IPv6-Network Telescope Network Traffic Overview

The Internet is now in the transition stage from IPv4 to IPv6. At present, the research of IPv6 network mainly focuses on routing, addressing and security. However, there is little research on background scanning of IPv6 network. CERNET2 provides us with a 240C: C000::/20 IPv6 network which is not allocated and does not provide any network services for network experiments. We used these unused address segments as a honeypot to study the network background scanning environment of IPv6 by capturing the background radiation traffic of TCP / UDP and ICMP. In August 2020, we announced the route of this / 20 address to the global business network, which made the new traffic data different from before. Different from the previous work, we analyzed the traffic under the new network configuration. Compared with the previous data results, we found that the data traffic increased by three times. The origin of the source address has also changed. Most of the source addresses in the previous results came from China and the United States. The particularly active address has also changed. We also analyzed and compared the prefix distribution of the source address and destination address. We found that the suspicious source address was evenly distributed when the address block was divided by / 64. The scanned destination addresses were mainly distributed in 3 /64 address blocks. Our work will help network users to understand the distribution of suspicious source addresses and network behavior more effectively, so as to strengthen the restrictions on these suspicious addresses on the Internet.