Date: Thursday, 10 November 2022, Session II 1300-1500
Webex link: https://meetings.conf.meetecho.com/ietf115/?group=&short=&item=1
Room: Richmond 4
IRTF Note-well: https://irtf.org/policies/irtf-note-well-2019-11.pdf
In this paper, we study the potentials of passive measurements to gain advanced knowledge about QUIC deployments. By analyzing one month backscatter traffic of the /9 CAIDA network telescope, we are able to make the following observations. First, we can identify different off-net deployments of hypergiants, using packet features such as QUIC source connection IDs (SCID), packet coalescence, and packet lengths. Second, Facebook and Google configure significantly different retransmission timeouts and maximum number of retransmissions. Third, SCIDs allow further insights into load balancer deployments such as number of servers per load balancer. We bolster our results by active measurements.
Link to preprint: https://arxiv.org/abs/2209.00965
Over the last decade, Web traffic has significantly shifted towards HTTPS due to an increased awareness for privacy. However, DNS traffic is still largely unencrypted, which allows user profiles to be derived from plaintext DNS queries. While DNS over TLS (DoT) and DNS over HTTPS (DoH) address this problem by leveraging transport encryption for DNS, both protocols are constrained by the underlying transport (TCP) and encryption (TLS) protocols, requiring multiple round-trips to establish a secure connection. In contrast, QUIC combines the transport and cryptographic hand- shake into a single round-trip, which allows the recently standard- ized DNS over QUIC (DoQ) to provide DNS privacy with minimal latency. In the first study of its kind, we perform distributed DoQ measurements across multiple vantage points to evaluate the im- pact of DoQ on Web performance. We find that DoQ excels over DoH, leading to significant improvements with up to 10% faster loads for simple webpages. With increasing complexity of web- pages, DoQ even catches up to DNS over UDP (DoUDP) as the cost of encryption amortizes: With DoQ being only ∼2% slower than DoUDP, encrypted DNS becomes much more appealing for the Web.
In the proceedings of the 22nd ACM Internet Measurement Conference (IMC), October 2022
https://dl.acm.org/doi/10.1145/3517745.3561445
With new Low Earth Orbit satellite constellations such as Starlink, satellite-based Internet access is becoming an alternative to traditional fixed and wireless technologies with comparable throughputs and latencies. In this paper, we investigate the user- perceived performance of Starlink. Our measurements show that latency remains low and does not vary significantly under idle or lightly loaded links. Compared to another commercial Internet access using a geostationary satellite, Starlink achieves higher TCP throughput and provides faster web browsing. To avoid interference from performance enhancing proxies commonly used in satellite networks, we also use QUIC to assess performance under load and packet loss. Our results indicate that delay and packet loss increase slightly under load for both upload and download.
In the proceedings of the 22nd ACM Internet Measurement Conference (IMC), October 2022
https://dl.acm.org/doi/10.1145/3517745.3561416
While scans of the IPv4 space are ubiquitous, today little is known about scanning activity in the IPv6 Internet. In this work, we present a longitudinal and detailed empirical study on large-scale IPv6 scanning behavior in the Internet, based on firewall logs captured at some 230,000 hosts of a major Content Distribution Network (CDN). We develop methods to identify IPv6 scans, assess current and past levels of IPv6 scanning activity, and study dominant characteristics of scans, including scanner origins, targeted services, and insights on how scanners find target IPv6 addresses. Where possible, we compare our findings to what can be assessed from publicly available traces.
In the proceedings of the 22nd ACM Internet Measurement Conference (IMC), October 2022
https://dl.acm.org/doi/10.1145/3517745.3561452
More than half of the active Internet connections in 2022 are from IoT devices, and that proportion is only going to increase in the coming years. Their security is of key importance – not only for their own working, but also to ensure they aren’t marshaled into botnets that undermine all Internet security. The Global Cyber Alliance (GCA) has been collecting IoT attack data for over 4 years, and recently carried out a study using specific device emulations to compare and contrast the attacks against devices that were in default or hardened configurations. This talk will report on our findings – both at the level of device configuration and software stack. Much of what we see relates to the implementation (hardware and software), but should provide a data-based starting point for discussion of whether or not there are protocol considerations to take into account for ensuring better IoT security in practice going forward.
Is the IETF becoming ossified? Our findings suggest that publishing RFCs is increasingly harder, discussions are more complex and new participants struggle to gain influence.
These findings are part of our ongoing effort to understand and support IETF activities and debates by leveraging the wealth of data accumulated throughout the history of the IETF. We analyse drafts, RFCs and mail-lists to quantifying how the IETF evolves and identify trends, bottlenecks and opportunities to alleviate them. In this talk we will present and discuss these findings, our plans to continue this effort and how can the IETF benefit from it.
AAAI Conference on Web and Social Media (ICWSM), 2022: https://ojs.aaai.org/index.php/ICWSM/article/view/19310 ACM Internet Measurement Conference (IMC), 2021: https://dl.acm.org/doi/abs/10.1145/3487552.3487821
The hostilities in Ukraine have driven unprecedented forces, both from third-party countries and in Russia, to create economic barriers. In the Internet, these manifest both as internal pressures on Russian sites to (re-)patriate the infrastructure they depend on (e.g., naming and hosting) and external pressures arising from Western providers disassociating from some or all Russian customers. While quite a bit has been written about this both from a policy perspective and anecdotally, our paper places the question on an empirical footing and directly measures longitudinal changes in the makeup of naming, hosting and certificate issuance for domains in the Russian Federation.
In the proceedings of the 22nd ACM Internet Measurement Conference (IMC), October 2022
https://dl.acm.org/doi/10.1145/3517745.3561423
The Internet is a critical resource in the day-to-day life of billions of users. To support the growing number of users and their increasing demands, operators have to continuously scale their network footprint -- e.g., by joining Internet Exchange Points -- and adopt relevant technologies -- such as IPv6. IPv6, however, has a vastly larger address space compared to its predecessor, which allows for new kinds of attacks on the Internet routing infrastructure.
In this paper, we present Kirin: a BGP attack that sources millions of IPv6 routes and distributes them via thousands of sessions across various IXPs to overflow the memory of border routers within thousands of remote ASes. Kirin's highly distributed nature allows it to bypass traditional route-flooding defense mechanisms, such as per-session prefix limits or route flap damping. We analyze the theoretical feasibility of the attack by formulating it as a Integer Linear Programming problem, test for practical hurdles by deploying the infrastructure required to perform a small-scale Kirin attack using 4 IXPs, and validate our assumptions via BGP data analysis, real-world measurements, and router testbed experiments. Despite its low deployment cost, we find Kirin capable of injecting lethal amounts of IPv6 routes in the routers of thousands of ASes.
Link to preprint: https://arxiv.org/abs/2210.10676