260 research outputs found
A first look at the misuse and abuse of the IPv4 Transfer Market
The depletion of the unallocated address space in combination with the slow pace of IPv6 deployment has given rise to the IPv4 transfer market, namely the trading of allocated IPv4 prefixes between ASes. While RIRs have established detailed policies in an effort to regulate the IPv4 transfer market, for malicious networks such as spammers and bulletproof ASes, IPv4 transfers pose an opportunity to bypass reputational penalties of abusive behaviour since they can obtain "clean" address space or offload blacklisted address space. Additionally, IP transfers create a window of uncertainty about legitimate ownership of prefixes, which adversaries can exploit to hijack parts of the transferred address space. In this paper, we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild by synthesizing an array of longitudinal IP blacklists and lists of prefix hijacking incidents. Our findings yield evidence that the transferred network blocks are used by malicious networks to address botnets and fraudulent sites in much higher rates compared to non-transferred addresses, while the timing of the attacks indicates efforts to evade filtering mechanisms.
Internet... the final frontier: an ethnographic account: exploring the cultural space of the Net from the inside
The research project 'The Internet as a space for interaction', which completed its mission in Autumn 1998, studied the constitutive features of network culture and network organisation. Special emphasis was given to the dynamic interplay of technical and social conventions regarding both the Net’s organisation as well as its change. The ethnographic perspective chosen studied the Internet from the inside. Research concentrated upon three fields of study: the hegemonial operating technology of net nodes (UNIX), the network’s basic transmission technology (the Internet Protocol IP) and a popular communication service (Usenet). The project’s final report includes the results of the three branches explored. Drawing upon the development in the three fields it is shown that changes that come about on the Net are neither anarchic nor arbitrary. Instead, the decentrally organised Internet is based upon technically and organisationally distributed forms of coordination within which individual preferences collectively attain the power of developing into definitive standards.
We have to go back: A Historic IP Attribution Service for Network Measurement
Researchers and practitioners often face the issue of having to attribute an IP address to an organization. For current data this is comparably easy, using services like whois or other databases. Similarly, for historic data, several entities like the RIPE NCC provide websites that provide access to historic records. For large-scale network measurement work, though, researchers often have to attribute millions of addresses. For current data, Team Cymru provides a bulk whois service which allows bulk address attribution. However, at the time of writing, there is no service available that allows historic bulk attribution of IP addresses. Hence, in this paper, we introduce and evaluate our 'Back-to-the-Future whois' service, allowing historic bulk attribution of IP addresses on a daily granularity based on CAIDA Routeviews aggregates. We provide this service to the community for free, and also share our implementation so researchers can run instances themselves.
Honeypots in the age of universal attacks and the Internet of Things
Today's Internet connects billions of physical devices. These devices are often immature and insecure, and share common vulnerabilities. The predominant form of attacks relies on recent advances in Internet-wide scanning and device discovery. The speed at which (vulnerable) devices can be discovered, and the device monoculture, mean that a single exploit, potentially trivial, can affect millions of devices across brands and continents.
In an attempt to detect and profile the growing threat of autonomous and Internet-scale attacks against the Internet of Things, we revisit honeypots, resources that appear to be legitimate systems. We show that this endeavour was previously limited by a fundamentally flawed generation of honeypots and associated misconceptions.
We show with two one-year-long studies that the display of warning messages has no deterrent effect in an attacked computer system. Previous research assumed that they would measure individual behaviour, but we find that the number of human attackers is orders of magnitude lower than previously assumed.
Turning to the current generation of low- and medium-interaction honeypots, we demonstrate that their architecture is fatally flawed. The use of off-the-shelf libraries to provide the transport layer means that the protocols are implemented subtly differently from the systems being impersonated. We developed a generic technique which can find any such honeypot at Internet scale with just one packet for an established TCP connection.
We then applied our technique and conducted several Internet-wide scans over a one-year period. By logging in to two SSH honeypots and sending specific commands, we not only revealed their configuration and patch status, but also found that many of them were not up to date. As we were the first to knowingly authenticate to honeypots, we provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe computer-misuse laws.
Lastly, we present honware, a honeypot framework for rapid implementation and deployment of high-interaction honeypots. Honware automatically processes a standard firmware image and can emulate a wide range of devices without any access to the manufacturers' hardware. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit vulnerabilities at Internet scale in a world of ubiquitous networked 'things'. Premium Research Studentship, Department of Computer Science and Technology, University of Cambridge
Internet... the final frontier: an ethnographic account; exploring the cultural space of the net from the inside
"The research project 'The Internet as a space for interaction', which completed its mission in Autumn 1998, studied the constitutive features of network culture and network organisation. Special emphasis was given to the dynamic interplay of technical and social conventions regarding both the net's organisation as well as its change. The ethnographic perspective chosen studied the Internet from the inside. Research concentrated upon three fields of study: the hegemonial operating technology of net nodes (UNIX), the network’s basic transmission technology (the Internet Protocol IP) and a popular communication service (Usenet). The project's final report includes the results of the three branches explored. Drawing upon the development in the three fields it is shown that changes that come about on the Net are neither anarchic nor arbitrary. Instead, the decentrally organised Internet is based upon technically and organisationally distributed forms of coordination within which individual preferences collectively attain the power of developing into definitive standards." (author's abstract)
"The research project 'Interaktionsraum Internet', completed in autumn 1998, dealt with the constitutive features of network culture and network organisation. The focus of interest was the dynamic interplay of technical and social conventions in the organisation as well as in the change of the Net. The ethnographically guided inside perspective on the Internet concentrated on three selected areas in order to study processes of institution building and the forms of their transformation: the hegemonic operating technology of the network nodes (UNIX), the basic transmission technology of the network (the Internet Protocol IP) and a popular communication service (Usenet). The project's final report contains the results of the three strands of investigation. Using the development in the three fields, it is shown that change on the Net proceeds neither arbitrarily nor anarchically. Rather, the decentrally organised Internet rests on technically and organisationally distributed forms of coordination in which individual action preferences collectively gain the power of definition." (author's abstract)
DDoS-Capable IoT Malwares: comparative analysis and Mirai Investigation
The Internet of Things (IoT) revolution has not only carried the astonishing promise to interconnect a whole generation of traditionally “dumb” devices, but also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flooding of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples on how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malwares in IoT networks, highlighting how recent data support our concerns about the growing popularity of these malwares. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far.
Addressing the challenges of modern DNS: a comprehensive tutorial
The Domain Name System (DNS) plays a crucial role in connecting services and users on the Internet. Since its first specification, DNS has been extended in numerous documents to keep it fit for today’s challenges and demands. And these challenges are many. Revelations of snooping on DNS traffic led to changes to guarantee confidentiality of DNS queries. Attacks to forge DNS traffic led to changes to shore up the integrity of the DNS. Finally, denial-of-service attacks on DNS operations have led to new DNS operations architectures. All of these developments make DNS a highly interesting, but also highly challenging research topic. This tutorial – aimed at graduate students and early-career researchers – provides an overview of the modern DNS, its ongoing development and its open challenges. This tutorial has four major contributions. We first provide a comprehensive overview of the DNS protocol. Then, we explain how DNS is deployed in practice. This lays the foundation for the third contribution: a review of the biggest challenges the modern DNS faces today and how they can be addressed. These challenges are (i) protecting the confidentiality and (ii) guaranteeing the integrity of the information provided in the DNS, (iii) ensuring the availability of the DNS infrastructure, and (iv) detecting and preventing attacks that make use of the DNS. Last, we discuss which challenges remain open, pointing the reader towards new research areas.