
    Inferring Internet AS Relationships Based on BGP Routing Policies

    The type of business relationship between Internet autonomous systems (ASes) determines BGP inter-domain routing. Previous work on inferring AS relationships relied on connectivity information between ASes. In this paper we infer AS relationships by analysing the routing policies of ASes encoded in the BGP attributes Communities and Locpref. We accumulate BGP data from RouteViews, RIPE RIS and the public Route Servers in August 2010 and February 2011. Based on the routing policies extracted from the data of the two BGP attributes, we obtain AS relationships for 39% of the links in our data, which include all links among the Tier-1 ASes and most links between Tier-1 and Tier-2 ASes. We also reveal a number of special AS relationships, namely the hybrid relationship, the partial-transit relationship, the indirect peering relationship and backup links. These special relationships are relevant to a better understanding of Internet routing. Our work represents profound methodological progress for inferring AS relationships.
    Comment: 8 pages and 3 figures

    CommunityWatch: The Swiss-Army Knife of BGP Anomaly Detection

    We present CommunityWatch, an open-source system that enables timely and accurate detection of BGP routing anomalies. CommunityWatch leverages meta-data encoded by AS operators on their advertised routes through the BGP Communities attribute. BGP Communities values lack standardized semantics, offering the flexibility to attach a wide range of information, including AS relationships, location data, and route redistribution policies. Therefore, parsing and correlating Community values and their dynamics enables the detection and tracking of a variety of routing anomalies. We demonstrate the efficacy of CommunityWatch through the detection of three different types of anomalies: infrastructure outages, route leaks, and traffic blackholing.

    A first look at the misuse and abuse of the IPv4 Transfer Market

    The depletion of the unallocated address space, in combination with the slow pace of IPv6 deployment, has given rise to the IPv4 transfer market, namely the trading of allocated IPv4 prefixes between ASes. While RIRs have established detailed policies in an effort to regulate the IPv4 transfer market, for malicious networks such as spammers and bulletproof ASes IPv4 transfers pose an opportunity to bypass reputational penalties for abusive behaviour, since they can obtain "clean" address space or offload blacklisted address space. Additionally, IP transfers create a window of uncertainty about the legitimate ownership of prefixes, which adversaries can exploit to hijack parts of the transferred address space. In this paper, we provide the first detailed study of how transferred IPv4 prefixes are misused in the wild by synthesizing an array of longitudinal IP blacklists and lists of prefix hijacking incidents. Our findings yield evidence that transferred network blocks are used by malicious networks to address botnets and fraudulent sites at much higher rates compared to non-transferred addresses, while the timing of the attacks indicates efforts to evade filtering mechanisms.

    Performance Analysis of Multipath BGP

    Multipath BGP (M-BGP) allows a BGP router to install multiple 'equally-good' paths, via parallel inter-domain border links, to a destination prefix. M-BGP differs from other multipath routing techniques in many ways, e.g. M-BGP is only implemented at border routers of Autonomous Systems (ASes); and while it shares traffic to different IP addresses in a destination prefix via different border links, any traffic to a given destination IP always follows the same border link. Recently we studied Looking Glass data and reported the wide deployment of M-BGP in the Internet; in particular, Hurricane Electric (AS6939) has implemented over 1,000 cases of M-BGP to hundreds of its peering ASes. In this paper, we analyze the performance of M-BGP. We used RIPE Atlas to send traceroute probes to a series of destination prefixes through Hurricane Electric's border routers implemented with M-BGP. We examined the distribution of Round Trip Time to each probed IP address in a destination prefix and its variation during the measurement. We observed that the deployment of M-BGP can guarantee stable routing between ASes and enhance a network's resilience to traffic changes. Our work provides insights into the unique characteristics of M-BGP as an effective technique for load balancing.
    Comment: IEEE Global Internet (GI) Symposium 202

    Honeypots for Automatic Network-Level Industrial Control System Security

    The proposed doctoral work investigates a new approach to implementing, deploying and managing honeypots for Industrial Control Systems (ICS). Our goal is to address the unique challenges of ICS security in terms of interactivity, resource utilization, timeliness of detection and uninterrupted operation, which are much stricter compared to traditional systems and make existing approaches inefficient. Our proposal combines different levels of interactivity and coupling of the honeypots with the ICS network to satisfy the trade-off between detection accuracy and risk, and integrates the honeypot detection feeds with an SDN framework to enable autonomic reconfiguration.

    Improving the discovery of IXP peering links through passive BGP measurements

    The Internet Autonomous System (AS) topology has important implications for end-to-end routing, network economics and security. Despite the significance of AS topology research, it has not been possible to collect a complete map of the AS interconnections due to the difficulties involved in discovering peering links. The problem of topology incompleteness is amplified by the increasing popularity of Internet eXchange Points (IXPs) and the 'flattening' AS hierarchy. A recent study discovered that the number of missing peering links at a single IXP is larger than the total number of observable peering links. As a result, a large body of research focuses on measurement techniques that can alleviate the incompleteness problem. Most of these proposals require the deployment of additional BGP vantage points and traceroute monitors. In this paper we propose a new measurement methodology for improving the discovery of missing peering links through publicly available BGP data. Our approach utilizes the traffic engineering BGP Communities used by IXPs' Route Servers to implement multi-lateral peering agreements. We are able to discover 36K additional p2p links from 11 large IXPs. The discovered links are not only invisible in previous BGP-based AS topology collections, but 97% of them are also invisible to traceroute data from CAIDA's Ark and DIMES projects for June 2012. The advantages of the proposed technique are threefold. First, it provides a new source of previously invisible p2p links. Second, it does not require changes in the existing measurement infrastructure. Finally, it offers a new source of policy data regarding multilateral peering links at IXPs.

    World Wide ICS Honeypots: A Study into the Deployment of Conpot Honeypots

    Honeypots are a well-known concept used for threat intelligence and are becoming more common within ICS environments. A well-known ICS honeypot, Conpot, is popular and has been deployed on a large scale. These deployments are not always correctly configured and have odd characteristics compared to a real industrial control system. This paper explores several common Conpot signatures and deployments found through internet search engines such as Shodan. We identify that the default deployment of Conpot is not enough when deploying a honeypot. Afterwards, we explore the behaviour of a real PLC when conducting the same reconnaissance operations. To verify these red flags, we deploy three honeypots with different configurations, have them scanned by Shodan and evaluate the traffic they receive. Our experiments indicate that Shodan leverages CIP for ICS classification. We conclude that proper deployment of a low-interaction honeypot, such as Conpot, requires time and resources to entirely obfuscate the device, and even then it fools the attacker only to a limited level. However, small changes to the default configuration do increase the performance of Conpot and result in more returning traffic.

    BGP-Multipath Routing in the Internet

    BGP-Multipath (BGP-M) is a multipath routing technique for load balancing. Distinct from other techniques deployed at a router inside an Autonomous System (AS), BGP-M is deployed at a border router that has installed multiple inter-domain border links to a neighbour AS. It uses the equal-cost multi-path (ECMP) function of a border router to share traffic to a destination prefix across different border links. Despite recent research interest in multipath routing, there is little study of BGP-M. Here we provide the first measurement and a comprehensive analysis of BGP-M routing in the Internet. We extracted information on BGP-M from query data collected from Looking Glass (LG) servers. We revealed that BGP-M has already been extensively deployed and used in the Internet. A particular example is Hurricane Electric (AS6939), a Tier-1 network operator, which has implemented >1,000 cases of BGP-M at 69 of its border routers to prefixes in 611 of its neighbour ASes, including many hyper-giant ASes and large content providers, on both the IPv4 and IPv6 Internet. We examined the distribution and operation of BGP-M. We also ran traceroute using RIPE Atlas to infer the routing paths, the schemes of traffic allocation, and the delay on border links. This study provides state-of-the-art knowledge on BGP-M with novel insights into the unique features and distinct advantages of BGP-M as an effective and readily available technique for load balancing.
    Comment: 38 pages, 8 figures, 8 tables

    Identifying infected energy systems in the wild

    The 2016 Mirai outbreak established an entirely new mindset in the history of large-scale Internet attacks. A plethora of Mirai-like variants have emerged in the last two years that are capable of infiltrating any type of device. In this paper we provide a 7-month retrospective analysis of Internet-connected energy systems that are infected by Mirai-like malware variants. By utilizing network measurements from several Internet vantage points, we demonstrate that a number of energy systems on a global scale were infected during the period of our observation. While past work has studied vulnerabilities and patching practices of ICS and energy systems, little information has been available on actual exploitation of such vulnerabilities. Hence, we provide evidence that energy systems relying on ICS networks are often compromised through vulnerabilities in non-ICS devices (routers, servers and IoT devices), which provide a foothold for lateral network attacks. Our work offers a first look into energy systems compromised by malware infections, and offers insights on the lack of proper security practices for systems that are increasingly dependent on internet services and, more recently, the IoT. In addition, we show that such systems were infected for relatively long periods, thus potentially remaining undetected by their corresponding organizational units.

    Deep Video Precoding

    Several groups worldwide are currently investigating how deep learning may advance the state-of-the-art in image and video coding. An open question is how to make deep neural networks work in conjunction with existing (and upcoming) video codecs, such as MPEG H.264/AVC, H.265/HEVC, VVC, Google VP9 and AOMedia AV1, AV2, as well as existing container and transport formats, without imposing any changes at the client side. Such compatibility is a crucial aspect when it comes to practical deployment, especially considering that the video content industry and hardware manufacturers are expected to remain committed to supporting these standards for the foreseeable future. We propose to use deep neural networks as precoders for current and future video codecs and adaptive video streaming systems. In our current design, the core precoding component comprises a cascaded structure of downscaling neural networks that operates during video encoding, prior to transmission. This is coupled with a precoding mode selection algorithm for each independently-decodable stream segment, which adjusts the downscaling factor according to scene characteristics, the utilized encoder, and the desired bitrate and encoding configuration. Our framework is compatible with all current and future codec and transport standards, as our deep precoding network structure is trained in conjunction with linear upscaling filters (e.g., the bilinear filter), which are supported by all web video players. Extensive evaluation on FHD (1080p) and UHD (2160p) content with the widely-used H.264/AVC, H.265/HEVC and VP9 encoders, as well as a preliminary evaluation with the current test model of VVC (v.6.2rc1), shows that coupling such standards with the proposed deep video precoding allows for 8% to 52% rate reduction under encoding configurations and bitrates suitable for video-on-demand adaptive streaming systems. The use of precoding can also lead to encoding complexity reduction, which is essential for cost-effective cloud deployment of complex encoders like H.265/HEVC, VP9 and VVC, especially considering the prominence of high-resolution adaptive video streaming.