ki3.org.cn (123.57.4.190)

Submitted URL: https://ki3.org.cn/#/networkAnalysisReport?id=9&from=papers
Effective URL: https://ki3.org.cn/
Submission: On August 01 via manual from IN — Scanned from DE

Paper / Presentation

Columns: No., Type, Title, Authors, Date, Source, Tags, Access
1. Report: Measuring SAV deployment with SAV-T
Authors: Ruifeng Li
Date: 2024-07-23
Source: IETF 120
Tags: IP Address, IP Spoofing, KI3 Published

2. Report: Identifying the Presence of Outbound Source Address Validation (OSAV) Remotely
Authors: Shuai Wang
Date: 2024-07-23
Source: IETF 120
Tags: IP Address, IP Spoofing, KI3 Published

3. Paper: Robust or Risky: Measurement and Analysis of Domain Resolution Dependency
Abstract:
DNS relies on domain delegation for good scalability, where domains delegate
their resolution service to authoritative nameservers. However, such delegations
could lead to complex inter-dependencies between DNS zones. While the complex
dependency might improve the robustness of domain resolution, it could also
introduce security risks unexpectedly. In this work, we perform a large-scale
measurement on nearly 217M domains to analyze their resolution dependencies at
both zone level and infrastructure level. According to our analysis, domains
under country-code TLDs and new generic TLDs present a more complex dependency
relationship. For robustness consideration, popular domains prefer to configure
more complex dependencies. However, centralized hosting of nameservers and the
silent outsourcing of DNS providers could lead to the false redundancy at
infrastructure level. Worse, considerable domain configurations in the wild are
"not robust but risky": a complex dependency is also likely to bring
vulnerabilities, e.g., domains with a 2 times higher dependency complexity have
a 2.87 times larger proportion suffering from the hijacking risk via lame
delegation.
Authors: Shuhan Zhang, Shuai Wang, Dan Li
Date: 2024-05-21
Source: INFOCOM
Tags: DNS, Domain Name, KI3 Published

4. Paper: A System to Detect Forged-Origin BGP Hijacks
Abstract:
Despite global efforts to secure Internet routing, attackers still successfully
exploit the lack of strong BGP security mechanisms. This paper focuses on an
attack vector that is frequently used: Forged-origin hijacks, a type of BGP
hijack where the attacker manipulates the AS path to make it immune to RPKI-ROV
filters and appear as legitimate routing updates from a BGP monitoring
standpoint. Our contribution is DFOH, a system that quickly and consistently
detects forged-origin hijacks in the whole Internet. Detecting forged-origin
hijacks boils down to inferring whether the AS path in a BGP route is legitimate
or has been manipulated. We demonstrate that current state-of-the-art approaches to
detect BGP anomalies are insufficient to deal with forged-origin hijacks. We
identify the key properties that make the inference of forged AS paths
challenging, and design DFOH to be robust against real-world factors. Our
inference pipeline includes two key ingredients: (i) a set of strategically
selected features, and (ii) a training scheme adapted to topological biases.
DFOH detects 90.9% of the forged-origin hijacks within only ≈5min. In addition,
it only reports ≈17.5 suspicious cases every day for the whole Internet, a small
number that allows operators to investigate the reported cases and take
countermeasures.
Authors: Thomas Holterbach, Thomas Alfroy, Amreesh Phokeer, et al.
Date: 2024-04-16
Source: NSDI
Tags: Routing, BGP Hijacking

5. Report: More Methods to Measure IP Source Outbound Spoofing on the Internet
Authors: Shuai Wang
Date: 2024-03-19
Source: IETF 119
Tags: IP Address, IP Spoofing, KI3 Published

6. Paper: IRRedicator: Pruning IRR with RPKI-Valid BGP Insights
Abstract:
Border Gateway Protocol (BGP) provides a way of exchanging routing information
to help routers construct their routing tables. However, due to the lack of
security considerations, BGP has been suffering from vulnerabilities such as BGP
hijacking attacks. To mitigate these issues, two data sources have been used,
Internet Routing Registry (IRR) and Resource Public Key Infrastructure (RPKI),
to provide reliable mappings between IP prefixes and their authorized Autonomous
Systems (ASes). Each of the data sources, however, has its own limitations. IRR
has been well-known for its stale Route objects with outdated AS information
since network operators do not have enough incentives to keep them up to date,
and RPKI has been slowly deployed due to its operational complexities. In this
paper, we measure the prevalent inconsistencies between Route objects in IRR and
ROA objects in RPKI. We next characterize inconsistent and consistent Route
objects, respectively, by focusing on their BGP announcement patterns. Based on
this insight, we develop a technique that identifies stale Route objects by
leveraging a machine learning algorithm and evaluate its performance. From real
trace-based experiments, we show that our technique can offer advantages against
the status quo by reducing the percentage of potentially stale Route objects
from 72% to 40% (of the whole IRR Route objects). In this way, we achieve 93% of
the accuracy of validating BGP announcements while covering 87% of BGP
announcements.
Authors: Minhyeok Kang, Weitong Li, Roland van Rijswijk-Deij, et al.
Date: 2024-02-26
Source: NDSS
Tags: Routing, RPKI, BGP Hijacking

7. Paper: Understanding Route Origin Validation (ROV) Deployment in the Real World and Why MANRS Action 1 Is Not Followed
Abstract:
BGP hijacking is one of the most important threats to routing security. To
improve the reliability and availability of inter-domain routing, a lot of work
has been done to defend against BGP hijacking, and Route Origin Validation (ROV)
has become the best current practice. However, although the Mutually Agreed
Norms for Routing Security (MANRS) has been encouraging network operators to at
least validate announcements of their customers, recent research indicates that
a large number of networks still do not fully deploy ROV or propagate
illegitimate announcements of their customers. To understand ROV deployment in
the real world and why network operators are not following the action proposed
by MANRS, we make a long-term measurement for ROV deployment and further find
that many non-compliant networks may deploy ROV only at part of customer
interfaces, or at provider or peer interfaces. Then, we present the first
notification experiment to investigate the impact of notifications on ROV
remediation. However, our analysis indicates that none of the notification
treatments has a significant effect. After that, we conduct a survey among
network operators and find that economic and technical problems are the two
major classes of reasons for non-compliance. Seeking a realistic ROV deployment
strategy, we perform large-scale simulations, and, to our surprise, find that
not following MANRS Action 1 can lead to better defense of prefix hijacking.
Finally, with all our findings, we provide practical recommendations and outline
future directions to help promote ROV deployment.
Authors: Lancheng Qin, Li Chen, Dan Li, et al.
Date: 2024-02-26
Source: NDSS
Tags: Routing, RPKI, KI3 Published

8. Paper: Certificate Transparency Revisited: The Public Inspections on Third-party Monitors
Abstract:
The certificate transparency (CT) framework has been deployed to improve the
accountability of the TLS certificate ecosystem. However, the current
implementation of CT does not enforce or guarantee the correct behavior of
third-party monitors, which are essential components of the CT framework, and
raises security and reliability concerns. For example, recent studies reported
that 5 popular third-party CT monitors cannot always return the complete set of
certificates inquired by users, which fundamentally impairs the protection that
CT aims to offer. This work revisits the CT design and proposes an additional
component of the CT framework, CT watchers. A watcher acts as an inspector of
third-party CT monitors to detect any misbehavior by inspecting the certificate
search services of a third-party monitor and detecting any inconsistent results
returned by multiple monitors. It also semi-automatically analyzes potential
causes of the inconsistency, e.g., a monitor’s misconfiguration, implementation
flaws, etc. We implemented a prototype of the CT watcher and conducted a 52-day
trial operation and several confirmation experiments involving 8.26M unique
certificates of about 6,000 domains. From the results returned by 6 active
third-party monitors in the wild, the prototype detected 14 potential design or
implementation issues of these monitors, demonstrating its effectiveness in
public inspections on third-party monitors and the potential to improve the
overall reliability of CT.
Authors: Aozhuo Sun, Jingqiang Lin, Wei Wang, et al.
Date: 2024-02-26
Source: NDSS
Tags: HTTPS, Web PKI

9. Paper: Deep Dive into NTP Pool Popularity and Mapping
Abstract:
Time synchronization is of paramount importance on the Internet, with the
Network Time Protocol (NTP) serving as the primary synchronization protocol. The
NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates
connections between clients and NTP servers. Our analysis of root DNS queries
reveals that the NTP Pool has consistently been the most popular time service.
We further investigate the DNS component (GeoDNS) of the NTP Pool, which is
responsible for mapping clients to servers. Our findings indicate that the
current algorithm is heavily skewed, leading to the emergence of time monopolies
for entire countries. For instance, clients in the US are served by 551 NTP
servers, while clients in Cameroon and Nigeria are served by only one and two
servers, respectively, out of the 4k+ servers available in the NTP Pool. We
examine the underlying assumption behind GeoDNS for these mappings and discover
that time servers located far away can still provide accurate clock time
information to clients. We have shared our findings with the NTP Pool operators,
who acknowledge them and plan to revise their algorithm to enhance security.
Authors: Giovane C. M. Moura, Marco Davids, Caspar Schutijser, et al.
Date: 2024-02-21
Source: SIGMETRICS
Tags: NTP

10. Paper: Nautilus: A Framework for Cross-Layer Cartography of Submarine Cables and IP Links
Abstract:
Submarine cables constitute the backbone of the Internet. However, these
critical infrastructure components are vulnerable to several natural and
man-made threats, and during failures, are difficult to repair in remote oceans.
In spite of their crucial role, we have a limited understanding of the impact of
submarine cable failures on global connectivity, particularly on the higher
layers of the Internet. In this paper, we present Nautilus, a framework for
cross-layer cartography of submarine cables and IP links. Using a corpus of
public datasets and Internet cartographic techniques, Nautilus identifies IP
links that are likely traversing submarine cables and maps them to one or more
potential cables. Nautilus also gives each IP to cable assignment a prediction
score that reflects the confidence in the mapping. Nautilus generates a mapping
for 3.05 million and 1.43 million IPv4 and IPv6 links, respectively, spanning
91% of all active cables. In the absence of ground truth data, we validate
Nautilus mapping using three techniques: analyzing past cable failures, using
targeted traceroute measurements, and comparing with public network maps of two
operators.
Authors: Alagappan Ramanathan, Sangeetha Abdu Jyothi
Date: 2023-12-12
Source: SIGMETRICS
Tags: Submarine Cable

11. Paper: TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers
Abstract:
In this paper, we present a new DNS amplification attack, named TsuKing. Instead
of exploiting individual DNS resolvers independently to achieve an amplification
effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted
queries together to form potent DoS amplifiers. We demonstrate that with
TsuKing, an initial small amplification factor can increase exponentially through
the internal layers of coordinated amplifiers, resulting in an extremely
powerful amplification attack. TsuKing has three variants, including DNSRetry,
DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS
implementations to achieve an enormous amplification effect. With comprehensive
measurements, we found that about 14.5% of 1.3M open DNS resolvers are
potentially vulnerable to TsuKing. Real-world controlled evaluations indicated
that attackers can achieve a packet amplification factor of at least 3,700X
(DNSChain). We have reported vulnerabilities to affected vendors and provided
them with mitigation recommendations. We have received positive responses from 6
vendors, including Unbound, MikroTik, and AliDNS, and 3 CVEs were assigned. Some
of them are implementing our recommendations.
Authors: Wei Xu, Xiang Li, Chaoyi Lu, et al.
Date: 2023-11-21
Source: CCS
Tags: DNS, DNS Resolver, DNS DDoS

12. Paper: Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers
Abstract:
Authoritative nameservers are delegated to provide the final resource record.
Since the security and robustness of DNS are critical to the general operation
of the Internet, domain name owners are required to deploy multiple candidate
nameservers for traffic load balancing. Once the load balancing mechanism is
compromised, an adversary can manipulate a large number of legitimate DNS
requests to a specified candidate nameserver. As a result, it may not only
bypass the defense mechanisms used to filter malicious traffic that can overload
the victim nameserver, but also lowers the bar for DNS traffic hijacking and
cache poisoning attacks. In this study, we report a class of DNS vulnerabilities
and present a novel attack named Disablance. Our proposed attack allows
adversaries to stealthily sabotage the DNS load balancing for authoritative
nameservers at a low cost. By just performing a handful of crafted requests, an
adversary can manipulate a given DNS resolver to overload a specific
authoritative server for a period of time. Therefore, Disablance can redirect
benign DNS requests for all hosted domains to the specific nameserver and
disrupt the load balancing mechanism. The above attack undermines the
robustness of DNS resolution and increases the security threat of single point
of failure. Our extensive study proves the security threat of Disablance is
realistic and prevalent. First, we demonstrated that mainstream DNS
implementations, including BIND9, PowerDNS and Microsoft DNS, are vulnerable to
Disablance. Second, we developed a measurement framework to measure vulnerable
authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M
SLDs were proven to be potential victims of Disablance. Our measurement results also
show that 37.88% of stable open resolvers and 10 of 14 popular public DNS
services can be exploited to conduct Disablance, including Cloudflare and Quad9.
Furthermore, the critical security threats of Disablance were observed and
acknowledged through in-depth discussion with a world-leading DNS service
provider. We have reported discovered vulnerabilities and provided
recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and
Amazon have taken action to fix this issue according to our suggestions.
Authors: Fenglu Zhang, Baojun Liu, Eihal Alowaisheq, et al.
Date: 2023-11-21
Source: CCS
Tags: DNS, DNS DDoS

13. Report: A Large-scale Measurement of IP Source Spoofing on the Internet
Authors: Shuai Wang
Date: 2023-11-08
Source: IETF 118
Tags: IP Address, IP Spoofing, KI3 Published

14. Paper: IPv6 Hitlists at Scale: Be Careful What You Wish For
Abstract:
Today's network measurements rely heavily on Internet-wide scanning, employing
tools like ZMap that are capable of quickly iterating over the entire IPv4
address space. Unfortunately, IPv6's vast address space poses an existential
threat for Internet-wide scans and traditional network measurement techniques.
To address this reality, efforts are underway to develop "hitlists" of
known-active IPv6 addresses to reduce the search space for would-be scanners. As
a result, there is an inexorable push for constructing as large and complete a
hitlist as possible. This paper asks: what are the potential benefits and harms
when IPv6 hitlists grow larger? To answer this question, we obtain the largest
IPv6 active-address list to date: 7.9 billion addresses, 898 times larger than
the current state-of-the-art hitlist. Although our list is not comprehensive, it
is a significant step forward and provides a glimpse into the type of analyses
possible with more complete hitlists. We compare our dataset to prior IPv6
hitlists and show both benefits and dangers. The benefits include improved
insight into client devices (prior datasets consist primarily of routers),
outage detection, IPv6 roll-out, previously unknown aliased networks, and
address assignment strategies. The dangers, unfortunately, are severe: we expose
widespread instances of addresses that permit user tracking and device
geolocation, and a dearth of firewalls in home networks. We discuss ethics and
security guidelines to ensure a safe path towards more complete hitlists.
Authors: Erik Rye, Dave Levin
Date: 2023-11-01
Source: IMC
Tags: IP Address, Active IP

15. Paper: Pushing Alias Resolution to the Limit
Abstract:
In this paper, we show that utilizing multiple protocols offers a unique
opportunity to improve IP alias resolution and dual-stack inference
substantially. Our key observation is that prevalent protocols, e.g., SSH and
BGP, reply to unsolicited requests with a set of values that can be combined to
form a unique device identifier. More importantly, this is possible by just
completing the TCP handshake. Our empirical study shows that utilizing readily
available scans and our active measurements can double the discovered IPv4 alias
sets and more than 30× the dual-stack sets compared to the state-of-the-art
techniques. We provide insights into our method’s accuracy and performance
compared to popular techniques.
Authors: Taha Albakour, Oliver Gasser, Georgios Smaragdakis
Date: 2023-10-24
Source: IMC
Tags: IP Address, IP Alias

16. Paper: Regional IP Anycast: Deployments, Performance, and Potentials
Abstract:
Recent studies show that an end system's traffic may reach a distant anycast
site within a global IP anycast system, resulting in high latency. To address
this issue, some private and public CDNs have implemented regional IP anycast, a
technique that involves dividing content-hosting sites into geographic regions,
announcing a unique IP anycast prefix for each region, and utilizing DNS and
IP-geolocation to direct clients to CDN sites in their corresponding geographic
regions. In this work, we aim to understand how a regional anycast CDN
partitions its sites and maps its customers' clients to its sites, and how a
regional anycast CDN performs compared to its global anycast counterpart. We
study the deployment strategies and the performance of two CDNs (Edgio and
Imperva) that currently deploy regional IP anycast. We find that both Edgio and
Imperva partition their sites and clients following continent or country
borders. Furthermore, we compare the client latency distribution in Imperva's
regional anycast CDN with its similar-scale DNS global anycast network, while
accounting for and mitigating the relevant deployment differences between the
two networks. We find that regional anycast can effectively alleviate the
pathology in global IP anycast where BGP routes clients' traffic to distant CDN
sites. However, DNS mapping inefficiencies, where DNS returns a sub-optimal
regional IP anycast address that does not cover a client's low-latency CDN
sites, can harm regional anycast's performance. Finally, we show what
performance benefits regional IP anycast can achieve with a latency-based region
partition method using the Tangled testbed. When compared to global anycast,
regional anycast significantly reduces the 90th percentile client latency by
58.7% to 78.6% for clients across different geographic areas.
Authors: Zhou Minyuan, Zhang Xiao, Hao Shuai, et al.
Date: 2023-09-01
Source: SIGCOMM
Tags: IP Address, Anycast

17. Paper: Q-Scanner: A Fast Scanning Tool for Large-Scale SSL/TLS Configurations Measurement
Abstract:
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are used
to encrypt data, protect privacy, and authenticate. However, the security of
SSL/TLS itself depends on its configurations. While some scanning tools are used
to measure SSL/TLS configurations, their performance is far from meeting the
requirement of large-scale measurements. In this paper, we propose a fast
SSL/TLS configuration scanning tool, Q-Scanner, which can generate a lightweight
scanning solution based on the characteristics of the configurations to be
scanned. The experiment shows Q-Scanner achieves a speedup of over 30,000 times
compared to SSL Pulse without loss of accuracy.
Authors: Rui Yan, Shuai Wang, Dan Li
Date: 2023-09-01
Source: SIGCOMM
Tags: HTTPS, TLS, KI3 Published

18. Paper: Impact of International Submarine Cable on Internet Routing
Abstract:
International submarine cables (ISCs) connect various countries/regions
worldwide, and serve as the foundation of Internet routing. However, little
attention has been paid to studying the impact of ISCs on Internet routing. This
study addresses two questions to bridge the gap between ISCs and Internet
routing: (1) For a given ISC, which Autonomous Systems (ASes) are using it, and
(2) How dependent is Internet routing on ISCs. To tackle the first question, we
propose Topology to Topology (or T2T), a framework for the large-scale
measurement of static mapping between ASes and ISCs, and apply T2T to the
Internet to reveal the status, trends, and preferences of ASes using ISCs. We
find that the ISCs used by Tier-1 ASes number more than 30× those used by stub ASes. For the
second question, we design an Internet routing simulator, and evaluate the
behavior change of Internet routing when an ISC fails based on the mapping
between ASes and ISCs. The results show that, benefiting from the complex mesh of
ISCs, the failures of most ISCs have limited impact on Internet routing, while a
few ISCs can have a significant impact. Finally, we analyze severely affected
ASes and recommend how to improve the resilience of the Internet.
Authors: Honglin Ye, Shuai Wang, Dan Li
Date: 2023-08-29
Source: INFOCOM
Tags: Submarine Cable, Routing, KI3 Published

19. Paper: Target Acquired? Evaluating Target Generation Algorithms for IPv6
Abstract:
Internet measurements are a crucial foundation of IPv6-related research. Due to
the infeasibility of full address space scans for IPv6 however, those
measurements rely on collections of reliably responsive, unbiased addresses, as
provided e.g., by the IPv6 Hitlist service. Although used for various use cases,
the hitlist provides an unfiltered list of responsive addresses, the hosts
behind which can come from a range of different networks and devices, such as
web servers, customer-premises equipment (CPE) devices, and Internet
infrastructure. In this paper, we demonstrate the importance of tailoring
hitlists in accordance with the research goal in question. By using PeeringDB we
classify hitlist addresses into six different network categories, uncovering
that 42% of hitlist addresses are in ISP networks. Moreover, we show the
different behavior of those addresses depending on their respective category,
e.g., ISP addresses exhibiting a relatively low lifetime. Furthermore, we
analyze different Target Generation Algorithms (TGAs), which are used to
increase the coverage of IPv6 measurements by generating new responsive targets
for scans. We evaluate their performance under various conditions and find
generated addresses to show vastly differing responsiveness levels for different
TGAs.
Authors: Lion Steger, Liming Kuang, Johannes Zirngibl, et al.
Date: 2023-06-01
Source: TMA
Tags: IP Address, Active IP

20. Paper: A Longitudinal and Comprehensive Measurement of DNS Strict Privacy
Abstract:
The DNS privacy protection mechanisms, DNS over TLS (DoT) and DNS over HTTPS
(DoH), only work correctly if both the server and client support the Strict
Privacy profile and no vulnerability exists in the implemented TLS/HTTPS. A
natural question then arises: what is the landscape of DNS Strict Privacy? To
this end, we provide the first longitudinal and comprehensive measurement of
DoT/DoH deployments in recursive resolvers, authoritative servers, and browsers.
With the collected data, we find the number of DoT/DoH servers increased
substantially during our ten-month-long scan. However, around 60% of DoT and 44%
of DoH recursive resolver certificates are invalid. Worryingly, our measurements
confirm the centralization problem of DoT/DoH. Furthermore, we classify DNS
Strict Privacy servers into four levels according to daily scanning results on
TLS/HTTPS-related security features. Unfortunately, around 25% of DoH Strict
Privacy recursive resolvers fail to meet the minimum level requirements. To help
the Internet community better perceive the landscape of DNS Strict Privacy, we
implement a DoT/DoH server search engine and recommender system. Additionally,
we investigate five popular browsers across four operating systems and find some
inconsistent behavior with their DNS privacy implementations. For example,
Firefox in Windows, Linux, and Android allows DoH communication with the server
without the SAN certificate. At last, we advocate that all participants head
together for a bright DNS Strict Privacy landscape by discussing current
hindrances and controversies in DNS privacy.
Authors: Ruixuan Li, Xiaofeng Jia, Jun Shao
Date: 2023-04-03
Source: ToN
Tags: DNS, Encrypted DNS




Total: 131 entries (page 1 of 7)