    Uncovering Vulnerable Industrial Control Systems from the Internet Core

    Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., DRDoS attacks). In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used i) to create precise filters for potentially harmful non-industrial ICS traffic, and ii) to detect ICS sending unprotected inter-domain ICS traffic, which are vulnerable to eavesdropping and traffic manipulation attacks.

    Industrial control protocols in the Internet core: Dismantling operational practices

    Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., by DRDoS attacks). In this paper, we measure and analyze inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. These traffic observations are correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We uncover mainly unprotected inter-domain ICS traffic and provide an in-depth view on Internet-wide ICS communication. Our results can be used (i) to create precise filters for potentially harmful non-industrial ICS traffic and (ii) to detect ICS sending unprotected inter-domain ICS traffic, which are vulnerable to eavesdropping and traffic manipulation attacks. Additionally, we survey recent security extensions of ICS protocols, of which we find very little deployment. We estimate an upper bound of the deployment status for ICS security protocols in the Internet core.

    Carbon-Intelligent Global Routing in Path-Aware Networks

    The growing energy consumption of Information and Communication Technology (ICT) has raised concerns about its environmental impact. However, the carbon efficiency of data transmission over the Internet has so far received little attention. This carbon efficiency can be enhanced effectively by sending traffic over carbon-efficient inter-domain paths. However, challenges in estimating and disseminating the carbon intensity of inter-domain paths have prevented carbon-aware path selection from becoming a reality. In this paper, we take advantage of path-aware network architectures to overcome these challenges. In particular, we design CIRo, a system for forecasting the carbon intensity of inter-domain paths and disseminating these forecasts across the Internet. We implement a proof of concept for CIRo on the codebase of the SCION path-aware Internet architecture and test it on the SCIONLab global research testbed. Further, we demonstrate the potential of CIRo for reducing the carbon footprint of endpoints and end domains through large-scale simulations. We show that CIRo can reduce the carbon intensity of communications by at least 47% for half of the domain pairs and the carbon footprint of Internet usage by at least 50% for 87% of end domains.

    Characteristics and Temporal Behavior of Internet Backbone Traffic

    With the rapidly increasing demand for data usage, the Internet has become complex and harder to analyze. Characterizing Internet traffic can reveal information that is important for network operators to formulate policy decisions, develop techniques to detect network anomalies, better provision network resources (capacity, buffers), and use workload characteristics for simulations (typical packet sizes, flow durations, common protocols). In this paper, using passive monitoring and measurements, we present data traffic collected at Internet backbone routers. First, we report the main observations on patterns and characteristics of this dataset, including packet sizes, traffic volume for inter- and intra-domain traffic, and protocol composition. Second, we further investigate the independence structure of packet size arrivals using both visual and computational statistics. Finally, we show the temporal behavior of the most active destination IP addresses and ports.

    Inter-domain traffic routing in vehicular delay tolerant networks

    "Copyright © [2010] IEEE. Reprinted from IEEE International Conference on Communications (IEEE ICC 2010). ISSN: 1550-3607. This material is posted here with permission of the IEEE. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to pubs [email protected]. By choosing to view this document, you agree to all provisions of the copyright laws protecting it."

    In this paper, we consider the problem of dynamic inter-domain traffic routing between a VDTN and a non-DTN (e.g., the Internet). The inter-domain traffic can be classified as inbound and outbound traffic. Our main contribution in this work is the introduction of several fault-tolerant routing algorithms for inbound and outbound traffic. Using simulations, we compare the performance of the proposed algorithms in terms of required resources, packet delivery time, and blocking probability.

    This work was supported in part by the Instituto de Telecomunicações, Next Generation Networks and Applications Group (NetGNA), Covilhã Delegation, Portugal, in the framework of the VDTN@Lab Project.

    Supporting quality of service for internet applications

    University of Technology, Sydney. Faculty of Information Technology.

    Given the dominance of IP applications and the requirement of providing quality of service for users, it is critical to provide a scalable network architecture capable of supporting sufficient Quality of Service (QoS). Of the two network models (Integrated Services and Differentiated Services) approved by the Internet Engineering Task Force (IETF) [1, 2], the Differentiated Services model has gained wider acceptance because of its scalability. The Differentiated Services (DiffServ) QoS architecture is scalable but inadequate to deal with network congestion and unable to provide fairness among its traffic aggregates. Recently, the IETF has recommended additional functions, including admission control and resource discovery, to enhance the original DiffServ [2]. In this thesis, we propose a new framework based on DiffServ. The new architecture, called Fair Intelligent Congestion Control DiffServ (FICC-DiffServ), applies the FICC algorithm and control loop to provide fairness among traffic aggregates and control congestion inside DiffServ networks. The augmented architecture is realisable within the existing IP network infrastructure. Simulation results show that FICC-DiffServ performs excellently in terms of guaranteed fairness, minimised packet delay and jitter, as well as being robust to traffic attributes and simple to implement. Moreover, providing end-to-end QoS for Internet applications presents difficult problems, because the Internet is composed of many independently administered domains called Autonomous Systems. To enable end-to-end QoS, negotiation between domains is crucial. As a means of negotiation, inter-autonomous system QoS routing plays an important role in advertising the available network resources between domains. In this thesis, the Border Gateway Protocol (BGP) is extended to provide end-to-end QoS. BGP is selected for two reasons: (1) BGP is an inter-domain routing protocol widely used on the Internet, and (2) the use of attributes attached to routes makes BGP a powerful and scalable inter-domain routing protocol. For end-to-end QoS, a complete framework includes FICC-DiffServ in each domain, an extended BGP between domains, and admission control at the edge router. Via simulation, we demonstrate the reliability of the BGP-extended architecture, including route selection policy and overhead reduction issues.