Two-phase scanning in IPV6 : first observations from a reactive IPV6 network telescope

Abstract

Scanning is prevalent on the Internet. Researchers, commercial services as well as malicious actors probe the Internet regularly and with high intensity. Stateless TCP~SYN scanning has been established as an efficient approach to explore the IPv4 service landscape within minutes. The huge IPv6 address space renders this impossible. In this poster, we analyze 18 months of IPv6 SYN scanning using the reactive network telescope Spoki, which responds to TCP SYN packets. In case of two-phase scans, it engages in TCP handshakes initiated in a second phase. Spoki has been successful in identifying malicious scanning behavior in IPv4 and found a stable share of $\approx 75$\% irregular TCP SYNs, which typically characterize a first, stateless scanning phase. In the IPv6 Internet, the share of irregular TCP SYNs has not saturated but fluctuates on a 30 days average between 20\% and 80\%. Fewer scanners return after an irregular SYN and returns happen significantly later than in IPv4, which may indicate larger address traversals that delay the second phase.