watching the watchers with ipv6 nonce based inverse
play

Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance - PowerPoint PPT Presentation

Dec 20, 2023 •210 likes •624 views

Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring Laura M. Roberts Princeton University / Akamai Technologies David Plonka Akamai Technologies NPS/CAIDA 2020 Virtual IPv6 Workshop June 17, 2020

  1. Watching the Watchers with IPv6 : Nonce-based Inverse Surveillance to Remotely Detect Monitoring Laura M. Roberts Princeton University / Akamai Technologies David Plonka Akamai Technologies NPS/CAIDA 2020 Virtual IPv6 Workshop June 17, 2020 Presented at TMA 2020: https://tma.ifip.org/2020/main-conference/ Open-access preprint: https://arxiv.org/abs/2005.07641 1

  2. In today’s Internet, pervasive monitoring is deemed a threat. 2

  3. Internet users and service providers don’t know who’s watching their Internet traffic. 3

  4. We desire a way to detect who is monitoring Internet traffic and where it’s being monitored. • Want to detect organizations who monitor traffic and systems that monitor traffic, such as network firewalls or email filters • Want to know where they are, be it along network links or at edges 4

  5. Research question: Can we build a system that remotely detects monitoring? 5

  6. We propose the use of nonces to accomplish this. • Nonces are single-use, pseudorandom values • First, we actively disseminate nonces, i.e., we transmit them as a packet’s IPv6 source address in an active measurement survey • Then we passively listen for a surveillant to propagate / react to the nonce, e.g., to use it in a reverse DNS query • Because nonces are unique, we can correlate the dissemination with subsequent propagations / reactions • We’re also able to glean topological information on paths that nonces traverse, which helps locate where the surveillants might be 6

  7. We present NOISE, the Nonce Observatory for Inverse Surveillance of Eavesdroppers. • A novel way to detect monitors of Internet traffic remotely 7

  8. Agenda • Describe the system • Present our results 8

  9. Let’s describe the system. 9

  10. We disseminate nonces and listen for reactions. • There is an active component to our system and a passive component • We need a way to actively spread nonces ( dissemination ) in Internet traffic and to passively detect reactions to these nonces ( propagation ) • There are various strategies we could use to realize both components • We used a worldwide, IPv6 traceroute-like measurement campaign to do just that and detect surveillants 10

  11. Our Strategy - The Nonces • First we generate 64-bit nonces, and because of IPv6’s huge address space, we embed them in (128-bit) IPv6 addresses, for example, in the lower 64 bits • We generate nonces by encrypting 64 bits of data with the ChaCha20 stream cipher • We do this because it’s important that our nonces be unpredictable • If they were predictable, an adversary could craft and transmit valid nonces itself, instead of by merely reacting to ours, confusing our analysis 11

  12. Our Strategy - The Active Component • With our “nonced” IPv6 addresses in hand, we disseminate them by running a special traceroute campaign. 12

  13. First, let’s review how regular traceroute works. • Probes are sent from the IP address of the source host to the targets Traceroute from X to Y Target Source IP: X ; TTL: 1 host Y Source IP: X ; TTL: 2 Trace source X Source IP: X; TTL: 1 Source IP: X; TTL: 2 Target host Z Traceroute from X to Z 13

  14. In our special traceroute campaign, we craft or forge one-time-use, nonce-laden source addresses. • We emit packets with those rather than the host’s usual source address. Here we show one nonce per destination. A reaction to nonce NY indicates Traceroute from X that a surveillant was along the to Y Target Source IP: NY ; TTL: 1 path to Y. host Y Source IP: NY ; TTL: 2 Trace source X Source IP: NZ; TTL: 1 Source IP: NZ; TTL: 2 Target host Z Traceroute from X to Z 14

  15. Let’s have forged source IPv6 addresses for each TTL (hop limit) . The IPv6 number space is huge so we can afford to place a unique nonce in every • packet we emit; Offers us finer granularity in determining where the surveillant actually was along the path Traceroute from X A reaction to nonce NY2 indicates that to Y a surveillant was within 2 hops along Target Source IP: NY1 ; TTL: 1 the path to Target Y . host Y Source IP: NY2 ; TTL: 2 Trace source X Source IP: NZ1; TTL: 1 Source IP: NZ2; TTL: 2 Target host Z Traceroute from X to Z 15

  16. How are we able to collect responses to our traceroute probes given that the source addresses are forged? We limit our forged sources to an IPv6 address block (/36) completely under our • control and forward all packets destined to addresses within that block to the NOISE source host Traceroute from X to Y Target Source IP: NY1 ; TTL: 1 Set up static route in our router to forward all host Y addresses within our /36 to our NOISE source host Source IP: NY2 ; TTL: 2 Our router NOISE source host Source IP: NZ1; TTL: 1 Source IP: NZ2; TTL: 2 Target host Z Traceroute from X to Z 16

  17. Let’s take a closer look at the /36 IPv6 address block that’s under our control. • The NOISE address block is an IPv6 /36 prefix that has 2 92 possible addresses, each of which can contain any of 2 64 possible nonces 64 bits 36-bit prefix 2001:0db8:0XXX:XXXX: dead:beef:f00d:cafe 92 bits 128-bit IPv6 address 17

  18. Our Strategy - The Active Component • In our experiments, we ran yarrp on a computer dedicated to NOISE—this is our trace source host • We traced from nonced IPv6 source addresses to the approximately 15.2M target addresses used in prior work[1] which is to the best of our knowledge the largest IPv6 topology survey to date • We are disseminating our nonces while getting a sense of the topology so we can know where the monitoring happened [1] “In the IP of the Beholder: Strategies for Active IPv6 Topology Discovery” by Beverly et al. (IMC 2018) https://arxiv.org/abs/1805.11308 18

  19. Our Strategy - The Passive Component • After disseminating our nonces via this special yarrp-based traceroute survey, we then wait to see who or what reacts with interest to our nonced source addresses • An example of “interest” could be the receipt of a packet destined for a nonce- laden address from a host that was not a target of our traceroutes, and we capture all such unsolicited packets on our machine. We call these “ pcap ” reactions. 19

  20. Our Strategy - The Passive Component • We know from experience that a common reaction to unsolicited traffic from an unfamiliar address (from our /36) is to perform a reverse DNS query on it • We capture this traffic at our NOISE DNS server, which is NSD (open-source DNS server) running on a virtual machine (VM) that was made to be the authoritative reverse DNS nameserver for NOISE’S /36 IPv6 address block • This way, we’re able to capture DNS queries involving any of our nonced source addresses ourselves • We refer to these as “ rdns ” reactions 20

  21. Our Strategy - The Passive Component • Our nameserver is also authoritative for forward queries in two NOISE project domains, which enables us to capture “ fdns ” reactions • And we have access to DNSDB, a passive DNS database, which allows us to determine when queries for our nonced addresses or project domains were shared with this third-party commercial database, and we refer to these as “ pdns ” reactions 21

  22. We employ all of these components in our NOISE experiments to evaluate its performance in detecting monitoring. something1 .noise.example.com 2001:0db8:0XXX:XXXX: dead:beef:f00d:cafe something2 .noise.example.com pcap pcap yarrp apache2 DNS database NSD Our Router NOISE trace source host Our VM machine /36 22

  23. Let’s discuss our results. 23

  24. Our results come from three experiments. 24

  25. Macroscopic View • Across three experiments, NOISE detected monitoring more than 200k times, ostensibly in 268 networks, for probes destined for 437 networks. • We are particularly interested in the following types of evidence of monitoring: • rdns : reverse lookups • pcap : unexpected packets that talk back to our nonced source addresses • pdns : entries in DNSDB, a commercial passive DNS database 25

  26. Macroscopic View: times to detection of nonce propagation 5ms 30ms 100ms .5s 1s 3s5s10s 30s1m 3m 10m 30m1h 2h 4h 12h1d 18d 43d 113d 1ms 1 1 UDP:443c rdns (80k, 2.5k peers) UDP:443s rdns (76k, 3.1k peers) Ping rdns (55k, 2.3k peers) 0.8 0.8 UDP:443c pcap (7.6k, 70 peers) UDP:443s pcap (6.2k, 62 peers) Proportion (CDF) Ping pcap (1.9k, 50 peers) 0.6 0.6 UDP:443c pdns (21 entries) UDP:443s pdns (154 entries) 0.4 0.4 0.2 0.2 0 0 1 10 100 1 k 10 k 100 k 1 M 10 M 100 M 1 G 10 G 26 Time, milliseconds

  27. Macroscopic View 27

  28. Macroscopic View 28

  29. Macroscopic View 29

  30. Microscopic View of NOISE Capabilities and Results Validation 30

  31. 31

  32. NOISE Capability 1: Detection of Curious Queries and Improved Reachability Measurements 32

  33. 33

  34. NOISE Capability 2: Detection of Sharing Passive DNS Data 34

  35. 35

  36. NOISE Capability 3: Detection of Eavesdropping 36

  37. 37

  38. 38

Recommend

Watching the Watchers: Automatically Inferring TV Content From Outdoor Light Effusions Yi Xu,

Watching the Watchers: Automatically Inferring TV Content From Outdoor Light Effusions Yi Xu,

Watching the Watchers: Automatically Inferring TV Content From Outdoor Light Effusions Yi Xu, Jan-Michael Frahm and Fabian Monrose CCS 2014 Bart Kosciarz Introduction + Why Should You Care? Exploit emanations of changes in light to reveal TV

618 views • 17 slides
Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Nonce-based Encryption Formalized by Rogaway Primary Condition Uniqueness of the nonce

Dhiman Saha 1 , Sukhendu Kuila 2 , Dipanwita Roy Chowdhury 1 1 Dept. Of Computer Science & Engineering, IIT Kharagpur, INDIA 2 Dept. Of Mathematics, Vidyasagar University, INDIA DIAC 2014, Santa Barbara, USA Nonce-based Encryption

298 views • 19 slides
NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn Tackmann University of California, San Diego Eurocrypt 2016, Vienna May 11, 2016

521 views • 37 slides
IPv6: Where are we in 2017? Based on Internet Society 2017 report

IPv6: Where are we in 2017? Based on Internet Society 2017 report

IPv6: Where are we in 2017? Based on Internet Society 2017 report https://www.internetsociety.org/doc/state-ipv6-deployment-2017 June 6, 2017 History of IPv6 1990: IETF realized that IPv4 address space would run out Took steps to

588 views • 25 slides
Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M.

Statistical Fault Attacks on Nonce-Based Authenticated Encryption Schemes C. Dobraunig 1 , M. Eichlseder 1 , T. Korak 1 , V. Lomn e 2 , F. Mendel 1 AsiaCrypt 2016 1 Graz University of Technology, Austria 2 ANSSI, Paris, France

602 views • 27 slides
1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

IPv6 IPv6, MPLS History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

506 views • 5 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6 Global allocations by RIR APNIC 337 21% RIPENCC 737 45% ARIN 438 LACNIC AFRINIC 27% 87 37 5% 2% Unit: IPv6 pref i x 3 IPv6

603 views • 24 slides
IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6

IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6

IPv6 Ready Logo Aiding IPv6 Deployment Timothy Winters LACNIC 27 May 2017 IPv6 Forums IPv6 Ready Logo Goal 2001-Present: Conformance and Interoperability test program intended to increase user confidence and promote IPv6 deployment.

403 views • 11 slides
Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU)

Nonce Generators and the Nonce Reset Problem Erik Zenner Technical University Denmark (DTU) Department of Mathematics e.zenner@mat.dtu.dk Pisa, Sep. 9, 2009 Erik Zenner (DTU-MAT) Nonce Generators Pisa, Sep. 9, 2009 1 / 29 Everyone

337 views • 32 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit

Encrypt or Decrypt ? To Make a Single-Key BBB Secure Nonce-Based MAC Nilanjan Datta 1 , Avijit Dutta 2 , Mridul Nandi 2 and Kan Yasuda 3 1. Indian Institute of Technology, Kharagpur, India 2. Indian Statistical Institute, Kolkata, India 3. NTT

580 views • 45 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already Here Monash IPv6 Progress Addressing End Systems Monitoring Network Address Usage Traffic Monitoring Problems IPv6 is Coming

779 views • 41 slides
Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA

Life with IPv6 Journe Cohabitation IPv4-IPv6 16 Fvrier 2005 Keiichi SHIMA <keiichi@iijlab.net> IIJ Research Laboratory / WIDE project Contents IPv6 service in Japan How I live Example of IPv6 configuration Some news of IPv6

653 views • 16 slides
Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6

Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6

Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 S-38.121 / S-03 / N Beijar IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A =

617 views • 20 slides
IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6

IPv6 Deployment WG in IPv6 Promotion Council and its Deployment Guideline 2005.2.23 IPv6 Deployment WG Chair Takashi Arano (Intec NetCore, Inc.) IPv6 Deployment Guideline solves barriers for deployment I cant see IPv6s

319 views • 7 slides
IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

775 views • 46 slides
Why Inverse F-transform? A General Definition of . . . A Compression-Based A Reasonable . . .

Why Inverse F-transform? A General Definition of . . . A Compression-Based A Reasonable . . .

Data Compression F-Transform Inverse F-transform At First Glance, . . . Why Inverse F-transform? A General Definition of . . . A Compression-Based A Reasonable . . . Discussion and Main . . . Explanation Proof Conclusion Vladik

401 views • 13 slides
Introduction to IPv6 (Chapter 4 in Huitema) S-38.121 / Fall-04 / N Beijar IPv6,Mobility-1 IPv6

Introduction to IPv6 (Chapter 4 in Huitema) S-38.121 / Fall-04 / N Beijar IPv6,Mobility-1 IPv6

Introduction to IPv6 (Chapter 4 in Huitema) S-38.121 / Fall-04 / N Beijar IPv6,Mobility-1 IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A =

556 views • 20 slides
Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com When will IPv6-only deployment happen? Hypothesis 1 1st node is All IPv4 nodes dual-stack speak also IPv6 IPv4-only IPv4 & IPv6 IPv6-only

675 views • 25 slides
IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why?

IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why?

IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why? What is IPv6? Successor of currently used IP Version 4 Specified 1995 in RFC 2460 Why? Address space in IPv4 too small Routing tables too large

476 views • 19 slides
Inverse Problems Recovering x 0 R N from noisy observations y = x 0 + w R P Inverse

Inverse Problems Recovering x 0 R N from noisy observations y = x 0 + w R P Inverse

Low Complexity Regularization of Inverse Problems Joint work with: Samuel Vaiter Jalal Fadili Gabriel Peyr VISI N www.numerical-tours.com Inverse Problems Recovering x 0 R N from noisy observations y = x 0 + w R P Inverse

574 views • 55 slides
The World is Watching Your Department Who Will Tell Your Story, You or Them? Presented by

The World is Watching Your Department Who Will Tell Your Story, You or Them? Presented by

The World is Watching Your Department Who Will Tell Your Story, You or Them? Presented by Jeff Hammerstein and Mike Legeros on July 17, 2014 South Atlantic Fire Rescue Expo - Raleigh, NC Presentation Description The World is Watching Your

845 views • 69 slides

More recommend