HMap: Efficient Internet-Wide IPv6 Scanning With Dynamic Search

Abstract

Internet-wide scanning is integral to network measurement and security analysis, but the expansive address space of IPv6 limits existing approaches in achieving efficient global-scale scans. This study introduces HMap, an innovative IPv6 scanner that markedly improves scan efficiency and coverage through the implementation of a dynamic search (DS) technique, relying solely on IPv6 routeable BGP prefixes. DS employs a dynamic feedback-driven probing strategy that uses information from previous replies to prioritize more promising address regions in subsequent scans. In Internet-wide scans over IPv6, encompassing both ping-like and traceroute-like scans with DS, HMap has demonstrated its capability to discover 2.29 million non-alias active target addresses, 0.13 million peripheries/middleboxes, and 1.61 million router interfaces, using only million-scale probes. This represents a noteworthy improvement of 1.91 times, 1.63 times, and 12.38 times, respectively, compared to current state-of-the-art alternatives. Additionally, by utilizing an efficient target generation algorithm (TGA) that more effectively leverages seed addresses, HMap expands the non-alias active address count to 44.05 million. This coverage spans 18.97 thousand ASes with a one-hour scan at a limited probing speed of 100 Kpps. The volume of active IPv6 addresses is 4.88 times larger than the currently disclosed largest IPv6 hitlists, providing a more diverse set of IPv6 networks. Unlike prior IPv6 scan studies that preclude their use for Internet-scale security analysis, we also conduct the Internet-wide security scans of IPv6 networks, focusing on the exposed internal IPv6 devices and security-sensitive services in IPv6 routers.