Packed to the Brim: Investigating the Impact of Highly Responsive Prefixes on Internet-wide Measurement Campaigns

Author:

Sattler Patrick (1), Zirngibl Johannes (1), Jonker Mattijs (2), Gasser Oliver (3), Carle Georg (1), Holz Ralph (4)

Affiliation:

1. Technical University of Munich, Munich, Germany

2. University of Twente, Enschede, Netherlands

3. Max Planck Institute for Informatics, Saarbrücken, Germany

4. University of Münster, Münster, Netherlands

Abstract

Internet-wide scans are an important tool to evaluate the deployment of services. To enable large-scale application layer scans, a fast, stateless port scan (e.g., using ZMap) is often performed ahead of time to collect responsive targets. It is a common expectation that port scans on the entire IPv4 address space provide a relatively unbiased view as they cover the complete address space. Previous work, however, has found prefixes where all addresses share particular properties. In IPv6, aliased prefixes and fully responsive prefixes, i.e., prefixes where all addresses are responsive, are a well-known phenomenon. However, there is no such in-depth analysis for prefixes with these responsiveness patterns in IPv4. This paper delves into the underlying factors of this phenomenon in the context of IPv4 and evaluates port scans on a total of 161 ports (142 TCP & 19 UDP ports) from three different vantage points. To account for packet loss and other scanning artifacts, we propose the notion of a new category of prefixes, which we call highly responsive prefixes (HRPs). Our findings show that the share of HRPs can make up 70% of responsive addresses on selected ports. Regarding specific ports, we observe that CDNs contribute to the largest fraction of HRPs on TCP/80 and TCP/443, while TCP proxies emerge as the primary cause of HRPs on other ports. Our analysis also reveals that application layer handshakes to targets outside HRPs are, depending on the chosen service, up to three times more likely to be successful compared to handshakes with targets located in HRPs. To improve future scanning campaigns conducted by the research community, we make our study's data publicly available and provide a tool for detecting HRPs. Furthermore, we propose an approach for a more efficient, ethical, and sustainable application layer target selection. We demonstrate that our approach has the potential to reduce the number of TLS handshakes by up to 75% during an Internet-wide scan while successfully obtaining 99% of all unique certificates.

Funder

Netherlands Organisation for Scientific Research

German Federal Ministry of Education and Research

German Research Foundation

Horizon 2020 Framework Programme

Publisher

Association for Computing Machinery (ACM)
