X-Check

Detection of Security Incidents at IXPs

Description

The majority of today’s information and communications systems communicate with each other via the Internet. Hence, two attack vectors exist:

  • making use of the Internet to spread attacks
  • preventing communication by disrupting the Internet infrastructure

Threats on the network and application layers are omnipresent. For example, misconfigurations of backbone routers allow the redirection of data (prefix hijacking), and well-established application protocols can be misused to overload the network (amplification attacks). Detecting such incidents requires selecting appropriate monitoring points, evaluating high volumes of data efficiently, and deploying protective protocols and system components.

X-Check aims to detect and prevent security incidents reliably by operating across multiple ISPs. State-of-the-art detection of network incidents is based on active and passive measurements that retrieve data either from closed, cooperating probes or from open, decoupled probes. So far, the potential of IXPs for large-scale anomaly detection has been neglected. IXPs are transit points for public network data and crucial components of the Internet infrastructure. They provide a holistic view beyond individual ISP boundaries and additionally offer an interface to the ISPs through their route servers. However, IXPs face two major challenges:

  • They must not compete with their members by deploying extra services.
  • They experience attacks similar to those on ISPs, but act as a critical multiplier.

X-Check will not only design an observation method and assess the threat potential for IXPs, but also provide added value through techniques and tools that individual members cannot implement on their own.

Partners

  • BCIX
  • DE-CIX
  • Freie Universität Berlin
  • HAW Hamburg
  • DFN-CERT Services GmbH

Finished student theses

Author               | Title                                                     | Type | Advisors                                        | Links
---------------------|-----------------------------------------------------------|------|-------------------------------------------------|------
Maximilian Pudelko   | Comparison of Queuing Data Structures for Traffic Analysers | BA | Paul Emmerich, Sebastian Gallenmüller           | PDF
Patrick Sattler      | Parsing geographical locations from DNS names             | GR   | Quirin Scheitle, Oliver Gasser                  |
Paulin Tchonin       | TTL Analysis for DDoS Defense                             | MA   | Quirin Scheitle, Oliver Gasser, Paul Emmerich   |
Minoo Rouhi Vejdani  | Comparing IPv4 and IPv6 hosts and paths in the Internet   | MA   | Quirin Scheitle, Oliver Gasser, Paul Emmerich   | PDF

Open and running student theses

Author               | Title                                                               | Type | Advisors                                                                        | Links
---------------------|---------------------------------------------------------------------|------|---------------------------------------------------------------------------------|------
Maximilian Pudelko   | Payload Extraction for Flows with Anomalous TTL Behaviour           | IDP  | Quirin Scheitle, Oliver Gasser, Paul Emmerich                                   | PDF
Florens Werner       | Finding Active IPv6 Addresses                                       | BA   | Quirin Scheitle, Oliver Gasser                                                  | PDF
Markus Sosnowski     | Internet-Wide Assessment of TCP Options                             | BA   | Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Paul Emmerich, Dominik Scholz      | PDF
Thomas Bachmaier     | Scanning for TCP SYN Proxy Implementations                          | BA   | Dominik Scholz, Paul Emmerich, Quirin Scheitle, Minoo Rouhi                     | PDF
Katharina Wiegräbe   | Identifying Web-enabled Devices on Internet Paths                   | BA   | Minoo Rouhi, Dominik Scholz, Quirin Scheitle                                    | PDF
Samy Deib            | Detecting IPv6-IPv4 Sibling Pairs Based on few Data Points          | BA   | Quirin Scheitle, Oliver Gasser, Minoo Rouhi                                     | PDF
Alexander Schulz     | Identification of IPv6-IPv4 Sibling Pairs from Passive Observations | BA   | Quirin Scheitle, Oliver Gasser, Minoo Rouhi                                     |
Patrick Sattler      | Parsing geographical locations from DNS names                       | IDP  | Quirin Scheitle, Oliver Gasser                                                  |
Open                 | Comparing IPv4 and IPv6 Paths in the Internet                       | MA   | Quirin Scheitle, Oliver Gasser, Minoo Rouhi Vejdani                             | PDF