-
MAnycast Reloaded: a Tool for an Open, Fast, Responsible and Efficient Daily Anycast Census
Authors:
Remi Hendriks,
Matthew Luckie,
Mattijs Jonker,
Raffaele Sommese,
Roland van Rijswijk-Deij
Abstract:
IP anycast is a widely adopted technique in which an address is replicated at multiple locations, to, e.g., reduce latency and enhance resilience. Due to anycast's crucial role on the modern Internet, earlier research introduced tools to perform anycast censuses. The first, iGreedy, uses latency measurements from geographically dispersed locations to map anycast deployments. The second, MAnycast2, uses anycast to perform a census of other anycast networks. MAnycast2's advantage is speed, performing an Internet-wide census in 3 hours, but it suffers from problems with accuracy and precision. Conversely, iGreedy is highly accurate but much slower. On top of that, iGreedy has a much higher probing cost.
In this paper we address the shortcomings of both systems and present MAnycast Reloaded (MAnycastR). Taking MAnycast2 as a basis, we completely redesign its measurement pipeline, and add support for distributed probing, additional protocols (UDP, TCP and IPv6) and latency measurements similar to iGreedy. We validate MAnycastR on an anycast testbed with 32 globally distributed nodes, compare against an external anycast production deployment and extensive latency measurements with RIPE Atlas, and cross-check over 60% of detected anycast prefixes against operator ground truth. This shows that MAnycastR achieves high accuracy and precision. We make continual daily MAnycastR censuses available to the community and release the source code of the tool under a permissive open source license.
Submitted 26 March, 2025;
originally announced March 2025.
-
Load-Balancing versus Anycast: A First Look at Operational Challenges
Authors:
Remi Hendriks,
Mattijs Jonker,
Roland van Rijswijk-Deij,
Raffaele Sommese
Abstract:
Load Balancing (LB) is a routing strategy that increases performance by distributing traffic over multiple outgoing links. In this work, we introduce a novel methodology to detect the influence of LB on anycast routing, which can be used by operators to detect network regions that experience anycast routing instability. We use our methodology to measure the effects of LB-behavior on anycast routing at a global scale, covering both IPv4 and IPv6. Our results show that LB-induced anycast routing instability is widespread. The results also show our method can detect LB implementations on the global Internet, including detection and classification of Points-of-Presence (PoP) and egress selection techniques deployed by hypergiants, cloud providers, and network operators. We observe LB-induced routing instability directs distinct flows to different anycast sites with significant latency inflation. In cases with two paths between an anycast instance and a load-balanced destination, we observe an average RTT difference of 30 ms with 8% of load-balanced destinations seeing RTT differences of over 100 ms. Being able to detect these cases can help anycast operators significantly improve their service for affected clients.
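The detection idea the abstract describes, as an added example that is not the paper's tooling: an anycast instance probes each destination several times, varying only the flow identifier (here assumed to be the source port), and records at which anycast site each reply arrived and its RTT. A destination whose replies land on more than one site is flagged as load-balanced, and the RTT gap between those sites is the latency inflation affected clients see. The probe records and documentation-prefix addresses below are constructed; the site names and thresholds are assumptions.

```python
"""Flag destinations whose replies reach different anycast sites depending on the flow.

Added illustration, not the paper's tooling. Assumption: an anycast instance probes each
destination several times, varying only the flow identifier (e.g. the source port), and for
each probe we record which anycast site received the reply and the RTT. Replies spread over
more than one site indicate per-flow load balancing on the return path; the RTT gap between
those sites is the latency inflation the affected clients experience.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Probe:
    dst: str         # probed destination address
    flow_id: int     # varied per probe, e.g. source port
    site: str        # anycast site at which the reply arrived
    rtt_ms: float    # round-trip time measured for that probe


# Constructed sample results (documentation prefixes), not measurements from the paper.
SAMPLE = [
    Probe("198.51.100.7", 40001, "ams", 12.0),
    Probe("198.51.100.7", 40002, "ams", 11.5),
    Probe("198.51.100.7", 40003, "sin", 135.0),   # same destination, other site
    Probe("198.51.100.7", 40004, "sin", 132.0),
    Probe("203.0.113.9", 40001, "fra", 9.0),
    Probe("203.0.113.9", 40002, "fra", 9.5),
    Probe("203.0.113.9", 40003, "fra", 8.8),
    Probe("192.0.2.55", 40001, "lhr", 20.0),
    Probe("192.0.2.55", 40002, "cdg", 24.0),
]


def analyse(probes):
    """Per destination: sites that saw replies, and the RTT gap between best and worst site."""
    rtts = defaultdict(lambda: defaultdict(list))
    for p in probes:
        rtts[p.dst][p.site].append(p.rtt_ms)
    results = {}
    for dst, per_site in rtts.items():
        site_rtt = {site: mean(r) for site, r in per_site.items()}
        lb = len(site_rtt) > 1
        gap = max(site_rtt.values()) - min(site_rtt.values()) if lb else 0.0
        results[dst] = {"sites": sorted(site_rtt), "load_balanced": lb,
                        "rtt_diff_ms": round(gap, 1)}
    return results


def summarise(results, threshold_ms=100.0):
    """Mean inter-site RTT gap over load-balanced destinations and the share above a threshold."""
    gaps = [r["rtt_diff_ms"] for r in results.values() if r["load_balanced"]]
    if not gaps:
        return {"lb_destinations": 0, "mean_rtt_diff_ms": 0.0, "share_over_threshold": 0.0}
    return {"lb_destinations": len(gaps),
            "mean_rtt_diff_ms": round(mean(gaps), 1),
            "share_over_threshold": round(sum(g > threshold_ms for g in gaps) / len(gaps), 2)}


if __name__ == "__main__":
    res = analyse(SAMPLE)
    for dst, r in sorted(res.items()):
        print(dst, r)
    print(summarise(res))
```

One caveat for anyone reproducing this: flows landing on different sites can also be caused by a route change between probes, so the flows toward one destination should be sent interleaved within a short window, and the classification repeated over time, before a destination is attributed to load balancing rather than ordinary routing churn.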
Submitted 18 March, 2025;
originally announced March 2025.
-
WetLinks: a Large-Scale Longitudinal Starlink Dataset with Contiguous Weather Data
Authors:
Dominic Laniewski,
Eric Lanfer,
Bernd Meijerink,
Roland van Rijswijk-Deij,
Nils Aschenbruck
Abstract:
Low Earth Orbit (LEO) satellite networks such as Starlink promise Internet access everywhere around the world. In this paper, we present WetLinks - a large and publicly available trace-based dataset of Starlink measurements. The measurements were concurrently collected from two European vantage points over a span of six months. Consisting of approximately 140,000 measurements, the dataset comprises all relevant network parameters such as the upload and download throughputs, the RTT, packet loss, and traceroutes. We further augment the dataset with concurrent data from professional weather stations placed next to both Starlink terminals. Based on our dataset, we analyse Starlink performance, including its susceptibility to weather conditions. We use this to validate our dataset by replicating the results of earlier smaller-scale studies. We release our datasets and all accompanying tooling as open data. To the best of our knowledge, ours is the largest Starlink dataset to date.
Submitted 13 March, 2024; v1 submitted 26 February, 2024;
originally announced February 2024.
-
Your Vulnerability Disclosure Is Important To Us: An Analysis of Coordinated Vulnerability Disclosure Responses Using a Real Security Issue
Authors:
Koen van Hove,
Jeroen van der Ham-de Vos,
Roland van Rijswijk-Deij
Abstract:
It is an open secret that doing email securely is fraught with challenges. We found a vulnerability present at many email providers, allowing us to spoof email on behalf of many organisations. As email vulnerabilities are ten a penny, instead of focusing on yet another email vulnerability we ask a different question: how do organisations react to the disclosure of such a security issue in the wild? We specifically focus on organisations from the public and critical infrastructure sector who are required to respond to such notifications by law. We find that many organisations are difficult to reach when it concerns security issues, even if they have a security contact point. Additionally, our findings show that having a policy in place improves the response and resolution rate, but that even with a policy in place, half of our reports remain unanswered and unsolved after 90 days. Based on these findings we provide recommendations to organisations and bodies such as ENISA to improve future coordinated vulnerability disclosure processes.
Submitted 12 December, 2023;
originally announced December 2023.
-
This Is a Local Domain: On Amassing Country-Code Top-Level Domains from Public Data
Authors:
Raffaele Sommese,
Roland van Rijswijk-Deij,
Mattijs Jonker
Abstract:
Domain lists are a key ingredient for representative censuses of the Web. Unfortunately, such censuses typically lack a view on domains under country-code top-level domains (ccTLDs). This introduces unwanted bias: many countries have a rich local Web that remains hidden if their ccTLDs are not considered. The reason ccTLDs are rarely considered is that gaining access -- if possible at all -- is often laborious. To tackle this, we ask: what can we learn about ccTLDs from public sources? We extract domain names under ccTLDs from 6 years of public data from Certificate Transparency logs and Common Crawl. We compare this against ground truth for 19 ccTLDs for which we have the full DNS zone. We find that public data covers 43%-80% of these ccTLDs, and that coverage grows over time. By also comparing port scan data we then show that these public sources reveal a significant part of the Web presence under a ccTLD. We conclude that in the absence of full access to ccTLDs, domain names learned from public sources can be a good proxy when performing Web censuses.
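The extraction-and-comparison step described above, as an added example rather than the paper's own tooling: take the Subject Alternative Names seen in Certificate Transparency log entries (the same normalisation applies to hostnames pulled from Common Crawl URLs), reduce each to its registrable domain under a chosen ccTLD, and measure what share of the ccTLD's zone file those names cover. The SAN list and zone file below are constructed, and the small table of second-level suffixes is an assumed stand-in for the full Public Suffix List.

```python
"""Harvest ccTLD domain names from certificate SAN lists and measure coverage against a zone.

Added illustration, not the paper's tooling. Assumptions: the input is the list of Subject
Alternative Names seen in Certificate Transparency log entries; a small hand-written table of
second-level public suffixes stands in for the full Public Suffix List; the ground truth is
the set of registered names from the ccTLD's zone file.
"""
import re

# Stand-in for the Public Suffix List (assumption); real tooling must load the full list.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.br", "co.nz"}
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalise(name):
    """Lower-case, drop trailing dot and leading wildcard, reject syntactically invalid names."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return name


def registrable_domain(name, cctld):
    """Registrable domain of `name` under `cctld`, or None if the name is not under that
    ccTLD or is itself a public suffix such as co.uk."""
    name = normalise(name)
    if name is None or not name.endswith("." + cctld):
        return None
    labels = name.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def extract(san_names, cctld):
    """Set of registrable domains under `cctld` seen in the SAN names."""
    return {d for d in (registrable_domain(n, cctld) for n in san_names) if d}


def coverage(public_domains, zone_domains):
    """Share of zone registrations also seen in public data, plus what each side misses."""
    zone = set(zone_domains)
    hit = public_domains & zone
    return {"coverage": round(len(hit) / len(zone), 3) if zone else 0.0,
            "missing_from_public": sorted(zone - public_domains),
            "public_only": sorted(public_domains - zone)}


# Constructed sample input (not data from the paper).
CT_SANS = [
    "www.example.co.uk", "*.shop.example.co.uk", "mail.example.co.uk",
    "Example.org.uk.", "cdn.library.ac.uk", "co.uk", "www.example.com",
    "wiki.alpha.uk", "bad_label.example.uk",
]
UK_ZONE = ["example.co.uk", "example.org.uk", "library.ac.uk", "alpha.uk", "quiet.co.uk"]

if __name__ == "__main__":
    found = extract(CT_SANS, "uk")
    print(sorted(found))
    print(coverage(found, UK_ZONE))
```

Two details matter in practice: wildcard names (`*.shop.example.co.uk`) still reveal the registration and must not be discarded, and a name that is itself a public suffix (`co.uk`) must not be counted as a registration, which is why the suffix table is consulted before cutting the name.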
Submitted 4 September, 2023;
originally announced September 2023.
-
No Time for Downtime: Understanding Post-Attack Behaviors by Customers of Managed DNS Providers
Authors:
Muhammad Yasir Muzayan Haq,
Mattijs Jonker,
Roland van Rijswijk-Deij,
KC Claffy,
Lambert J. M. Nieuwenhuis,
Abhishta Abhishta
Abstract:
We leverage large-scale DNS measurement data on authoritative name servers to study the reactions of domain owners affected by the 2016 DDoS attack on Dyn. We use industry sources of information about domain names to study the influence of factors such as industry sector and website popularity on the willingness of domain managers to invest in high availability of online services. Specifically, we correlate business characteristics of domain owners with their resilience strategies in the wake of DoS attacks affecting their domains. Our analysis revealed correlations between two properties of domains -- industry sector and popularity -- and post-attack strategies. Specifically, owners of more popular domains were more likely to react to increase the diversity of their authoritative DNS service for their domains. Similarly, domains in certain industry sectors were more likely to seek out such diversity in their DNS service. For example, domains categorized as General News were nearly 6 times more likely to react than domains categorized as Internet Services. Our results can inform managed DNS and other network service providers regarding the potential impact of downtime on their customer portfolio.
Submitted 25 May, 2022;
originally announced May 2022.
-
Rpkiller: Threat Analysis from an RPKI Relying Party Perspective
Authors:
Koen van Hove,
Jeroen van der Ham,
Roland van Rijswijk-Deij
Abstract:
The Resource Public Key Infrastructure (RPKI) aims to secure internet routing by creating an infrastructure where resource holders can make attestations about their resources. RPKI Certificate Authorities issue these attestations and publish them at Publication Points. Relying Party software retrieves and processes the RPKI-related data from all publication points, validates the data and makes it available to routers so they can make secure routing decisions. In this work, we create a threat model for Relying Party software, where an attacker controls a Certificate Authority and Publication Point. We implement a prototype testbed to analyse how current Relying Party software implementations react to scenarios originating from that threat model. Our results show that all current Relying Party software was susceptible to at least one of the identified threats. In addition to this, we also identified threats stemming from choices made in the protocol itself. Taken together, these threats potentially allow an attacker to fully disrupt all RPKI Relying Party software on a global scale. We performed a Coordinated Vulnerability Disclosure to the implementers and have made our testbed software available for future studies.
Submitted 2 March, 2022;
originally announced March 2022.
-
Saving Brian's Privacy: the Perils of Privacy Exposure through Reverse DNS
Authors:
Olivier van der Toorn,
Raffaele Sommese,
Anna Sperotto,
Roland van Rijswijk-Deij,
Mattijs Jonker
Abstract:
Given the importance of privacy, many Internet protocols are nowadays designed with privacy in mind (e.g., using TLS for confidentiality). Foreseeing all privacy issues at the time of protocol design is, however, challenging and may become near impossible when interaction out of protocol bounds occurs. One demonstrably not well understood interaction occurs when DHCP exchanges are accompanied by automated changes to the global DNS (e.g., to dynamically add hostnames for allocated IP addresses). As we will substantiate, this is a privacy risk: one may be able to infer device presence and network dynamics from virtually anywhere on the Internet -- and even identify and track individuals -- even if other mechanisms to limit tracking by outsiders (e.g., blocking pings) are in place.
We present a first of its kind study into this risk. We identify networks that expose client identifiers in reverse DNS records and study the relation between the presence of clients and said records. Our results show a strong link: in 9 out of 10 cases, records linger for at most an hour, for a selection of academic, enterprise and ISP networks alike. We also demonstrate how client patterns and network dynamics can be learned, by tracking devices owned by persons named Brian over time, revealing shifts in work patterns caused by COVID-19 related work-from-home measures, and by determining a good time to stage a heist.
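The two measurements the abstract combines, as an added example that is not the paper's code: spotting PTR names that embed a client identifier, and measuring how long such a record outlives the client it was created for. It assumes that each address in a network is observed at a fixed interval, recording whether the host still answered a probe and which PTR name (if any) its address resolved to at that moment; the identifier heuristic (names shaped like `<name>s-<device>` or `<device>-<name>`) is ours and would need tuning per network. The observation rows are constructed.

```python
"""Spot client identifiers in reverse DNS and measure how long such records outlive the client.

Added illustration, not the paper's code. Assumptions: each IP in a network is observed at a
fixed interval, recording whether the host answered a probe and which PTR name (if any) its
address resolved to; the identifier heuristic (names shaped like '<name>s-<device>' or
'<device>-<name>') is ours and would need tuning per network.
"""
import re
from collections import defaultdict
from datetime import datetime

IDENT_RE = re.compile(
    r"^(?:(?P<owner>[a-z]+)s-(?:iphone|ipad|macbook|laptop|pc|android)"
    r"|(?:laptop|pc|desktop|phone)-(?P<owner2>[a-z]+))\.", re.IGNORECASE)


def client_identifier(ptr):
    """Personal identifier embedded in a PTR name, or None if the name looks generic."""
    if not ptr:
        return None
    m = IDENT_RE.match(ptr)
    if not m:
        return None
    return (m.group("owner") or m.group("owner2")).lower()


def linger_times(observations):
    """Per IP: seconds from the last reachable observation to the first observation without a
    PTR record. None means the record had not disappeared by the end of the window."""
    by_ip = defaultdict(list)
    for ts, ip, reachable, ptr in observations:
        by_ip[ip].append((datetime.fromisoformat(ts), reachable, ptr))
    linger = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        last_up = max((t for t, up, _ in rows if up), default=None)
        if last_up is None:
            continue  # never saw the client online; nothing to align against
        gone = next((t for t, _, ptr in rows if t > last_up and ptr is None), None)
        linger[ip] = None if gone is None else int((gone - last_up).total_seconds())
    return linger


def share_within(linger, limit_s=3600):
    """Share of records (among those seen disappearing) that vanished within `limit_s`."""
    done = [v for v in linger.values() if v is not None]
    return round(sum(v <= limit_s for v in done) / len(done), 2) if done else 0.0


# Constructed observations (not data from the paper): timestamp, IP, host answered probe, PTR.
OBS = [
    ("2021-03-01T08:00", "192.0.2.10", True,  "brians-iphone.staff.example.net"),
    ("2021-03-01T08:30", "192.0.2.10", True,  "brians-iphone.staff.example.net"),
    ("2021-03-01T09:00", "192.0.2.10", False, "brians-iphone.staff.example.net"),
    ("2021-03-01T09:30", "192.0.2.10", False, None),
    ("2021-03-01T08:00", "192.0.2.11", True,  "laptop-alice.staff.example.net"),
    ("2021-03-01T08:30", "192.0.2.11", False, "laptop-alice.staff.example.net"),
    ("2021-03-01T10:30", "192.0.2.11", False, "laptop-alice.staff.example.net"),
    ("2021-03-01T11:00", "192.0.2.11", False, None),
    ("2021-03-01T08:00", "192.0.2.12", True,  "dhcp-192-0-2-12.example.net"),
    ("2021-03-01T08:30", "192.0.2.12", False, "dhcp-192-0-2-12.example.net"),
]

if __name__ == "__main__":
    exposed = {ptr: client_identifier(ptr) for _, _, _, ptr in OBS if ptr}
    print({p: i for p, i in exposed.items() if i})
    linger = linger_times(OBS)
    print(linger, share_within(linger))
```

Note that a record still present at the end of the observation window is reported as None rather than as a long linger time; treating such right-censored cases as "gone at the last observation" would understate how long identifiers stay visible.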
Submitted 20 September, 2022; v1 submitted 2 February, 2022;
originally announced February 2022.
-
Improving Proximity Classification for Contact Tracing using a Multi-channel Approach
Authors:
Eric Lanfer,
Thomas Hänel,
Roland van Rijswijk-Deij,
Nils Aschenbruck
Abstract:
Due to the COVID-19 pandemic, smartphone-based proximity tracing systems became of utmost interest. Many of these systems use BLE signals to estimate the distance between two persons. The quality of this method depends on many factors and, therefore, does not always deliver accurate results. In this paper, we present a multi-channel approach to improve proximity classification, and a novel, publicly available data set that contains matched IEEE 802.11 (2.4 GHz and 5 GHz) and BLE signal strength data, measured in four different environments. We have developed and evaluated a combined classification model based on BLE and IEEE 802.11 signals. Our approach significantly improves the distance classification and consequently also the contact tracing accuracy. We are able to achieve good results with our approach in everyday public transport scenarios. However, in our implementation based on IEEE 802.11 probe requests, we also encountered privacy problems and limitations due to the consistency and interval at which such probes are sent. We discuss these limitations and sketch how our approach could be improved to make it suitable for real-world deployment.
Submitted 20 April, 2022; v1 submitted 25 January, 2022;
originally announced January 2022.
-
Tangled: A Cooperative Anycast Testbed
Authors:
Leandro M. Bertholdo,
Joao M. Ceron,
Wouter B. de Vries,
Ricardo de O. Schmitt,
Lisandro Zambenedetti Granville,
Roland van Rijswijk-Deij,
Aiko Pras
Abstract:
Anycast routing is an area of study that has attracted the interest of many researchers in recent years. Most anycast studies conducted in the past relied on coarse measurement data, mainly due to the lack of infrastructure where it is possible to test and collect data at the same time. In this paper we present Tangled, an anycast test environment where researchers can run experiments and better understand the impacts of their proposals on a global infrastructure connected to the Internet.
Submitted 28 August, 2020;
originally announced August 2020.