IRTF MAPRG agenda for IETF-109 - online

Date: Monday, November 16, 14:30-15:30 Bangkok time

Meetecho link: https://meetings.conf.meetecho.com/ietf109/?group=maprg&short=&item=1

Overview & Status - Mirja (5 min)

Network Fingerprinting: Routers under Attack - Emeline Marechal (20 mins)

ODoH Measurements - Sudheesh Singanamalla (20 min)

Clouding up the Internet: how centralized is DNS traffic becoming? (IMC2020) - Sebastian Castro (5 min)

Paper: [https://dl.acm.org/doi/pdf/10.1145/3419394.3423625]

Video: [https://dl.acm.org/action/downloadSupplement?doi=10.1145%2F3419394.3423625&file=imc2020-paper80-long_01.mp4]

The Lockdown Effect (IMC paper) - Oliver Gasser (5 min)

Paper: [https://dl.acm.org/doi/pdf/10.1145/3419394.3423658]

Video: [https://dl.acm.org/action/downloadSupplement?doi=10.1145%2F3419394.3423658&file=imc2020-410-long.mp4]

Internet-wide OPC UA security configuration analysis (IMC paper) - Markus Dahlmanns (5 min)

Paper: [https://dl.acm.org/doi/pdf/10.1145/3419394.3423666]

Video: [https://dl.acm.org/action/downloadSupplement?doi=10.1145%2F3419394.3423666&file=imc2020-612-long.mp4]


Abstracts

Network Fingerprinting: Routers under Attack - Emeline Marechal, Donnet Benoît

WTMC (Workshop on Traffic Measurements for Cybersecurity) paper

Nowadays, simple tools such as traceroute can be used by attackers to acquire topology knowledge remotely. Worse still, attackers can use a lightweight fingerprinting technique, based on traceroute and ping, to retrieve the routers brand, and use that knowledge to launch targeted attacks. In our paper, we show that, although Cisco largely dominates the overall market, the same distribution is not reflected when looking on a per autonomous system (AS) basis, with the hardware ecosystem of network operators varying greatly from one to another. These different hardware infrastructures bring different security implications for each AS. Indeed, depending on the AS, not all brands play the same role in terms of network connectivity. An attacker seeking to cause a lot of damage, with the least amount of effort, could find an interest in targeting a specific brand that plays a vital role in network connectivity in a particular AS, if known defects are present in this hardware. In particular, we show that it is enough for an attacker to target an AS and a few devices of a given brand to greatly affect its connectivity. Given the benefit and simplicity for an attacker to use fingerprinting to focus the scope of their attack on carefully selected nodes, we hope this paper will raise awareness among manufacturers and operators to anonymize their hardware.

ODoH Measurements - Sudheesh Singanamalla, Chris Wood, Kurtis Heimerl, Nick Sullivan, Marwan Fayed

DNS is the foundation of a human-usable Internet, responding to client queries for hostnames with corresponding IP addresses and records. Traditional DNS is unencrypted, and leaks user information to network operators. Recent efforts to secure DNS using DNS over TLS (DoT) and DNS over HTTPS (DoH) have been training traction, ostensibly protecting traffic and hiding the content of the traffic from on-lookers. However, one of the criticisms of DoT and DoH is brought to bear by the small number of large scale deployments (e.g., Comcast, Google, Cloudflare etc..,): DNS resolvers can associate query contents with client identities in the form of IP addresses. Oblivious DNS over HTTPS (ODoH) safeguards against this problem and was proposed in an IETF draft. We implement and deploy the protocol, perform measurements to show that ODoH has comparable performance to protocols like DoH and DoT which are gaining widespread adoption while improving client privacy. We perform measurements of page load times, DNS response times and identify various causes impacting the performance of the protocol while laying down a practical roadmap for its adoption.

Clouding up the Internet: how centralized is DNS traffic becoming? - Giovane C. M. Moura

Paper: [https://dl.acm.org/doi/pdf/10.1145/3419394.3423625]

Video: [https://dl.acm.org/action/downloadSupplement?doi=10.1145%2F3419394.3423625&file=imc2020-paper80-long_01.mp4]

Abstract: Concern has been mounting about Internet centralization over the few last years – consolidation of traffic/users/infrastructure into the hands of a few market players. We measure DNS and computing centralization by analyzing DNS traffic collected at a DNS root server and two country-code top-level domains (ccTLDs) – one in Europe and the other in Oceania – and show evidence of concentration. More than 30% of all queries to both ccTLDs are sent from 5 large cloud providers. We compare the clouds’ resolver infrastructure and highlight a discrepancy in behavior: some cloud providers heavily employ IPv6, DNSSEC, and DNS over TCP, while others simply use unsecured DNS over UDP over IPv4. We show one positive side to centralization: once a cloud provider deploys a security feature – such as QNAME minimization – it quickly benefits a large number of users.

The Lockdown Effect - Oliver Gasser

Paper: [https://dl.acm.org/doi/pdf/10.1145/3419394.3423658]

Video: [https://dl.acm.org/action/downloadSupplement?doi=10.1145%2F3419394.3423658&file=imc2020-410-long.mp4]

Due to the COVID-19 pandemic, many governments imposed lockdowns that forced hundred millions to stay at home. As a result of these measures, Internet traffic of residential users increased, in particular, for remote working, entertainment, commerce, and education. In turn, traffic demands in the Internet core shifted as well.

In this presentation, we show findings from our measurement study on Internet traffic shifts due to the COVID-19 pandemic using data from a diverse set of vantage points (one ISP, three IXPs, a metropolitan educational network, and a mobile operator). We observe that the traffic volume increased by 15-20% almost within a week—while overall still modest, this constitutes a large increase within this short time period. However, despite this surge, we observe that the Internet infrastructure is able to handle the new volume, as most traffic shifts occur outside of traditional peak hours. When looking directly at the traffic sources, it turns out that, while hypergiants still contribute a significant fraction of traffic, we see (1) a higher percentage increase in traffic of non-hypergiants, and (2) traffic increases in applications that people use when at home, such as Web conferencing, VPN, and gaming. While many networks see increased traffic demands, in particular, those providing services to residential users, academic networks experience major overall decreases. Yet, in these networks, we can observe substantial increases when considering applications associated to remote working and lecturing. With this presentation we want to highlight findings from our vantage points and engage in discussions with the IRTF measurement community regarding the effects that the pandemic had on different aspects of the Internet.

Internet-wide OPC UA security configuration analysis - Markus Dahlmanns

Paper: [https://dl.acm.org/doi/pdf/10.1145/3419394.3423666]

Video: [https://dl.acm.org/action/downloadSupplement?doi=10.1145%2F3419394.3423666&file=imc2020-612-long.mp4]

Due to increasing digitalization, formerly isolated industrial networks, e.g., for factory and process automation, move closer and closer to the Internet, mandating secure communication. However, securely setting up OPC UA, the prime candidate for secure industrial communication, is challenging due to a large variety of insecure options. To study whether Internet-facing OPC UA appliances are configured securely, we actively scan the IPv4 address space for publicly reachable OPC UA systems and assess the security of their configurations. We observe problematic security configurations such as missing access control (on 44% of hosts), disabled security functionality (24%), or use of deprecated cryptographic primitives (25%) on in total 92% of the reachable deployments. Furthermore, we discover several hundred devices in multiple autonomous systems sharing the same security certificate, opening the door for impersonation attacks. Overall, we highlight commonly found security misconfigurations and underline the importance of appropriate configuration for security-featuring protocols. Although OPC UA is no IETF protocol, our findings might have impact on several aspects related to other protocols, especially in the IoT. In general, we would like to see a shift from secure-by-design to secure-by-default protocols forcing operators to use secure configurations. Furthermore, our findings underpin that security settings must be updated regularly according to up-to-date guidelines that account for security primitives losing their security benefits.