Network scans have become increasingly popular thanks to handy and casual scanning tools such as masscan and zmap. Now it takes less than an hour to scan the whole IPv4 address space with a general PC.
Detecting such large-scale IPv4 network scans is an important issue for network/security operations, because knowledge of such malicious activity may help anticipate large-scale attacks.
A well-known technique to detect IPv4 network-wide scans is to monitor a darknet (also known as a network telescope), which is a route-advertised network that has no legitimate hosts. This means strange behaviours such as random network scans, reflections of DoS, and configuration misses are easily seen — a /16 darknet (65,536 IPs) detects one packet from a 10,000 packet per second (pps) random scan in 6.6 seconds.
Unfortunately, it is impossible to detect random IPv6 network-wide scans with an IPv6 darknet due to the huge address space — a /48 IPv6 darknet cannot detect a 1M pps random scanner in the lifetime of the universe. As IPv6 becomes more visible on the Internet, it is important to be able to find an equally practical way to detect these scans as we have for IPv4 to properly mitigate malicious activities.
Introducing DNS backscatter
Recent IPv6 scanners that have been developed to assist with this problem use target lists and generative algorithms instead of random addresses. Our research group has been working on detecting such scans with a different approach called DNS backscatter.
The key idea of DNS backscatter is that a large network event automatically triggers reverse DNS queries near the target (Figure 1), in the process checking the hostnames of a scanner’s IP address (originator). A single reverse query has little information on the scanner but if many reverse DNS queries (DNS backscatter), generated by caching resolvers (queriers), appear at authoritative DNS servers, we could identify such network-wide events in a centralized way.
DNS backscatter has several benefits when detecting network-wide activities. It is:
- Easy to deploy because it is observable at DNS authoritative servers.
- Automatically triggered by caching resolvers (not targets), so it is privacy friendly.
- Robust against malicious sources, that is those that are difficult to evade.
How does it perform?
A practical issue that needed to be considered for when DNS backscatter is deployed in a real network was how to identify malicious activities from well-known large-scale benign activities.
In IPv4 DNS backscatter, we collect a large number of benign and malicious IPs as labelled data and apply supervised machine learning techniques to classify potential malicious IPs. However, due to a lack of caching resolvers triggering backscatter queries in IPv6, we currently define heuristics-based rules to classify these into four types of events: content providers, well-known services, routers, and potential abuse content, which includes scans and spams.
To demonstrate the effectiveness of this approach, we analysed six month’s worth of reverse DNS queries (ip6.arpa) measured at a B-root DNS server. In theory, root DNS servers are able to capture all network-wide events through a DNS caching mechanism, including the number of observable DNS backscatters.
Our dataset consisted of 29M IPv6 event originators, 435K unique caching resolvers, and 31M unique event originator — caching resolver pairs. After applying our heuristic-based rules to the dataset, we detected on average, 6,700 event originators per week.
As expected, most originators were benign: 74.5% of the originators were related to content providers, 16.1% of them were well-known services, and 7.5% of them were router interfaces (triggered by traceroute). However, we also confirmed that 0.24% of them (16 IPs) were network scans listed in blacklist databases or validated at backbone traffic datasets, and 1.7% of them (112 IPs) were potential malicious activities.
Interestingly, our DNS backscatter technique detected large-scale network scans by academic research projects without any prior knowledge, as well as unidentified scans. Thus, we were able to observe network-wide IPv6 scans in the wild.
Furthermore, we reported a slight increase in the number of IPv6 scans over six months.
From our analysis, we believe DNS backscatter has the potential to be a useful tool for network operators and network security professionals to detect network-wide scans in IPv6. If you’re interested in learning more about our work, check out our research paper [PDF].
Kensuke Fukuda is an Associate Professor of Information Systems Architecture Research Division at the National Institute of Informatics, Japan.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.