Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure Via Active Fingerprinting

We present, validate, and apply an active measurement technique that ascertains whether candidate IPv4 and IPv6 server addresses are “siblings,” i.e., assigned to the same physical machine. In contrast to prior efforts limited to passive monitoring, opportunistic measurements, or end-client populations, we propose an active methodology that generalizes to all TCP-reachable devices, including servers. Our method extends prior device fingerprinting techniques to improve their feasibility in modern environments, and uses them to support measurement-based detection of sibling interfaces. We validate our technique against a diverse set of 61 web servers with known sibling addresses and find it to be over 97 % accurate with 99 % precision. Finally, we apply the technique to characterize the top \(\sim \)6,400 Alexa IPv6-capable web domains, and discover that a DNS name in common does not imply that the corresponding IPv4 and IPv6 addresses are on the same machine, network, or even autonomous system. Understanding sibling and non-sibling relationships gives insight not only into IPv6 deployment and evolution, but also helps characterize the potential for correlated failures and susceptibility to certain attacks.

[1]  Steve Uhlig,et al.  Investigating IPv6 Traffic - What Happened at the World IPv6 Day? , 2012, PAM.

[2]  Van Jacobson,et al.  TCP Extensions for High Performance , 1992, RFC.

[3]  Donald F. Towsley,et al.  Estimation and removal of clock skew from network delay measurements , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[4]  Nina Taft,et al.  Passive and Active Measurement , 2012, Lecture Notes in Computer Science.

[5]  Jing Zhang,et al.  Measuring IPv6 adoption , 2015, SIGCOMM 2015.

[6]  Mark Allman,et al.  A middlebox-cooperative TCP for a non end-to-end internet , 2015, SIGCOMM 2015.

[7]  Kimberly C. Claffy,et al.  Tracking IPv6 evolution: data we have and data we need , 2011, CCRV.

[8]  Kimberly C. Claffy,et al.  Measuring the deployment of IPv6: topology, routing and performance , 2012, IMC '12.

[9]  Kathleen J. Mullen,et al.  Agricultural Policies in India , 2018, OECD Food and Agricultural Reviews.

[10]  T. Kohno,et al.  Remote physical device fingerprinting , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[11]  Michael J. Silbersack Improving TCP / IP security through randomization without sacrificing interoperability , 2005 .

[12]  Lachlan L. H. Andrew,et al.  Mitigating sampling error when measuring internet client IPv6 capabilities , 2012, IMC '12.

[13]  Gordon Fyodor Lyon,et al.  Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning , 2009 .

[14]  Robert Beverly,et al.  Internet nameserver IPv4 and IPv6 address relationships , 2013, Internet Measurement Conference.