Secure Naming and Addressing Operations for Store, Carry and Forward Networks

This paper describes concepts for secure naming and addressing directed at Store, Carry and Forward (SCF) distributed applications, where disconnection and intermittent connectivity between forwarding systems is the norm. The paper provides a brief overview of store, carry and forward distributed applications followed by an in depth discussion of how to securely: create a namespace; allocate names within the namespace; query for names known within a local processing system or connected subnetwork; validate ownership of a given name; authenticate data from a given name; and, encrypt data to a given name. Critical issues such as revocation of names, mobility and the ability to use various namespaces to secure operations or for Quality-of-Service are also presented. Although the concepts presented for naming and addressing have been developed for SCF, they are directly applicable to fully connected systems

Gateway Architectures for Interaction between the Current Internet and Future Internet Architectures

In this project, we design, analyze, and implement a gateway for the SCION secure Internet architecture. This enables communication between legacy IP hosts and SCION hosts, and enables legacy IP traffic to be encapsulated and transported over the SCION network. We also analyze the security implications/benefits for legacy traffic to be interfaced with SCION and how the SCION Gateway can provide DDoS defense properties for the legacy hosts it serves, without requiring any infrastructure chang

Plataforma modular para deteção de ataques de encaminhamento BGP

In order for Internet connectivity to be possible, routing protocols have been created to assist in this task. The global routing protocol in use is BGP, which uses the aggregation of several network prefixes into ASes to create a graph containing information regarding routes to all public network prefixes, leading to global connectivity. Despite serving its purpose, this protocol is based on blind trust between all the BGP peers and as such leaves it exposed to attacks. Since this protocol is responsible for global connectivity, an attack carried on this protocol can have traffic re-routed from its normal path, and right into the attackers’ hands, which may then be able to read and or alter the information contained in the traffic. Although security measures have been created for this protocol, they are not widely deployed, and, as such, most of the BGP devices’ routing tables can still be compromised by a rogue BGP peer. ISPs have ways to detect these kind of attacks, and act upon them but the users, such as private users or companies, are left at the mercy of their ISPs ability to detect and notify their clients of such attacks. That being the case, this dissertation proposes a platform capable of monitoring networks in order to detect BGP routing attacks. The platform has been made as modular as possible, to facilitate changes, and addition of new methods to detect such anomalies, and has also implemented two different methodologies for the detection of BGP routing anomalies. One of them based in an already published paper while the other one is proposed by the author of this dissertation. From data collection with the use of several probes, to the analysis of said data to detect the anomalies, all of that will be presented and explained to demonstrate that the platform does indeed detect BGP routing attacks with an accuracy of over 90%. This platform can then help the users to defend themselves against such attacks, by providing information of when those are happening in near realtime as well as allow for the deployment of custom countermeasures, which can be set to activate when an alarm is raised, giving more control to the users and making them less reliant on their ISPs for information and action.Para a conectividade da Internet ser possível, foram criados protocolos de encaminhamento para esse propósito. O protocolo de encaminhamento global utilizado é o BGP, que utiliza a agregação de vários prefixos de redes em ASes de maneira a criar um grafo que contém a informação sobre as rotas para os diversos prefixos de redes públicas, criando assim as condições para conectividade global. Apesar de satisfazer o seu propósito, este protocolo é baseado em confiança cega entre pares de BGP levando a que este fique exposto a ataques. Sendo este protocolo responsável pela conectividade global, um ataque efetuado através deste protocol pode levar a que o tráfego seja desviado da sua rota normal e vá parar às mãos do atacante, dando a possibilidade de este conseguir ler e ou alterar o seu conteúdo. Apesar de medidas de segurança já terem sido propostas, estas não estão atualmente implementadas na maioria dos dispositivos que utilizam este protocolo, deixando-os assim vulneráveis a dispositivos comprometidos, podendo comprometer as suas tabelas de encaminhamento. Os ISPs (provedor de serviço de Internet) têm metodologias para detetar este tipo de ataques e agir sobre eles mas os utilizadores, tais como privados e ou empresas, são deixados à mercê da capacidade dos seus ISPs detetarem e os notificarem de tais ataques. Sendo esse o caso, esta dissertação propõe uma plataforma capaz de monitorizar a conectividade entre redes de modo a detetar ataques de encaminhamento BGP. Esta plataforma foi construída de forma a ser o mais modular possível, de modo a facilitar a alteração ou adição de novos métodos de deteção de anomalias. A plataforma no estado atual tem já integrada duas metodologias. Uma das metodologias é baseada em um artigo já publicado, sendo a outra proposta pelo autor desta dissertação. Desde recolha de dados utilizando várias sondas, à sua análise de modo a detetar possíveis anomalias, tudo isto será apresentado e explicado de maneira a demonstrar que a plataforma proposta é realmente capaz de detetar em tempo útil este tipo de ataques, com uma precisão superior a 90%. Esta plataforma pode então ajudar o utilizador a defender-se contra estes ataques, dando a informação de quando estes ataques estão a ocorrer, quase em tempo real, permitindo também que os utilizadores possam empregar contra medidas que serão acionadas automaticamente pela plataforma, caso estejam ativas, oferecendo assim um maior controlo aos utilizadores e menor dependência dos ISPs.Mestrado em Engenharia de Computadores e Telemátic

Design and implementation of a secure wide-area object middleware

Tanenbaum, A.S. [Promotor]Crispo, C.B. [Copromotor

Security Implications of Insecure DNS Usage in the Internet

The Domain Name System (DNS) provides domain-to-address lookup-services used by almost all internet applications. Because of this ubiquitous use of the DNS, attacks against the DNS have become more and more critical. However, in the past, studies of DNS security have been mostly conducted against individual protocols and applications. In this thesis, we perform the first comprehensive evaluation of DNS-based attacks against a wide range of internet applications, ranging from time-synchronisation via NTP over internet resource management to security mechanisms. We show how to attack those applications by exploiting various weaknesses in the DNS. These attacks are based on both, already known weaknesses which are adapted to new attacks, as well as previously unknown attack vectors which have been found during the course of this thesis. We evaluate our attacks and provide the first taxonomy of DNS applications, to show how adversaries can systematically develop attacks exploiting the DNS. We analyze the attack surface created by our attacks in the internet and find that a significant number of applications and systems can be attacked. We work together with the developers of the vulnerable applications to develop patches and general countermeasures which can be applied by various parties to block our attacks. We also provide conceptual insights into the root causes allowing our attacks to help with the development of new applications and standards. The findings of this thesis are published in in 4 full-paper publications and 2 posters at international academic conferences. Additionally, we disclose our finding to developers which has lead to the registration of 8 Common Vulnerabilities and Exposures identifiers (CVE IDs) and patches in 10 software implementations. To raise awareness, we also presented our findings at several community meetings and via invited articles