The traceability of network attacks is vital for enhancing security defenses. While IPv6 adoption grows, research on interacting with IPv6 threats and tracing attacks remains limited. In this paper, we extend the dark network that is an unadvertised segment of the Internet, into an enhanced honeypot to study attack traceability. Our research features the broadest address prefix and longest monitoring period among similar studies. We collect non-production IPv6 traffic by announcing a /20 prefix and 128 /32 prefixes. IPv6 scanner behaviors, including HTTP and SSH scanning strategies, are analyzed via full-address reflection within /48 prefixes. Initially, no production systems were deployed; later, honeypots were introduced. Through prefix-based experiments, we evaluate traffic spatiotemporal characteristics and identify high-risk segments via a honeypot capture index. Our findings reveal malicious domains linked to a sensitive organization and 16 IPv6 addresses involved in periodic scanning and attacks over 16 months. Web and SSH scans increasingly target specific IPv6 addresses. Analysis shows HTTP attacks focus on asset scanning, weak credentials, and scripts, while SSH attacks exploit Log4j vulnerabilities.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

From Dark Network to Honeypot: Analysis and Traceability of Multi-prefix IPv6 Network Attacks

  • Youjun Huang,
  • Xiang Li,
  • Fasheng Miao,
  • Yanyan Ding,
  • Haixin Duan,
  • Jia Zhang

摘要

The traceability of network attacks is vital for enhancing security defenses. While IPv6 adoption grows, research on interacting with IPv6 threats and tracing attacks remains limited. In this paper, we extend the dark network that is an unadvertised segment of the Internet, into an enhanced honeypot to study attack traceability. Our research features the broadest address prefix and longest monitoring period among similar studies. We collect non-production IPv6 traffic by announcing a /20 prefix and 128 /32 prefixes. IPv6 scanner behaviors, including HTTP and SSH scanning strategies, are analyzed via full-address reflection within /48 prefixes. Initially, no production systems were deployed; later, honeypots were introduced. Through prefix-based experiments, we evaluate traffic spatiotemporal characteristics and identify high-risk segments via a honeypot capture index. Our findings reveal malicious domains linked to a sensitive organization and 16 IPv6 addresses involved in periodic scanning and attacks over 16 months. Web and SSH scans increasingly target specific IPv6 addresses. Analysis shows HTTP attacks focus on asset scanning, weak credentials, and scripts, while SSH attacks exploit Log4j vulnerabilities.