Abstract
Due to its large address space, IPv6 remains a challenge for Internet measurements. Thus, IPv6 scans often resort to hitlists that, however, mainly cover core Internet infrastructure and servers. Contrarily, a recent approach to source addresses leveraging NTP servers promises to discover more user-related hosts. Yet, an in-depth analysis of hosts found by this approach is missing and its impact remains unclear. In this paper, we close this gap by sourcing client IPv6 addresses from our NTP Pool servers and scanning related hosts. We get 3 040 325 302 IPv6 addresses, unveiling 283 867 deployments of consumer products underrepresented in a state-of-the-art hitlist, only leading to 37 858 finds. Security-wise, we find that only 28.4 % of 73 975 NTP-sourced SSH and IoT-related hosts appear to be securely configured, compared to 43.5 % of 854 704 hosts in the hitlist, revealing previously underestimated security issues. Last, we switch sides and identify first (covert) actors adopting NTP-based address sourcing in their scanning.
Michael Klopsch
Constantin Sander, M.Sc.
Researcher
Klaus Wehrle
Head of Group
