Endpoint-transparent Multipath Transport with Software-defined Networks
Multipath forwarding consists of using multiple paths simultaneously to
transport data over the network. While most such techniques require endpoint
modifications, we investigate how multipath forwarding can be done inside the
network, transparently to endpoint hosts. With such a network-centric approach,
packet reordering becomes a critical issue, since it can cause severe performance
degradation.
We present a Software Defined Network architecture which automatically sets
up multipath forwarding, including solutions for reordering and performance
improvement, both at the sending side through multipath scheduling algorithms,
and the receiver side, by resequencing out-of-order packets in a dedicated
in-network buffer.
We implemented a prototype with commonly available technology and evaluated
it in both emulated and real networks. Our results show consistent throughput
improvements, thanks to the use of aggregated path capacity. We compare against
Multipath TCP and show that our approach achieves similar performance while
offering the advantage of endpoint transparency.
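The two mechanisms named above, a sender-side multipath scheduler and a receiver-side resequencing buffer, can be exercised end to end in a few dozen lines. The following is an added example written for this page, not the authors' prototype: it assumes a capacity-proportional (deficit-style weighted round-robin) scheduler, packets sent one per tick, fixed one-way latency per path, and a resequencer that gives up on a missing sequence number once more than `max_hold` packets are queued behind it. All of those are assumptions of the example; the paper's actual scheduling and loss-handling policies are not reproduced here.

```python
import heapq


class ResequencingBuffer:
    """Receiver-side (in-network) resequencer: holds packets that arrive out of
    order and releases them strictly in sequence. To bound head-of-line blocking,
    the policy assumed here declares the missing sequence number lost once more
    than `max_hold` packets are waiting behind it, and skips past the gap."""

    def __init__(self, next_expected=0, max_hold=8):
        self.next_expected = next_expected
        self.max_hold = max_hold
        self.heap = []            # min-heap of (seq, payload)
        self.gaps_skipped = 0
        self.max_occupancy = 0    # largest number of packets buffered at once

    def push(self, seq, payload):
        """Accept one packet; return the list of (seq, payload) released in order."""
        if seq < self.next_expected:
            return []             # duplicate, or behind a gap we already gave up on
        heapq.heappush(self.heap, (seq, payload))
        self.max_occupancy = max(self.max_occupancy, len(self.heap))
        released = []
        while self.heap:
            head_seq, head_payload = self.heap[0]
            if head_seq == self.next_expected:
                heapq.heappop(self.heap)
                released.append((head_seq, head_payload))
                self.next_expected = head_seq + 1
            elif len(self.heap) > self.max_hold:
                self.gaps_skipped += 1          # give up waiting for the gap
                self.next_expected = head_seq
            else:
                break
        return released


def schedule_weighted(n_packets, path_rates):
    """Sender-side scheduler: assign each packet to a path in proportion to path
    capacity (deficit-style weighted round-robin, one of many possible policies)."""
    total = float(sum(path_rates))
    credit = [0.0] * len(path_rates)
    assignment = []
    for _ in range(n_packets):
        for i, rate in enumerate(path_rates):
            credit[i] += rate / total
        best = max(range(len(path_rates)), key=lambda i: credit[i])
        credit[best] -= 1.0
        assignment.append(best)
    return assignment


def simulate_multipath(n_packets, path_rates, path_latency, max_hold=8):
    """Send n_packets one per tick over paths with different one-way latency and
    resequence them at the receiver. Returns arrival order, delivery order and
    buffer statistics (constructed simulation, not a measurement)."""
    assignment = schedule_weighted(n_packets, path_rates)
    arrivals = sorted(
        ((seq + path_latency[path], seq) for seq, path in enumerate(assignment))
    )  # (arrival_time, seq); ties broken by sequence number
    buf = ResequencingBuffer(max_hold=max_hold)
    arrival_order, delivered = [], []
    for _, seq in arrivals:
        arrival_order.append(seq)
        delivered.extend(s for s, _ in buf.push(seq, b"payload-%d" % seq))
    return {
        "assignment": assignment,
        "arrival_order": arrival_order,
        "delivered": delivered,
        "max_occupancy": buf.max_occupancy,
        "gaps_skipped": buf.gaps_skipped,
    }


if __name__ == "__main__":
    # Two paths, one three times the capacity of the other but with 1 vs 5 ticks latency.
    print(simulate_multipath(8, [3, 1], [1, 5]))
```

With a 3:1 capacity split and a slow second path, packets 2 and 6 arrive late, so without the resequencer the host would see the order 0,1,3,4,5,2,7,6; with it, delivery is in order at the cost of holding up to four packets. The `max_hold` cut-off is the part worth tuning in practice: too small and a single lost packet looks like reordering, too large and a lost packet stalls the flow for the whole window.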
Quantifying Security Risks in Cloud Infrastructures: A Data-driven Approach
Businesses increasingly outsource their ICT services to cloud environments, mostly driven by considerations about costs, processes and security. However, concerns about the exposure of the cloud to cyber-security attacks are also growing. This raises the question of whether the cloud really makes us more secure, or whether it merely changes the type of threats we are exposed to. This PhD project aims to address this question by focusing on cloud infrastructure security. Using Internet measurements, we will take a data-driven approach to identify vulnerabilities and single points of failure in cloud infrastructure. Based on our analysis, we will propose solutions to mitigate these vulnerabilities and enhance the overall security of cloud environments.
The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem
In this paper, we analyze the evolution of Certificate Transparency (CT) over
time and explore the implications of exposing certificate DNS names from the
perspective of security and privacy. We find that certificates in CT logs have
seen exponential growth. Website support for CT has also constantly increased,
with now 33% of established connections supporting CT. With the increasing
deployment of CT, there are also concerns of information leakage due to all
certificates being visible in CT logs. To understand this threat, we introduce
a CT honeypot and show that data from CT logs is being used to identify targets
for scanning campaigns only minutes after certificate issuance. We present and
evaluate a methodology to learn and validate new subdomains from the vast
number of domains extracted from CT logged certificates. Comment: To be published at ACM IMC 201
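The leakage the abstract describes is easy to demonstrate: every DNS name placed in a publicly trusted certificate is readable from the CT logs, and recurring host-name prefixes learned across many domains can be used to guess, and then validate, names that were never logged. The following is an added example written for this page, not the authors' methodology or code. It assumes a two-label apex (no public suffix list handling), learns prefixes by how many distinct apexes they recur under, and takes the validation step as an injected `resolve` callback so it runs offline; the `CT_NAMES` list and `FAKE_ZONE` set are constructed sample data using reserved TLDs.

```python
from collections import defaultdict


def split_name(name):
    """Split a DNS name taken from a certificate SAN into (prefix_labels, apex).
    Assumes a two-label apex such as example.com; a real pipeline would use the
    public suffix list so that e.g. co.uk is not treated as an apex."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]   # a wildcard cert reveals the apex but no concrete host
    labels = name.split(".")
    if len(labels) < 2 or "" in labels:
        return None
    return labels[:-2], ".".join(labels[-2:])


def learn_prefixes(ct_names, min_support=2):
    """Learn host-name prefixes (e.g. 'www', 'dev.api') that recur under at least
    `min_support` distinct apexes in the logged certificates."""
    apexes_per_prefix = defaultdict(set)
    for raw in ct_names:
        parsed = split_name(raw)
        if parsed is None or not parsed[0]:
            continue
        prefix, apex = parsed
        apexes_per_prefix[".".join(prefix)].add(apex)
    return {p: len(a) for p, a in apexes_per_prefix.items() if len(a) >= min_support}


def propose_candidates(ct_names, learned):
    """For every apex seen in CT, propose prefix.apex combinations that have not
    themselves appeared in a logged certificate, most common prefixes first."""
    known, apexes = set(), set()
    for raw in ct_names:
        parsed = split_name(raw)
        if parsed is None:
            continue
        prefix, apex = parsed
        apexes.add(apex)
        known.add((".".join(prefix), apex))
    ranked = sorted(learned, key=lambda p: (-learned[p], p))
    return [f"{p}.{apex}" for apex in sorted(apexes) for p in ranked if (p, apex) not in known]


def validate(candidates, resolve):
    """Keep candidates for which resolve(name) is true. `resolve` is injected so
    the example runs offline; in a real campaign it would be a DNS query."""
    return [c for c in candidates if resolve(c)]


# Constructed sample: names as they might be extracted from CT-logged certificates
# (reserved TLDs .example/.test/.invalid; nothing here refers to real hosts).
CT_NAMES = [
    "www.alpha.example", "mail.alpha.example", "dev.alpha.example", "*.alpha.example",
    "www.beta.test", "mail.beta.test", "vpn.beta.test",
    "www.gamma.invalid", "dev.gamma.invalid",
    "delta.example", "vpn.delta.example",
]

# Constructed stand-in for DNS: the only candidate names that "exist".
FAKE_ZONE = {"dev.beta.test", "www.delta.example", "mail.gamma.invalid"}


def run_example():
    learned = learn_prefixes(CT_NAMES)
    candidates = propose_candidates(CT_NAMES, learned)
    confirmed = validate(candidates, lambda n: n in FAKE_ZONE)
    return learned, candidates, confirmed


if __name__ == "__main__":
    learned, candidates, confirmed = run_example()
    print("learned prefixes:", learned)
    print("candidates:", candidates)
    print("confirmed:", confirmed)
```

The defensive reading is the inverse: a certificate request is a publication. Hosts that must stay unlisted belong under a wildcard or a private CA rather than in the SAN list of a publicly trusted certificate, and a CT honeypot of the kind the abstract describes (a fresh, otherwise unannounced name, then watching who connects) is a cheap way to measure how quickly that publication is acted on.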
Packed to the Brim: Investigating the Impact of Highly Responsive Prefixes on Internet-wide Measurement Campaigns
Internet-wide scans are an important tool to evaluate the deployment of
services. To enable large-scale application layer scans, a fast, stateless port
scan (e.g., using ZMap) is often performed ahead of time to collect responsive
targets. It is a common expectation that port scans on the entire IPv4 address
space provide a relatively unbiased view as they cover the complete address
space. Previous work, however, has found prefixes where all addresses share
particular properties. In IPv6, aliased prefixes and fully responsive prefixes,
i.e., prefixes where all addresses are responsive, are a well-known phenomenon.
However, there is no such in-depth analysis for prefixes with these
responsiveness patterns in IPv4. This paper delves into the underlying factors
of this phenomenon in the context of IPv4 and evaluates port scans on a total
of 161 ports (142 TCP & 19 UDP ports) from three different vantage points. To
account for packet loss and other scanning artifacts, we propose the notion of
a new category of prefixes, which we call highly responsive prefixes (HRPs).
Our findings show that the share of HRPs can make up 70 % of responsive
addresses on selected ports. Regarding specific ports, we observe that CDNs
contribute to the largest fraction of HRPs on TCP/80 and TCP/443, while TCP
proxies emerge as the primary cause of HRPs on other ports. Our analysis also
reveals that application layer handshakes to targets outside HRPs are,
depending on the chosen service, up to three times more likely to be successful
compared to handshakes with targets located in HRPs. To improve future scanning
campaigns conducted by the research community, we make our study's data
publicly available and provide a tool for detecting HRPs. Furthermore, we
propose an approach for a more efficient, ethical, and sustainable application
layer target selection.
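The HRP idea and the target-selection strategy built on it can be reproduced on a stateless-scan result. The following is an added example written for this page, not the authors' tool or data: it groups responsive addresses by /24, flags prefixes whose responsive fraction reaches a threshold of 0.9 (an assumed value chosen to tolerate some packet loss; the paper's exact criterion is not reproduced), computes the share of responsive addresses inside HRPs, and thins the application-layer target list to one representative per HRP. The scan result is constructed from the IPv4 documentation ranges and describes no real network.

```python
import ipaddress
from collections import defaultdict


def constructed_scan():
    """Constructed stateless-scan result (responsive IPv4 addresses on one port),
    using the documentation ranges so no real network is described:
      203.0.113.0/24  every address answered (e.g. a CDN front)
      198.51.100.0/24 answered except every 16th address (packet loss)
      192.0.2.0/24    only a dozen ordinary hosts answered."""
    hosts = [f"203.0.113.{x}" for x in range(256)]
    hosts += [f"198.51.100.{x}" for x in range(256) if x % 16 != 0]
    hosts += [f"192.0.2.{x}" for x in range(0, 256, 22)]
    return hosts


def group_by_prefix(responsive, prefix_len=24):
    """Map each covering prefix to the list of responsive addresses inside it."""
    groups = defaultdict(list)
    for ip in responsive:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[net].append(ip)
    return groups


def find_hrps(responsive, prefix_len=24, threshold=0.9):
    """Return {prefix: responsive_fraction} for prefixes at or above `threshold`.
    A threshold below 1.0 is what distinguishes 'highly' from 'fully' responsive:
    it tolerates packet loss. The value 0.9 is an assumption of this example."""
    size = 2 ** (32 - prefix_len)
    return {net: len(ips) / size
            for net, ips in group_by_prefix(responsive, prefix_len).items()
            if len(ips) / size >= threshold}


def hrp_share(responsive, hrps, prefix_len=24):
    """Fraction of all responsive addresses that sit inside HRPs."""
    groups = group_by_prefix(responsive, prefix_len)
    inside = sum(len(groups[net]) for net in hrps)
    return inside / len(responsive) if responsive else 0.0


def select_targets(responsive, hrps, prefix_len=24, per_hrp=1):
    """Application-layer target selection: probe every address outside HRPs but
    only `per_hrp` representatives inside each HRP, since those addresses tend
    to answer alike and extra probes mostly add load on a single operator."""
    groups = group_by_prefix(responsive, prefix_len)
    targets = []
    for net, ips in groups.items():
        targets.extend(ips[:per_hrp] if net in hrps else ips)
    return targets


if __name__ == "__main__":
    scan = constructed_scan()
    hrps = find_hrps(scan)
    print("HRPs:", {str(n): round(f, 3) for n, f in hrps.items()})
    print("share of responsive addresses in HRPs:", round(hrp_share(scan, hrps), 3))
    print("targets after thinning:", len(select_targets(scan, hrps)), "of", len(scan))
```

On the constructed input, 496 of 508 responsive addresses sit in two HRPs, so a naive application-layer scan would spend almost all of its handshakes on two operators; thinning to one representative per HRP cuts the target list to 14 while keeping every address outside them. A strict threshold of 1.0 would miss the lossy prefix entirely, which is the artifact the relaxed definition is meant to absorb.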