Evaluating Network Security Using Internet-wide Measurements

Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich. Evaluating Network Security Using Internet-wide Measurements. Oliver Gasser. Ph.D. Defense, Friday 24th May, 2019. Chairman: Prof. Dr. Jörg


  1. Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich. Evaluating Network Security Using Internet-wide Measurements. Oliver Gasser. Ph.D. Defense, Friday 24th May, 2019. Chairman: Prof. Dr. Jörg Ott. Examiners: Prof. Dr.-Ing. Georg Carle, Prof. Anja Feldmann, Ph.D.

  2. Motivation

  3. Motivation

  7. Motivation

     The Internet
     • Internet measurements can be leveraged to empirically assess security of
       • protocols,
       • devices,
       • implementations, and
       • configurations
     • Vast IPv6 address space poses big challenge for Internet measurements

     Goals
     • Improve measurement methodology for Internet-wide security measurements
       • IPv4 and IPv6
     • Empirically assess security of three different protocols
       • HTTPS
       • BACnet
       • IPMI

  8. Research questions

  15. Research questions

      • RQ I: How can we perform Internet-scale IPv6 measurements? (Chapter 3)
        ZMapv6, goscanner
      • RQ II: How biased are address sources for IPv6 hitlists? (Chapter 4)
        Passive sources, active sources, biases in sources, IPv6 Hitlist Service
      • RQ III: Are HTTPS servers still vulnerable to MitM attacks? (Chapter 5)
        Certificate security, HTTPS security
      • RQ IV: Are BACnet devices vulnerable to amplification attacks? (Chapter 6)
        Deployment, amplification, notification
      • RQ V: Are IPMI devices vulnerable to MitM attacks? (Chapter 7)
        Deployment, TLS security

  17. RQ II: How biased are address sources for IPv6 hitlists?

  19. RQ II: How biased are address sources for IPv6 hitlists?

      Motivation
      • IPv6 address space too large to perform brute-force measurements
      • Assemble lists of IPv6 target addresses: IPv6 hitlists

      Measurements & analyses
      • Passive and active measurements
      • Empirical analysis of different types of biases
        • Weekly patterns
        • Different host populations
        • Different number of addresses
        • Over-representation of certain prefixes

  21. RQ II: How biased are address sources for IPv6 hitlists?

      IPv6 hitlist passive sources: new IPv6 addresses per day

      [Figure: share of unique IPs per day that are new (%, y-axis, 0 to 100) over date (x-axis) for the IXP and MWN sources, with weekends marked.]

      • Large share of new addresses each day hints at privacy extensions

  24. RQ II: How biased are address sources for IPv6 hitlists?

      IPv6 hitlist passive vs. active sources: Hamming weight distribution

      [Figure: two panels, IXP and Traceroute. x-axis: number of IID bits set to '1' (0 to 60); y-axis: frequency [%]; reference curve N(31.5, 15.75).]

      • Different host populations: clients at IXP (privacy extensions) vs. routers (manually assigned addresses)
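The Hamming weight comparison on this slide, as an added example that is not part of the original presentation: it counts the IID bits set to '1' and checks how many addresses fall near the slide's reference curve. The sample addresses are constructed, and reading N(31.5, 15.75) as the normal approximation of 63 independent random bits is an assumption that matches the slide's numbers.

```python
import ipaddress
import math

# Reference from the slide: N(31.5, 15.75). Assumption: this is the normal
# approximation of 63 fair random bits (one IID bit held fixed).
def reference_params(random_bits: int = 63):
    return random_bits * 0.5, random_bits * 0.25   # (mean, variance)

def iid_hamming_weight(addr: str) -> int:
    """Count the bits set to 1 in the interface identifier (low 64 bits)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return bin(iid).count("1")

def random_like_share(addrs, k: float = 3.0) -> float:
    """Share of addresses whose IID weight lies within k std. devs. of the mean."""
    mean, var = reference_params()
    band = k * math.sqrt(var)
    hits = sum(1 for a in addrs if abs(iid_hamming_weight(a) - mean) <= band)
    return hits / len(addrs)

# Constructed samples in the documentation prefix 2001:db8::/32,
# not measurement data from the thesis.
CLIENT_LIKE = [                      # random-looking IIDs (privacy extensions)
    "2001:db8:407:8000:151:2900:77e9:3a8",
    "2001:db8:407:8000:15ab:3855:92a0:2341",
    "2001:db8:407:8000:eaae:cb10:9321:ba76",
    "2001:db8:407:8000:f693:2443:915e:1d2e",
]
ROUTER_LIKE = [                      # low-numbered, manually assigned IIDs
    "2001:db8::1",
    "2001:db8:0:1::2",
    "2001:db8:ffff::a:1",
]

if __name__ == "__main__":
    for name, sample in (("client-like", CLIENT_LIKE), ("router-like", ROUTER_LIKE)):
        weights = [iid_hamming_weight(a) for a in sample]
        print(name, weights, f"random-like share: {random_like_share(sample):.2f}")
```
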

  26. RQ II: How biased are address sources for IPv6 hitlists?

      IPv6 hitlist active sources: Cumulative address runup

      [Figure: cumulative number of addresses (y-axis, up to 60 M) over date (x-axis) for the sources Domainlists, DNS ANY, CT, AXFR, Bitnodes, RIPE Atlas, and Traceroute.]

      • Many addresses from domainlists, CT, and traceroutes
      • Rapid increase of traceroute addresses due to CPE routers

  28. RQ II: How biased are address sources for IPv6 hitlists?

      Taxonomy
      • Alias: another address of the same host
      • Aliased prefix: whole prefix bound to the same host
      • Bias: some hosts overrepresented due to aliased prefixes

      Aliased prefix detection
      [Diagram: prefix 2001:0db8:0407:8000::/64 split into 16 branches (random IPs), one per value of the first nibble after the prefix. Addresses shown:]
        2001:0db8:0407:8000:0151:2900:77e9:03a8
        2001:0db8:0407:8000:15ab:3855:92a0:2341
        2001:0db8:0407:8000:eaae:cb10:9321:ba76
        2001:0db8:0407:8000:f693:2443:915e:1d2e

  30. RQ II: How biased are address sources for IPv6 hitlists?

      Detected aliased prefixes

      • Only 3.2 % of prefixes are aliased
      • But 46.6 % of addresses are in aliased prefixes → bias
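The aliased prefix detection from the slides above, as an added example that is not code from the presentation or the author's tools: it builds one pseudo-random target in each of the 16 nibble branches below a prefix and then separates a hitlist into addresses outside and inside aliased prefixes. It goes beyond the /64 case on the slide by accepting any prefix length up to /124. The rule "aliased only if all 16 branches answer", the simulated responder and the sample hitlist are assumptions constructed for this example.

```python
import ipaddress
import random

def apd_targets(prefix, rng):
    """One pseudo-random address in each of the 16 nibble branches below prefix."""
    net = ipaddress.IPv6Network(prefix)
    free_bits = 128 - net.prefixlen - 4          # bits below the branch nibble
    if free_bits < 0:
        raise ValueError("prefix must leave room for one nibble")
    base = int(net.network_address)
    targets = []
    for nibble in range(16):
        tail = rng.getrandbits(free_bits) if free_bits else 0
        targets.append(ipaddress.IPv6Address(base | (nibble << free_bits) | tail))
    return targets

def is_aliased(prefix, responds, rng):
    """Assumed decision rule: aliased only if every one of the 16 branches answers."""
    return all(responds(t) for t in apd_targets(prefix, rng))

def split_hitlist(hitlist, aliased_prefixes):
    """Return (kept, dropped): addresses outside and inside aliased prefixes."""
    nets = [ipaddress.IPv6Network(p) for p in aliased_prefixes]
    kept, dropped = [], []
    for a in hitlist:
        inside = any(ipaddress.IPv6Address(a) in n for n in nets)
        (dropped if inside else kept).append(a)
    return kept, dropped

# Constructed stand-in for real probing: one fully aliased /64 and one single host.
ALIASED_NET = ipaddress.IPv6Network("2001:db8:407:8000::/64")
SINGLE_HOST = ipaddress.IPv6Address("2001:db8:1::1")

def simulated_responds(addr):
    return addr in ALIASED_NET or addr == SINGLE_HOST

HITLIST = [                                      # constructed sample hitlist
    "2001:db8:407:8000:151:2900:77e9:3a8",
    "2001:db8:407:8000:15ab:3855:92a0:2341",
    "2001:db8:407:8000:eaae:cb10:9321:ba76",
    "2001:db8:1::1",
    "2001:db8:2::53",
]

def run_demo(seed=1):
    rng = random.Random(seed)
    candidates = ["2001:db8:407:8000::/64", "2001:db8:1::/64"]
    aliased = [p for p in candidates if is_aliased(p, simulated_responds, rng)]
    return aliased, split_hitlist(HITLIST, aliased)
```

In the constructed hitlist, three of the five addresses sit in the single aliased prefix, which is the over-representation effect the slide calls bias.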

  31. RQ II: How biased are address sources for IPv6 hitlists?
