We present, validate, and apply an active measurement technique that ascertains whether candidate IPv4 and IPv6 server addresses are ``siblings,'' i.e., assigned to the same physical machine. In contrast to prior efforts limited to passive monitoring, opportunistic measurements, or end-client populations, we propose an \emph{active} methodology that generalizes to all TCP-reachable devices, including servers. Our method extends prior device fingerprinting techniques to improve their feasibility in modern environments, and uses them to support measurement-based detection of sibling interfaces. We validate our technique against a diverse set of 65 web servers with known sibling addresses and find it to be over 97\% accurate with 99\% precision. Finally, we apply the technique to characterize the top $\sim$6,400 Alexa IPv6-capable web domains, and discover that a DNS name in common does not imply that the corresponding IPv4 and IPv6 addresses are on the same machine, network, or even autonomous system. Understanding sibling and non-sibling relationships gives insight not only into IPv6 deployment and evolution, but also helps characterize the potential for correlated failures and susceptibility to certain attacks.

[PDF] [BibTeX]
[Presentation Slides]

[ Return to publications ]