Endpoint-transparent Multipath Transport with Software-defined Networks
Multipath forwarding consists of using multiple paths simultaneously to
transport data over the network. While most such techniques require endpoint
modifications, we investigate how multipath forwarding can be done inside the
network, transparently to endpoint hosts. With such a network-centric approach,
packet reordering becomes a critical issue as it may cause critical performance
degradation.
We present a Software Defined Network architecture which automatically sets
up multipath forwarding, including solutions for reordering and performance
improvement, both at the sending side through multipath scheduling algorithms,
and the receiver side, by resequencing out-of-order packets in a dedicated
in-network buffer.
We implemented a prototype with commonly available technology and evaluated
it in both emulated and real networks. Our results show consistent throughput
improvements, thanks to the use of aggregated path capacity. We give
comparisons to Multipath TCP, where we show our approach can achieve a similar
performance while offering the advantage of endpoint transparency.

The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem
In this paper, we analyze the evolution of Certificate Transparency (CT) over
time and explore the implications of exposing certificate DNS names from the
perspective of security and privacy. We find that certificates in CT logs have
seen exponential growth. Website support for CT has also constantly increased,
with now 33% of established connections supporting CT. With the increasing
deployment of CT, there are also concerns of information leakage due to all
certificates being visible in CT logs. To understand this threat, we introduce
a CT honeypot and show that data from CT logs is being used to identify targets
for scanning campaigns only minutes after certificate issuance. We present and
evaluate a methodology to learn and validate new subdomains from the vast
number of domains extracted from CT logged certificates.
Comment: To be published at ACM IMC 201

Packed to the Brim: Investigating the Impact of Highly Responsive Prefixes on Internet-wide Measurement Campaigns
Internet-wide scans are an important tool to evaluate the deployment of
services. To enable large-scale application layer scans, a fast, stateless port
scan (e.g., using ZMap) is often performed ahead of time to collect responsive
targets. It is a common expectation that port scans on the entire IPv4 address
space provide a relatively unbiased view as they cover the complete address
space. Previous work, however, has found prefixes where all addresses share
particular properties. In IPv6, aliased prefixes and fully responsive prefixes,
i.e., prefixes where all addresses are responsive, are a well-known phenomenon.
However, there is no such in-depth analysis for prefixes with these
responsiveness patterns in IPv4. This paper delves into the underlying factors
of this phenomenon in the context of IPv4 and evaluates port scans on a total
of 161 ports (142 TCP & 19 UDP ports) from three different vantage points. To
account for packet loss and other scanning artifacts, we propose the notion of
a new category of prefixes, which we call highly responsive prefixes (HRPs).
Our findings show that the share of HRPs can make up 70% of responsive
addresses on selected ports. Regarding specific ports, we observe that CDNs
contribute to the largest fraction of HRPs on TCP/80 and TCP/443, while TCP
proxies emerge as the primary cause of HRPs on other ports. Our analysis also
reveals that application layer handshakes to targets outside HRPs are,
depending on the chosen service, up to three times more likely to be successful
compared to handshakes with targets located in HRPs. To improve future scanning
campaigns conducted by the research community, we make our study's data
publicly available and provide a tool for detecting HRPs. Furthermore, we
propose an approach for a more efficient, ethical, and sustainable application
layer target selection.

A Retrospective Analysis of User Exposure to (Illicit) Cryptocurrency Mining on the Web
In late 2017, a sudden proliferation of malicious JavaScript was reported on
the Web: browser-based mining exploited the CPU time of website visitors to
mine the cryptocurrency Monero. Several studies measured the deployment of such
code and developed defenses. However, previous work did not establish how many
users were really exposed to the identified mining sites and whether there was
a real risk given common user browsing behavior. In this paper, we present a
retroactive analysis to close this research gap. We pool large-scale,
longitudinal data from several vantage points, gathered during the prime time
of illicit cryptomining, to measure the impact on web users. We leverage data
from passive traffic monitoring of university networks and a large European
ISP, with suspected mining sites identified in previous active scans. We
corroborate our results with data from a browser extension with a large user
base that tracks site visits. We also monitor open HTTP proxies and the Tor
network for malicious injection of code. We find that the risk for most Web
users was always very low, much lower than what deployment scans suggested. Any
exposure period was also very brief. However, we also identify a previously
unknown and exploited attack vector on mobile devices.