Towards A User-Level Understanding of IPv6 Behavior

ACM Internet Measurement Conference (IMC)


IP address classification and clustering are important tools for security practitioners in understanding attacks and employing proactive defenses. Over the past decade, network providers have begun transitioning from IPv4 to the more flexible IPv6, and a third of users now access online services over IPv6. However, there is no reason to believe that the properties of IPv4 addresses used for security applications should carry over to IPv6, and to date there has not yet been a large-scale study comparing the two protocols at a user (as opposed to a client or address) level.

In this paper we establish empirical grounding on how both ordinary users and attackers use IPv6 in practice, compared with IPv4. Using data on benign and abusive accounts at a large online platform, we conduct user-centric analyses that assess the spatial and temporal properties of users’ IP addresses, and IP-centric evaluations that characterize the user populations on IP addresses. We find that compared with IPv4, IPv6 addresses are less populated with users and shorter lived for each user. While both protocols exhibit outlying behavior, we determine that IPv6 outliers are significantly less prevalent and diverse, and more readily predicted. We also study the effects of subnetting IPv6 addresses at different prefix lengths, and find that while /56 subnets are closest in behavior to IPv4 addresses for malicious users, either the full IPv6 address or /64 subnets are most suitable for IP-based security applications, with both providing better performance tradeoffs than IPv4 addresses. Ultimately, our findings provide guidance on how security practitioners can handle IPv6 for applications such as blocklisting, rate limiting, and training machine learning models.
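The sketch below is an added example, not code or data from the paper: it shows the mechanics of keying a blocklist or rate limiter on a full IPv6 address, a /64, or a /56, and of the two views the abstract names (users per address, addresses per user). The event list, user names and the function names `aggregation_key`, `users_per_key` and `keys_per_user` are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (user_id, client_ip) events; addresses are documentation ranges.
EVENTS = [
    ("alice", "2001:db8:aa00:1:a1b2:c3ff:fe00:1"),
    ("alice", "2001:db8:aa00:1:5d3e:91ff:fe77:9"),  # same /64, different interface ID
    ("bob",   "2001:db8:aa00:2:0:0:0:10"),          # same /56 as alice, different /64
    ("carol", "2001:db8:bb00:7::5"),
    ("dave",  "198.51.100.7"),
    ("erin",  "198.51.100.7"),                      # one IPv4 address shared by two users
]

def aggregation_key(ip: str, v6_prefix: int = 64) -> str:
    """Map a client address to the key a blocklist or rate limiter counts on.

    IPv4 is keyed on the full address; IPv6 is truncated to v6_prefix bits
    (128 keeps the full address). IPv4-mapped IPv6 is treated as IPv4.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.IPv6Network((addr, v6_prefix), strict=False))

def users_per_key(events, v6_prefix):
    """IP-centric view: number of distinct users seen on each key."""
    seen = defaultdict(set)
    for user, ip in events:
        seen[aggregation_key(ip, v6_prefix)].add(user)
    return {key: len(users) for key, users in seen.items()}

def keys_per_user(events, v6_prefix):
    """User-centric view: number of distinct keys each user appeared on."""
    seen = defaultdict(set)
    for user, ip in events:
        seen[user].add(aggregation_key(ip, v6_prefix))
    return {user: len(keys) for user, keys in seen.items()}

if __name__ == "__main__":
    for plen in (128, 64, 56):
        print(plen, users_per_key(EVENTS, plen), keys_per_user(EVENTS, plen))
```

Widening the prefix merges a user's rotating addresses into one key, and it also merges distinct users into that key, which is the tradeoff to measure on real traffic before choosing a prefix length.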
