IPv6 Hitlist: The Impact of the Great Firewall of China

The following plot depicts the IPv6 Hitlist service results before the publication of Rusty Clusters? Dusting an IPv6 Research Foundation


The published hitlist contains significant spikes in responsive addresses. However, those spikes are only visible for UDP/53 scans. These spikes are due to DNS responses injected by the Great Firewall of China. ZMapv6 is configured to send DNS queries requesting a AAAA record for www.google.com. For more than 130M IPv6 addresses, the response to those UDP/53 probes contains a AAAA record including a Teredo address. However, the IPv4 address embedded into the Teredo address is not related to Google. Furthermore, we receive multiple responses for each query from those addresses. Most of these adresses are not responsive to any other protocol and no responses are seen for other DNS queries. Therefore, we filter those responses in the future to provide cleaned results. For more detail, we refer to the analysis in the paper.

GFW filer

We provide a script to filter the output of UDP/53 scans from the impact of the GFW.
Python source: filter_gfw.py