Networking, Security & Privacy, Measurement
On the Origin of Scanning: The Impact of Location on Internet-Wide Scans:

1. We find that individual origins miss an average 1.6–8.4% of HTTP, 1.5–4.6% of HTTPS, and 8.3–18.2% of SSH hosts.
2. Factors like topological distance, peering relationships, and geographic boundaries are poor indicators for the transient inaccessibility that origins experience.
3. SSH scans miss five times as many hosts as HTTP(S) scans. We trace this discrepancy back to several large providers — most prominently Alibaba — that dynamically detect and block SSH scanners, as well as non-deterministic behavior in OpenSSH where servers will probabilistically drop sessions after detecting multiple unauthenticated connections. This protection prevents initial completion of an SSH handshake with most missing hosts, but can be easily detected and avoided with immediate retries.
4. Our results indicate that single-probe Internet-wide scans achieve lower global coverage than originally estimated.

Comparing DNS Resolvers in the Wild (IMC 2010 short paper): http://conferences.sigcomm.org/imc/2010/papers/p15.pdf
#DNS, #measurement, #performanceAnalysis, #DNSresolvers

Based on active measurements from inside more than 50 commercial ISPs, we have studied DNS performance by comparing the ISPs’ DNS deployment against widely used third-party DNS resolvers, namely GoogleDNS and OpenDNS.
Typically, end-hosts experience very small latencies to the resolvers maintained by the local ISP, though there exist cases where GoogleDNS and OpenDNS outperform the local DNS resolvers in terms of the observed response times. Moreover, our findings suggest that several ISPs and OpenDNS rely on a load balancing setup without a shared cache, resulting in poor caching efficiency. Even Google Public DNS, despite their claim (https://developers.google.com/speed/public-dns/docs/performance) exhibits the same behavior for a few vantage points. Moreover, we observe that third-party DNS resolvers do not manage to redirect the users towards content available within the ISP, contrary to the local DNS ones. This observation holds for all akamaized content.

1. Although both GoogleDNS and OpenDNS maintain a large set of strategically placed resolvers and rely on anycast to route DNS queries, their latencies could be far higher than those of the local resolver.
2. We find that the local DNS resolvers generally provide lower latencies due to their proximity to the end-hosts.

Impact of Configuration Errors on DNS Robustness (SIGCOMM 2004, IEEE 2009?)

#DNS, #Misconfigurations, #Resiliency

Passive (campus ISP) and active (sample set of DNS zones randomly selected from the ISC reverse zone files) measurements.

1. Zones with configuration errors suffer from reduced availability and increased query delays up to an order of magnitude. Furthermore, while the original DNS design assumed that redundant DNS servers fail independently, our measurements show that operational choices made at individual zones can severely affect the availability of other zones. We found that, left unchecked, DNS configuration errors are widespread, with lame delegation affecting 15% of the DNS zones, diminished server redundancy being even more prevalent, and cyclic dependency appearing in 2% of the zones.

2. DNS implementation choices can introduce a coupling between the reachability to a zone’s DNS servers and the load at the top level DNS servers.

Partitioning Oracle Attacks https://www.usenix.org/conference/usenixsecurity21/presentation/len

Partitioning oracle attacks enable an attacker to efficiently recover a password from a Shadowsocks server.

HAWatcher: Semantics-Aware Anomaly Detection for Appified Smart Homes https://www.usenix.org/system/files/sec21-fu-chenglong.pdf

#ML #security #AnomalyDetection

Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications https://www.usenix.org/system/files/sec21-wei.pdf
#network #security #censorship #circumvention

Weaponizing Middleboxes for TCP Reflected Amplification usenix.org/system/files/sec21-bock.pdf
#network #security #attacks #censorship #sidechannel

Regret I haven't read it until now. Such a neat paper. It shows how DDoS by TCP amplification could be achieved by utilizing censorship devices (i.e. NIDS/middleboxes) at large. The Internet is like a jungle and it is so interesting to see how characteristics of those devices could be used by (more) malicious actors to conduct DDoS attacks.

How Great is the Great Firewall? Measuring China’s DNS Censorship https://www.usenix.org/system/files/sec21-hoang.pdf
#network #security #censorship

Hopper: Modeling and Detecting Lateral Movement https://www.usenix.org/system/files/sec21-ho.pdf
#ml #security #AnomalyDetection

Hopper: a system for detecting lateral movement based on commonly available enterprise logs.

The Hijackers Guide To The Galaxy: Off-Path Taking Over Internet Resources

Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path

Studied an emerging issue around DNS, the hidden interception of the DNS resolution path (DNSIntercept) by on-path devices.

* By default configuration, users’ recursive nameservers are pointed to the ones operated by ISPs.

* Global-wide & China-wide analysis

Themis: Ambiguity-Aware Network Intrusion Detection based on Symbolic Model Comparison

#security #network