Abstract
The state of the network can be reflected by the background traffic. Negative network measurements can be a very important way to understand the Internet. I would like to express appreciation to CERNET, who provided us with an IPv6 address space that is allocated but not fully used. By announcing a large /20 covering prefix on this address space, we have published routing information on China's domestic education network, business network, and foreign education network. Based on the honeypot method, we collect the relevant traffic at the last-hop router of the experiment network, which makes our experiment environment a network telescope. We discover that background radiation traffic has grown more rapidly than it did years ago under the current IPv6 network situation. Moreover, suspicious IPv6 address scanning traffic shows up. We classify and analyze the traffic, including all the source addresses and destination addresses. We found that the source addresses are mainly from Asian countries. In particular, we conduct further detection and monitoring of the suspicious source addresses. We analyze when they appear and what they scan, including the destination address and the port type. The destination ports of most interest to the outside world are mainly 80, 8080, 443, 53, 21, 22, 23, and 25, which are related to web services and host system applications. We explain most of the data and highlight its significant attributes. We found several special addresses scanning our address segment periodically. Our work reveals the situation and the problems of the current IPv6 network.
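The per-source analysis the abstract describes (which sources reach the unused prefix, how many destinations and which ports they probe, and whether they return periodically) can be sketched as follows. This is an added example, not code from the paper; the addresses, timestamps and thresholds are constructed, with documentation ranges standing in for the announced /20 and the sources.

```python
import ipaddress
from collections import defaultdict

# Assumption: a documentation /20 stands in for the announced covering prefix.
TELESCOPE = ipaddress.ip_network("3fff::/20")
WATCHED_PORTS = {80, 8080, 443, 53, 21, 22, 23, 25}  # ports named in the abstract

# Constructed records, one per probe: (unix_time, src, dst, dst_port)
FLOWS = [
    (0,     "2001:db8::a", "3fff::1", 80),
    (3600,  "2001:db8::a", "3fff::2", 443),
    (7200,  "2001:db8::a", "3fff::3", 22),
    (10800, "2001:db8::a", "3fff::4", 8080),
    (14400, "2001:db8::a", "3fff::5", 23),
    (100,   "2001:db8::b", "3fff::1", 53),
    (250,   "2001:db8::b", "3fff::1", 53),
    (9000,  "2001:db8::b", "3fff::1", 12345),
    (500,   "2001:db8::c", "2001:db8::1", 80),  # not telescope-bound
]

def summarize(flows, min_targets=3, jitter=0.1):
    """Group telescope-bound probes by source; flag scanners and periodic visitors."""
    per_src = defaultdict(lambda: {"times": [], "dsts": set(), "ports": set()})
    for ts, src, dst, port in flows:
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in TELESCOPE:
            continue  # only unsolicited traffic toward the unused space counts
        rec = per_src[str(ipaddress.ip_address(src))]  # canonical text form
        rec["times"].append(ts)
        rec["dsts"].add(dst_ip)
        rec["ports"].add(port)
    report = {}
    for src, rec in per_src.items():
        times = sorted(rec["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps) if gaps else 0
        # Periodic: at least 4 visits whose spacing stays within jitter of the mean.
        periodic = len(gaps) >= 3 and mean > 0 and all(
            abs(g - mean) <= jitter * mean for g in gaps)
        report[src] = {
            "targets": len(rec["dsts"]),
            "scanner": len(rec["dsts"]) >= min_targets,
            "periodic": periodic,
            "period": round(mean) if periodic else None,
            "watched_ports": sorted(rec["ports"] & WATCHED_PORTS),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(FLOWS).items():
        print(src, info)
```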
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Liu, C., Liu, Q., Hao, S., Bao, C., Li, X. (2021). IPv6-Darknet Network Traffic Detection. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2021. Lecture Notes in Computer Science, vol 12737. Springer, Cham. https://doi.org/10.1007/978-3-030-78612-0_19
DOI: https://doi.org/10.1007/978-3-030-78612-0_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78611-3
Online ISBN: 978-3-030-78612-0
eBook Packages: Computer Science (R0)