8 research outputs found

    Network-aware Active Wardens in IPv6

    Every day the world grows more dependent on digital communication. Technologies like e-mail or the World Wide Web, which not so long ago were considered experimental, have first become accepted and then indispensable tools of everyday life. New communication technologies built on top of the existing ones continuously race to provide newer and better functionality. Even established media like books, radio, or television have gone digital in an effort to avoid extinction. In this torrent of digital communication a constant struggle takes place. On one hand, people, organizations, companies and countries attempt to control ongoing communications and subject them to their policies and laws. On the other hand, there is often a need to ensure and protect the anonymity and privacy of those same communications. Neither side in this struggle is necessarily noble or malicious. We can easily imagine that under oppressive censorship two parties might have a legitimate reason to communicate covertly. At the same time, the use of digital communications for business, military, and also criminal purposes gives equally compelling reasons for monitoring them thoroughly. Covert channels are communication mechanisms that were never intended nor designed to carry information. As such, they are often able to act "below" the notice of mechanisms designed to enforce security policies. Therefore, using covert channels it might be possible to establish a covert communication that escapes the notice of the enforcement mechanism in place. Any covert channel present in digital communications offers a possibility of achieving secret, and therefore unmonitored, communication. There have been numerous studies investigating the possibilities of hiding information in digital images, audio streams, videos, etc.
We turn our attention to the covert channels that exist in the digital networks themselves, that is, in the digital communication protocols. Currently, one of the most ubiquitous protocols in deployment is the Internet Protocol version 4 (IPv4). Its universal presence and reach make it an ideal candidate for covert channel investigation. However, IPv4 is approaching the end of its dominance as its address space nears exhaustion. This imminent exhaustion will soon force a mass migration towards Internet Protocol version 6 (IPv6), expressly designed as its successor. While the protocol itself is already over a decade old, its adoption is still in its infancy. The low acceptance of IPv6 results in an insufficient understanding of its security properties. We investigated the protocols forming the foundation of the next generation Internet, IPv6 and the Internet Control Message Protocol for IPv6 (ICMPv6), and found numerous covert channels. In order to properly assess their capabilities and performance, we built cctool, a comprehensive covert channel tool. Finally, we considered countermeasures capable of defeating the discovered covert channels. For this purpose we extended the previously existing notion of active wardens to equip them with knowledge of the surrounding network and allow them to fulfill their role more effectively.
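The abstract above names neither the specific IPv6 fields it found usable as covert channels nor the exact normalisation its network-aware wardens perform. The following is an added, self-contained example (not cctool, and not code from the thesis) that illustrates the general idea with one assumed channel: the 20-bit IPv6 Flow Label, which a sender can fill with arbitrary bits. The warden side shows one countermeasure a practitioner might deploy in a middlebox: rewriting every Flow Label to a keyed per-flow value, which keeps the label consistent for a flow (so legitimate ECMP hashing still works) while destroying whatever the sender encoded. The addresses, the key, the 2-bytes-plus-sequence-number encoding and the HMAC-based rewrite are all constructed assumptions for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed endpoints (documentation prefix, not real hosts).
SRC = ipaddress.IPv6Address("2001:db8:1::10").packed
DST = ipaddress.IPv6Address("2001:db8:2::20").packed
NO_NEXT_HEADER = 59          # IPv6 "No Next Header": the packet is header-only
FLOW_LABEL_MASK = 0xFFFFF    # the Flow Label is the low 20 bits of the first word


def build_ipv6_header(src: bytes, dst: bytes, flow_label: int,
                      next_header: int = NO_NEXT_HEADER, payload_len: int = 0,
                      traffic_class: int = 0, hop_limit: int = 64) -> bytes:
    """Serialise the 40-byte fixed IPv6 header (version, traffic class, flow label,
    payload length, next header, hop limit, source, destination)."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & FLOW_LABEL_MASK)
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header,
                       hop_limit, src, dst)


def flow_label_of(header: bytes) -> int:
    (first_word,) = struct.unpack("!I", header[:4])
    return first_word & FLOW_LABEL_MASK


def encode_covert(message: bytes, src: bytes = SRC, dst: bytes = DST) -> list:
    """Sender side (assumed encoding): 2 message bytes in the low 16 bits of the
    label plus a 4-bit sequence number in the high 4 bits, one packet per chunk."""
    packets = []
    for seq, offset in enumerate(range(0, len(message), 2)):
        chunk = message[offset:offset + 2].ljust(2, b"\x00")
        label = ((seq & 0xF) << 16) | int.from_bytes(chunk, "big")
        packets.append(build_ipv6_header(src, dst, label))
    return packets


def decode_covert(packets: list, length: int) -> bytes:
    """Receiver side: read the low 16 bits of each label back, in arrival order."""
    data = b"".join((flow_label_of(p) & 0xFFFF).to_bytes(2, "big") for p in packets)
    return data[:length]


class ActiveWarden:
    """Middlebox that rewrites every Flow Label to HMAC(key, src||dst||next_header).

    A flow label only has to be stable per flow for routers that hash on it, so a
    keyed per-flow replacement preserves that property but leaves the covert
    receiver with a value the sender never chose and cannot predict.
    """

    def __init__(self, key: bytes):
        self.key = key

    def normalize(self, header: bytes) -> bytes:
        flow_id = header[8:40] + header[6:7]           # src (16) + dst (16) + next header
        digest = hmac.new(self.key, flow_id, hashlib.sha256).digest()
        new_label = int.from_bytes(digest[:3], "big") & FLOW_LABEL_MASK
        (first_word,) = struct.unpack("!I", header[:4])
        first_word = (first_word & ~FLOW_LABEL_MASK) | new_label   # keep version/tclass
        return struct.pack("!I", first_word) + header[4:]


if __name__ == "__main__":
    msg = b"meet at dawn"
    pkts = encode_covert(msg)
    print("receiver without warden:", decode_covert(pkts, len(msg)))
    warden = ActiveWarden(b"constructed-warden-key")
    cleaned = [warden.normalize(p) for p in pkts]
    print("receiver behind warden: ", decode_covert(cleaned, len(msg)))
```

The warden here is deliberately not network-aware in the sense the abstract describes: it rewrites every label unconditionally. Making it network-aware would mean, for example, consulting knowledge of which hosts on the segment legitimately set labels and which extension headers are expected, and only then deciding whether to rewrite or drop; the keyed rewrite above is the primitive such a warden would apply once it decides to act.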

    Lightweight IPv6 network probing detection framework


    An investigation into Off-Link IPv6 host enumeration search methods

    This research investigated search methods for enumerating networked devices on off-link 64 bit Internet Protocol version 6 (IPv6) subnetworks. IPv6 host enumeration is an emerging research area involving strategies to enable detection of networked devices on IPv6 networks. Host enumeration is an integral component of vulnerability assessments (VAs), and can be used to strengthen the security profile of a system. Recently, host enumeration has been applied to Internet-wide VAs in an effort to detect devices that are vulnerable to specific threats. These host enumeration exercises rely on the fact that the existing Internet Protocol version 4 (IPv4) address space can be exhaustively enumerated in less than an hour. The same is not true for IPv6, where exhaustively enumerating a single 64 bit subnetwork would take over 584,940 years. As such, research is required to determine appropriate host enumeration search methods for IPv6, given that the protocol is seeing increasing global usage. For this study, a survey of Internet resources was conducted to gather information about the nature of IPv6 usage in real-world scenarios. The collected survey data revealed patterns in the usage of IPv6 that influenced the search techniques. The research tested the efficacy of various search algorithms against IPv6 datasets through the use of simulation. Multiple algorithms were devised to test different approaches to host enumeration against 64 bit IPv6 subnetworks. Of these, a novel adaptive heuristic search algorithm, a genetic algorithm and a stripe search algorithm were chosen to conduct off-link IPv6 host enumeration. A linear algorithm, a Monte Carlo algorithm and a pattern heuristics algorithm were also tested for their suitability in searching off-link IPv6 networks. These algorithms were applied to two test IPv6 address datasets, one comprised of unique IPv6 addresses observed during the survey phase, and one comprised of unique IPv6 addresses generated using pseudorandom number generators.
Searching against the two datasets was performed in order to determine appropriate strategies for off-link host enumeration under circumstances where networked devices were configured with addresses that represented real-world IPv6 addresses, and where device addresses were configured through some randomisation function. Whilst the outcomes of this research support the view that an exhaustive enumeration of an IPv6 network is infeasible, it has been demonstrated that devices on IPv6 networks can be enumerated. In particular, it was identified that the linear search technique and the variants tested in this study (pattern search and stripe search) remained the most consistent means of enumerating an IPv6 network. Machine learning methods were also successfully applied to the problem. It was determined that the novel adaptive heuristic search algorithm was an appropriate candidate for search operations. The adaptive heuristic search algorithm successfully enumerated over 24% of the available devices on the dataset that was crafted from surveyed IPv6 address data. Moreover, it was confirmed that stochastic address generation can reduce the effectiveness of enumeration strategies, as all of the algorithms failed to enumerate more than 1% of hosts against the pseudorandomly generated dataset. This research highlights a requirement for effective IPv6 host enumeration algorithms, and presents and validates appropriate methods. The methods presented in this thesis can help to influence the tools and utilities that are used to conduct host enumeration exercises.
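The abstract reports that linear, stripe and pattern searches enumerate structured address populations while every method fails against pseudorandom interface identifiers, but it does not define the search algorithms. The following is an added simulation in the same spirit (not the thesis's code or datasets): it builds two constructed host populations on a documentation /64, one with hand-numbered, structured interface identifiers and one with uniformly random 64-bit identifiers, and scores three probe strategies against each under a fixed probe budget. The "stripe search" here is my own interpretation (low values spread across each 16-bit group of the identifier); the thesis's stripe and pattern definitions may differ.

```python
import ipaddress
import random
from typing import Callable, Iterable, Set

# Constructed target subnet; the 64-bit interface identifier (IID) is the search space.
PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")
IID_BITS = 64
IID_MASK = (1 << IID_BITS) - 1


def iid_to_addr(iid: int) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(int(PREFIX.network_address) | (iid & IID_MASK))


def structured_hosts(n: int) -> Set[ipaddress.IPv6Address]:
    """Constructed 'real-world' population: n hosts numbered ::1 .. ::n by hand,
    plus n hosts numbered in the next 16-bit group (::1:0 .. ::n:0)."""
    low = {iid_to_addr(i) for i in range(1, n + 1)}
    striped = {iid_to_addr(i << 16) for i in range(1, n + 1)}
    return low | striped


def random_hosts(n: int, seed: int = 1) -> Set[ipaddress.IPv6Address]:
    """Constructed population with pseudorandom IIDs (privacy/stable-random style)."""
    rng = random.Random(seed)
    return {iid_to_addr(rng.getrandbits(IID_BITS)) for _ in range(n)}


def linear_search(budget: int) -> Iterable[int]:
    """Probe IIDs 0, 1, 2, ... up to the probe budget."""
    return range(budget)


def stripe_search(budget: int) -> Iterable[int]:
    """Assumed stripe variant: spread the budget over the four 16-bit groups of
    the IID, probing low values in each (::v, ::v:0, ::v:0:0, ::v:0:0:0)."""
    per_group = budget // 4
    for shift in (0, 16, 32, 48):
        for v in range(per_group):
            yield v << shift


def monte_carlo_search(budget: int, seed: int = 2) -> Iterable[int]:
    """Uniformly random probes over the whole 2^64 identifier space."""
    rng = random.Random(seed)
    for _ in range(budget):
        yield rng.getrandbits(IID_BITS)


def enumerate_hosts(candidates: Iterable[int],
                    hosts: Set[ipaddress.IPv6Address]) -> Set[ipaddress.IPv6Address]:
    """Offline stand-in for probing: a candidate 'responds' iff it is in the host set."""
    return {addr for addr in (iid_to_addr(c) for c in candidates) if addr in hosts}


def coverage(search: Callable[[int], Iterable[int]],
             hosts: Set[ipaddress.IPv6Address], budget: int) -> float:
    """Fraction of the population found within the probe budget."""
    return len(enumerate_hosts(search(budget), hosts)) / len(hosts)


if __name__ == "__main__":
    budget = 4096
    populations = {"structured": structured_hosts(100), "random": random_hosts(100)}
    searches = {"linear": linear_search, "stripe": stripe_search,
                "monte-carlo": monte_carlo_search}
    for pop_name, hosts in populations.items():
        for search_name, search in searches.items():
            print(f"{pop_name:10s} {search_name:12s} "
                  f"{coverage(search, hosts, budget):.0%} of {len(hosts)} hosts")
```

With 4,096 probes the linear search finds exactly the low-numbered half of the structured population, the stripe search finds all of it, and nothing finds any of the random population, which is the abstract's qualitative result: structure in address assignment is what makes a /64 enumerable, and randomised identifiers remove it.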

    Distributed mobility management for a flat architecture in 5G mobile networks: solutions, analysis and experimental validation

    In recent years, the commercial deployment of data services in mobile networks has been evolving quickly, providing enhanced radio access technologies and more efficient network architectures. Nowadays, mobile users enjoy broadband and ubiquitous wireless access through their portable devices, like smartphones and tablets, exploiting the connectivity offered by modern 4G networks. Nevertheless, the technological evolution keeps moving towards the development of next generation networks, or 5G, aiming at further improving the current system in order to cope with the huge data traffic growth foreseen in the coming years. One of the possible research directions aims at innovating the mobile network architecture by designing a flat system. Indeed, current systems are built upon a centralized and hierarchical structure, where multiple access networks are connected to a central core hosting crucial network functions, e.g., charging, control and maintenance, as well as mobility management, which is the main topic of this thesis. In such a centralized mobility management system, users' traffic is aggregated at some key nodes in the core, called mobility anchors. Thus, an anchor can easily handle a user's mobility by redirecting traffic flows to his/her location, but i) it poses scalability issues, ii) it represents a single point of failure, and iii) the routing path is in general suboptimal. These problems can be overcome by moving to a flat architecture and adopting a Distributed Mobility Management (DMM) system, where the centralized anchor is removed. This thesis develops within the DMM framework, presenting the design, analysis, implementation and experimental validation of several DMM protocols. In this work we describe original protocols for client-based and network-based mobility management, as well as a hybrid solution.
We study our solutions analytically to evaluate their signaling cost, packet delivery cost, and the latency introduced to handle a handover event. Finally, we assess the validity of some of our protocols with experiments run over a network prototype built in our lab implementing such solutions.
Official Doctoral Programme in Telematics Engineering. Committee: President: Arturo Azcorra Saloña; Secretary: Ramón Agüero Calvo; Member: Jouni Korhone

    Distributed IP mobility management for hosts and networks

    The Internet was originally designed for stationary nodes. With the advancement of mobile nodes (such as smartphones and tablets) that have wireless Internet access capability, the original design of the Internet is no longer sufficient. These mobile nodes are capable of communicating while moving and changing their point of attachment to the Internet. To maintain communication session continuity for these mobile nodes, the Internet needs mobility management mechanisms. The main mobility management protocols standardised by the Internet Engineering Task Force (IETF) are Mobile IP (MIPv6 and MIPv4) and their numerous extensions and variants, including Proxy Mobile IP (PMIPv6 and PMIPv4). The architectures of these protocols employ a centralized mobility anchor to manage the mobility of the mobile nodes in the control and data planes. The mobility anchor manages the mobility binding information and the forwarding of data packets for all mobile nodes registered in the network. However, in the context of the rapid growth in the number of mobile users and the data traffic volume, as well as the trend towards a flat architecture in mobile networks, the centralized mobility management approach provides insufficient mobility support to the mobile nodes. For example, to serve the increased number of mobile users, a huge amount of data traffic will be pushed to the centralized mobility anchor. Yet, routing huge volumes of traffic via the centralized mobility anchor can be non-optimal in terms of routing efficiency. Thus, the centralised mobility anchor can be a potential bottleneck and a single point of failure. Consequently, failure of the mobility anchor may lead to a service outage for a large number of mobile nodes. Ultimately, the centralized mobility management approach does not scale well with the increase in the number of mobile users and the data traffic volume.
These problems are also costly to resolve within the centralized mobility management approach and its related centralized network architecture. Distributed mobility management (DMM) is one recent approach that can efficiently address the shortcomings of centralized mobility management. It provides an alternative paradigm for developing IP mobility management without employing centralized mobility anchors. In this paradigm, either the mobility anchors, or their mobility management functions, are distributed to different networks/elements. The mobility anchors, or the mobility management functions, are brought to the edge of the networks, closer to the mobile nodes. Distributed mobility management also offers dynamic mobility features that allow a mobile node to anchor traffic at different mobility anchors. However, to date, mobility management schemes that have been developed based on the DMM approach are still in the preliminary stages, and there is no current standard in place. These DMM schemes still experience problems, such as long routing paths, especially for long-lasting data traffic, a lack of route optimization for ongoing communication, and a lack of synchronization of the mobile nodes' location across different networks. Moreover, the majority of these proposed schemes still need to be analysed in order to quantify their feasibility. The thesis proposes three novel network-based distributed mobility management schemes, which are based on the DMM approach. The schemes enhance PMIPv6 to work in a distributed manner, in order to address the problems of centralized mobility management. Furthermore, the schemes address the following issues: (1) the lack of route optimization for ongoing communication; (2) the lack of synchronization of the mobile nodes' location across different networks; and (3) the long end-to-end packet delivery delay in recently proposed DMM schemes.
The first scheme, called the network-based distributed mobility management scheme with routing management function at the gateways (DM-RMG), decomposes the logical mobility management functions of the Local Mobility Anchor (LMA) in PMIPv6 into internetwork location management (LM), routing management (RM), and home network prefix (HNP) allocation functions. After the decomposition, the RM function is collocated at the gateways of different networks. In this way, the data-plane routing function for the respective mobile nodes is served by the corresponding local RM function at the network gateway. The DM-RMG scheme offers distributed mobility management for individual mobile nodes (i.e., mobile hosts) during mobility events. DM-RMG also implements a mechanism to optimize the handover delay. The results obtained from analytical modelling and simulation show that the DM-RMG scheme outperforms the centralized mobility management schemes, as well as currently proposed distributed mobility management schemes, in terms of end-to-end packet delivery delay under different network load conditions. The optimized handover performance of the DM-RMG scheme, investigated under different traffic patterns and mobile node speeds, shows that the scheme also mitigates the internetwork handover delay and packet loss. The second proposed scheme, called network-based distributed mobility management for network mobility (NDM-RMG), uses a similar approach to DM-RMG, but proposes a network-based DMM scheme for Network Mobility (NEMO). The main goal of the NDM-RMG scheme is to address the problems of centralized mobility management protocols for NEMO, including the pinball routing problem in nested NEMO. NDM-RMG is compared with centralized mobility management schemes for NEMO, and with recently proposed distributed IP mobility management schemes for NEMO, by means of analytical modelling and simulation evaluations.
NDM-RMG shows better performance in terms of reducing the packet delivery latency, the size of the packet header, and the packet overhead experienced over the wireless link. The third proposed scheme, called network-based distributed mobility management scheme with RM and HNP allocation functions distributed to the access routers (DM-RMA), distributes the RM and HNP allocation functions to the access routers together with the mobility client function. This brings the mobility-related functions closer to the mobile nodes, that is, to the edge of the network. An analytical model is developed to investigate the mobility cost performance of the scheme, due to signalling, packet delivery, and tunnelling. The analytical results indicate that DM-RMA performs better than the previous DMM schemes in terms of packet delivery, tunnelling and total costs. Network Simulator-2 (ns-2) is used to model the DM-RMA scheme. The simulated scenarios confirm that DM-RMA performs better than other proposed DMM schemes in terms of reducing the location update latency at the location managers, end-to-end packet delivery delay, handover delay, and packet loss. In addition to the three proposed DMM schemes, this thesis proposes a route optimization scheme for PMIPv6. The main goal of this scheme is to enable PMIPv6 to offer route optimization to mobile nodes in a PMIPv6 domain. The scheme reduces the route optimization establishment latency, the packet delivery latency, and the packet loss. Using ns-2 simulations and considering different simulated scenarios, the results show that the scheme reduces route optimization establishment latency and delayed packets during the route optimization operation, as compared to previously proposed PMIPv6 route optimization schemes. The results also show that the scheme reduces packet loss when a mobile node undergoes handover in the PMIPv6 domain.

    IPv6 Node Information Queries
