Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure Via Active Fingerprinting

Beverly, Robert; Berger, Arno

doi:10.1007/978-3-319-15509-8_12

Cited by 28 publications

(23 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, iGreedy could be useful in general, adding e.g., a relevant feature for troubleshooting [56], including e.g., ensuring reachability of specific anycast replicas, or detecting unexpected affinity between a specific replica and (a faraway) vantage point. Additionally, some inference techniques could be applied only on the unicast context [57], [58], where authors generally have to resort to some heuristic to discard suspiciously anycasted instances: in this context, iGreedy could either automatically validate the assumption, or raise a flag forbidding to use such unicast-only techniques in case of positive detection.…”

Section: Applicationsmentioning

confidence: 99%

Latency-Based Anycast Geolocation: Algorithms, Software, and Data Sets

Cicalese

Joumblatt

Rossi

et al. 2016

IEEE J. Select. Areas Commun.

View full text Add to dashboard Cite

Use of IP-layer anycast has increased in the last few years beyond the DNS realm. Existing measurement techniques to identify and enumerate anycast replicas exploit specifics of the DNS protocol, which limits their applicability to this particular service. In this paper, we propose and thoroughly validate a protocol-agnostic technique for anycast replicas discovery and geolocation, further we also provide the community with open source software and datasets allowing others to replicate our experimental results, potentially facilitating the development of new techniques such as ours.In particular, our proposed method achieves thorough enumeration and city-level geolocalization of anycast instances from a set of known vantage points. The algorithm features an iterative workflow, pipelining enumeration (an optimization problem using latency as input) and geolocalization (a classification problem using side channel information such as city population) of anycast replicas. Results of a thorough validation campaign show our algorithm to be robust to measurement noise, and very lightweight as it requires only a handful of latency measurements.

show abstract

Section: Applicationsmentioning

confidence: 99%

Latency-Based Anycast Geolocation: Algorithms, Software, and Data Sets

Cicalese

Joumblatt

Rossi

et al. 2016

IEEE J. Select. Areas Commun.

View full text Add to dashboard Cite

show abstract

“…This technique only works on DNS clients or open resolvers, and requires a DNS server backend infrastructure. In 2015, Beverly and Berger [10] refine prior work on remote clock skew estimation through TCP timestamps and apply it to actively probe IPv6-IPv4 servers for sibling classification. Their algorithm is as follows: First, they filter non-siblings based on different TCP option signatures.…”

Section: Related Workmentioning

confidence: 99%

“…This level of relation may help to draw deeper conclusions from service-level IPv6-IPv4 comparative studies, e.g., on latency [7] or security comparisons [12]. We base our classification approach on active measurements of TCP timestamps, based on prior work by Kohno [19], Zander [32], and Beverly and Berger [10]. Our approach leverages novel features, such as the identification of unique nonlinear patterns caused by variable skew.…”

Section: Introductionmentioning

confidence: 99%

Large-scale classification of IPv6-IPv4 siblings with variable clock skew

Scheitle

Gasser

Rouhi

et al. 2017

2017 Network Traffic Measurement and Analysis Conference (TMA)

View full text Add to dashboard Cite

Linking the growing IPv6 deployment to existing IPv4 addresses is an interesting field of research, be it for network forensics, structural analysis, or reconnaissance. In this work, we focus on classifying pairs of server IPv6 and IPv4 addresses as siblings, i.e., running on the same machine. Our methodology leverages active measurements of TCP timestamps and other network characteristics, which we measure against a diverse ground truth of 682 hosts. We define and extract a set of features, including estimation of variable (opposed to constant) remote clock skew. On these features, we train a manually crafted algorithm as well as a machine-learned decision tree. By conducting several measurement runs and training in cross-validation rounds, we aim to create models that generalize well and do not overfit our training data. We find both models to exceed 99% precision in train and test performance. We validate scalability by classifying 149k siblings in a large-scale measurement of 371k sibling candidates. We argue that this methodology, thoroughly cross-validated and likely to generalize well, can aid comparative studies of IPv6 and IPv4 behavior in the Internet. Striving for applicability and replicability, we release ready-to-use source code and raw data from our study.

show abstract

“…Stack fingerprinting is often used in market-share analysis [19], [20], Internet characterization [11], [14], research measurements [4], [8], [15], and security, where administrators aim to discover vulnerable devices and/or stealth intruders in the network [1], [17], [26]. We split the work across two main categories in Fig.…”

Section: A Remote Os Classificationmentioning

confidence: 99%

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Shamsi

Loguinov

2017

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

Maintaining and updating signature databases are tedious tasks that normally require a large amount of user effort. The problem becomes harder when features can be distorted by observation noise, which we call volatility. To address this issue, we propose algorithms and models to automatically generate signatures in the presence of noise, with a focus on single-probe stack fingerprinting, which is a research area that aims to discover the operating system of remote hosts using their response to a TCP SYN packet. Armed with this framework, we construct a database with 420 network stacks, label the signatures, develop a robust classifier for this database, and fingerprint 66M visible webservers on the Internet. We compare the obtained results against Nmap and discover interesting limitations of its classification process that prevent correct operation when its auxiliary probes (e.g., TCP rainbow, TCP ACK, and UDP to a closed port) are blocked by firewalls.Index Terms-OS fingerprinting, internet measurement.

show abstract

Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure Via Active Fingerprinting

Cited by 28 publications

References 11 publications

Latency-Based Anycast Geolocation: Algorithms, Software, and Data Sets

Latency-Based Anycast Geolocation: Algorithms, Software, and Data Sets

Large-scale classification of IPv6-IPv4 siblings with variable clock skew

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Contact Info

Product

Resources

About