99 research outputs found
Beyond Counting: New Perspectives on the Active IPv4 Address Space
In this study, we report on techniques and analyses that enable us to capture
Internet-wide activity at individual IP address-level granularity by relying on
server logs of a large commercial content delivery network (CDN) that serves
close to 3 trillion HTTP requests on a daily basis. Across the whole of 2015,
these logs recorded client activity involving 1.2 billion unique IPv4
addresses, the highest ever measured, in agreement with recent estimates.
Monthly client IPv4 address counts showed constant growth for years prior, but
since 2014, the IPv4 count has stagnated while IPv6 counts have grown. Thus, it
seems we have entered an era marked by increased complexity, one in which the
sole enumeration of active IPv4 addresses is of little use to characterize
recent growth of the Internet as a whole.
With this observation in mind, we consider new points of view in the study of
global IPv4 address activity. Our analysis shows significant churn in active
IPv4 addresses: the set of active IPv4 addresses varies by as much as 25% over
the course of a year. Second, by looking across the active addresses in a
prefix, we are able to identify and attribute activity patterns to network
restructurings, user behaviors, and, in particular, various address assignment
practices. Third, by combining spatio-temporal measures of address utilization
with measures of traffic volume, and sampling-based estimates of relative host
counts, we present novel perspectives on worldwide IPv4 address activity,
including empirical observation of under-utilization in some areas, and
complete utilization, or exhaustion, in others.Comment: in Proceedings of ACM IMC 201
A Brave New World: Studies on the Deployment and Security of the Emerging IPv6 Internet.
Recent IPv4 address exhaustion events are ushering in a new era of
rapid transition to the next generation Internet protocol---IPv6. Via
Internet-scale experiments and data analysis, this dissertation
characterizes the adoption and security of the emerging IPv6 network.
The work includes three studies, each the largest of its kind,
examining various facets of the new network protocol's deployment,
routing maturity, and security.
The first study provides an analysis of ten years of IPv6 deployment
data, including quantifying twelve metrics across ten global-scale
datasets, and affording a holistic understanding of the state and
recent progress of the IPv6 transition. Based on cross-dataset
analysis of relative global adoption rates and across features of the
protocol, we find evidence of a marked shift in the pace and nature
of adoption in recent years and observe that higher-level metrics of
adoption lag lower-level metrics.
Next, a network telescope study covering the IPv6 address space of the
majority of allocated networks provides insight into the early state
of IPv6 routing. Our analyses suggest that routing of average IPv6
prefixes is less stable than that of IPv4. This instability is
responsible for the majority of the captured misdirected IPv6 traffic.
Observed dark (unallocated destination) IPv6 traffic shows substantial
differences from the unwanted traffic seen in IPv4---in both character
and scale.
Finally, a third study examines the state of IPv6 network security
policy. We tested a sample of 25 thousand routers and 520 thousand
servers against sets of TCP and UDP ports commonly targeted by
attackers. We found systemic discrepancies between intended
security policy---as codified in IPv4---and deployed IPv6 policy.
Such lapses in ensuring that the IPv6 network is properly managed and
secured are leaving thousands of important devices more vulnerable to
attack than before IPv6 was enabled.
Taken together, findings from our three studies suggest that IPv6 has
reached a level and pace of adoption, and shows patterns of use, that
indicates serious production employment of the protocol on a broad
scale. However, weaker IPv6 routing and security are evident, and
these are leaving early dual-stack networks less robust than the IPv4
networks they augment.PhDComputer Science and EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/120689/1/jczyz_1.pd
Kirin: Hitting the Internet with Millions of Distributed IPv6 Announcements
The Internet is a critical resource in the day-to-day life of billions of
users. To support the growing number of users and their increasing demands,
operators have to continuously scale their network footprint -- e.g., by
joining Internet Exchange Points -- and adopt relevant technologies -- such as
IPv6. IPv6, however, has a vastly larger address space compared to its
predecessor, which allows for new kinds of attacks on the Internet routing
infrastructure. In this paper, we revisit prefix de-aggregation attacks in the
light of these two changes and introduce Kirin -- an advanced BGP prefix
de-aggregation attack that sources millions of IPv6 routes and distributes them
via thousands of sessions across various IXPs to overflow the memory of border
routers within thousands of remote ASes. Kirin's highly distributed nature
allows it to bypass traditional route-flooding defense mechanisms, such as
per-session prefix limits or route flap damping. We analyze the theoretical
feasibility of the attack by formulating it as a Integer Linear Programming
problem, test for practical hurdles by deploying the infrastructure required to
perform a small-scale Kirin attack using 4 IXPs, and validate our assumptions
via BGP data analysis, real-world measurements, and router testbed experiments.
Despite its low deployment cost, we find Kirin capable of injecting lethal
amounts of IPv6 routes in the routers of thousands of ASes
Non-Trivial Off-Path Network Measurements without Shared Side-Channel Resource Exhaustion
Most traditional network measurement scans and attacks are carried out through the use of direct, on-path network packet transmission. This requires that a machine be on-path (i.e, involved in the packet transmission process) and as a result have direct access to the data packets being transmitted. This limits network scans and attacks to situations where access can be gained to an on-path machine. If, for example, a researcher wanted to measure the round trip time between two machines they did not have access to, traditional scans would be of little help as they require access to an on-path machine to function. Instead the researcher would need to use an off-path measurement scan.
Prior work using network side-channels to perform off-path measurements or attacks relied on techniques that either exhausted the shared, finite resource being used as a side-channel or only measured basic features such as connectivity. The work presented in this dissertation takes a different approach to using network side-channels. I describe research that carries out network side-channel measurements that are more complex than connectivity, such as packet round-trip-time or detecting active TCP connections, and do not require a shared, finite resource be fully exhausted to cause information to leak via a side-channel. My work is able to accomplish this by understanding the ways in which internal network stack state changes cause observable behavior changes from the machine. The goal of this dissertation is to show that: Information side-channels can be modulated to take advantage of dependent, network state behavior to enable non-trivial, off-path measurements without fully exhausting the shared, finite resources they use
Implementation of ISO Frameworks to Risk Management in IPv6 Security
The Internet of Things is a technology wave sweeping across various industries and sectors. It promises to improve productivity and efficiency by providing new services and data to users. However, the full potential of this technology is still not realized due to the transition to IPv6 as a backbone. Despite the security assurances that IPv6 provides, privacy and concerns about the Internet of Things remain. This is why it is important that organizations thoroughly understand the protocol and its migration to ensure that they are equipped to take advantage of its many benefits. Due to the lack of available IPv4 addresses, organizations are in an uncertain situation when it comes to implementing IoT technologies.
The other aim is to fill in the gaps left by the ISO to identify and classify the risks that are not yet apparent. The thesis seeks to establish and implement the use of ISO to manage risks. It will also help to align security efforts with organizational goals. The proposed solution is evaluated through a survey that is designed to gather feedback from various levels of security and risk management professionals. The suggested modifications are also included in the study.
A survey on the implementation of ISO frameworks to risk management in IPv6 was conducted and with results as shown in the random sampling technique that was used for conducting the research a total of 75 questionnaires were shared online, 50 respondents returned responses online through emails and social media platforms. The result of the analysis shows that system admin has the highest pooling 26% of all the overall participants, followed by network admin with 20%, then cybersecurity specialists with 16%. 14% of the respondents were network architects while senior management and risk management professionals were 4% and 2% respectively. The majority of the respondents agreed that risk treatment enhances the risk management performance of the IPv6 network resulting from the proper selection and implementation of correct risk prevention strategies
Essays On The Market For Ipv4 Addresses
In this dissertation I study the market for IPv4 addresses - a multi-billion dollar market that is crucial for seamless internet communication. As this market has been understudied due to lack of accessible data, I collect data from various sources and create novel datasets that make this study possible.
In the chapter, ``Technology transition with frictions: Evidence from the market for IP addresses , I introduce IP addresses and the market for IPv4 addresses. Each IPv4 address is a durable, homogenous resource and has zero fundamental value once the standard changes from IPv4 to IPv6. Yet in the market prices have been continuously increasing. Understanding this pricing puzzle is not just interesting from a theoretical perspective, but also crucial for applied policy analysis.
To understand these and other empirical facts I explore the transition of firms from IPv4 to IPv6 in the presence of market frictions. The two key frictions in the market are switching costs and network effects. To substantiate this, I develop a dynamic model of firm behavior and calibrate the model to get a plausibly parametrized version of the model. This model can explain the striking increase in prices observed and the delay in IPv6 adoption.
In the parameterized version of the model I find that it would take 33 years to reach near complete IPv6 adoption. In counterfactual simulations, I examine the role of frictions and optimal adoption path by a social planner. A regulation that aims to shut down the market by a certain period leads to a coordination in IPv6 adoption and increase in producer surplus, thus making it in an effective policy tool to enable transition to IPv6. Thus, in the presence of market frictions, the market on its own could fail in efficiently transitioning to the next protocol
Network hygiene, incentives, and regulation: Deployment of source address validation in the internet
The Spoofer project has collected data on the deployment and characteristics of IP source address validation on the Internet since 2005. Data from the project comes from participants who install an active probing client that runs in the background. The client automatically runs tests both periodically and when it detects a new network attachment point. We analyze the rich dataset of Spoofer tests in multiple dimensions: across time, networks, autonomous systems, countries, and by Internet protocol version. In our data for the year ending August 2019, at least a quarter of tested ASes did not filter packets with spoofed source addresses leaving their networks. We show that routers performing Network Address Translation do not always filter spoofed packets, as 6.4% of IPv4/24 tested in the year ending August 2019 did not filter. Worse, at least two thirds of tested ASes did not filter packets entering their networks with source addresses claiming to be from within their network that arrived from outside their network. We explore several approaches to encouraging remediation and the challenges of evaluating their impact. While we have been able to remediate 352 IPv4/24, we have found an order of magnitude more IPv4/24 that remains unremediated, despite myriad remediation strategies, with 21% unremediated for more than six months. Our analysis provides the most complete and confident picture of the Internet's susceptibility to date of this long-standing vulnerability. Although there is no simple solution to address the remaining long-tail of unremediated networks, we conclude with a discussion of possible non-technical interventions, and demonstrate how the platform can support evaluation of the impact of such interventions over time
Security analysis of network neighbors
Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2010O presente trabalho aborda um problema comum a muitos dos actuais fornecedores de serviços Internet (ISPs): mitigação eficiente de tráfego malicioso na sua rede. Este tráfego indesejado impõe um desperdício de recursos de rede o que leva a uma consequente degradação da qualidade de serviço. Cria também um ambiente inseguro para os clientes, minando o potencial oferecido pela Internet e abrindo caminho para actividades criminosas graves. Algumas das principais condicionantes na criação de sistemas capazes de resolver estes problemas são: a enorme quantidade de tráfego a ser analisado, o facto da Internet ser inerentemente anónima e a falta de incentivo para os operadores de redes de trânsito em bloquear este tipo de tráfego.
No âmbito de um ISP de média escala, este trabalho concentra-se em três áreas principais: origens de tráfego malicioso, classificação de segurança de redes vizinhas ao ISP e políticas de
intervenção. Foram colectados dados de rede considerando, determinados tipos de tráfego malicioso: varrimento de endereços e inundação de fluxos de ligações; assim como informação de acessibilidades rede: mensagens de actualização de BGP disponibilizadas pelo RIPE Routing Information Service. Analisámos o tráfego malicioso em busca de padrões de rede, o que nos permitiu compreender que é maioritariamente originário de um subconjunto muito pequeno de ASes na Internet. No âmbito de um ISP e de acordo com um conjunto de métricas de segurança, definimos uma expressão de correlação para quantificar os riscos de segurança associados a conexões com redes vizinhas, a qual denominámos Risk Score. Finalmente, propusemos técnicas para concretização das tarefas de rede necessárias à redução de tráfego malicioso de forma eficiente, se possível em cooperação com redes vizinhas / ASes.
Não temos conhecimento de qualquer publicação existente que correlacione as características de tráfego malicioso de varrimento de endereços e inundação de fluxos de ligações, com informação de acessibilidades de rede no âmbito de um ISP, de forma a classificar a segurança das vizinhanças de rede, com o propósito de decidir filtrar o tráfego de prefixos específicos de um AS ou bloquear todo o tráfego proveniente de um AS.
Acreditamos que os resultados apresentados neste trabalho podem ser aplicados imediatamente em cenários reais, permitindo criar ambientes de rede mais seguros e escaláveis, desta forma melhorando as condições de rede necessárias ao desenvolvimento de novos serviços.This thesis addresses a common issue to many of current Internet Service Providers (ISPs): efficient mitigation of malicious traffic flowing through their network. This unwanted traffic imposes a waste of network resources, leading to a degradation of quality of service. It also creates an unsafe environment for users, therefore mining the Internet potential and opening way for severe criminal activity. Some of the main constraints of creating systems that may tackle these problems are the enormous amount of traffic to be analyzed, the fact that the Internet is inherently untraceable and the lack of incentive for transit networks to block this type of traffic.
Under the scope of a mid scale ISP, this thesis focuses on three main areas: the origins of malicious traffic, security classification of ISP neighbors and intervention policies.
We collected network data from particular types of malicious traffic: address scans and flow floods; and network reachability information: BGP update messages from RIPE Routing Information Service (RIS). We analyzed the malicious traffic looking for network patterns, which allowed us to understand that most of it originates from a very small subset of Internet ASes. We defined a correlation expression to quantify the security risks of neighbor connections within an ISP scope according to a set of security metrics that we named Risk Score. We finally proposed techniques to implement the network tasks required to mitigate malicious traffic efficiently, if possible in cooperation with other neighbors/ASes.
We are not aware of any work been done that correlates the malicious traffic characteristics of
address scans and flow flood attacks, with network reachability information of an ISP network, to classify the security of neighbor connections in order to decide to filter traffic from specific prefixes of an AS, or to block all traffic from an AS.
It is our belief, the findings presented in this thesis can be immediately applied to real world scenarios, enabling more secure and scalable network environments, therefore opening way for better deployment environments of new services
- …