745 research outputs found
CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP
The Internet routing protocol BGP expresses topological reachability and
policy-based decisions simultaneously in path vectors. A complete view on the
Internet backbone routing is given by the collection of all valid routes, which
is infeasible to obtain due to information hiding of BGP, the lack of
omnipresent collection points, and data complexity. Commonly, graph-based data
models are used to represent the Internet topology from a given set of BGP
routing tables but fall short of explaining policy contexts. As a consequence,
routing anomalies such as route leaks and interception attacks cannot be
explained with graphs.
In this paper, we use formal languages to represent the global routing system
in a rigorous model. Our CAIR framework translates BGP announcements into a
finite route language that allows for the incremental construction of minimal
route automata. CAIR preserves route diversity, is highly efficient, and
well-suited to monitor BGP path changes in real-time. We formally derive
implementable search patterns for route leaks and interception attacks. In
contrast to the state-of-the-art, we can detect these incidents. In practical
experiments, we analyze public BGP data over the last seven years
Adaptive Traffic Fingerprinting for Darknet Threat Intelligence
Darknet technology such as Tor has been used by various threat actors for
organising illegal activities and data exfiltration. As such, there is a case
for organisations to block such traffic, or to try and identify when it is used
and for what purposes. However, anonymity in cyberspace has always been a
domain of conflicting interests. While it gives enough power to nefarious
actors to masquerade their illegal activities, it is also the cornerstone to
facilitate freedom of speech and privacy. We present a proof of concept for a
novel algorithm that could form the fundamental pillar of a darknet-capable
Cyber Threat Intelligence platform. The solution can reduce anonymity of users
of Tor, and considers the existing visibility of network traffic before
optionally initiating targeted or widespread BGP interception. In combination
with server HTTP response manipulation, the algorithm attempts to reduce the
candidate data set to eliminate client-side traffic that is most unlikely to be
responsible for server-side connections of interest. Our test results show that
MITM manipulated server responses lead to expected changes received by the Tor
client. Using simulation data generated by shadow, we show that the detection
scheme is effective with false positive rate of 0.001, while sensitivity
detecting non-targets was 0.016+-0.127. Our algorithm could assist
collaborating organisations willing to share their threat intelligence or
cooperate during investigations.Comment: 26 page
The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire
The vulnerability of the Internet has been demonstrated by prominent IP
prefix hijacking events. Major outages such as the China Telecom incident in
2010 stimulate speculations about malicious intentions behind such anomalies.
Surprisingly, almost all discussions in the current literature assume that
hijacking incidents are enabled by the lack of security mechanisms in the
inter-domain routing protocol BGP. In this paper, we discuss an attacker model
that accounts for the hijacking of network ownership information stored in
Regional Internet Registry (RIR) databases. We show that such threats emerge
from abandoned Internet resources (e.g., IP address blocks, AS numbers). When
DNS names expire, attackers gain the opportunity to take resource ownership by
re-registering domain names that are referenced by corresponding RIR database
objects. We argue that this kind of attack is more attractive than conventional
hijacking, since the attacker can act in full anonymity on behalf of a victim.
Despite corresponding incidents have been observed in the past, current
detection techniques are not qualified to deal with these attacks. We show that
they are feasible with very little effort, and analyze the risk potential of
abandoned Internet resources for the European service region: our findings
reveal that currently 73 /24 IP prefixes and 7 ASes are vulnerable to be
stealthily abused. We discuss countermeasures and outline research directions
towards preventive solutions.Comment: Final version for TMA 201
Securing Internet Applications from Routing Attacks
Attacks on Internet routing are typically viewed through the lens of
availability and confidentiality, assuming an adversary that either discards
traffic or performs eavesdropping. Yet, a strategic adversary can use routing
attacks to compromise the security of critical Internet applications like Tor,
certificate authorities, and the bitcoin network. In this paper, we survey such
application-specific routing attacks and argue that both application-layer and
network-layer defenses are essential and urgently needed. While
application-layer defenses are easier to deploy in the short term, we hope that
our work serves to provide much needed momentum for the deployment of
network-layer defenses
A model and framework for reliable build systems
Reliable and fast builds are essential for rapid turnaround during
development and testing. Popular existing build systems rely on correct manual
specification of build dependencies, which can lead to invalid build outputs
and nondeterminism. We outline the challenges of developing reliable build
systems and explore the design space for their implementation, with a focus on
non-distributed, incremental, parallel build systems. We define a general model
for resources accessed by build tasks and show its correspondence to the
implementation technique of minimum information libraries, APIs that return no
information that the application doesn't plan to use. We also summarize
preliminary experimental results from several prototype build managers
A FRAMEWORK FOR DEFENDING AGAINST PREFIX HIJACK ATTACKS
Border Gateway Protocol (BGP) prefix hijacking is a serious problem in the Internet today. Although there are several services being offered to detect a prefix hijack, there has been little work done to prevent a hijack or to continue providing network service during a prefix hijack attack. This thesis proposes a novel framework to provide defense against prefix hijacking which can be offered as a service by Content Distribution Networks and large Internet Service Providers. Our experiments revealed that the hijack success rate reduced from 90.36% to 30.53% at Tier 2, 84.65% to 10.98% at Tier 3 and 82.45% to 8.39% at Tier 4 using Autonomous Systems (ASs) of Akamai as Hijack Prevention Service Provider. We also observed that 70% of the data captured by Hijack Prevention Service Provider (HPSP) can be routed back to Victim. However if we use tunneling, i.e. trying to route data to neighbors of Victims which in turn sends the traffic to Victims, we observed that data can be routed to Victim 98.09% of the time. Also, the cost of such redirection is minimal, since the average increase in path length was observed to be 2.07 AS hops
- …