Continuing our group's efforts to better understand the evolution of the Internet's new core protocol, NSRG presented some exciting results about the state of IPv6 deployment and use last week at the 2014 SIGCOMM conference in Chicago. Our study, which was also summarized in Arbor Networks' blog, examined a decade of data, including ten large-scale datasets that shed light on 12 aspects of IPv6 adoption. The work was a joint effort with collaborators at ICSI, Arbor Networks, and Verisign Labs. We found that the level of adoption varied considerably by region and by the specific metric examined. Most surprisingly, we found that the pace of adoption and the nature of use of the new Internet protocol have made a dramatic leap forward in the last two years, indicating a major boost in adoption of the new protocol. Twenty years after it was standardized, IPv6 finally appears to be real. Slides of this talk can be downloaded here.
At the 13th ACM SIGCOMM Internet Measurement Conference that was held in Barcelona last week, we presented two talks.
Jakub Czyz presented a talk that summarized the full results of a four-month IPv6 background radiation study we conducted, which included covering prefix announcements subsuming a large majority of globally allocated IPv6 networks. This was the study whose preliminary results we presented at RIPE, summarized below. We found large variation between background radiation seen by the five regional Internet registries (RIRs), significant differences between background radiation in IPv6 and IPv4, and no evidence of broad malicious scanning in IPv6. We also found, via the covering prefix methodology, that there is considerable instability in IPv6 routing, and that there are many cases of internal address space appearing in publicly routed packets. Slides of this talk can be downloaded here.
The second talk, given by Zakir Durumeric, detailed our 18-month analysis of the HTTPS certificate ecosystem, which identified more than 600 organizations with the ability to issue certificates for any website and identified CA practices that put the HTTPS ecosystem at risk. At the conference, we called on the community, especially browser vendors, to work together to improve the security of HTTPS. Slides are available here.
At the 66th RIPE meeting of European Network Operators, held in Dublin, Ireland, we presented preliminary results from our IPv6 network telescope experiment. In this work, we announce covering prefixes for the entire address space of four of the five regional Internet registries (RIR), capturing all unrouted Internet background radiation in IPv6 that falls under the unicast address space of these RIRs. This is the largest network telescope experiment conducted in IPv6 and one which we hope will shed light on the deployment, routing, security, and other operational issues of the new protocol.
Threats to the security and availability of the network have contributed to the use of Real-time Blackhole Lists (RBLs) as an attractive method for implementing dynamic filtering and blocking. While RBLs have received considerable study, little is known about the impact of these lists in practice. In this paper, we use nine different RBLs from three different categories to perform the evaluation of RBL tainted traffic at a large regional Internet Service Provider.
Abstract: Over the last 10 years, the Internet has become increasingly intertwined in the economic, political, and social fabric of our societies. Despite its immense social importance, the Internet has proven remarkably susceptible to disruption, corruption, and manipulation, through such diverse threats as worms, botnets, phishing, distributed denial of service attacks, and spam. In this talk I reflect on the evolution of Internet threats from the perspective of my work and the work of our network and security group at the University of Michigan. As a detailed example, I will briefly highlight our work in analyzing malware and our efforts to use this intelligence and other sources of information to detect and mitigate Internet threats.
Andrew White will be presenting his paper entitled "Clear and Present Data: Opaque Traffic and its Security Implications for the Future" at NDSS this Wednesday, February 27th, 2013. The abbreviated abstract from the NDSS 2013 website:
Opaque, i.e., compressed or encrypted, traffic incurs high overhead for DPI engines yet often yields little useful information. Our experiments indicate that 89% of payload-carrying TCP packets are opaque. We provide a first step toward addressing the challenges presented by the abundance of opaque traffic by introducing new techniques for accurate real-time filtering of opaque packets in 16 bytes or less.
We had a great time working with Andy, Sri, Fabian, and Phil on this paper. Check out Andrew's talk if you are in town for the conference!
This month, at the 57th North American Network Operators' Group (NANOG) meeting in Orlando, Florida, we presented some high-level results from our ongoing IPv6 adoption measurement study. Our talk reported on the state of IPv6 adoption as observed from a diverse set of vantage points, constituting what we believe is the largest and most comprehensive snapshot of the new protocol's evolution reported to date. Our findings show that, while overall adoption is still low (e.g. IPv6 traffic is about 0.2% of measured Internet traffic volume), the growth rate across most longitudinal metrics is monotonically increasing. Traffic volume, while more volatile than other measures, has doubled in the last year. What is more, single-day events, such as the 2012 World IPv6 Launch day, can have a marked and sustained impact on measured adoption.
Our paper "Bobtail: Avoiding Long Tails in the Cloud" has been accepted to be published in the Proceedings of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2013).
Last year, at the annual IEEE International Conference on Dependable Systems and Networks (DSN '12), we published a paper on a method we developed for detecting misused credentials. Our approach included detecting a pattern called a "temporal-spatial violation" -- the observation that credential use, such as VPN access, by individuals from a geographical location distant from local use of those same credentials within a short period of time indicates a likely compromise of those credentials. In the news last week, the somewhat humorous story of a developer who outsourced his job to programmers in China, and allowed said programmers to access his company's systems via VPN, highlights the need for detection systems like the one we described. Had the firm in question been using a system with such a detection algorithm, the breach of corporate security and policy could have been detected two years earlier. Of course, insider complicity makes such a "breach" more difficult to guard against when the attacker is determined, but this story reminds us that there are many simple steps and defenses that network operators can take to improve IT security in practice. Analysis of access logs, either manually or by a system such as ours, is a key to securely managing infrastructure and is one of the well-received 20 Critical Security Controls put forward recently by a consortium of government and industry experts under the auspices of the Center for Strategic and Policy Studies.
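The "temporal-spatial violation" pattern described above can be sketched as an implied-travel-speed check over access logs. This is an added example, not the algorithm from the DSN '12 paper: the event layout, the sample events, and the two thresholds (`MAX_KMH`, `MIN_KM`) are assumptions chosen for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed ceiling: roughly airliner cruise speed
MIN_KM = 100.0    # assumed: ignore geolocation jitter within a metro area

# Constructed sample events: (credential, ISO timestamp, source, lat, lon)
SAMPLE_EVENTS = [
    ("alice", "2013-01-14T08:02:00", "badge-office", 42.28, -83.74),
    ("alice", "2013-01-14T09:10:00", "vpn", 41.80, 123.43),
    ("bob", "2013-01-14T08:00:00", "vpn", 42.33, -83.05),
    ("bob", "2013-01-14T08:30:00", "vpn", 42.28, -83.74),
    ("carol", "2013-01-14T07:00:00", "vpn", 41.88, -87.63),
    ("carol", "2013-01-15T09:00:00", "vpn", 51.51, -0.13),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def find_violations(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (credential, earlier_ts, later_ts, km) for impossible pairs."""
    last_seen = {}   # credential -> most recent (time, lat, lon, ts string)
    violations = []
    # ISO 8601 timestamps sort chronologically as strings.
    for cred, ts, _source, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if cred in last_seen:
            prev_when, plat, plon, prev_ts = last_seen[cred]
            km = haversine_km(plat, plon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600.0
            # Same-instant use from two distant places is also a violation.
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                violations.append((cred, prev_ts, ts, round(km)))
        last_seen[cred] = (when, lat, lon, ts)
    return violations

if __name__ == "__main__":
    for v in find_violations(SAMPLE_EVENTS):
        print("temporal-spatial violation:", v)
```

On the constructed events, only `alice` is flagged: local use followed about an hour later by VPN access from another continent. The short local hop (`bob`) and the plausible next-day trip (`carol`) pass.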
Our paper with the University of North Carolina at Chapel Hill entitled "Clear and Present Data: Opaque Traffic and its Security Implications for the Future" has been accepted to be published in the Proceedings of the 20th Annual Network & Distributed System Security Symposium (NDSS 2013).