Where Have All the Firewalls Gone? Security Consequences of Residential IPv6 Transition

📅 2025-09-05
📈 Citations: 0
Influential: 0
🤖 AI Summary
IPv4-to-IPv6 transition erodes the implicit firewalling provided by NAT, exposing home-networked devices directly to the public Internet and exacerbating IoT botnet threats. To address this gap, we propose the first large-scale, resource-efficient IPv6 active scanning framework tailored for low-end devices, integrating protocol identification with intelligent IPv6 address probing—enabling the first systematic, global measurement of residential IPv6 networks. Our measurement spans 118 countries, identifying 14 million active residential IPv6 addresses and characterizing highly exposed devices (e.g., printers, iPhones, smart lamps) along with their open services. Results confirm that numerous IoT devices operate without intermediary firewalls in IPv6, substantially expanding the attack surface and providing fertile ground for next-generation IPv6-native botnets. This work fills a critical void in empirical security research on IPv6 home networks and delivers foundational data to inform resilient defense architectures.

📝 Abstract
IPv4 NAT has limited the spread of IoT botnets considerably by default-denying bots' incoming connection requests to in-home devices unless the owner has explicitly allowed them. As the Internet transitions to majority IPv6, however, residential connections no longer require the use of NAT. This paper therefore asks: has the transition from IPv4 to IPv6 ultimately made residential networks more vulnerable to attack, thereby empowering the next generation of IPv6-based IoT botnets? To answer this question, we introduce a large-scale IPv6 scanning methodology that, unlike those that rely on AI, can be run on low-resource devices common in IoT botnets. We use this methodology to perform the largest-scale measurement of IPv6 residential networks to date, and compare which devices are publicly accessible to comparable IPv4 networks. We were able to receive responses from 14.0M distinct IPv6 addresses inside of residential networks (i.e., not the external-facing gateway), in 2,436 ASes across 118 countries. These responses come from protocols commonly exploited by IoT botnets (including telnet and FTP), as well as protocols typically associated with end-user devices (including iPhone-Sync and IPP). Comparing to IPv4, we show that we are able to reach more printers, iPhones, and smart lights over IPv6 than full IPv4-wide scans could. Collectively, our results show that NAT has indeed acted as the de facto firewall of the Internet, and the v4-to-v6 transition of residential networks is opening up new devices to attack.

Problem

Research questions and friction points this paper is trying to address.

IPv6 transition increases residential network vulnerability to attacks
IPv6 enables more IoT devices to be publicly accessible
NAT removal exposes devices to potential botnet exploitation

Innovation

Methods, ideas, or system contributions that make the work stand out.

Large-scale IPv6 scanning methodology
Compares IPv6 and IPv4 device accessibility
Measures residential network vulnerability transition