Obtaining insights into the core Internet protocols is critical for understanding misconfigurations and vulnerabilities and for designing and adopting new mechanisms and technologies. Although much effort is invested in understanding the Internet, many tools are still missing. Existing tools often do not support important properties such as repeatability of experiments or evaluation over long time periods. Furthermore, existing tools are not simple to use, since they do not come with a user-friendly interface and do not support easy generation of statistics and analysis of the collected data. Tools for performing dedicated measurements, tailored for specific tasks such as censorship detection, require either additional infrastructure or internal cooperation from within the measured network.
The main goal of this project is to devise tools for automated, repetitive data collection and analysis without requiring collaboration from the tested target network. Our goal is to provide insights into the Internet infrastructure: how the systems are configured, how cryptographic material such as keys and signatures is generated, what the misconfigurations are, what the vulnerabilities are, how attacks are launched (for instance, how censorship is enforced across different countries and continents), and also what the obstacles towards deployment of defences and new technologies are. We aim to explore these questions with respect to the core Internet protocols. Our experience shows that the human factor is the main cause of misconfigurations and of errors in the usage of tools or the deployment of technologies and defences. Hence, the tools developed within this project need to be automated to the maximal extent possible. Their user interfaces will be developed in collaboration with Project 3 to ensure a user-friendly interface and easy invocation. Leveraging our tools, data from core Internet infrastructures will be collected and periodically analysed, and the results will be displayed in the form of graphs and charts. The new tools aim to be protocol specific, e.g., tools for measuring misconfigurations in DNS or BGP as well as in their respective defence mechanisms, and task specific, such as detection of censorship, DNS cache poisoning or BGP prefix hijacking. The project will also devise tools for detection of BGP prefix hijacking and DNS cache poisoning attacks: (1) off-line tools that analyse historical data, such as CAIDA and other traffic collection repositories, and (2) online tools that perform live monitoring for detection of attacks. For the latter, Project 1 aims at devising tools that would monitor services on entire networks, e.g., for Internet Service Operators (ISPs), as well as end-host-based tools, e.g., for browsers.
The resulting tools will allow the collection of information needed to understand the practical attacks and methodologies that are used by Internet attackers. The deliverable will be a platform offering a comprehensive set of tools for collecting information about the core protocols of the Internet and about the attacks against them.
The Internet infrastructure is extremely vulnerable to attacks. Based on the insights gained from Project 1, this project aims at designing new security mechanisms, possibly extending existing proposals to address the gaps in the current standards and implementations. Our investigations in this project mainly focus on three core Internet protocols: BGP, DNS and NTP. More precisely, the project explores (1) attacks against core Internet protocols as well as abuse thereof for attacks against other systems, and (2) deployment of defences.
Explore attacks against core Internet protocols and abuses thereof. The project develops practical attacks and tests their abuse for the development of sophisticated attacks against security mechanisms, applications and systems. We perform DNS cache poisoning attacks and exploit them to evaluate attacks against a variety of systems in the Internet. In the first step we will develop and evaluate novel attacks, leveraging our testbed from Project 1. In the second step we will perform live evaluation of the attacks on the Internet and will carry out large-scale measurements to estimate the scope of the vulnerabilities and the fraction of networks and systems that are at risk.
Development and deployment of defences. We will work on the deployment of defences for core Internet protocols, drawing on the insights learnt from Project 1. We will try to build upon the existing defences where possible, potentially developing extensions to address the problems which prevent wide adoption of these security mechanisms, for instance by adding incentives or resolving obstacles. Our first and foremost goal is to push the deployment of RPKI and DNSSEC forward. When deployed, these defence mechanisms will prevent most traffic hijack attacks (whether due to BGP prefix hijacking or as a result of DNS cache poisoning).
The ABC project Visual Security Analytics is focused on the visualization of large security data repositories. The Internet is a massive network with many devices connected to it. In this project we work on visualizations to analyze global Internet routing as well as local network traffic. Our visual analysis tool for global routing gives new insights into the connections between autonomous systems and creates a novel geographic approximation of how traffic is routed around the world. The second focus is on the visualization of local network traffic. As the number of devices in company or home networks grows and more undetected cyber attacks take place, we work on a novel progressive visual analytics tool to analyze large network traffic log files. We provide a work-in-progress online prototype at netcapvis.igd.fraunhofer.de. Within this ATHENE mission we are also working in cooperation with TU Darmstadt on a large-scale visualization of computer botnets, to analyze crawler information gathered from currently active botnets on the Internet.
Botnets represent a particular danger on the Internet. They can be used to attack individual targets, such as a company or government agency, in a distributed manner by massively concentrating the traffic of the nodes used for the attack. To protect potential victims it is therefore necessary to detect botnets as early as possible and to thwart their attacks before they can roll out their full attack force. Today's centralized attack detection systems on the Internet are not adequate to detect and fight botnets as early as required. The project's goal is to develop a new system that aggregates and analyzes data collected in a decentralized manner through cooperative data analysis. This is achieved through local processing of data by decentralized instances and the exchange of the local attack detection results among these instances, so that threats can be detected on a larger scale.