基于SSDP和DNS-SD协议的双栈主机发现方法及其安全分析

doi:10.11959/j.issn.2096-109x.2023003

Abstract

Abstract:

With the exhaustion of the IPv4 addresses, the promotion and deployment of IPv6 has been accelerating.Dual-stack technology allows devices to enable both IPv4 and IPv6 protocols, which means that users are facing more security risks.Although the existing work can realize the identification and measurement of some dual-stack servers, the following problems still exist.Dual-stack host identification requires deep protocol identification of host services, but this method consumes too much scanning resources.Besides, network service providers may provide consistent services on distributed hosts, making it difficult to guarantee the accuracy of dual-stack host identification through service fingerprints.To solve these problems, the LAN service discovery protocol was used to bind host services to IP addresses, and a dual-stack host discovery method based on SSDP and DNS-SD protocols was proposed.In IPv4 network environment, the target host was induced to actively send a request to the constructed IPv6 server through SSDP protocol, and then the IPv6 address was extracted from the server’s log.Or the service list of the target host and its corresponding AAAA record was enumerated through the DNS-SD protocol and the IPv6 address of the target host was obtained, in order to realize the discovery of the dual stack address pairs.With this method, IPv6 addresses was obtained directly from the IPv4 host, which ensured the accuracy of the discovered dual-stack host.At the same time, only request packets for specific protocols were needed during the discovery process, which greatly saved scanning resources.Based on this method, the SSDP hosts and DNS-SD hosts accidentally exposed to the global IPv4 network were measured.A total number of 158k unique IPv6 addresses were collected, of which 55k were dual-stack host address pairs with globally reachable IPv6 addresses.Unlike existing work that focused on dual-stack servers, this method mainly targeted end-users and client devices, and built a unique set of active IPv6 devices and dual-stack host address pairs that have not been explored so far.Through the analysis of the obtained IPv6 address addressing type, it shows that IPv6 address is mainly generated in a random manner, which greatly reduces the possibility of IPv6 hosts being discovered by scanning.In particular, by measuring the ports and services of dual-stack hosts, we found that the security policy differences of dual-stack hosts on different protocol stacks.Especially, IPv6 protocol stack exposes more high-risk services, expanding the attack surface of hosts.The research results also show that the infeasibility of IPv6 address space traversal scanning mitigates the security risks of IPv6, but incorrect network configuration greatly increases the possibility of these high-risk IPv6 hosts being discovered and users should revisit IPv6 security strategy on dual-stack hosts.

Key words: dual-stack host, SSDP, DNS-SD, network measurement

CLC Number:

TP393

Fan SHI, Yao ZHONG, Pengfei XUE, Chengxi XU. Dual-stack host discovery method based on SSDP and DNS-SD protocol[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 56-66.

Figures/Tables 11

References 32

[1]	APNIC. IPv6 capable rate by country (%)[EB].
[2]	W3Techs. Usage statistics of IPv6 for websites[EB].
[3]	Google. IPv6 adoption statistics[EB]. .
[4]	VYNCKE é , CHITTIMANENI K , KAEO M ,et al. Operational security considerations for IPv6 networks[S]. IETF RFC 9099, 2021.
[5]	赵帆, 罗向阳, 刘粉林 . 网络空间测绘技术研究[J]. 网络与信息安全学报, 2016,2(9): 1-11.
	ZHAO F , LUO X Y , LIU F L . Research on cyberspace surveying and mapping technology[J]. Chinese Journal of Network and Information Security, 2016,2(9): 1-11.
[6]	STEPHEN D S . Bootstrapping active IPv6 measurement with IPv4 and public DNS[J]. arXiv preprint arXiv:1710.08536, 2017.
[7]	FIEBIG T , BORGOLTE K , HAO S ,et al. Something from nothing (there):collecting global IPv6 datasets from DNS[C]// International Conference on Passive and Active Network Measurement. 2017: 30-43.
[8]	FIEBIG T , BORGOLTE K , HAO S ,et al. In rDNS we trust:revisiting a common data-source’s reliability[C]// International Conference on Passive and Active Network Measurement. 2018: 131-145.
[9]	PLONKA D , BERGER A . Temporal and spatial classification of active IPv6 addresses[C]// Proceedings of the 2015 Internet Measurement Conference. 2015: 509-522.
[10]	GASSER O , SCHEITLE Q , GEBHARD S ,et al. Scanning the IPv6 internet:towards a comprehensive hitlist[J]. arXiv preprint arXiv:1607.05179, 2016.
[11]	BEVERLY R , DURAIRAJAN R , PLONKA D ,et al. In the IP of the beholder:strategies for active IPv6 topology discovery[C]// Proceedings of the Internet Measurement Conference. 2018: 308-321.
[12]	MILESCU G , BARDAC M . Ipv6 peer availability in BitTorrent distributed hash table[C]// 2013 19th International Conference on Control Systems and Computer Science. 2013: 532-536.
[13]	MURDOCK A , LI F , BRAMSEN P ,et al. Target generation for internet-wide IPv6 scanning[C]// Proceedings of the 2017 Internet Measurement Conference. 2017: 242-253.
[14]	GASSER O , SCHEITLE Q , FOREMSKI P ,et al. Clusters in the expanse:understanding and unbiasing IPv6 hitlists[C]// Proceedings of the Internet Measurement Conference. 2018: 364-378.
[15]	SONG G , HE L , WANG Z ,et al. Towards the construction of global IPv6 hitlist and efficient probing of IPv6 address space[C]// 2020 IEEE/ACM 28th International Symposium on Quality of Service (IWQoS). 2020: 1-10.
[16]	张千里, 姜彩萍, 王继龙 ,等. IPv6地址结构标准化研究综述[J]. 计算机学报, 2019,42(6): 1384-1405.
	ZHANG Q L , JIANG C P , WANG J L ,et al. A survey on IPv6 address structure standardization research[J]. Chinese Journal of Computers, 2019,42(6): 1384-1405.
[17]	BEVERLY R , BERGER A . Server siblings:Identifying shared IPv4/IPv6 infrastructure via active fingerprinting[C]// International Conference on Passive and Active Network Measurement. 2015: 149-161.
[18]	SCHEITLE Q , GASSER O , ROUHI M ,et al. Large-scale classification of IPv6-IPv4 siblings with variable clock skew[C]// 2017 Network Traffic Measurement and Analysis Conference (TMA). 2017: 1-9.
[19]	CZYZ J , LUCKIE M , ALLMAN M ,et al. Don't forget to lock the back door! a characterization of IPv6 network security policy[C]// Network and Distributed Systems Security (NDSS). 2016.
[20]	BERGER A , WEAVER N , BEVERLY R ,et al. Internet name server IPv4 and IPv6 address relationships[C]// Proceedings of the 2013 Internet Measurement Conference. 2013: 91-104.
[21]	AL-DALKY R , SCHOMP K . Characterization of collaborative resolution in recursive DNS resolvers[C]// International Conference on Passive and Active Network Measurement. 2018: 146-157.
[22]	LIN H , DONG S K , BERGMANN N W . SAGA:secure auto-configurable gateway architecture for smart home[C]// 2019 IEEE 24th Pacific Rim International Symposium on Dependable Computing (PRDC). 2019: 11-1109.
[23]	韩虹莹 . 基于 SSDP 的 DDoS 攻击防御技术的研究[D]. 长春：吉林大学, 2019.
	HAN H Y . Research on DDoS attack defense technology based on SSDP[D]. Changchun:Jilin University, 2019.
[24]	GOLAND Y Y , CAI T , LEACH P . Simple service discovery protocol/1.0[S]. IETF DRAFT, 1999.
[25]	BOUCADAIR M , PENNO R , PENNO R ,et al. Universal plug and play (UPnP) Internet gateway device-port control protocol interworking function (IGD-PCP IWF)[S]. IETF RFC 6970, 2013.
[26]	HAKIM M A , AKSU H , ULUAGAC A S ,et al. U-pot:a honeypot framework for UPnP-based IoT devices[C]// 2018 IEEE 37th International Performance Computing and Communications Conference (IPCCC). 2018: 1-8.
[27]	MARTIN Z , ALEKSANDAR N . IPv6 unmasking via UPnP[EB].
[28]	CHESHIRE S , KROCHMAL M . Multicast DNS[S]. IETF RFC 6762, 2013.
[29]	CHESHIRE S , KROCHMAL M . DNS-based service discovery[S]. IETF RFC 6763, 2013.
[30]	BAILEY M , DITTRICH D , KENNEALLY E ,et al. The menlo report[J]. IEEE Security ＆ Privacy. 2012,10(2): 71-75.
[31]	GONT F , COOPER A , THALER D ,et al. Recommendation on stable IPv6 interface[S]. IETF RFC 8064, 2017.
[32]	SONG G , YANG J , WANG Z ,et al. DET:enabling efficient probing of IPv6 active addresses[J]. IEEE/ACM Transactions on Networking, 2022,30(4): 1629-1643.

Metrics

Recommended 0

No Suggested Reading articles found!

协议	地区	地址数量	EUI-64	%	Random	%
	CN	9 041	701	7.75	8 034	88.86
	TH	4 220	182	4.31	4 036	95.64
SSDP	VN	3 958	3 782	95.55	175	4.42
	PK	3 196	78	2.44	3 116	97.50
	其他地区	7 223	5 048	69.89	934	12.93
	US	5 985	1 823	30.46	2 916	48.72
	FR	4 499	3 550	78.91	272	6.05
	DE	2 081	670	32.20	462	22.20
DNS-SD	CN	2 442	1 211	49.59	692	28.34
	其他地区	12 448	7 505	60.29	2 612	20.98
	Link-Scoped（私有地址）	100 111	83 662	83.57	15 868	15.85
	Unique Local（私有地址）	3 070	2 349	76.51	449	14.63
	总计	158 274	110 561	69.85	39 566	25.00

类型	数量	IID占比	类型	数量	IID占比
EUI-64	9 793	35.43	Byte-pattern	58	0.21
Low-byte	605	2.19	Random	16 299	58.97
Embed-IPv4	883	3.20	Total	27 638	100.0

类型	数量	IID占比	类型	数量	IID占比
EUI-64	14 817	53.97	Byte-pattern	323	1.18
Low-byte	4 215	15.35	Random	7 009	25.53
Embed-IPv4	1 091	3.97	Total	27 455	100.0

操作系统	版本	UPnP客户端	版本	数量
Ubuntu	16.04	MiniUPnPc	1.9	7 046
Debian	8.11	MiniUPnPc	2.1	7 030
Debian	bullseye/sid	MiniUPnPc	2.1	4 355
Ubuntu	12.04	MiniUPnPc	2.1	3 582
Linux	3.10.0-957.el7.x86_64	MiniUPnPc	2.2.3	2 980

Dual-stack host discovery method based on SSDP and DNS-SD protocol

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 32

Related Articles 1

Metrics

Recommended 0