X-Check

Detection of Security Incidents at IXPs

Description

The majority of today’s information and communications systems communicate with each other via the Internet. Hence, two attack vectors exist:

  • making use of the Internet to spread attacks
  • preventing communication by disrupting the Internet infrastructure

Threats on the network and application layer are omnipresent. For example, misconfigurations of backbone routers allow the redirection of data (prefix hijacking), and well-established application protocols are susceptible to misuse by overloading the network (amplification attacks). To detect such incidents, it is necessary to select appropriate monitoring points, to evaluate high volumes of data efficiently, and to deploy protective protocols and system components.

X-Check aims to detect and prevent security incidents reliably by operating across multiple ISPs. State-of-the-art detection of network incidents is based on active and passive measurements that retrieve data from closed, cooperating or open, decoupled probes. So far, the potential for large-scale anomaly detection at IXPs has been neglected. IXPs are transit points for public network data and crucial components of the Internet infrastructure. They provide a holistic view beyond individual ISP boundaries and additionally offer an interface to the ISPs through their route servers. However, IXPs face two major challenges:

  • They must not compete with their members by deploying extra services.
  • They experience attacks similar to those on ISPs, but act as a critical multiplier.

X-Check will not only design an observation method and assess the threat potential for IXPs, but also provide added value through techniques and tools that individual IXP members cannot implement on their own.

Partners

  • BCIX
  • DE-CIX
  • Freie Universität Berlin
  • HAW Hamburg
  • DFN-CERT Services GmbH

Related publications

2018-11-01 Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczynski, Stephen D. Strowes, Luuk Hendriks, Georg Carle, “Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists,” in Proceedings of the 2018 Internet Measurement Conference, New York, NY, USA, Nov. 2018.
2018-11-01 Quirin Scheitle, Oliver Gasser, Theodor Nolte, Johanna Amann, Lexi Brent, Georg Carle, Ralph Holz, Thomas C. Schmidt, Matthias Wählisch, “The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem,” in Internet Measurement Conference (2018), Boston, USA, Nov. 2018, pp. 343–349.
2018-11-01 Quirin Scheitle, Oliver Hohlfeld, Julien Gamba, Jonas Jelten, Torsten Zimmermann, Stephen D. Strowes, Narseo Vallina-Rodriguez, “A Long Way to the Top: Significance, Structure, and Stability of Internet Top Lists,” in Internet Measurement Conference (IMC’18), IMC’18 Community Contribution Award, Boston, USA, Nov. 2018, pp. 478–493.
2018-10-01 Paul Emmerich, Maximilian Pudelko, Quirin Scheitle, Georg Carle, “Efficient Dynamic Flow Tracking for Packet Analyzers,” in CloudNet, Tokyo, Japan, Oct. 2018.
2018-04-01 Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland van Rijswijk-Deij, Oliver Hohlfeld, Ralph Holz, Dave Choffnes, Alan Mislove, Georg Carle, “A First Look at Certification Authority Authorization (CAA),” ACM SIGCOMM Computer Communications Review (CCR), Apr. 2018.
2018-03-01 Tobias Brunnwieser, Oliver Gasser, Sree Harsha Totakura, Georg Carle, “Live Detection and Analysis of HTTPS Interceptions,” in Passive and Active Measurement Conference (PAM), Poster, Berlin, Germany, Mar. 2018.
2018-03-01 Quirin Scheitle, Jonas Jelten, Oliver Hohlfeld, Luca Ciprian, Georg Carle, “Structure and Stability of Internet Top Lists,” in PAM’18 Poster, Berlin, Mar. 2018.
2018-03-01 Oliver Gasser, Benjamin Hof, Max Helm, Maciej Korczynski, Ralph Holz, Georg Carle, “In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements,” in Proceedings of the Passive and Active Measurement Conference (PAM 2018), Best Paper Award, Berlin, Germany, Mar. 2018.
2017-11-01 Johanna Amann*, Oliver Gasser*, Quirin Scheitle*, Lexi Brent, Georg Carle, Ralph Holz, “Mission Accomplished? HTTPS Security after DigiNotar,” in Proceedings of the Internet Measurement Conference (IMC 2017), IMC’17 Community Contribution Award, IRTF Applied Networking Research Prize (ANRP) 2018, London, UK, Nov. 2017.
2017-11-01 Patricia Callejo, Connor Kelton, Narseo Vallina-Rodriguez, Rubén Cuevas, Oliver Gasser, Christian Kreibich, Florian Wohlfart, Ángel Cuevas, “Opportunities and Challenges of Ad-based Measurements from the Edge of the Network,” in Proc. of the 16th ACM Workshop on Hot Topics in Networks, Nov. 2017.
2017-10-01 Oliver Gasser, Quirin Scheitle, Benedikt Rudolph, Carl Denis, Nadja Schricker, Georg Carle, “The Amplification Threat Posed by Publicly Reachable BACnet Devices,” Journal of Cyber Security and Mobility, Oct. 2017.
2017-08-01 Quirin Scheitle, Matthias Wählisch, Oliver Gasser, Thomas C. Schmidt, Georg Carle, “Towards an Ecosystem for Reproducible Research in Computer Networking,” in ACM SIGCOMM Reproducibility Workshop, Los Angeles, USA, Aug. 2017.
2017-06-01 Matthias Wachs, Quirin Scheitle, Georg Carle, “Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication,” in Network Traffic Measurement and Analysis Conference (TMA), Best Paper Award TMA’17, IEEE ComSoc ITC Best Paper Award 2017, Jun. 2017.
2017-06-01 Quirin Scheitle, Oliver Gasser, Patrick Sattler, Georg Carle, “HLOC: Hints-Based Geolocation Leveraging Multiple Measurement Frameworks,” in Network Traffic Measurement and Analysis Conference (TMA), Best Dataset Award, Dublin, Ireland, Jun. 2017.
2017-06-01 Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Georg Carle, “Large-Scale Classification of IPv6-IPv4 Siblings with Variable Clock Skew,” in Network Traffic Measurement and Analysis Conference (TMA), Jun. 2017.
2017-06-01 Paul Emmerich, Maximilian Pudelko, Sebastian Gallenmüller, Georg Carle, “FlowScope: Efficient Packet Capture and Storage in 100 Gbit/s Networks,” in IFIP Networking 2017, Stockholm, Sweden, Jun. 2017.
2017-05-01 Oliver Gasser, Quirin Scheitle, Carl Denis, Nadja Schricker, Georg Carle, “Security Implications of Publicly Reachable Building Automation Systems,” in Proc. 2nd Int. Workshop on Traffic Measurements for Cybersecurity, San Jose, CA, USA, May 2017.
2017-02-01 Oliver Gasser, Quirin Scheitle, Carl Denis, Nadja Schricker, Georg Carle, “Öffentlich erreichbare Gebäudeautomatisierung: Amplification-Anfälligkeit von BACnet und Deployment-Analyse im Internet und DFN,” in 24. DFN-Konferenz Sicherheit in vernetzten Systemen, Hamburg, Germany, Feb. 2017.

Finished student theses

| Author | Title | Type | Advisors | Year | Links |
|---|---|---|---|---|---|
| Johannes Schleger | Detection and Characterization of TLS Interception in Access Networks | MA | Jonas Jelten, Florian Wohlfart, Quirin Scheitle | 2018 | |
| Glenn Skjong | Internet Toplists: Creating an Alternative Internet Top List Service | MA | Quirin Scheitle, Jonas Jelten | 2018 | |
| Ralf Baun | Performance and Security Analysis of Alternative DNS Transports | BA | Quirin Scheitle, Johannes Naab | 2018 | Pdf |
| Felix Beil | Long Term Analysis of HTTP Strict Transport Security | BA | Quirin Scheitle, Oliver Gasser | 2018 | |
| Johannes Zirngibl | Creating IPv6 Hitlists through Rigorous and Deterministic rDNS Walking | IDP | Johannes Naab, Quirin Scheitle | 2018 | |
| Alexander Schulz | Identification of IPv6-IPv4 Sibling Pairs from Passive Observations | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi | 2017 | Pdf |
| Markus Sosnowski | Internet-Wide Assessment of TCP Options | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Paul Emmerich, Dominik Scholz | 2017 | Pdf |
| Samy el Deib | Detecting IPv6-IPv4 Sibling Pairs Based on few Data Points | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi | 2017 | Pdf |
| Katharina Wiegräbe | Identifying Web-enabled Devices on Internet Paths | BA | Minoo Rouhi, Dominik Scholz, Quirin Scheitle | 2017 | Pdf |
| Florens Werner | Finding Active IPv6 Addresses | BA | Quirin Scheitle, Oliver Gasser, Johannes Naab | 2017 | Pdf |
| Maximilian Pudelko | Payload Extraction for Flows with Anomalous TTL Behaviour | IDP | Quirin Scheitle, Paul Emmerich | 2017 | Pdf |
| Thomas Bachmaier | Scanning for TCP SYN Proxy Implementations | BA | Dominik Scholz, Paul Emmerich, Quirin Scheitle, Minoo Rouhi | 2017 | Pdf |
| Paulin Tchonin | TTL Analysis for DDoS Defense | MA | Quirin Scheitle, Oliver Gasser, Paul Emmerich | 2016 | |
| Patrick Sattler | Parsing geographical locations from DNS names | GR | Quirin Scheitle, Oliver Gasser | 2016 | |
| Patrick Sattler | Parsing geographical locations from DNS names | IDP | Quirin Scheitle, Oliver Gasser | 2016 | |
| Maximilian Pudelko | Comparison of Queuing Data Structures for Traffic Analysers | BA | Paul Emmerich, Sebastian Gallenmüller | 2016 | Pdf |
| Minoo Rouhi Vejdani | Comparing IPv4 and IPv6 hosts and paths in the Internet | MA | Quirin Scheitle, Oliver Gasser, Paul Emmerich | 2015 | Pdf |

Open and running student theses

| Author | Title | Type | Advisors | Year | Links |
|---|---|---|---|---|---|
| Patrick Sattler | Large-Scale DNS Analysis | MA | Johannes Naab, Quirin Scheitle | 2018 | |
| Johannes Zirngibl | Extensive Analysis of IPv6 Address Assignment and its rDNS Special Domain ip6.arpa. | MA | Johannes Naab, Quirin Scheitle | 2018 | |