X-Check
Detection of Security Incidents at IXPs
Scientists: | Dr. Oliver Gasser, Dr.-Ing. Quirin Scheitle, Johannes Naab, M.Sc., Minoo Rouhi, M.Sc., Prof. Dr.-Ing. Georg Carle |
Duration: | 01.05.2016 – 30.04.2019 |
Funding: | BMBF (Federal Ministry for Education and Research) |
Homepage: | http://x-check.realmv6.org/ |
Description
The majority of today’s information and communications systems communicate with each other via the Internet. Hence, two attack vectors exist:
- making use of the Internet to spread attacks
- preventing communication by disrupting the Internet infrastructure
Threats on the network and application layer are omnipresent. For example, misconfigurations of backbone routers allow the redirection of data (prefix hijacking), and well-established application protocols can be misused to overload the network (amplification attacks). To detect such incidents, it is necessary to select appropriate monitoring points, to evaluate high volumes of data efficiently, and to deploy protective protocols and system components.
X-Check aims to detect and prevent security incidents reliably by operating across multiple ISPs. State-of-the-art detection of network incidents is based on active and passive measurements that retrieve data either from closed, cooperating probes or from open, decoupled probes. So far, the possibility of detecting anomalies at large scale by utilizing IXPs has been neglected. IXPs are transit points for public network data and crucial components of the Internet infrastructure. They provide a holistic view beyond individual ISP boundaries and additionally offer an interface to the ISPs through their route servers. However, IXPs face two major challenges:
- They must not compete with their members by deploying extra services.
- They experience attacks similar to those on ISPs, but act as a critical multiplier.
X-Check will not only design an observation method and assess the threat potential for IXPs, but also provide added value through techniques and tools that cannot be implemented by an IXP's individual members.
Partners
- BCIX
- DE-CIX
- Freie Universität Berlin
- HAW Hamburg
- DFN-CERT Services GmbH
Related publications
2020-06-01 | Maximilian Pudelko, Paul Emmerich, Sebastian Gallenmüller, Georg Carle, “Performance Analysis of VPN Gateways,” in IFIP Networking 2020, Paris, France, Jun. 2020. [Pdf] [Bib] |
2020-04-01 | Simon Bauer, Kilian Holzinger, Benedikt Jaeger, Paul Emmerich, Georg Carle, “Online Monitoring of TCP Throughput Limitations,” in 2020 IEEE/IFIP Network Operations and Management Symposium (NOMS 2020), Budapest, Hungary (Virtual Conference), Apr. 2020. [Pdf] [Bib] |
2019-10-01 | Johannes Naab, Patrick Sattler, Jonas Jelten, Oliver Gasser, Georg Carle, “Prefix Top Lists: Gaining Insights with Prefixes from Domain-based Top Lists on DNS Deployment,” in Proceedings of the Internet Measurement Conference, New York, NY, USA, Oct. 2019, pp. 351–357. [Pdf] [Slides] [Homepage] [DOI] [Bib] |
2019-03-01 | Wouter B. de Vries, Quirin Scheitle, Moritz Müller, Willem Toorop, Ralph Dolmans, Roland van Rijswijk-Deij, “A First Look at QNAME Minimization in the Domain Name System,” in Proceedings of the Passive and Active Measurement Conference (PAM 2019), Best Dataset Award, Puerto Varas, Chile, Mar. 2019. [Url] [Bib] |
2018-11-01 | Oliver Gasser, Quirin Scheitle, Pawel Foremski, Qasim Lone, Maciej Korczynski, Stephen D. Strowes, Luuk Hendriks, Georg Carle, “Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists,” in Proceedings of the 2018 Internet Measurement Conference, New York, NY, USA, Nov. 2018. [Pdf] [Slides] [Homepage] [Rawdata] [Arxiv] [Blog] [DOI] [Bib] |
2018-11-01 | Quirin Scheitle, Oliver Gasser, Theodor Nolte, Johanna Amann, Lexi Brent, Georg Carle, Ralph Holz, Thomas C. Schmidt, Matthias Wählisch, “The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem,” in Internet Measurement Conference (2018), Boston, USA, Nov. 2018, pp. 343–349. [Rawdata] [Arxiv] [DOI] [Bib] |
2018-11-01 | Quirin Scheitle, Oliver Hohlfeld, Julien Gamba, Jonas Jelten, Torsten Zimmermann, Stephen D. Strowes, Narseo Vallina-Rodriguez, “A Long Way to the Top: Significance, Structure, and Stability of Internet Top Lists,” in Internet Measurement Conference (IMC’18), IMC’18 Community Contribution Award, Boston, USA, Nov. 2018, pp. 478–493. [Homepage] [Rawdata] [Arxiv] [DOI] [Bib] |
2018-10-01 | Paul Emmerich, Maximilian Pudelko, Quirin Scheitle, Georg Carle, “Efficient Dynamic Flow Tracking for Packet Analyzers,” in CloudNet, Tokyo, Japan, Oct. 2018. [Pdf] [Bib] |
2018-04-01 | Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland van Rijswijk-Deij, Oliver Hohlfeld, Ralph Holz, Dave Choffnes, Alan Mislove, Georg Carle, “A First Look at Certification Authority Authorization (CAA),” ACM SIGCOMM Computer Communications Review (CCR), Apr. 2018. [Url] [Pdf] [Preprint] [Homepage] [Rawdata] [Bib] |
2018-03-01 | Tobias Brunnwieser, Oliver Gasser, Sree Harsha Totakura, Georg Carle, “Live Detection and Analysis of HTTPS Interceptions,” in Passive and Active Measurement Conference (PAM), Poster, Berlin, Germany, Mar. 2018. [Pdf] [Poster] [Bib] |
2018-03-01 | Oliver Gasser, Benjamin Hof, Max Helm, Maciej Korczynski, Ralph Holz, Georg Carle, “In Log We Trust: Revealing Poor Security Practices with Certificate Transparency Logs and Internet Measurements,” in Proceedings of the Passive and Active Measurement Conference (PAM 2018), Best Paper Award, Berlin, Germany, Mar. 2018. [Url] [Pdf] [Slides] [Sourcecode] [Rawdata] [Blog] [Bib] |
2018-03-01 | Quirin Scheitle, Jonas Jelten, Oliver Hohlfeld, Luca Ciprian, Georg Carle, “Structure and Stability of Internet Top Lists,” in PAM’18 Poster, Berlin, Mar. 2018. [Arxiv] [Bib] |
2017-11-01 | Johanna Amann*, Oliver Gasser*, Quirin Scheitle*, Lexi Brent, Georg Carle, Ralph Holz, “Mission Accomplished? HTTPS Security after DigiNotar,” in Proceedings of the Internet Measurement Conference (IMC 2017), IMC’17 Community Contribution Award, IRTF Applied Networking Research Prize (ANRP) 2018, London, UK, Nov. 2017. [Url] [Pdf] [Slides] [Sourcecode] [Rawdata] [Bib] |
2017-11-01 | Patricia Callejo, Connor Kelton, Narseo Vallina-Rodriguez, Rubén Cuevas, Oliver Gasser, Christian Kreibich, Florian Wohlfart, Ángel Cuevas, “Opportunities and Challenges of Ad-based Measurements from the Edge of the Network,” in Proc. of the 16th ACM Workshop on Hot Topics in Networks, Nov. 2017. [Pdf] [Bib] |
2017-10-01 | Oliver Gasser, Quirin Scheitle, Benedikt Rudolph, Carl Denis, Nadja Schricker, Georg Carle, “The Amplification Threat Posed by Publicly Reachable BACnet Devices,” Journal of Cyber Security and Mobility, Oct. 2017. [Url] [Pdf] [Bib] |
2017-08-01 | Quirin Scheitle, Matthias Wählisch, Oliver Gasser, Thomas C. Schmidt, Georg Carle, “Towards an Ecosystem for Reproducible Research in Computer Networking,” in ACM SIGCOMM Reproducibility Workshop, Los Angeles, USA, Aug. 2017. [Pdf] [Slides] [Bib] |
2017-06-01 | Matthias Wachs, Quirin Scheitle, Georg Carle, “Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication,” in Network Traffic Measurement and Analysis Conference (TMA), Best Paper Award TMA’17, IEEE ComSoc ITC Best Paper Award 2017, Jun. 2017. [Pdf] [Slides] [Recording] [Bib] |
2017-06-01 | Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Georg Carle, “Large-Scale Classification of IPv6-IPv4 Siblings with Variable Clock Skew,” in Network Traffic Measurement and Analysis Conference (TMA), Jun. 2017. [Pdf] [Slides] [Rawdata] [Recording] [Arxiv] [Bib] |
2017-06-01 | Quirin Scheitle, Oliver Gasser, Patrick Sattler, Georg Carle, “HLOC: Hints-Based Geolocation Leveraging Multiple Measurement Frameworks,” in Network Traffic Measurement and Analysis Conference (TMA), Best Dataset Award, Dublin, Ireland, Jun. 2017. [Pdf] [Slides] [Rawdata] [Arxiv] [Bib] |
2017-06-01 | Paul Emmerich, Maximilian Pudelko, Sebastian Gallenmüller, Georg Carle, “FlowScope: Efficient Packet Capture and Storage in 100 Gbit/s Networks,” in IFIP Networking 2017, Stockholm, Sweden, Jun. 2017. [Pdf] [Bib] |
2017-05-01 | Oliver Gasser, Quirin Scheitle, Carl Denis, Nadja Schricker, Georg Carle, “Security Implications of Publicly Reachable Building Automation Systems,” in Proc. 2nd Int. Workshop on Traffic Measurements for Cybersecurity, San Jose, CA, USA, May 2017. [Pdf] [Bib] |
2017-02-01 | Oliver Gasser, Quirin Scheitle, Carl Denis, Nadja Schricker, Georg Carle, “Öffentlich erreichbare Gebäudeautomatisierung: Amplification-Anfälligkeit von BACnet und Deployment-Analyse im Internet und DFN,” in 24. DFN-Konferenz Sicherheit in vernetzten Systemen, Hamburg, Germany, Feb. 2017. [Pdf] [Bib] |
Finished student theses
Author | Title | Type | Advisors | Year | Links |
Johannes Zirngibl | Extensive Analysis of IPv6 Address Assignment and its rDNS Special Domain ip6.arpa. | MA | Johannes Naab, Quirin Scheitle | 2018 | |
Johannes Zirngibl | Creating IPv6 Hitlists through Rigorous and Deterministic rDNS Walking | IDP | Johannes Naab, Quirin Scheitle | 2018 | |
Patrick Sattler | Large-Scale DNS Analysis | MA | Johannes Naab, Quirin Scheitle | 2018 | |
Felix Beil | Long Term Analysis of HTTP Strict Transport Security | BA | Quirin Scheitle, Oliver Gasser | 2018 | |
Ralf Baun | Performance and Security Analysis of Alternative DNS Transports | BA | Quirin Scheitle, Johannes Naab | 2018 | |
Glenn Skjong | Internet Toplists: Creating an Alternative Internet Top List Service | MA | Quirin Scheitle, Jonas Jelten | 2018 | |
Johannes Schleger | Detection and Characterization of TLS Interception in Access Networks | MA | Jonas Jelten, Florian Wohlfart, Quirin Scheitle | 2018 | |
Alexander Schulz | Identification of IPv6-IPv4 Sibling Pairs from Passive Observations | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi | 2017 | |
Samy el Deib | Detecting IPv6-IPv4 Sibling Pairs Based on few Data Points | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi | 2017 | |
Florens Werner | Finding Active IPv6 Addresses | BA | Quirin Scheitle, Oliver Gasser, Johannes Naab | 2017 | |
Katharina Wiegräbe | Identifying Web-enabled Devices on Internet Paths | BA | Minoo Rouhi, Dominik Scholz, Quirin Scheitle | 2017 | |
Maximilian Pudelko | Payload Extraction for Flows with Anomalous TTL Behaviour | IDP | Quirin Scheitle, Paul Emmerich | 2017 | |
Markus Sosnowski | Internet-Wide Assessment of TCP Options | BA | Quirin Scheitle, Oliver Gasser, Minoo Rouhi, Paul Emmerich, Dominik Scholz | 2017 | |
Thomas Bachmaier | Scanning for TCP SYN Proxy Implementations | BA | Dominik Scholz, Paul Emmerich, Quirin Scheitle, Minoo Rouhi | 2017 | |
Paulin Tchonin | TTL Analysis for DDoS Defense | MA | Quirin Scheitle, Oliver Gasser, Paul Emmerich | 2016 | |
Patrick Sattler | Parsing geographical locations from DNS names | IDP | Quirin Scheitle, Oliver Gasser | 2016 | |
Patrick Sattler | Parsing geographical locations from DNS names | GR | Quirin Scheitle, Oliver Gasser | 2016 | |
Maximilian Pudelko | Comparison of Queuing Data Structures for Traffic Analysers | BA | Paul Emmerich, Sebastian Gallenmüller | 2016 | |
Minoo Rouhi Vejdani | Comparing IPv4 and IPv6 hosts and paths in the Internet | MA | Quirin Scheitle, Oliver Gasser, Paul Emmerich | 2015 |