Computer Science. 2013: 532-536.
[13]	MURDOCK A , LI F , BRAMSEN P ,et al. Target generation for internet-wide IPv6 scanning[C]// Proceedings of the 2017 Internet Measurement Conference. 2017: 242-253.
[14]	GASSER O , SCHEITLE Q , FOREMSKI P ,et al. Clusters in the expanse:understanding and unbiasing IPv6 hitlists[C]// Proceedings of the Internet Measurement Conference. 2018: 364-378.
[15]	SONG G , HE L , WANG Z ,et al. Towards the construction of global IPv6 hitlist and efficient probing of IPv6 address space[C]// 2020 IEEE/ACM 28th International Symposium on Quality of Service (IWQoS). 2020: 1-10.
[16]	张千里, 姜彩萍, 王继龙 ,等. IPv6地址结构标准化研究综述[J]. 计算机学报, 2019,42(6): 1384-1405.
	ZHANG Q L , JIANG C P , WANG J L ,et al. A survey on IPv6 address structure standardization research[J]. Chinese Journal of Computers, 2019,42(6): 1384-1405.
[17]	BEVERLY R , BERGER A . Server siblings:Identifying shared IPv4/IPv6 infrastructure via active fingerprinting[C]// International Conference on Passive and Active Network Measurement. 2015: 149-161.
[18]	SCHEITLE Q , GASSER O , ROUHI M ,et al. Large-scale classification of IPv6-IPv4 siblings with variable clock skew[C]// 2017 Network Traffic Measurement and Analysis Conference (TMA). 2017: 1-9.
[19]	CZYZ J , LUCKIE M , ALLMAN M ,et al. Don't forget to lock the back door! a characterization of IPv6 network security policy[C]// Network and Distributed Systems Security (NDSS). 2016.
[20]	BERGER A , WEAVER N , BEVERLY R ,et al. Internet name server IPv4 and IPv6 address relationships[C]// Proceedings of the 2013 Internet Measurement Conference. 2013: 91-104.
[21]	AL-DALKY R , SCHOMP K . Characterization of collaborative resolution in recursive DNS resolvers[C]// International Conference on Passive and Active Network Measurement. 2018: 146-157.
[22]	LIN H , DONG S K , BERGMANN N W . SAGA:secure auto-configurable gateway architecture for smart home[C]// 2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC). 2019: 11-1109.
[23]	韩虹莹 . 基于 SSDP 的 DDoS 攻击防御技术的研究[D]. 长春：吉林大学, 2019.
	HAN H Y . Research on DDoS attack defense technology based on SSDP[D]. Changchun:Jilin University, 2019.
[24]	GOLAND Y Y , CAI T , LEACH P . Simple service discovery protocol/1.0[S]. IETF DRAFT, 1999.
[25]	BOUCADAIR M , PENNO R , PENNO R ,et al. Universal plug and play (UPnP) Internet gateway device-port control protocol interworking function (IGD-PCP IWF)[S]. IETF RFC 6970, 2013.
[26]	HAKIM M A , AKSU H , ULUAGAC A S ,et al. U-pot:a honeypot framework for UPnP-based IoT devices[C]// 2018 IEEE 37th International Performance Computing and Communications Conference (IPCCC). 2018: 1-8.
[27]	MARTIN Z , ALEKSANDAR N . IPv6 unmasking via UPnP[EB].
[28]	CHESHIRE S , KROCHMAL M . Multicast DNS[S]. IETF RFC 6762, 2013.
[29]	CHESHIRE S , KROCHMAL M . DNS-based service discovery[S]. IETF RFC 6763, 2013.
[30]	BAILEY M , DITTRICH D , KENNEALLY E ,et al. The menlo report[J]. IEEE Security ＆ Privacy. 2012,10(2): 71-75.
[31]	GONT F , COOPER A , THALER D ,et al. Recommendation on stable IPv6 interface[S]. IETF RFC 8064, 2017.
[32]	SONG G , YANG J , WANG Z ,et al. DET:enabling efficient probing of IPv6 active addresses[J]. IEEE/ACM Transactions on Networking, 2022,30(4): 1629-1643.

协议	地区	地址数量	EUI-64	%	Random	%
	CN	9 041	701	7.75	8 034	88.86
	TH	4 220	182	4.31	4 036	95.64
SSDP	VN	3 958	3 782	95.55	175	4.42
	PK	3 196	78	2.44	3 116	97.50
	其他地区	7 223	5 048	69.89	934	12.93
	US	5 985	1 823	30.46	2 916	48.72
	FR	4 499	3 550	78.91	272	6.05
	DE	2 081	670	32.20	462	22.20
DNS-SD	CN	2 442	1 211	49.59	692	28.34
	其他地区	12 448	7 505	60.29	2 612	20.98
	Link-Scoped（私有地址）	100 111	83 662	83.57	15 868	15.85
	Unique Local（私有地址）	3 070	2 349	76.51	449	14.63
	总计	158 274	110 561	69.85	39 566	25.00

类型	数量	IID占比	类型	数量	IID占比
EUI-64	9 793	35.43	Byte-pattern	58	0.21
Low-byte	605	2.19	Random	16 299	58.97
Embed-IPv4	883	3.20	Total	27 638	100.0

类型	数量	IID占比	类型	数量	IID占比
EUI-64	14 817	53.97	Byte-pattern	323	1.18
Low-byte	4 215	15.35	Random	7 009	25.53
Embed-IPv4	1 091	3.97	Total	27 455	100.0

操作系统	版本	UPnP客户端	版本	数量
Ubuntu	16.04	MiniUPnPc	1.9	7 046
Debian	8.11	MiniUPnPc	2.1	7 030
Debian	bullseye/sid	MiniUPnPc	2.1	4 355
Ubuntu	12.04	MiniUPnPc	2.1	3 582
Linux	3.10.0-957.el7.x86_64	MiniUPnPc	2.2.3	2 980