ARTEMIS: Real-Time Detection and Automatic Mitigation for BGP Prefix Hijacking
Prefix hijacking is a common phenomenon in the Internet that often causes
routing problems and economic losses. In this demo, we propose ARTEMIS, a tool
that enables network administrators to detect and mitigate prefix hijacking
incidents, against their own prefixes. ARTEMIS is based on the real-time
monitoring of BGP data in the Internet, and software-defined networking (SDN)
principles, and can completely mitigate a prefix hijacking within a few minutes
(e.g., 5-6 mins in our experiments) after it has been launched.
A first look at the misuse and abuse of the IPv4 Transfer Market
The depletion of the unallocated address space in combination with the slow pace of IPv6 deployment has given rise to the IPv4 transfer market, namely the trading of allocated IPv4 prefixes between ASes. While RIRs have established detailed policies in an effort to regulate the IPv4 transfer market, for malicious networks such as spammers and bulletproof ASes, IPv4 transfers pose an opportunity to bypass reputational penalties of abusive behaviour since they can obtain "clean" address space or offload blacklisted address space. Additionally, IP transfers create a window of uncertainty about legitimate ownership of prefixes, which adversaries can exploit to hijack parts of the transferred address space. In this paper, we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild by synthesizing an array of longitudinal IP blacklists and lists of prefix hijacking incidents. Our findings yield evidence that the transferred network blocks are used by malicious networks to address botnets and fraudulent sites at much higher rates compared to non-transferred addresses, while the timing of the attacks indicates efforts to evade filtering mechanisms.
Characterizing User-to-User Connectivity with RIPE Atlas
Characterizing the interconnectivity of networks at a country level is an
interesting but non-trivial task. The IXP Country Jedi is an existing prototype
that uses RIPE Atlas probes in order to explore interconnectivity at a country
level, taking into account all Autonomous Systems (AS) where RIPE Atlas probes
are deployed. In this work, we build upon this basis and specifically focus on
"eyeball" networks, i.e. the user-facing networks with the largest user
populations in any given country, and explore to what extent we can provide
insights on their interconnectivity. In particular, with a focused user-to-user
(and/or user-to-content) version of the IXP Country Jedi we work towards
meaningful statistics and comparisons between countries/economies. This is
something that a general-purpose probe-to-probe version is not able to capture.
We present our preliminary work on the estimation of RIPE Atlas coverage in
eyeball networks, as well as an approach to measure and visualize user
interconnectivity with our Eyeball Jedi tool. Comment: In Proceedings of the Applied Networking Research Workshop (ANRW '17)
Seven years in the life of Hypergiants' off-nets
Content Hypergiants deliver the vast majority of Internet traffic to end users. In recent years, some have invested heavily in deploying services and servers inside end-user networks. With several dozen Hypergiants and thousands of servers deployed inside networks, these off-net (meaning outside the Hypergiant networks) deployments change the structure of the Internet. Previous efforts to study them have relied on proprietary data or specialized per-Hypergiant measurement techniques that neither scale nor generalize, providing a limited view of content delivery on today's Internet. In this paper, we develop a generic and easy to implement methodology to measure the expansion of Hypergiants' off-nets. Our key observation is that Hypergiants increasingly encrypt their traffic to protect their customers' privacy. Thus, we can analyze publicly available Internet-wide scans of port 443 and retrieve TLS certificates to discover which IP addresses host Hypergiant certificates in order to infer the networks hosting off-nets for the corresponding Hypergiants. Our results show that the number of networks hosting Hypergiant off-nets has tripled from 2013 to 2021, reaching 4.5k networks. The largest Hypergiants dominate these deployments, with almost all of these networks hosting an off-net for at least one - and increasingly two or more - of Google, Netflix, Facebook, or Akamai. These four Hypergiants have off-nets within networks that provide access to a significant fraction of end user population.
Towards a traffic map of the Internet: Connecting the dots between popular services and users
The impact of Internet phenomena depends on how they impact users, but researchers lack visibility into how to translate Internet events into their impact. Distressingly, the research community seems to have lost hope of obtaining this information without relying on privileged viewpoints. We argue for optimism thanks to new network measurement methods and changes in Internet structure which make it possible to construct an "Internet traffic map". This map would identify the locations of users and major services, the paths between them, and the relative activity levels routed along these paths. We sketch our vision for the map, detail new measurement ideas for map construction, and identify key challenges that the research community should tackle. The realization of an Internet traffic map will be an Internet-scale research effort with Internet-scale impacts that reach far beyond the research community, and so we hope our fellow researchers are excited to join us in addressing this challenge.