4 research outputs found

    Enumerating Active IPv6 Hosts for Large-scale Security Scans via DNSSEC-signed Reverse Zones

    Security research has made extensive use of exhaustive Internet-wide scans over the recent years, as they can provide significant insights into the overall state of security of the Internet, and ZMap made scanning the entire IPv4 address space practical. However, the IPv4 address space is exhausted, and a switch to IPv6, the only accepted long-term solution, is inevitable. In turn, to better understand the security of devices connected to the Internet, including in particular Internet of Things devices, it is imperative to include IPv6 addresses in security evaluations and scans. Unfortunately, it is practically infeasible to iterate through the entire IPv6 address space, as it is 2^96 times larger than the IPv4 address space. Therefore, enumeration of active hosts prior to scanning is necessary. Without it, we will be unable to investigate the overall security of Internet-connected devices in the future. In this paper, we introduce a novel technique to enumerate an active part of the IPv6 address space by walking DNSSEC-signed IPv6 reverse zones. Subsequently, by scanning the enumerated addresses, we uncover significant security problems: the exposure of sensitive data, and incorrectly controlled access to hosts, such as access to routing infrastructure via administrative interfaces, all of which were accessible via IPv6. Furthermore, from our analysis of the differences between accessing dual-stack hosts via IPv6 and IPv4, we hypothesize that the root cause is that machines automatically and by default take on globally routable IPv6 addresses. This is a practice that the affected system administrators appear unaware of, as the respective services are almost always properly protected from unauthorized access via IPv4. 
Our findings indicate (i) that enumerating active IPv6 hosts is practical without a preferential network position contrary to common belief, (ii) that the security of active IPv6 hosts is currently still lagging behind the security state of IPv4 hosts, and (iii) that unintended IPv6 connectivity is a major security issue for unaware system administrators.
Accepted Author Manuscript
Information and Communication Technolog

    Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates

    Infrastructure-as-a-Service (IaaS), and more generally the “cloud,” like Amazon Web Services (AWS) or Microsoft Azure, have changed the landscape of system operations on the Internet. Their elasticity allows operators to rapidly allocate and use resources as needed, from virtual machines, to storage, to bandwidth, and even to IP addresses, which is what made them popular and spurred innovation. In this paper, we show that the dynamic component paired with recent developments in trust-based ecosystems (e.g., SSL certificates) creates so far unknown attack vectors. Specifically, we discover a substantial number of stale DNS records that point to available IP addresses in clouds, yet, are still actively attempted to be accessed. Often, these records belong to discontinued services that were previously hosted in the cloud. We demonstrate that it is practical, and time and cost efficient for attackers to allocate IP addresses to which stale DNS records point. Considering the ubiquity of domain validation in trust ecosystems, like SSL certificates, an attacker can impersonate the service using a valid certificate trusted by all major operating systems and browsers. The attacker can then also exploit residual trust in the domain name for phishing, receiving and sending emails, or possibly distribute code to clients that load remote code from the domain (e.g., loading of native code by mobile apps, or JavaScript libraries by websites). Even worse, an aggressive attacker could execute the attack in less than 70 seconds, well below common time-to-live (TTL) for DNS records.
In turn, it means an attacker could exploit normal service migrations in the cloud to obtain a valid SSL certificate for domains owned and managed by others, and, worse, that she might not actually be bound by DNS records being (temporarily) stale, but that she can exploit caching instead. We introduce a new authentication method for trust-based domain validation that mitigates staleness issues without incurring additional certificate requester effort by incorporating existing trust of a name into the validation process. Furthermore, we provide recommendations for domain name owners and cloud operators to reduce their and their clients’ exposure to DNS staleness issues and the resulting domain takeover attacks.
Information and Communication Technolog

    Something From Nothing (There): Collecting Global IPv6 Datasets from DNS

    Current large-scale IPv6 studies mostly rely on non-public datasets, as most public datasets are domain specific. For instance, traceroute-based datasets are biased toward network equipment. In this paper, we present a new methodology to collect IPv6 address datasets that does not require access to restricted network vantage points. We collect a new dataset spanning more than 5.8 million IPv6 addresses by exploiting DNS’ denial of existence semantics (NXDOMAIN). This paper documents our efforts in obtaining new datasets of allocated IPv6 addresses, so others can avoid the obstacles we encountered

    In rDNS We Trust: Revisiting a Common Data-Source’s Reliability

    Reverse DNS (rDNS) is regularly used as a data source in Internet measurement research. However, existing work is polarized on its reliability, and new techniques to collect active IPv6 datasets have not yet been sufficiently evaluated. In this paper, we investigate active and passive data collection and practical use aspects of rDNS datasets. We observe that the share of non-authoritatively answerable IPv4 rDNS queries reduced since earlier studies and IPv6 rDNS has less non-authoritatively answerable queries than IPv4 rDNS. Furthermore, we compare passively collected datasets with actively collected ones, and we show that they enable observing the same effects in rDNS data. While highlighting opportunities for future research, we find no immediate challenges to the use of rDNS as active and passive data-source for Internet measurement research.
    Information and Communication Technolog