-
ReACKed QUICer: Measuring the Performance of Instant Acknowledgments in QUIC Handshakes
Authors:
Jonas Mücke,
Marcin Nawrocki,
Raphael Hiesgen,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we present a detailed performance analysis of QUIC instant ACK, a standard-compliant approach to reduce waiting times during the QUIC connection setup in common CDN deployments. To understand the root causes of the performance properties, we combine numerical analysis and the emulation of eight QUIC implementations using the QUIC Interop Runner. Our experiments comprehensively cover…
▽ More
In this paper, we present a detailed performance analysis of QUIC instant ACK, a standard-compliant approach to reduce waiting times during the QUIC connection setup in common CDN deployments. To understand the root causes of the performance properties, we combine numerical analysis and the emulation of eight QUIC implementations using the QUIC Interop Runner. Our experiments comprehensively cover packet loss and non-loss scenarios, different round trip times, and TLS certificate sizes. To clarify instant ACK deployments in the wild, we conduct active measurements of 1M popular domain names. For almost all domain names under control of Cloudflare, Cloudflare uses instant ACK, which in fact improves performance. We also find, however, that instant ACK may lead to unnecessary retransmissions or longer waiting times under some network conditions, raising awareness of drawbacks of instant ACK in the future.
△ Less
Submitted 27 October, 2024;
originally announced October 2024.
-
The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments
Authors:
Raphael Hiesgen,
Marcin Nawrocki,
Marinho Barcellos,
Daniel Kopp,
Oliver Hohlfeld,
Echo Chan,
Roland Dobbins,
Christian Doerr,
Christian Rossow,
Daniel R. Thomas,
Mattijs Jonker,
Ricky Mok,
Xiapu Luo,
John Kristoff,
Thomas C. Schmidt,
Matthias Wählisch,
kc claffy
Abstract:
Motivated by the impressive but diffuse scope of DDoS research and reporting, we undertake a multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks - direct-path attacks and reflection-amplification attacks. We first analyze 24 industry reports to extract trends and (in)consistenc…
▽ More
Motivated by the impressive but diffuse scope of DDoS research and reporting, we undertake a multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks - direct-path attacks and reflection-amplification attacks. We first analyze 24 industry reports to extract trends and (in)consistencies across observations by commercial stakeholders in 2022. We then analyze ten data sets spanning industry and academic sources, across four years (2019-2023), to find and explain discrepancies based on data sources, vantage points, methods, and parameters. Our method includes a new approach: we share an aggregated list of DDoS targets with industry players who return the results of joining this list with their proprietary data sources to reveal gaps in visibility of the academic data sources. We use academic data sources to explore an industry-reported relative drop in spoofed reflection-amplification attacks in 2021-2022. Our study illustrates the value, but also the challenge, in independent validation of security-related properties of Internet infrastructure. Finally, we reflect on opportunities to facilitate greater common understanding of the DDoS landscape. We hope our results inform not only future academic and industry pursuits but also emerging policy efforts to reduce systemic Internet security vulnerabilities.
△ Less
Submitted 21 October, 2024; v1 submitted 15 October, 2024;
originally announced October 2024.
-
SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots
Authors:
Marcin Nawrocki,
John Kristoff,
Raphael Hiesgen,
Chris Kanich,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematical…
▽ More
In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges.
△ Less
Submitted 24 April, 2023; v1 submitted 9 February, 2023;
originally announced February 2023.
-
On the Interplay between TLS Certificates and QUIC Performance
Authors:
Marcin Nawrocki,
Pouyan Fotouhi Tehrani,
Raphael Hiesgen,
Jonas Mücke,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we revisit the performance of the QUIC connection setup and relate the design choices for fast and secure connections to common Web deployments. We analyze over 1M Web domains with 272k QUIC-enabled services and find two worrying results. First, current practices of creating, providing, and fetching Web certificates undermine reduced round trip times during the connection setup sinc…
▽ More
In this paper, we revisit the performance of the QUIC connection setup and relate the design choices for fast and secure connections to common Web deployments. We analyze over 1M Web domains with 272k QUIC-enabled services and find two worrying results. First, current practices of creating, providing, and fetching Web certificates undermine reduced round trip times during the connection setup since sizes of 35% of server certificates exceed the amplification limit. Second, non-standard server implementations lead to larger amplification factors than QUIC permits, which increase even further in IP spoofing scenarios. We present guidance for all involved stakeholders to improve the situation.
△ Less
Submitted 4 November, 2022;
originally announced November 2022.
-
Waiting for QUIC: On the Opportunities of Passive Measurements to Understand QUIC Deployments
Authors:
Jonas Mücke,
Marcin Nawrocki,
Raphael Hiesgen,
Patrick Sattler,
Johannes Zirngibl,
Georg Carle,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we study the potentials of passive measurements to gain advanced knowledge about QUIC deployments. By analyzing one month backscatter traffic of the /9 CAIDA network telescope, we are able to make the following observations. First, we can identify different off-net deployments of hypergiants, using packet features such as QUIC source connection IDs (SCID), packet coalescence, and pa…
▽ More
In this paper, we study the potentials of passive measurements to gain advanced knowledge about QUIC deployments. By analyzing one month backscatter traffic of the /9 CAIDA network telescope, we are able to make the following observations. First, we can identify different off-net deployments of hypergiants, using packet features such as QUIC source connection IDs (SCID), packet coalescence, and packet lengths. Second, Facebook and Google configure significantly different retransmission timeouts and maximum number of retransmissions. Third, SCIDs allow further insights into load balancer deployments such as number of servers per load balancer. We bolster our results by active measurements.
△ Less
Submitted 2 September, 2022;
originally announced September 2022.
-
Securing name resolution in the IoT: DNS over CoAP
Authors:
Martine S. Lenders,
Christian Amsüss,
Cenk Gündogan,
Marcin Nawrocki,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we present the design, implementation, and analysis of DNS over CoAP (DoC), a new proposal for secure and privacy-friendly name resolution of constrained IoT devices. We implement different design choices of DoC in RIOT, an open-source operating system for the IoT, evaluate performance measures in a testbed, compare with DNS over UDP and DNS over DTLS, and validate our protocol desi…
▽ More
In this paper, we present the design, implementation, and analysis of DNS over CoAP (DoC), a new proposal for secure and privacy-friendly name resolution of constrained IoT devices. We implement different design choices of DoC in RIOT, an open-source operating system for the IoT, evaluate performance measures in a testbed, compare with DNS over UDP and DNS over DTLS, and validate our protocol design based on empirical DNS IoT data. Our findings indicate that plain DoC is on par with common DNS solutions for the constrained IoT but significantly outperforms when additional standard features of CoAP are used such as caching. With OSCORE, we can save more than 10 kBytes of code memory compared to DTLS, when a CoAP application is already present, and retain the end-to-end trust chain with intermediate proxies, while leveraging features such as group communication or encrypted en-route caching. We also discuss a compression scheme for very restricted links that reduces data by up to 70%.
△ Less
Submitted 27 July, 2023; v1 submitted 15 July, 2022;
originally announced July 2022.
-
The Race to the Vulnerable: Measuring the Log4j Shell Incident
Authors:
Raphael Hiesgen,
Marcin Nawrocki,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
The critical remote-code-execution (RCE) Log4Shell is a severe vulnerability that was disclosed to the public on December 10, 2021. It exploits a bug in the wide-spread Log4j library. Any service that uses the library and exposes an interface to the Internet is potentially vulnerable.
In this paper, we measure the rush of scanners during the two months after the disclosure. We use several vantag…
▽ More
The critical remote-code-execution (RCE) Log4Shell is a severe vulnerability that was disclosed to the public on December 10, 2021. It exploits a bug in the wide-spread Log4j library. Any service that uses the library and exposes an interface to the Internet is potentially vulnerable.
In this paper, we measure the rush of scanners during the two months after the disclosure. We use several vantage points to observe both researchers and attackers. For this purpose, we collect and analyze payloads sent by benign and malicious communication parties, their origins, and churn. We find that the initial rush of scanners quickly ebbed. Especially non-malicious scanners were only interested in the days after the disclosure. In contrast, malicious scanners continue targeting the vulnerability.
△ Less
Submitted 7 June, 2022; v1 submitted 5 May, 2022;
originally announced May 2022.
-
Spoki: Unveiling a New Wave of Scanners through a Reactive Network Telescope
Authors:
Raphael Hiesgen,
Marcin Nawrocki,
Alistair King,
Alberto Dainotti,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by ho…
▽ More
Large-scale Internet scans are a common method to identify victims of a specific attack. Stateless scanning like in ZMap has been established as an efficient approach to probing at Internet scale. Stateless scans, however, need a second phase to perform the attack, which remains invisible to network telescopes that only capture the first incoming packet and is not observed as a related event by honeypots. In this work, we examine Internet-wide scan traffic through Spoki, a reactive network telescope operating in real-time that we design and implement. Spoki responds to asynchronous TCP SYN packets and engages in TCP handshakes initiated in the second phase of two-phase scans. Because it is extremely lightweight it scales to large prefixes where it has the unique opportunity to record the first data sequence submitted within the TCP handshake ACK. We analyze two-phase scanners during a three months period using globally deployed Spoki reactive telescopes as well as flow data sets from IXPs and ISPs. We find that a predominant fraction of TCP SYNs on the Internet has irregular characteristics. Our findings also provide a clear signature of today's scans as: (i) highly targeted, (ii) scanning activities notably vary between regional vantage points, and (iii) a significant share originates from malicious sources.
△ Less
Submitted 11 October, 2021;
originally announced October 2021.
-
Transparent Forwarders: An Unnoticed Component of the Open DNS Infrastructure
Authors:
Marcin Nawrocki,
Maynard Koch,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we revisit the open DNS (ODNS) infrastructure and, for the first time, systematically measure and analyze transparent forwarders, DNS components that transparently relay between stub resolvers and recursive resolvers. Our key findings include four takeaways. First, transparent forwarders contribute 26% (563k) to the current ODNS infrastructure. Unfortunately, common periodic scannin…
▽ More
In this paper, we revisit the open DNS (ODNS) infrastructure and, for the first time, systematically measure and analyze transparent forwarders, DNS components that transparently relay between stub resolvers and recursive resolvers. Our key findings include four takeaways. First, transparent forwarders contribute 26% (563k) to the current ODNS infrastructure. Unfortunately, common periodic scanning campaigns such as Shadowserver do not capture transparent forwarders and thus underestimate the current threat potential of the ODNS. Second, we find an increased deployment of transparent forwarders in Asia and South America. In India alone, the ODNS consists of 80% transparent forwarders. Third, many transparent forwarders relay to a few selected public resolvers such as Google and Cloudflare, which confirms a consolidation trend of DNS stakeholders. Finally, we introduce DNSRoute++, a new traceroute approach to understand the network infrastructure connecting transparent forwarders and resolvers.
△ Less
Submitted 4 November, 2021; v1 submitted 5 October, 2021;
originally announced October 2021.
-
QUICsand: Quantifying QUIC Reconnaissance Scans and DoS Flooding Events
Authors:
Marcin Nawrocki,
Raphael Hiesgen,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we present first measurements of Internet background radiation originating from the emerging transport protocol QUIC. Our analysis is based on the UCSD network telescope, correlated with active measurements. We find that research projects dominate the QUIC scanning ecosystem but also discover traffic from non-benign sources. We argue that although QUIC has been carefully designed to…
▽ More
In this paper, we present first measurements of Internet background radiation originating from the emerging transport protocol QUIC. Our analysis is based on the UCSD network telescope, correlated with active measurements. We find that research projects dominate the QUIC scanning ecosystem but also discover traffic from non-benign sources. We argue that although QUIC has been carefully designed to restrict reflective amplification attacks, the QUIC handshake is prone to resource exhaustion attacks, similar to TCP SYN floods. We confirm this conjecture by showing how this attack vector is already exploited in multi-vector attacks: On average, the Internet is exposed to four QUIC floods per hour and half of these attacks occur concurrently with other common attack types such as TCP/ICMP floods.
△ Less
Submitted 5 October, 2021; v1 submitted 2 September, 2021;
originally announced September 2021.
-
The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core
Authors:
Marcin Nawrocki,
Mattijs Jonker,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable hon…
▽ More
In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14x). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making.
△ Less
Submitted 6 October, 2021; v1 submitted 2 September, 2021;
originally announced September 2021.
-
Uncovering Vulnerable Industrial Control Systems from the Internet Core
Authors:
Marcin Nawrocki,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.…
▽ More
Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., DRDoS~attacks).
In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view on Internet-wide ICS communication. Our results can be used i) to create precise filters for potentially harmful non-industrial ICS traffic, and ii) to detect ICS sending unprotected inter-domain ICS traffic, being vulnerable to eavesdropping and traffic manipulation attacks.
△ Less
Submitted 23 April, 2020; v1 submitted 14 January, 2019;
originally announced January 2019.
-
A Survey on Honeypot Software and Data Analysis
Authors:
Marcin Nawrocki,
Matthias Wählisch,
Thomas C. Schmidt,
Christian Keil,
Jochen Schönfelder
Abstract:
In this survey, we give an extensive overview on honeypots. This includes not only honeypot software but also methodologies to analyse honeypot data.
In this survey, we give an extensive overview on honeypots. This includes not only honeypot software but also methodologies to analyse honeypot data.
△ Less
Submitted 22 August, 2016;
originally announced August 2016.
