X-Check

Detection of Security Incidents at IXPs

Description

The majority of today’s information and communications systems communicate with each other via the Internet. Hence, two attack vectors exist:

  • making use of the Internet to spread attacks
  • preventing communication by disrupting the Internet infrastructure

Threats on the network and application layers are omnipresent. For example, misconfigured backbone routers allow data to be redirected (prefix hijacking), and well-established application protocols can be misused to overload the network (amplification attacks). Detecting such incidents requires selecting the appropriate monitoring points, evaluating high volumes of data efficiently, and deploying protective protocols and system components.

X-Check aims to detect and prevent security incidents reliably by operating across multiple ISPs. State-of-the-art detection of network incidents is based on active and passive measurements that retrieve data either from closed, cooperating probes or from open, decoupled probes. So far, the possibility of large-scale anomaly detection at IXPs has been neglected. IXPs are transit points for public network data and crucial components of the Internet infrastructure. They provide a holistic view beyond individual ISP boundaries and additionally offer an interface to the ISPs through their route servers. However, IXPs face two major challenges:

  • They must not compete with their members by deploying extra services.
  • They experience attacks similar to those on ISPs, but act as a critical multiplier.

X-Check will not only design an observation method and assess the threat potential for IXPs, but also provide added value through techniques and tools that cannot be implemented by their individual members.

Partners

  • BCIX
  • DE-CIX
  • Freie Universität Berlin
  • HAW Hamburg
  • DFN-CERT Services GmbH

Related publications

  • 2017.11 Johanna Amann, Oliver Gasser, Quirin Scheitle, Lexi Brent, Georg Carle, Ralph Holz, “Mission Accomplished? HTTPS Security after DigiNotar,” in Proceedings of the Internet Measurement Conference (IMC 2017), London, UK, Nov. 2017.
  • 2017.08 Quirin Scheitle, Matthias Wählisch, Oliver Gasser, Thomas C. Schmidt, Georg Carle, “Towards an Ecosystem for Reproducible Research in Computer Networking,” in ACM SIGCOMM Reproducibility Workshop, Los Angeles, USA, Aug. 2017.
  • 2017.06 Matthias Wachs, Quirin Scheitle, Georg Carle, “Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication,” in Network Traffic Measurement and Analysis Conference (TMA), Best Paper Award, Jun. 2017.
  • 2017.06 Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Georg Carle, “Large-Scale Classification of IPv6-IPv4 Siblings with Variable Clock Skew,” in Network Traffic Measurement and Analysis Conference (TMA), Jun. 2017.
  • 2017.06 Quirin Scheitle, Oliver Gasser, Patrick Sattler, Georg Carle, “HLOC: Hints-Based Geolocation Leveraging Multiple Measurement Frameworks,” in Network Traffic Measurement and Analysis Conference (TMA), Best Dataset Award, Dublin, Ireland, Jun. 2017.
  • 2017.05 Oliver Gasser, Quirin Scheitle, Carl Denis, Nadja Schricker, Georg Carle, “Security Implications of Publicly Reachable Building Automation Systems,” in Proc. 2nd Int. Workshop on Traffic Measurements for Cybersecurity, San Jose, CA, USA, May 2017.
  • 2017.02 Oliver Gasser, Quirin Scheitle, Carl Denis, Nadja Schricker, Georg Carle, “Öffentlich erreichbare Gebäudeautomatisierung: Amplification-Anfälligkeit von BACnet und Deployment-Analyse im Internet und DFN” (Publicly reachable building automation: amplification susceptibility of BACnet and deployment analysis in the Internet and DFN), in 24. DFN-Konferenz Sicherheit in vernetzten Systemen, Hamburg, Germany, Feb. 2017.

Finished student theses

Each entry lists author, title, thesis type (BA = Bachelor's thesis, MA = Master's thesis, GR = guided research, IDP = interdisciplinary project) and advisors.

  • Alexander Schulz, “Identification of IPv6-IPv4 Sibling Pairs from Passive Observations”, BA; advisors: Quirin Scheitle, Oliver Gasser, Minoo Rouhi
  • Thomas Bachmaier, “Scanning for TCP SYN Proxy Implementations”, BA; advisors: Dominik Scholz, Paul Emmerich, Quirin Scheitle, Minoo Rouhi
  • Katharina Wiegräbe, “Identifying Web-enabled Devices on Internet Paths”, BA; advisors: Minoo Rouhi, Dominik Scholz, Quirin Scheitle
  • Paulin Tchonin, “TTL Analysis for DDoS Defense”, MA; advisors: Quirin Scheitle, Oliver Gasser, Paul Emmerich
  • Maximilian Pudelko, “Comparison of Queuing Data Structures for Traffic Analysers”, BA; advisors: Paul Emmerich, Sebastian Gallenmüller
  • Patrick Sattler, “Parsing geographical locations from DNS names”, GR; advisors: Quirin Scheitle, Oliver Gasser
  • Minoo Rouhi Vejdani, “Comparing IPv4 and IPv6 hosts and paths in the Internet”, MA; advisors: Quirin Scheitle, Oliver Gasser, Paul Emmerich

Open and running student theses

Each entry lists author (or “Open” if the topic is not yet assigned), title, thesis type and advisors.

  • Maximilian Pudelko, “Payload Extraction for Flows with Anomalous TTL Behaviour”, IDP; advisors: Quirin Scheitle, Oliver Gasser, Paul Emmerich
  • Markus Sosnowski, “Internet-Wide Assessment of TCP Options”, BA; advisors: Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Paul Emmerich, Dominik Scholz
  • Florens Werner, “Finding Active IPv6 Addresses”, BA; advisors: Quirin Scheitle, Oliver Gasser
  • Samy Deib, “Detecting IPv6-IPv4 Sibling Pairs Based on few Data Points”, BA; advisors: Quirin Scheitle, Oliver Gasser, Minoo Rouhi
  • Patrick Sattler, “Parsing geographical locations from DNS names”, IDP; advisors: Quirin Scheitle, Oliver Gasser
  • Open, “Comparing IPv4 and IPv6 Paths in the Internet”, MA; advisors: Quirin Scheitle, Oliver Gasser, Minoo Rouhi Vejdani