网络与信息安全学报 (Feb 2023)
Dual-stack host discovery method based on SSDP and DNS-SD protocol
Abstract
With the exhaustion of IPv4 addresses, the promotion and deployment of IPv6 has been accelerating. Dual-stack technology allows devices to enable both the IPv4 and IPv6 protocols, which means that users face more security risks. Although existing work can identify and measure some dual-stack servers, the following problems remain. Dual-stack host identification requires deep protocol identification of host services, but this method consumes too many scanning resources. In addition, network service providers may provide consistent services on distributed hosts, making it difficult to guarantee the accuracy of dual-stack host identification through service fingerprints. To solve these problems, LAN service discovery protocols were used to bind host services to IP addresses, and a dual-stack host discovery method based on the SSDP and DNS-SD protocols was proposed. In an IPv4 network environment, the target host was induced to actively send a request to a constructed IPv6 server through the SSDP protocol, and the IPv6 address was then extracted from the server's log. Alternatively, the service list of the target host and its corresponding AAAA records were enumerated through the DNS-SD protocol to obtain the IPv6 address of the target host. Either way, dual-stack address pairs were discovered. With this method, IPv6 addresses were obtained directly from the IPv4 host, which ensured the accuracy of the discovered dual-stack hosts. At the same time, only request packets for specific protocols were needed during the discovery process, which greatly saved scanning resources. Based on this method, the SSDP hosts and DNS-SD hosts accidentally exposed to the global IPv4 network were measured. A total of 158k unique IPv6 addresses were collected, of which 55k were dual-stack host address pairs with globally reachable IPv6 addresses. Unlike existing work that focused on dual-stack servers, this method mainly targeted end-users and client devices, and built a unique set of active IPv6 devices and dual-stack host address pairs that had not been explored so far. Analysis of the addressing types of the obtained IPv6 addresses shows that IPv6 addresses are mainly generated in a random manner, which greatly reduces the possibility of IPv6 hosts being discovered by scanning. In particular, by measuring the ports and services of dual-stack hosts, we found differences in the security policies of dual-stack hosts across the two protocol stacks. Notably, the IPv6 protocol stack exposes more high-risk services, expanding the attack surface of hosts. The research results also show that the infeasibility of traversal scanning of the IPv6 address space mitigates the security risks of IPv6, but incorrect network configuration greatly increases the possibility of these high-risk IPv6 hosts being discovered, and users should revisit their IPv6 security strategy on dual-stack hosts.
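The abstract's observation about addressing types can be checked against an inventory of your own hosts. The following is an added example, not code from the paper: it labels each address by how its 64-bit interface identifier appears to have been generated, and recovers the MAC address that an EUI-64 identifier exposes. The category names and heuristics are assumptions of this example, and the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import Counter
from typing import Optional

def _iid_bytes(addr: str) -> bytes:
    """Low 64 bits (interface identifier) of an IPv6 address."""
    return (int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")

def classify_iid(addr: str) -> str:
    """Coarse addressing-type label (categories are assumptions of this example)."""
    b = _iid_bytes(addr)
    iid = int.from_bytes(b, "big")
    if b[3] == 0xFF and b[4] == 0xFE:
        return "eui64"          # modified EUI-64: MAC split by ff:fe (RFC 4291)
    if iid < 0x10000:
        return "low-byte"       # e.g. ::1 or ::53, found by trivial enumeration
    if iid >> 32 == 0:
        return "embedded-ipv4"  # low 32 bits may mirror the host's IPv4 address
    return "randomized"         # opaque identifier, e.g. RFC 7217 / RFC 8981 style

def eui64_mac(addr: str) -> Optional[str]:
    """Recover the MAC an EUI-64 address leaks, or None for other types."""
    if classify_iid(addr) != "eui64":
        return None
    b = _iid_bytes(addr)
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in mac)

def summarize(addrs) -> Counter:
    """Count how many addresses fall into each addressing type."""
    return Counter(classify_iid(a) for a in addrs)

# Constructed sample inventory (documentation prefix, not real hosts).
SAMPLE = [
    "2001:db8::1",
    "2001:db8:1:2:211:22ff:fe33:4455",
    "2001:db8::c0a8:101",
    "2001:db8:1:2:3c4d:9a1e:77b0:5f62",
    "2001:db8:a:b:91f2:6e0d:c4a7:18b3",
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:40} {classify_iid(a):14} mac={eui64_mac(a)}")
    print(dict(summarize(SAMPLE)))
```

Hosts labelled anything other than `randomized` have identifiers that fall in a small, predictable part of the /64, so they do not benefit from the address-space size the abstract describes as a mitigation.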