IPv6-Darknet Network Traffic Detection

  • Conference paper
Artificial Intelligence and Security (ICAIS 2021)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12737)

Abstract

Background traffic reflects the state of the network. Negative network measurements can be a very important way to understand the Internet. I would like to express appreciation to CERNET, which provided us with an IPv6 address space that is allocated but not fully used. By announcing a large /20 covering prefix for this address space, we published routing information on China's domestic education network, business network, and foreign education network. Based on the honeypot method, we collect the related traffic at the last-hop router of the experiment network, which turns our experiment environment into a network telescope. We find that, in the current IPv6 network, background radiation traffic is growing more rapidly than it did years ago. Moreover, suspicious IPv6 address scanning traffic shows up. We classify and analyze the traffic and classify all the source and destination addresses. We found that the source addresses are mainly from Asian countries. In particular, we conduct further detection and monitoring of the suspicious source addresses. We analyze when each one appears and what it scans, including the destination address and the port type. The destination ports of most interest to the outside world are mainly 80, 8080, 443, 53, 21, 22, 23, and 25, which are related to web services and host system applications. We explain most of the data and highlight its significant attributes. We found several special addresses scanning our address segment periodically. Our work reveals the situation and the problems of the current IPv6 network.
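The analysis the abstract outlines (tally destination ports, find sources that probe many dark addresses, check whether they return periodically) can be sketched as follows. This is an added example, not the authors' code: the dark prefix, the flow records and the thresholds (`min_targets`, `gap`, `max_jitter`) are constructed assumptions; only the port list comes from the abstract.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed dark prefix (documentation range), not the paper's address space.
DARK_PREFIX = ipaddress.ip_network("2001:db8:d000::/36")
# Ports the abstract lists as the most probed.
WATCHED_PORTS = {80, 8080, 443, 53, 21, 22, 23, 25}

def summarize(records, min_targets=3, gap=600, max_jitter=0.1):
    """records: iterable of (epoch_seconds, src, dst, dport) seen at the telescope."""
    ports, targets, times = Counter(), defaultdict(set), defaultdict(list)
    for ts, src, dst, dport in records:
        if ipaddress.ip_address(dst) not in DARK_PREFIX:
            continue  # only traffic to the unused space is background radiation
        ports[dport] += 1
        targets[src].add(dst)
        times[src].append(ts)
    # A source that touches several distinct dark addresses is treated as a scanner.
    scanners = {s for s, d in targets.items() if len(d) >= min_targets}
    periodic = {}
    for src in scanners:
        ts = sorted(times[src])
        # Collapse packets closer than `gap` seconds into one scan session.
        starts = [ts[0]] + [b for a, b in zip(ts, ts[1:]) if b - a > gap]
        if len(starts) < 3:
            continue  # too few sessions to call it periodic
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        if pstdev(intervals) <= max_jitter * mean(intervals):
            periodic[src] = round(mean(intervals))  # period in seconds
    return ports, scanners, periodic

def watched_share(ports):
    """Fraction of dark-space packets aimed at the abstract's port list."""
    total = sum(ports.values())
    return sum(n for p, n in ports.items() if p in WATCHED_PORTS) / total if total else 0.0

def sample_records():
    """Constructed flows: a daily scanner, a single probe, one packet outside the prefix."""
    recs = []
    for day in range(4):  # the scanner returns every 86400 s
        for i, port in enumerate((80, 443, 22)):
            recs.append((day * 86400 + i, "2001:db8:a::1",
                         f"2001:db8:d000::{i + 1:x}", port))
    recs.append((5000, "2001:db8:b::2", "2001:db8:d000::1", 53))
    recs.append((6000, "2001:db8:b::2", "2001:db8:e000::1", 80))  # not dark space
    return recs

if __name__ == "__main__":
    print(summarize(sample_records()))
```
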

Correspondence to Xing Li.

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Liu, C., Liu, Q., Hao, S., Bao, C., Li, X. (2021). IPv6-Darknet Network Traffic Detection. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2021. Lecture Notes in Computer Science, vol 12737. Springer, Cham. https://doi.org/10.1007/978-3-030-78612-0_19

  • DOI: https://doi.org/10.1007/978-3-030-78612-0_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78611-3

  • Online ISBN: 978-3-030-78612-0

  • eBook Packages: Computer Science (R0)
