Server Siblings: Identifying Shared IPv4/IPv6 Infrastructure via Active Fingerprinting
Robert Beverly and Arthur Berger
Proceedings of the Sixteenth Passive and Active Measurement (PAM 2015) Conference,
New York, NY, March 2015.

We present, validate, and apply an active measurement technique that ascertains whether candidate IPv4 and IPv6 server addresses are ``siblings,'' i.e., assigned to the same physical machine. In contrast to prior efforts limited to passive monitoring, opportunistic measurements, or end-client populations, we propose an \emph{active} methodology that generalizes to all TCP-reachable devices, including servers. Our method extends prior device fingerprinting techniques to improve their feasibility in modern environments, and uses them to support measurement-based detection of sibling interfaces. We validate our technique against a diverse set of 65 web servers with known sibling addresses and find it to be over 97\% accurate with 99\% precision. Finally, we apply the technique to characterize the top $\sim$6,400 Alexa IPv6-capable web domains, and discover that a DNS name in common does not imply that the corresponding IPv4 and IPv6 addresses are on the same machine, network, or even autonomous system. Understanding sibling and non-sibling relationships gives insight not only into IPv6 deployment and evolution, but also helps characterize the potential for correlated failures and susceptibility to certain attacks.

[PDF] [BibTeX]
[Presentation Slides]

[ Return to publications ]