Detection of Security Incidents at IXPs
Scientists: Oliver Gasser, M.Sc. (contact person), Dipl.-Ing. Univ. Quirin Scheitle, Johannes Naab, M.Sc., Minoo Rouhi, M.Sc., Prof. Dr.-Ing. Georg Carle
Duration: 01.05.2016 – 30.04.2019
Funding: BMBF (Federal Ministry for Education and Research)
The majority of today’s information and communications systems communicate with each other via the Internet. Hence, two attack vectors exist:
- making use of the Internet to spread attacks
- preventing communication by disrupting the Internet infrastructure
Threats on the network and application layer are omnipresent. For example, misconfigurations of backbone routers allow the redirection of data (prefix hijacking), and well-established application protocols can be misused to overload the network (amplification attacks). Detecting such incidents requires selecting the appropriate monitoring points, evaluating high volumes of data efficiently, and deploying protective protocols and system components.
X-Check aims to detect and prevent security incidents reliably by operating across multiple ISPs. State-of-the-art detection of network incidents is based on active and passive measurements that retrieve data from closed, cooperating probes or from open, decoupled probes. So far, the potential for large-scale anomaly detection at IXPs has been neglected. IXPs are transit points for public network data and crucial components of the Internet infrastructure. They provide a holistic view beyond individual ISP boundaries and additionally offer an interface to the ISPs via their route servers. However, IXPs face two major challenges:
- They must not compete with their members by deploying extra services.
- They experience attacks similar to those on ISPs, but act as a critical multiplier.
X-Check will not only design an observation method and assess the threat potential for IXPs, but also provide added value through techniques and tools that cannot be implemented by their individual members.
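As an added illustration of the detection problem described above (this is example code written for this page, not X-Check's own tooling), the following Python snippet checks route announcements of the kind a route server sees against an expected-origin baseline, and separately flags server/client pairs whose traffic shows an amplification-style byte ratio. The baseline, the announcements and the flow summaries are all constructed sample data; the AS numbers and addresses are from the documentation ranges, and the thresholds are assumptions.

```python
"""Constructed example: classify route announcements against an expected-origin
baseline and flag amplification-style traffic. All data here is made up."""
import ipaddress
from collections import defaultdict

# Assumption: baseline of prefix -> AS expected to originate it
# (in practice derived from RPKI ROAs or historical observations).
BASELINE = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "2001:db8::/32": 64498,
}

# Constructed route-server observations: (prefix, origin AS, announcing peer AS)
OBSERVATIONS = [
    ("192.0.2.0/24", 64496, 64510),       # matches baseline
    ("192.0.2.0/24", 64499, 64511),       # same prefix, unexpected origin
    ("198.51.100.0/25", 64499, 64511),    # more specific, unexpected origin
    ("198.51.100.128/25", 64497, 64510),  # more specific, same origin (deaggregation)
    ("203.0.113.0/24", 64500, 64512),     # prefix not in baseline
]

# Constructed flow summaries: (server, client, bytes to server, bytes from server)
FLOWS = [
    ("203.0.113.10", "192.0.2.55", 64, 3200),
    ("203.0.113.10", "192.0.2.55", 64, 3300),
    ("203.0.113.11", "198.51.100.7", 500, 900),
]


def covering_prefix(prefix, baseline):
    """Return the longest baseline prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for candidate in baseline:
        cnet = ipaddress.ip_network(candidate)
        if cnet.version != net.version or not net.subnet_of(cnet):
            continue
        if best is None or cnet.prefixlen > ipaddress.ip_network(best).prefixlen:
            best = candidate
    return best


def classify_announcement(prefix, origin_as, baseline=BASELINE):
    """Classify one announcement relative to the baseline."""
    cover = covering_prefix(prefix, baseline)
    if cover is None:
        return "unknown"
    expected = baseline[cover]
    if ipaddress.ip_network(prefix) == ipaddress.ip_network(cover):
        return "ok" if origin_as == expected else "origin-mismatch"
    return "deaggregation" if origin_as == expected else "subprefix-mismatch"


def suspicious_announcements(observations, baseline=BASELINE):
    """Return announcements whose origin disagrees with the baseline."""
    flagged = []
    for prefix, origin_as, peer_as in observations:
        verdict = classify_announcement(prefix, origin_as, baseline)
        if verdict in ("origin-mismatch", "subprefix-mismatch"):
            flagged.append((prefix, origin_as, peer_as, verdict))
    return flagged


def flag_amplifiers(flows, min_factor=10.0, min_bytes=5000):
    """Return (server, client) pairs whose aggregated response/request byte
    ratio exceeds `min_factor` once at least `min_bytes` have been sent.
    Both thresholds are assumptions chosen for the constructed data."""
    totals = defaultdict(lambda: [0, 0])
    for server, client, bytes_in, bytes_out in flows:
        totals[(server, client)][0] += bytes_in
        totals[(server, client)][1] += bytes_out
    flagged = []
    for pair, (bytes_in, bytes_out) in totals.items():
        factor = bytes_out / bytes_in if bytes_in else float("inf")
        if bytes_out >= min_bytes and factor >= min_factor:
            flagged.append(pair)
    return flagged


if __name__ == "__main__":
    for entry in suspicious_announcements(OBSERVATIONS):
        print("route:", entry)
    for pair in flag_amplifiers(FLOWS):
        print("amplification:", pair)
```

Deaggregation by the expected origin is deliberately not flagged, since operators legitimately announce more specifics of their own space; a sub-prefix from a different origin is the case that warrants investigation.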
Project partners
- Freie Universität Berlin
- HAW Hamburg
- DFN-CERT Services GmbH
Finished student theses
| Student | Thesis title | Type | Advisors |
|---|---|---|---|
| Maximilian Pudelko | Comparison of Queuing Data Structures for Traffic Analysers | BA | Paul Emmerich, Sebastian Gallenmüller |
| Patrick Sattler | Parsing geographical locations from DNS names | GR | Quirin Scheitle, Oliver Gasser |
| Paulin Tchonin | TTL Analysis for DDoS Defense | MA | Quirin Scheitle, Oliver Gasser, Paul Emmerich |
| Minoo Rouhi Vejdani | Comparing IPv4 and IPv6 hosts and paths in the Internet | MA | Quirin Scheitle, Oliver Gasser, Paul Emmerich |
Open and running student theses
| Student | Thesis title | Type | Advisors |
|---|---|---|---|
| Maximilian Pudelko | Payload Extraction for Flows with Anomalous TTL Behaviour | IDP | Quirin Scheitle, Oliver Gasser, Paul Emmerich |
| Florens Werner | Finding Active IPv6 Addresses | BA | Quirin Scheitle, Oliver Gasser |
| Markus Sosnowski | Internet-Wide Assessment of TCP Options | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Paul Emmerich, Dominik Scholz |
| Thomas Bachmaier | Scanning for TCP SYN Proxy Implementations | BA | Dominik Scholz, Paul Emmerich, Quirin Scheitle, Minoo Rouhi |
| Katharina Wiegräbe | Identifying Web-enabled Devices on Internet Paths | BA | Minoo Rouhi, Dominik Scholz, Quirin Scheitle |
| Samy Deib | Detecting IPv6-IPv4 Sibling Pairs Based on few Data Points | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi |
| Alexander Schulz | Identification of IPv6-IPv4 Sibling Pairs from Passive Observations | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi |
| Patrick Sattler | Parsing geographical locations from DNS names | IDP | Quirin Scheitle, Oliver Gasser |
| Open | Comparing IPv4 and IPv6 Paths in the Internet | MA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi Vejdani |