Detecting and Quantifying IPv6-based SMTP Abuse
Time: 10/30/14 09:15AM-10:00AM
Abuse of the IPv6 Internet is still largely unexplored and uncertain. Quantifying and characterizing abusive traffic over IPv6 will help to better understand current and future threats associated with its continued deployment. In this work we address IPv6-based abuse of the Simple Mail Transfer Protocol (SMTP) by collecting and analyzing a year’s worth of data from a large enterprise. We elicit abusive activity by instituting a type of SMTP honeypot for the organization’s email domain, concurrent with its production deployment. We implement novel techniques for fingerprinting operating systems (OSes) and applications and associating IPv4 and IPv6 addresses from dual-stack clients. We study the presence of IPv6 activity at our honeypot and find activity distributed among various operating systems and network origins, yet dwarfed by the abusive IPv4 activity at the same honeypot.
Speaker: Casey Deccio, VeriSign, Inc.
Primary track: Advanced Networking/Joint Techs
Secondary tracks: Security