244 research outputs found
Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists
Network measurements are an important tool in understanding the Internet. Due
to the expanse of the IPv6 address space, exhaustive scans as in IPv4 are not
possible for IPv6. In recent years, several studies have proposed the use of
target lists of IPv6 addresses, called IPv6 hitlists.
In this paper, we show that addresses in IPv6 hitlists are heavily clustered.
We present novel techniques that allow IPv6 hitlists to be pushed from quantity
to quality. We perform a longitudinal active measurement study over 6 months,
targeting more than 50 M addresses. We develop a rigorous method to detect
aliased prefixes, which identifies 1.5 % of our prefixes as aliased, pertaining
to about half of our target addresses. Using entropy clustering, we group the
entire hitlist into just 6 distinct addressing schemes. Furthermore, we perform
client measurements by leveraging crowdsourcing.
To encourage reproducibility in network measurement research and to serve as
a starting point for future IPv6 studies, we publish source code, analysis
tools, and data.Comment: See https://ipv6hitlist.github.io for daily IPv6 hitlists, historical
data, and additional analyse
Kirin: Hitting the Internet with Millions of Distributed IPv6 Announcements
The Internet is a critical resource in the day-to-day life of billions of
users. To support the growing number of users and their increasing demands,
operators have to continuously scale their network footprint -- e.g., by
joining Internet Exchange Points -- and adopt relevant technologies -- such as
IPv6. IPv6, however, has a vastly larger address space compared to its
predecessor, which allows for new kinds of attacks on the Internet routing
infrastructure. In this paper, we revisit prefix de-aggregation attacks in the
light of these two changes and introduce Kirin -- an advanced BGP prefix
de-aggregation attack that sources millions of IPv6 routes and distributes them
via thousands of sessions across various IXPs to overflow the memory of border
routers within thousands of remote ASes. Kirin's highly distributed nature
allows it to bypass traditional route-flooding defense mechanisms, such as
per-session prefix limits or route flap damping. We analyze the theoretical
feasibility of the attack by formulating it as a Integer Linear Programming
problem, test for practical hurdles by deploying the infrastructure required to
perform a small-scale Kirin attack using 4 IXPs, and validate our assumptions
via BGP data analysis, real-world measurements, and router testbed experiments.
Despite its low deployment cost, we find Kirin capable of injecting lethal
amounts of IPv6 routes in the routers of thousands of ASes
Stress-Induced Cocaine Seeking Requires a Beta-2 Adrenergic Receptor-Regulated Pathway from the Ventral Bed Nucleus of the Stria Terminalis That Regulates CRF Actions in the Ventral Tegmental Area
The ventral bed nucleus of the stria terminalis (vBNST) has been implicated in stress-induced cocaine use. Here we demonstrate that, in the vBNST, corticotropin releasing factor (CRF) is expressed in neurons that innervate the ventral tegmental area (VTA), a site where the CRF receptor antagonist antalarmin prevents the reinstatement of cocaine seeking by a stressor, intermittent footshock, following intravenous self-administration in rats. The vBNST receives dense noradrenergic innervation and expresses β adrenergic receptors (ARs). Footshock-induced reinstatement was prevented by bilateral intra-vBNST injection of the β-2 AR antagonist, ICI-118,551, but not the β-1 AR antagonist, betaxolol. Moreover, bilateral intra-vBNST injection of the β-2 AR agonist, clenbuterol, but not the β-1 agonist, dobutamine, reinstated cocaine seeking, suggesting that activation of vBNST β-2 AR is both necessary for stress-induced reinstatement and sufficient to induce cocaine seeking. The contribution of a β-2 AR-regulated vBNST-to-VTA pathway that releases CRF was investigated using a disconnection approach. Injection of ICI-118,551 into the vBNST in one hemisphere and antalarmin into the VTA of the contralateral hemisphere prevented footshock-induced reinstatement, whereas ipsilateral manipulations failed to attenuate stress-induced cocaine seeking, suggesting that β-2 AR regulate vBNST efferents that release CRF into the VTA, activating CRF receptors, and promoting cocaine use. Last, reinstatement by clenbuterol delivered bilaterally into the vBNST was prevented by bilateral vBNST pretreatment with antalarmin, indicating that β-2 AR-mediated actions in the vBNST also require local CRF receptor activation. Understanding the processes through which stress induces cocaine seeking should guide the development of new treatments for addiction
The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem
In this paper, we analyze the evolution of Certificate Transparency (CT) over
time and explore the implications of exposing certificate DNS names from the
perspective of security and privacy. We find that certificates in CT logs have
seen exponential growth. Website support for CT has also constantly increased,
with now 33% of established connections supporting CT. With the increasing
deployment of CT, there are also concerns of information leakage due to all
certificates being visible in CT logs. To understand this threat, we introduce
a CT honeypot and show that data from CT logs is being used to identify targets
for scanning campaigns only minutes after certificate issuance. We present and
evaluate a methodology to learn and validate new subdomains from the vast
number of domains extracted from CT logged certificates.Comment: To be published at ACM IMC 201
Rusty Clusters? Dusting an IPv6 Research Foundation
The long-running IPv6 Hitlist service is an important foundation for IPv6
measurement studies. It helps to overcome infeasible, complete address space
scans by collecting valuable, unbiased IPv6 address candidates and regularly
testing their responsiveness. However, the Internet itself is a quickly
changing ecosystem that can affect longrunning services, potentially inducing
biases and obscurities into ongoing data collection means. Frequent analyses
but also updates are necessary to enable a valuable service to the community.
In this paper, we show that the existing hitlist is highly impacted by the
Great Firewall of China, and we offer a cleaned view on the development of
responsive addresses. While the accumulated input shows an increasing bias
towards some networks, the cleaned set of responsive addresses is well
distributed and shows a steady increase.
Although it is a best practice to remove aliased prefixes from IPv6 hitlists,
we show that this also removes major content delivery networks. More than 98%
of all IPv6 addresses announced by Fastly were labeled as aliased and
Cloudflare prefixes hosting more than 10M domains were excluded. Depending on
the hitlist usage, e.g., higher layer protocol scans, inclusion of addresses
from these providers can be valuable.
Lastly, we evaluate different new address candidate sources, including target
generation algorithms to improve the coverage of the current IPv6 Hitlist. We
show that a combination of different methodologies is able to identify 5.6M
new, responsive addresses. This accounts for an increase by 174% and combined
with the current IPv6 Hitlist, we identify 8.8M responsive addresses
From Single Lane to Highways: Analyzing the Adoption of Multipath TCP in the Internet
Multipath TCP (MPTCP) extends traditional TCP to enable simultaneous use of
multiple connection endpoints at the source and destination. MPTCP has been
under active development since its standardization in 2013, and more recently
in February 2020, MPTCP was upstreamed to the Linux kernel.
In this paper, we provide the first broad analysis of MPTCPv0 in the
Internet. We probe the entire IPv4 address space and an IPv6 hitlist to detect
MPTCP-enabled systems operational on port 80 and 443. Our scans reveal a steady
increase in MPTCP-capable IPs, reaching 9k+ on IPv4 and a few dozen on IPv6. We
also discover a significant share of seemingly MPTCP-capable hosts, an artifact
of middleboxes mirroring TCP options. We conduct targeted HTTP(S) measurements
towards select hosts and find that middleboxes can aggressively impact the
perceived quality of applications utilizing MPTCP. Finally, we analyze two
complementary traffic traces from CAIDA and MAWI to shed light on the
real-world usage of MPTCP. We find that while MPTCP usage has increased by a
factor of 20 over the past few years, its traffic share is still quite low.Comment: Proceedings of the 2021 IFIP Networking Conference (Networking '21).
Visit https://mptcp.io for up-to-date MPTCP measurement result
Deep Dive into the IoT Backend Ecosystem
Internet of Things (IoT) devices are becoming increasingly ubiquitous, e.g.,
at home, in enterprise environments, and in production lines. To support the
advanced functionalities of IoT devices, IoT vendors as well as service and
cloud companies operate IoT backends -- the focus of this paper. We propose a
methodology to identify and locate them by (a) compiling a list of domains used
exclusively by major IoT backend providers and (b) then identifying their
server IP addresses. We rely on multiple sources, including IoT backend
provider documentation, passive DNS data, and active scanning. For analyzing
IoT traffic patterns, we rely on passive network flows from a major European
ISP.
Our analysis focuses on the top IoT backends and unveils diverse operational
strategies -- from operating their own infrastructure to utilizing the public
cloud. We find that the majority of the top IoT backend providers are located
in multiple locations and countries. Still, a handful are located only in one
country, which could raise regulatory scrutiny as the client IoT devices are
located in other regions. Indeed, our analysis shows that up to 35% of IoT
traffic is exchanged with IoT backend servers located in other continents. We
also find that at least six of the top IoT backends rely on other IoT backend
providers. We also evaluate if cascading effects among the IoT backend
providers are possible in the event of an outage, a misconfiguration, or an
attack
- …