2012 ASE International Conference on Social Informatics (SocialInformatics 2012) / 2012 ASE International Conference on Cyber

Security (CyberSecurity2012 International

2012) / 2012 ASEConference onConference
International Cyber Security
on BioMedical Computing

An adaptive honeypot system to capture IPv6

address scans
Kazuya Kishimoto∗ , Kenji Ohira† , Yukiko Yamaguchi‡ , Hirofumi Yamaki‡ and Hiroki Takakura‡
∗ Graduate School of Information Science
Nagoya University, Nagoya, 464-8601 Japan
Email: kishimoto@net.itc.nagoya-u.ac.jp
† Nara institute of science and technology, Ikoma, 630-0192 Japan

Email: k-ohira@is.naist.jp
‡ Information Technology Center

Nagoya University, Nagoya, 464-8601 Japan

Email: {yamaguchi, yamaki, takakura}@itc.nagoya-u.ac.jp

Abstract—The vastness of IPv6 address space and rapid spread
of its deployment attract us to usage of IPv6 network. Various
types of devices, including embedded systems, are ready to use
IPv6 addresses and some of them have already been connected
directly to the Internet. Such situation entices attackers to change
their strategies and choose the embedded systems as their targets.
We have to deploy various types of honeypots on IPv6 network
to trace his activities and infer his objective. Huge address space
and wide variety of devices, however, suggest the limitation of
conventional honeypots. In this paper, we propose a system that
dynamically assigns an address to a honeypot by detecting an
access to an unassigned address. We also present our strategy
against IPv6 address scans by making honeypots collaborate each
other.
Index Terms—honeypot, IPv6, security
I. I NTRODUCTION
In recent years, serious incidents such as targeted attacks
have been reported frequently. Such kind of attacks has a
tendency to use a zero-day attack which exploits undisclosed
vulnerabilities. Traditional security countermeasures heavily
depend on a detection pattern, i.e., a virus definition or an
attack signature. Since a sign of the zero-day attack can be
hardly caught, we cannot obtain the detection pattern before-
hand and the current countermeasures do not work effectively
against these attacks. Furthermore, cases that incidents are
occurred in LAN, e.g., home network, office network, are
increased. In that situation, the effectiveness of firewall and
IPS (Intrusion Prevention System) are limited. In order to
defend our network from these attacks, many techniques have
been studied. Building and deploying honeypots is one of the
approaches widely known. A honeypot gathers information of
cyber attacks by accepting attacks.
Stocks of IPv4 address blocks managed by IANA ran out
on February 3, 2011 [1], which causes serious problems on
the growth of the Internet. This fact and the events like World
IPv6 Launch started at June 6, 2012 accelerate the adoption of
IPv6. A honeypot system that gathers information effectively
in IPv6 is needed.
In general, the address space of 64 bits, that is, 1.8 × 1019
are available in one network segment in IPv6. Because of the
exhaustion of IPv4 addresses, many devices cannot be assigned
a global IP address and should be deployed under NAT which
also plays the role of a substitution of a firewall. On the other
hand, the vastness of IPv6 allows various types of devices to
connect to the Internet directly.
Stateless address autoconfigulation (SLAAC) is convention-
ally used when a device choose its IPv6 address. In case
of SLAAC, most devices generate IPv6 addresses from their
MAC addresses. A MAC address contains the information to
know its vendor and its model of the device. As a result, an
IPv6 address derived from a MAC address is dependent on
the vendor and the model of the device.
In recent year, embedded devices, e.g., home appliances,
building facilities, industrial control systems, connect to the
Internet. Many of them start to adopt IPv6 [2][3][4] and the
number of such devices will be increased more and more
hereafter. The majority of devices that connected to the IPv6
network is considered to be such devices not PCs.
Because of such change of the network environment, at-
tackers focus on on not only PCs but also embedded devices.
Stuxnet was one of the typical examples of attacks to SCADA
(Supervisory Control And Data Acquisition) systems. After
Stuxnet, several its variants and new malware which targeted
to SCADA have been reported. Some of conventional propaga-
tion methods cannot be used when attackers want to discover
embedded devices. For example, spam mails cannot be used
to sensors because they are not designed to receive mails. One
of the methods to discover such devices is a scan. Usually, it
is considered that a scan to IPv6 network is infeasible because
of its vast address space. If an attacker targets a specific device
which is used in a certain organization, he can scan only
address space derived from SLAAC to identify the device. In
the case of the easiest scenario, he has to search 232 address
space1 .
On the other hand, in order to gather attack information,
it is required to know which address will be attacked and
deploy a honeypot to the address. It is difficult to predict in
1= 216 (subnet ID of prefix) and 216 (lower 16 bit of interface ID)

978-0-7695-5014-5/12 $26.00 © 2012 IEEE

978-0-7695-4938-5/12 508
165
DOI 10.1109/CyberSecurity.2012.28
10.1109/SocialInformatics.2012.46
advance which IPv6 address will be attacked. A honeypot that
is assigned only one address cannot be found by IPv6 attackers
[5] because an IPv6 address space is vast. It is not favorable
to give a clue that the responding node is a honeypot. Thus, it
is necessary for an IPv6 honeypot system to choose accesses
it responds and to give responses that are appropriate to them.
In this paper, we focus on mechanism of IPv6 address
assignment [6] and propose a new system which can automati-
cally deploy an appropriate honeypot. In an IPv6 environment,
a neighbor solicitation (NS) message is multicasted in order
that an initiator node, e.g., a router, obtains the MAC address
of a target node, e.g., an end host. Since a NS message contains
the IPv6 address of the target node, our system monitors the
message and identifies a product which an attacker tries to
intrude in. As honeypots, our system stores virtual machines
where various types of OSs and applications are installed
in advance. Based on the MAC address inferred from a NS
message, the most appropriate virtual machine is selected from
them and connected to the Internet. We mention attacker’s
strategies of IPv6 address scans and propose the strategies
against each of them.
The rest of the paper is organized as follows. In Section II,
we describe typical honeypots and problems when deploying
honeypots in IPv6. In Section III, we describe the proposed
method and the strategies for IPv6 scans. In Section IV,
we show experiments and analyze them. Finally, we present
concluding remarks and suggestions for future study.
II. L URING ATTACKERS INTO H ONEYPOTS IN IP V 6
A. Honeypots
In order to deceive a defender, an attacker may scan address
range which does not cover his target device. Because the
utilization of passive sensor cannot infer the target, honeypots
are mandatory for identifying his objective. Spizner [7] defines
a honeypot as “an information system resource whose value
lies in unauthorized or illicit use of that resource.” A honeypot
gathers samples of malicious programs and records of their
behavior whose information is utilized to defend our systems.
If an attacker plans to intrude into a certain organization,
he has to look around its network. We try to identify his
objective by analyzing his activity which is captured by the
honeypots. Because the attacker is quite cautious to perform
the reconnaissance, the honeypots should respond carefully to
his access. If he suspects the existence of honeypots, he stops
his activity and we cannot trace him anymore.
To realize such honeypots, several approaches are proposed
where a honeypot changes its behavior according to the type of
access it receives. Song et al. [8] proposes a honeypot system
which automatically controls listening ports. The design of
this systems is based on the experimental observation that an
attacker may be aware of honeypots if they respond to all
packets arrived at different ports. The system monitors network
traffic, analyzes request packets to all honeypots, and decides
which ports should be opened for each honeypot. Michael et
al. proposed Potemkin Virtual Honeyfarm [9] that monitor a
large number of IP addresses with a few physical resources by
166
509
using virtual machines. This system dynamically bind phys-
ical resources to external requests to emulate the execution
behavior of dedicated hosts. The resource requirements of
emulating an Internet host is reduced by exploiting idleness
at the network layer and physical memory coherence between
hosts. SGNET honeypot [10] emulates behavior of real OS by
utilizing Finite State Machine (FSM) model. Against known
attacks, the honeypot can respond as they are the actual OS. If
new/unknown attacks are arrived, it works as proxy in order
to transfer the communication to the central controller and
requires a new FSM model. Participants of SGNET project
deploy the honeypots all over the world and share collected
information.
There are some researches on the deployment of honeypots
in IPv6 network. Robert et al. [11] deployed spam honeypots
to IPv6 network. Klaus Steding-Jessen et al. [12] deployed an
IPv6 honeypot server that hosting a web server and a mail
server.
B. Assumed scenario of honeypots
It is assumed a honeypot is accessed by an attacker as
follows.
1) A honeypot is deployed to a static IP address.
It is assigned a static IP address, and is exposed to the
Internet.
2) An attacker discovers the honeypot.
He/she scans the IP addresses of targeted country or
organization. If the scan covers the IP address assigned
to the honeypot, it may become the candidate for his/her
attack.
3) The attacker examines the honeypot.
He/she examines whether the machine is a honeypot
and whether it has vulnerabilities. If he/she regards the
machine as a honeypot, he/she aborts the attack. A
honeypot should return appropriate responses so as not
to be doubted by the attacker.
4) The honeypot is attacked.
The attacker starts attacking the honeypot if he/she
judges that it is not a honeypot and finds vulnerabilities.
C. Vast address space of IPv6
Because the address space of IPv4 is limited, it is impossible
to connect all devices directly to the Internet. In many cases,
we deploy NAT in IPv4 because of the exhaustion of IPv4
addresses. It also works as a substitution of a firewall.
In IPv6, it becomes possible for all devices to be assigned
one or more global addresses. All devices can be IP reachable
and can establish an end-to-end communication in IPv6.
An IPv6 address consists of 128 bits, and the upper 64 bits
are the network prefix and the lower 64 bits are the interface
identifier. The network prefix can be utilized to know the
region or the country where the network exists. Note that the
64-bit address space for interface identifier is so large that most
part of address block in a subnet is not used. If an attacker
chooses an address randomly, he/she will most probably fail
to find existing nodes.
 #$
 network printers have frequently become victims of cyber
"
 !
 !
 attacks. Stuxnet [16] attacked SCADA system and caused


 

   
 serious damage to the nuclear plant. Several home appliances
were compromised and misused as stepping-stones for further




  
 attacks.








 !
!

 







  Furthermore, wide spread of smartphones and tablets in-








troduce new trend of device usage, i.e., BYOD(Bring Your
Fig. 1. Structure of an IPv6 address derived from EUI-64 format Own Device). Since most of BYODs are ready for IPv6
and have ability of tethering, BYOD causes new security
issues, BYON(Bring Your Own Network). Many organization,
Similar to attackers, defenders have to take care of the including Nagoya University, has suffered from several issues.
situation to deploy honeypots. If we adopt a strategy similar For example, misconfigured devices tried to introduce an
to the conventional one where each honeypot is assigned fixed another IPv6 network which is not assigned the university.
IP address, the honeypots sparsely exist in IPv6 address space As another example, a compromised smartphone attempted to
of a subnet and hardly detect malicious activities. On the other hijack IPv6 sessions.
hand, if we deploy too many honeypots on a subnet, an attacker The reason for the shift can be considered as follows.
can easily identify such unnatural subnet. Therefore, we need First, the embedded devices with network connection become
some smart method to deploy honeypots in IPv6 environment. common and many of them are directly connected the Internet.
In IPv6, an IP address derived from EUI-64 format [13] is Second, their security level is relatively low comparing with
conventionally used. EUI-64 format is automatically calculated conventional PCs. Because of the reduction on production
from a MAC address. A MAC address is a unique identifier costs, these devices must be equipped with the minimum
assigned to network interfaces and consists of 48 bits. The specification of hardware resources. Such specification cannot
first 24 bits represent a vendor code managed by IEEE, and afford to installing security functions, e.g., anti-virus. Most of
the lower 24 bits are assigned by each vendor. Conventionally the embedded systems are derivation of the conventional OSs
the lower 24 bits are sequentially assigned to a device. As a like Linux, FreeBSD, Windows. Since life cycle of the devices
result, the lower 24 bits of same model devices are sequential. is very long, e.g., 10 years, and it is not an easy task to update
If high-order bits of the lower 24 bits are same, the devices are their OSs, their vulnerabilities are frequently left. An attacker
probably same model. In this paper, the first 8 bits of lower can easily understand their structures. Therefore, these devices
24 bits are termed a model identifier and the remaining 16 bits become easy targets for the attackers.
are termed a serial identifier. An EUI-64 format is generated
by inserting hex FFFE to middle of MAC address as shown E. Attacker’s strategies to scan IPv6 network
in Fig. 1 The enlarged address space of IPv6 and the SLAAC causes
Since an IP addresses derived from EUI-64 may accept new critical problems which do not exist in IPv4. In IPv6, the
incoming connection requests from other devices [14], most step 2 and 3 of II-B is more difficult than that of IPv4.
implementation of OS innocently responds to connection re- Most types of IPS monitor network traffic for a certain
quests to the addresses. This situation helps an attacker to period of time, e.g., 1 minute. For each source address,
identify his target devices. Instead of searching the entire destination IP addresses are sorted in order to find sweep
address space of a subnet, he just look around the limited range behavior. In order to evade from such detection mechanism, a
of IP addresses which are derived from EUI-64. If an attacker smart attacker frequently adopts slow scan [17]. Slow scan is
targets a specific device, he can obtain detailed knowledge of a technique that send some packets a day, often from different
its behavior. If a honeypot cannot properly respond to him, source addresses, not to be detected by IPS.
he suspects the existence of the honeypot and suspends the This paper assumes that an attacker selects one of three
interaction with it. scan strategies below, one ordinary scan and two slow scan
D. Security of networked embedded systems and IPv6 strategies.
Building facilities such as thermometers, air-conditioners 1) The attacker accesses almost all IPv6 addresses within
and lighting equipments are managed through IP network. a specific address range in a short period of time.
Furthermore, a huge number of SCADA systems is ready In this strategy, the attacker tries to discover as many
for IPv6 [2][3][4]. Even in a house, set-top boxes, TV sets, hosts as possible. Even if the IPv6 addresses are selected
DVRs are equipped with the embedded systems and ready to randomly, recent IPS has sophisticated algorithm to
talk IPv4/IPv6 protocols. Power grid researches have promoted detect this activity and can drop such scan packets.
the network connection of such embedded systems [15]. For 2) Slow scan to search a specific product.
example, an electric car is connected to power line of a house. If an attacker who tries to attack a certain organization
In case of an emergency, its battery can be used as power knows undisclosed vulnerabilities of a specific product,
source for the house. With taking into consideration on such e.g., a digital TV set, he may be interested in the
advancement, recent targets of attackers have been shifted lowest 16 bits of IPv6 addresses. Because he can easily
from conventional PCs to embedded systems. As one example, obtain the vendor code and the model identifier of the

167
510
 %
 
2) Databases: Databases store the information that is used
 





  
in selecting an appropriate honeypot and assigning an IPv6

 
address to it. We defined three databases described as follows.
• Machine management database

  䞉䞉䞉 
&
%'
Fig. 2. honeypot system structure
product. However, he may not have prior knowledge
which network segment his targets exists. Every time
when he sends one scan packet, he selects one subnet
identifier of the organization and one serial identifier of
MAC addresses randomly.
3) Slow scan for a pinpoint attack to a target device.
If an attacker has a clear target person in an organization,
he may be eager to know the MAC address of personal
devices like a smart phone. After he is succeeded to
obtain the MAC address, he never needs to search the
interface identifier of the IPv6 address. Only subnet
identifier attracts his interest. Similar to 2), he selects a
subnet identifier randomly but fixes interface identifier.
As results, it is quite difficult for IPS to detect such slow
and random walk scan.
Compared with the number of grobal routing prefix, that of
allocated prefixes [18] are very small, i.e., 248 v.s. 230 . If an
attacker want to find out someone’s device in the world by
using a botnet, his task does not becomes so difficult.
III. P ROPOSED M ETHOD
We propose a system that monitor an access to an unas-
signed address based on EUI-64 and assigns an address to the
appropriate honeypot dynamically.
A. Architecture of proposed system
The proposed honeypot system is constructed from multiple
honeypots, three databases and an address assigning manager.
Fig. 2 shows the overview.
1) Honeypots: In order to cope with the problem, we
generated various types of honeypot as virtual images and
install the images into the system in advance. By using a
virtual honeypot and applying a snapshot command, we can
easily obtain compromised disk image of the honeypot. Also
by restoring original image of the honeypot, the honeypot
immediately returns to clean status. For each combination of
OS and applications, an image of a honeypot is prepared.
Every time when an access to an unassigned IPv6 address
is detected, our system infers attacker’s target type and select
the most appropriate honeypot among the images.
Currently we deploy conventional OSs, e.g., Windows,
Linux, as virtual machines. In addition, we are planning to
develop virtual machines which emulate embedded systems
such as home-appliance, sensors. Since behavior of the embed-
ded systems is simple compared to the conventional OSs, it is
feasible to develop the system applying SGNET like methods.
168
511
It manages the information of real machines and VMs in
the network segment. A real machine indicates a machine
which is not a honeypot. The entry of each machine is
manually registered before the proposed honeypot system
is started. TABLE I shows the attributes and explanation
of this database. id represents a machine identifier. ma-
chine represents an operating system name installed to the
machine. mac represents a MAC address of the machine.
addr represents an IPv6 address that statically assigned
to the machine.
TABLE I
ATTRIBUTES OF MACHINE MANAGEMENT DATABASE
id machine identifier
machine machine name
mac MAC address of machine
addr static IPv6 address
• Address management database
It manages current or past status of each IPv6 address.
TABLE II shows the attributes and explanation of this
database. addr represents an address that was accessed.
id represents a machine identifier that responds past
accesses. chk is decided from past accesses and it is used
which honeypot the address is assigned is decided. chk
has five parameters of success, failure, run, yet
and in-use. success represents that an attack was
executed to machine with id when addr was assigned to.
This means that the attack is not aborted in step 3 of
Section II-B and an attacker proceeds step 4. failure
represents that an attack was aborted. run represents that
the addr is assigned to machine with the id at that time.
yet represents that the addr have not be assigned to
machine with the id. in-use represents that the addr is
assigned to the machine that is not honeypot.
TABLE II
ATTRIBUTES OF ADDRESS MANAGEMENT DATABASE
addr IPv6 address
id machine identifier
chk state of entry
• MAC address database
This database stores vendor codes, model identifiers and
a machine identifiers. The vendor code is published by
IEEE. The 256 entries exist for each vendor code because
a model identifier is a 8-bit number. When our system
finds an attack that aims at IPv6 addresses derived from
MAC addresses, the database is referred and its content is
updated. TABLE III shows the attributes and explanation
of this database. vendor represents a vendor code and
model represents a model identifier described in Section
II-D. id represents a machine identifier of the honeypot.
 TABLE III %'
ATTRIBUTES OF MAC ADDRESS DATABASE 

 $  

- %'

%'

%'

vendor Organizationally Unique Identifier   

model model identifier ( $)*+


id machine identifier 


,#

   ,.'


3) Address assigning manager: According to observed traf- ,# /    '

/  

'
fic data, this module performs several functions among the 
0,

1(!

followings. 

 $)*+
• Assign an IPv6 address to a honeypot. 2 '
 $
Details will be described in Section III-B2.
• Release an IPv6 address from a honeypot.
䞉
Details will be described in Section III-B4. 䞉
䞉

• Judge reconnaissance accesses.

Details will be described in Section III-B4.
• Update databases.
Details will be described in Section III-B2 and III-B4.
• Clean honeypots image file and reboot honeypots.
Details will be described in Section III-B4.
B. Detailed procedure of address assignments
We focus on the ICMPv6 neighbor discovery protocol
(NDP) [6] to detect an access from attackers to an unas-
signed address. The NDP provides the address resolution that
corresponds to ARP. This honeypot system can be set up
without changing the network configuration of other devices
in network segment by utilizing the process of NDP.
1) Ordinary address resolution in the NDP: The address
resolution in the NDP is performed in the following order.
1) A node receives a packet whose destination IPv6 address
does not exist in its neighbor cache table irrespective of
protocol, e.g., TCP, UDP or ICMP.
2) The node sends a NS (neighbor solicitation) message to
a solicited-node multicast address corresponding to the
destination IPv6 address.
3) A node which has the destination IPv6 address receives
the message. Then the node responds NA (neighbor
advertisement) message with its MAC address.
4) After receiving the NA message, its entry is stored in
the neighbor cache table. Then, the packet received in
process 1 is delivered to the correct destination.
The proposed honeypot system assigns an IPv6 address to
a honeypot while detecting NS message and returning NA
message in order to maintain communication with an attacker
accessing to an unassigned address. The honeypot needs to
return responses that resemble to the responses from the
device originally on the IPv6 address. Among various types of
honeypots which are constructed in advance, the most suitable
one is selected.
2) Process of assigning an IPv6 address to a honeypot: We
describe the process assigning an IPv6 address by modifying
process 3 of Section III-B1. When the access to an unassigned
address is detected, an address assignment is performed. Fig.3
shows the overview of the processes. An address assigning
manager assigns an address to a honeypot in the following
five processes.
Fig. 3. Address assigning process
1) Detect the NS message except DAD (Duplicate Address
Detection) to an unassigned IPv6 address. Our system
should confirm that the detected address is not currently
used in the network segment.
2) Judge whether the packet is part of a scan and decide the
strategy of address assignment. The proposed method
changes the strategy of the address assignment according
to the type of the scan. Details will be described in
Section III-C.
3) Select the best honeypot to respond to the accessed IPv6
address
If the accessed IPv6 address is derived from a
MAC address
Search entries of MAC address database with
same vendor code as the one of the accessed
IPv6 address. Select the honeypot of the entry
with same model identifier from the results
and go to process 3.
Else
Search entries of the address management
database with same addr value as accessed one.
If there is a entry with chk=success
Select the honeypot and go to pro-
cess 4.
Else if there are entries with chk=yet
Select one honeypot at random from
them, and go to process 4.
Else
Insert entries for all honeypot with
chk=yet. Then select a honeypot at
random from them, and go to process
4.
4) Assign IPv6 address to honeypot
The address assigning manager assign the IPv6 address
to the honeypot that is selected in process 3. The entry
corresponding to this address assignment is updated to
chk=run.
5) Respond a NA message

169
512
 The address assigning manager makes and sends a NA
message which corresponds to the response to the NS
message that is detected in process 1.
The packet that reached to the router before process 1 is sent to
the honeypot that is assigned the accessed address after process
5. The honeypot becomes possible to begin to communicate
with attacker.
3) Management of addresses used in network segment:
The address of real machines in network segment can be re-
configured based on router advertisement. If the address is not
registered to the address management database, the address can
be mistakenly assigned to a honeypot. To prevent this situation,
when a DAD packet is detected, the address assigning manager
regards that the address is used and registers it to the address
management database with chk=in-use not to be assigned
to honeypots. We assume that DHCPv6 is disabled on the
network segment in this paper.
4) Collect reconnaissance accesses: The accesses to the
unassigned address are regarded as reconnaissance one. We
judge the attack have been executed when the count of serial
communication exceeds the threshold. Otherwise, we assume
that the attack is aborted by the attacker because there is no
vulnerability that the attacker targets or the attacker notices the
target is a honeypot. Currently the threshold is a fixed value
and it is defined beforehand.
When an attack is continued, the attack is classified into the
following three patterns.
• The honeypot has returned responses that look like the
target device one.
• The attacker has not comprehended the response of the
target device yet.
• The attacker does not search specific target devices.
Various information is obtained by analyzing the attack even
if it is which pattern. For example, there is a possibility
that malwares can be collected in the first and the second
pattern. The malware is assumed that it targets the device with
same vendor code and same model identifier. The unknown
vulnerabilities of the device and countermeasures against the
attack can be obtained by analyzing the malware.
If the communication continues and if the number of its
packets exceeds the threshold, the address assigning manager
updates chk of corresponding entry of address management
database to success and the disk image of the honeypot
is stored to be able to analyze it later, then the honeypot is
rebooted by using a clean disk image. A clean disk image
is a copy of disk image of a honeypot before it is attacked.
Otherwise, chk is updated to failure and the IPv6 address
is released from the honeypot. When chk of all entry related to
the accessed address become to failure, they are changed
to yet again.
C. Strategies of address assignment
The proposed method changes the strategy of address as-
signment according to the interface identifier of the accessed
IPv6 address and the type of scan described in SectionII-E.
170
513
1) Grouping of an IPv6 address: We classify IPv6 ad-
dresses to three groups, human friendly, EUI-64 derived and
random/unknown, according to its interface identifier.
• Human friendly addresses
According to [19], network administrators tend to select
the interface identifier of an IPv6 address with one of the
following patterns.
– “low-byte” addresses
All bytes of the interface identifier except the lowest
one are set to 0 (as in 2001:db8::3).
– IPv4-based addresses
The interface identifier encodes the IPv4-address of
the network interface (as in 2001:db8::192:168:1:1).
– Wordy addresses
The interface identifier determined from encode
words (as in 2001:db8::dead:beef). We regard “ace”,
“add”, “bad”, “bee”, “beef”, “bed”, “bead”, “cab”,
“cafe”, “dad”, “dead”, “face”, “fade”, “fee” and
“feed” as encode words.
The first and second patterns of above contain many 0s in
the interface identifier. If the half or more of hexadecimals
of an interface identifier are 0 or the interface identifier
determined from encode words, the proposed method
classifies the IPv6 address to human friendly addresses.
• Addresses derived from EUI-64
IPv6 addresses with an interface identifier derived from
EUI-64 format are classified into this group. The vendor
and the model of the device are identified from the
interface identifier as described in Section II-C.
• random/unknown addresses
IPv6 addresses except above two groups are classified
into this group. It is assumed that the interface identifier
is generated from Privacy Extensions [14] or random
values or unknown algorithms. They are out of our scope
because it is difficult to expect the relation between
packets with such destination address.
2) Strategy for the accesses to human friendly addresses:
Compared with other groups, there is tendency that a human
friendly address is assigned to a specific purpose device, e.g.,
server, router. Therefore, when the proposed method detects
the NS packet to the address of the group, it assigns the address
to a honeypot. If our honeypot responds to all scan packet
targeted /64 network, this behavior is unnatural and an attacker
may suspect the existence of the honeypot. In order to avoid
such situation, our method assigns X IPv6 addresses at most.
X represents the maximum number of assignable IPv6 address
for each segment and is determined based on environment of
each segment.
3) Strategy for slow scan to addresses derived from EUI-64:
As described in Section II-E, most attackers adopt the slow
scan. In order to detect such scan, our honeypot systems should
be deployed in various network segments and the systems
should collaborate with each others. When one honeypot
system observes an access to unassigned IPv6 address, the
system sends a message to all systems. By examining the
messages from honeypot systems in other network segments,  

each hoenypot system may find out that destination address 


have the same vendor code and the model identifier. In this
case, our system regards the activity as the slow scan. 33 444''''446! 33 4445555446!

If our system detects changes on the lowest 16 bits of IPv6 %

 
address, this activity is classified scan type 2 described in 
 
 $
Section II-E. In this case, our system waits Y packets passed, 
7
 
and then assigns at most Z IPv6 addresses against reached
packets. Because an attacker never expects his first packet hits
his target, we should not respond to the attacker immediately. 䞉䞉䞉

 
When a honeypot system assigns an IPv6 address, the system
sends a message to all systems. Each honeypot system counts
how many honeypots are deployed in all honeypot systems. Fig. 4. Network configuration diagram
When a system deploys Zth honeypot, this information is
shared by all systems and no honeypot is assigned anymore.
If our systems notice that all bits of interface identifier are B. Implementation of proposed method
fixed among several segments, this attack is classified scan TABLE IV shows the specifications of physical machine and
type 3 described in Section II-D. Similar to the strategy above, TABLE V shows virtual honeypots operated on the physical
our system waits Y packets passed and assignes only one IPv6 machine.
addresses. Virtual honeypots are constructed by QEMU [20]+KVM
The value of Y and Z are determined by observing the [21] and databases are constructed by MySQL and the ad-
traffic in real environment. dress assigning manager is implemented by Perl 5.12.4. The
4) Suppression of duplicate address detection: In normal address assignment described in process 4 of Section III-B2
case of IPv6 address assignment, a host must perform DAD is executed by logging in to the selected honeypot via ssh.
in order not to utilize already-used address. If our honeypot
performs DAD for each address assignment, swift deployment TABLE IV
S PECIFICATION OF PHYSICAL MACHINE
of the honeypot cannot be realized. To solve this problem,
address management database pays attention to the address CPU Intel Xeon E3-1220 3.10 GHz/8MB
duplication and thus, a honeypot is not required to perform memory 16GB
OS Ubuntu Server 11.10
DAD.
TABLE V
IV. E XPERIMENTAL EVALUATION V IRTUAL HONEYPOTS
We implemented the proposed method to evaluate its per-
OS memory
formance. Ubuntu desktop 10.04 1GB
Ubuntu Server 11.10 1GB
A. Description of the experiment CentOS 6.0 1GB
In order to evaluate swift deployment of honeypots, we Windows Vista SP2 1GB
measured the time between attack and its response. As shown
in Fig. 4, we used two network segments in our university
IPv6 network. The attacker’s PC and honeypot system were C. Results
deployed on the left and right segments respectively. An attack TABLE VI shows the result of the mesurement. “Std dev” in
was started when the attaker’s PC sent a ping6 packet to an TABLE VI represents the standard deviation. It was confirmed
unassigned IPv6 address. When the PC received its response that we could deploy Ubuntu and CentOS honeypots in about
from a honeypot, we regarded completion of the deployment. 1 second. We also found that required time to deploy Windows
We measured 10 times for each virtual machine. honeypot was in about 2 seconds. TABLE VII shows the
As preliminary experiment, we used ping6 command to execution time for processes 3, 4 and 5 of Section III-B2.
measure delay between 2 segments. Instead of honeypots, we
deployed a real machine on the honeypot segment. Average D. Analysis of the result
response time between attacker’s PC and the machine is 0.018 From TABLE VII, we notice that there is no difference on
seconds, so we confirmed short delay of our experimental processes 3 and 5 among three OSs. It was because these
environment. processes are executed by the address assigning manager
We also measured execution time concerning processes de- which resided on Host machine.
scribed in Section III-B2. The execution time was obtained by For process 4, each OS had different execution time. This
Host machine shown in Fig. 4. For each OS, the measurement was because of the implementation of sshd. In particular, it
was started from detection of NS (process 1). Since required took more time in Windows Vista compared with other OSs.
time for process 2 was too short to measure, we obtained The OS used OpenSSH in Cygwin and it is reported that it
execution time for processes 3, 4 and 5. takes time to execute external command in Cygwin.

171
514
 TABLE VI
R ESPONSE TIME OF PING
OS average time (s) std dev (s) worst time (s)
Ubuntu 10.04 1.04 0.04
CentOS 6.0 1.24 0.23
Windows Vista SP2 2.12 0.14
TABLE VII
T IME TAKEN IN EACH PROCESS
Ubuntu10.04 CentOS 6.0 Windows Vista
process 3 (ms) 9.11
process 4 (ms) 192 262 1244
process 5 (ms) 3.22
Even if we took the situation into account, there still
existed significant gaps among values of TABLEs VI and VII.
Therefore we investigated its reason and found that there was
blank time on Address assignment manager between processes
4 and 5.
After process 4 completed, the manager logged into a hon-
eypot and set up IPv6 address. Because the required time for
the process was obtained by Host machine, its measurement
was terminated when the manager issued ifconfig/ipconfig
command. Therefore we performed an additional experiment
to measure time of completion of the command and identified
that it took 0.9 seconds on average.
Furthermore, we should take into account of timeout of
3-way handshake to establish the TCP connection. Its value
depends on each OS implementation. From our analysis [22],
the time was 6 seconds at least. This result means that our
system can establish TCP connections without dropping any
packet and continue communication with attackers. Therefore,
we confirmed the feasibility of the proposed method.
V. C ONCLUSIONS
In this paper, we have pointed out the obstructions to deploy
IPv6 honeypots and attacker’s strategies to scan IPv6 network.
In IPv6, each network segment has vast address space and an
IPv6 address derived from EUI-64 format is dependent on the
model of the device. IPv6 attackers can target and discover
a specific device by performing scans address space derived
from SLAAC.
To deal with the vast address space of IPv6 and dependence
of IPv6 addresses, we have proposed a honeypot system whose
IPv6 address is derived from an attack. Our system identifies
an attacked address by detecting a NS packet that is multi-
casted from a router. The address is assigned to a honeypot
that emulates behaviors of an appropriate device before the
communication with attackers. To cope with slow scans, we
have proposed strategies that the systems collaborate with each
other by deploying them in various network segments.
The proposed method can complete the address assignment
to be in time for the timeout of the TCP connection from
the experiment. We confirmed the feasibility of the proposed
method.
As of now, only VMs based on conventional OS are imple-
mented to the system. For future works, we will implement
VMs that observe behaviors of embedded system and emulate
it to our system. We will evaluate the effectiveness of strategies
for slow scans in real network.
1.12
2.02 R EFERENCES
2.41 [1] Available Pool of Unallocated IPv4 Internet Addresses Now Completely
Emptied, http://www.icann.org/en/news/releases/release-03feb11-en.pdf.
[2] Y. Gelogo, S. Jeon, and T. Kim, “Ipv6 mobile sensor network architec-
ture for scada system,” in Computational Intelligence and Communica-
tion Networks (CICN), 2011 International Conference on. IEEE, 2011,
pp. 485–488.
[3] S. Suriadi, A. Tickle, E. Ahmed, J. Smith, and H. Morarji, “Risk mod-
elling the transition of scada system to ipv6,” What Kind of Information
Society? Governance, Virtuality, Surveillance, Sustainability, Resilience,
pp. 384–395, 2010.
[4] IPv6 Embedded Systems and 6LoWPAN Sencor Networks,
http://www.rmv6tf.org/2010-IPv6-Summit-Presentations/RMv6TF-
Sensor-Network-Preso - Chuck Sellers.pdf.
[5] RFC 5157 IPv6 Implications for Network Scanning,
http://tools.ietf.org/html/rfc5157.
[6] RFC 4861 Neighbor Discovery for IP Version 6 (IPv6),
http://tools.ietf.org/html/rfc4861.
[7] L. Spizner, Definitions and Vlaue of Honeypots,
http://www.trackinghackers.com/papers/honeypots.html.
[8] J. Song, H. Takakura, and Y. Okabe, “Cooperation of intelligent hon-
eypots to detect unknown malicious codes,” in WOMBAT Workshop on
Information Security Threats Data Collection and Sharing. IEEE, 2008,
pp. 31–39.
[9] M. Vrable, J. Ma, J. Chen, D. Moore, E. Vandekieft, A. Snoeren,
G. Voelker, and S. Savage, “Scalability, fidelity, and containment in
the potemkin virtual honeyfarm,” in ACM SIGOPS Operating Systems
Review, vol. 39, no. 5. ACM, 2005, pp. 148–162.
[10] SGNET, http://wombat-project.eu/WP3/FP7-ICT-216026-
Wombat WP3 D13 V01-Sensor-deployment.pdf.
[11] R. Beverly, Opportunistic IPv6 Insight via Abusive Traffic,
http://www.caida.org/workshops/isma/1202/slides/aims1202 rbeverly.pdf.
[12] K. Steding-Jessen, Development of an IPv6 Honeypot,
http://www.cert.br/docs/palestras/certbr-ipv6-national-csirts-
meeting2009.pdf.
[13] Guidelines for 64-bit Global Identifier (EUI-64) Registration Authority,
http://standards.ieee.org/develop/regauth/tut/eui64.pdf.
[14] RFC 4941 Privacy Extensions for Stateless Address Autoconfiguration
in IPv6, http://tools.ietf.org/html/rfc4941.
[15] T. Miyamoto, Y. Koyama, K. Sakai, and Y. Okabe, “A gmpls-based
power resource reservation system toward energy-on-demand home
networking,” in Applications and the Internet (SAINT), 2012 IEEE/IPSJ
12th International Symposium on. IEEE, 2012, pp. 138–147.
[16] Cyberattacks on Iran – Stuxnet and Flame,
http://topics.nytimes.com/top/reference/timestopics/
subjects/c/computer malware/stuxnet/index.html.
[17] M. Dabbagh, A. Ghandour, K. Fawaz, W. Hajj, and H. Hajj, “Slow port
scanning detection,” in Information Assurance and Security (IAS), 2011
7th International Conference on. IEEE, 2011, pp. 228–233.
[18] Measurement of IPv6 readiness, http://v6metric.jp/html/st01/12.html.
[19] Network Reconnaissance in IPv6 Networks,
http://tools.ietf.org/html/draft-gont-opsec-ipv6-host-scanning-01.
[20] F. Bellard, “Qemu, a fast and portable dynamic translator,”
in Proceedings of the annual conference on USENIX Annual
Technical Conference, ser. ATEC ’05. Berkeley, CA, USA:
USENIX Association, 2005, pp. 41–46. [Online]. Available:
http://dl.acm.org/citation.cfm?id=1247360.1247401
[21] A. Kivity, Y. Kamay, D. Laor, U. Lublin, and A. Liguori, “kvm: the
linux virtual machine monitor,” in Proceedings of the Linux Symposium,
vol. 1, 2007, pp. 225–230.
[22] N. Kitagawa, H. Takakura, and T. Suzuki, “An anti-spam method via
real-time retransmission detection,” 18th IEEE International Conference
on Networks (to be appeared), 2012.
172
515