{"data":[{"paperType":2,"author":[{"name":"Ruifeng Li","tag":"1"}],"origin":{"url":"https://youtu.be/jncMVIjPbpM?si=nMuWmWaERPVnoq3i&t=7431","info":"IETF 120"},"publishDate":"2024-07-23","uri":"2024_measuring_sav_deployment_with_sav_t","tags":["IP Address","IP Spoofing","KI3 Published"],"titleEn":"Measuring SAV deployment with SAV-T","affiliation":[{"name":"Zhongguancun Laboratory","tag":1}],"titleCn":"Measuring SAV deployment with SAV-T","cite":{"template":[{"template":"Ruifeng L. Measuring SAV Deployment with SAV-T[DB/OL]. [2024-07-23]. https://ki3.org.cn/public/publications/2024_measuring_sav_deployment_with_sav_t.","type":"GB/T 7714"},{"template":"Ruifeng Li. \"Measuring SAV Deployment with SAV-T.\" IETF. 2024. ki3.org.cn/public/publications/2024_measuring_sav_deployment_with_sav_t, PDF download.","type":"MLA"},{"template":"Li, R. (2024, July 23). Measuring SAV Deployment with SAV-T. IETF. https://ki3.org.cn/public/publications/2024_measuring_sav_deployment_with_sav_t.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":530,"keyword":[""],"fileType":3},{"paperType":2,"author":[{"name":"Shuai Wang","tag":"1"}],"origin":{"url":"https://youtu.be/jncMVIjPbpM?t=2240","info":"IETF 120"},"publishDate":"2024-07-23","uri":"2024_identifying_the_presence_of_outbound_source_address_validation_osav_remotely","tags":["IP Address","IP Spoofing","KI3 Published"],"titleEn":"Identifying the Presence of Outbound Source Address Validation (OSAV) Remotely","affiliation":[{"name":"Zhongguancun Laboratory","tag":1}],"titleCn":"Identifying the Presence of Outbound Source Address Validation (OSAV) Remotely","cite":{"template":[{"template":"Shuai W. Identifying the Presence of OSAV Remotely[DB/OL]. [2024-07-23]. https://ki3.org.cn/public/publications/2024_identifying_the_presence_of_outbound_source_address_validation_osav_remotely.slides.pdf.","type":"GB/T 7714"},{"template":"Shuai Wang. \"Identifying the Presence of OSAV Remotely.\" IETF. 2024. 
ki3.org.cn/public/publications/2024_identifying_the_presence_of_outbound_source_address_validation_osav_remotely.slides.pdf, PDF download.","type":"MLA"},{"template":"Wang, S. (2024, July 23). Identifying the Presence of OSAV Remotely. IETF. https://ki3.org.cn/public/publications/2024_identifying_the_presence_of_outbound_source_address_validation_osav_remotely.slides.pdf.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":529,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"DNS relies on domain delegation for good scalability, where domains delegate their resolution service to authoritative nameservers. However, such delegations could lead to complex inter-dependencies between DNS zones. While the complex dependency might improve the robustness of domain resolution, it could also introduce security risks unexpectedly. In this work, we perform a large-scale measurement on nearly 217M domains to analyze their resolution dependencies at both zone level and infrastructure level. According to our analysis, domains under country-code TLDs and new generic TLDs present a more complex dependency relationship. For robustness consideration, popular domains prefer to configure more complex dependencies. However, centralized hosting of nameservers and the silent outsourcing of DNS providers could lead to the false redundancy at infrastructure level. 
Worse, considerable domain configurations in the wild are \"not robust but risky\": a complex dependency is also likely to bring vulnerabilities, e.g., domains with a 2 times higher dependency complexity have a 2.87 times larger proportion suffering from the hijacking risk via lame delegation.","author":[{"name":"Shuhan Zhang","tag":"1"},{"name":"Shuai Wang","tag":"2"},{"name":"Dan Li","tag":"1,2"}],"origin":{"url":"https://www.infocom.info/day/1","info":"INFOCOM"},"publishDate":"2024-05-21","uri":"2024_robust_or_risky_measurement_and_analysis_of_domain_resolution_dependency","tags":["DNS","Domain Name","KI3 Published"],"titleEn":"Robust or Risky: Measurement and Analysis of Domain Resolution Dependency","affiliation":[{"name":"Tsinghua University","tag":1},{"name":"Zhongguancun Laboratory","tag":2}],"titleCn":"Robust or Risky: Measurement and Analysis of Domain Resolution Dependency","cite":{"template":[{"template":"Zhang S, Wang S, Li D. Robust or Risky: Measurement and Analysis of Domain Resolution Dependency[J].","type":"GB/T 7714"},{"template":"Zhang, Shuhan, Shuai Wang, and Dan Li. \"Robust or Risky: Measurement and Analysis of Domain Resolution Dependency.\"","type":"MLA"},{"template":"Zhang, S., Wang, S., & Li, D. Robust or Risky: Measurement and Analysis of Domain Resolution Dependency.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":472,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"Despite global efforts to secure Internet routing, attackers still successfully exploit the lack of strong BGP security mechanisms. This paper focuses on an attack vector that is frequently used: Forged-origin hijacks, a type of BGP hijack where the attacker manipulates the AS path to make it immune to RPKI-ROV filters and appear as legitimate routing updates from a BGP monitoring standpoint. Our contribution is DFOH, a system that quickly and consistently detects forged-origin hijacks in the whole Internet. 
Detecting forged-origin hijacks boils down to inferring whether the AS path in a BGP route is legitimate or has been manipulated. We demonstrate that current state-of-art approaches to detect BGP anomalies are insufficient to deal with forged-origin hijacks. We identify the key properties that make the inference of forged AS paths challenging, and design DFOH to be robust against real-world factors. Our inference pipeline includes two key ingredients: (i) a set of strategically selected features, and (ii) a training scheme adapted to topological biases. DFOH detects 90.9% of the forged-origin hijacks within only ≈5min. In addition, it only reports ≈17.5 suspicious cases every day for the whole Internet, a small number that allows operators to investigate the reported cases and take countermeasures.","author":[{"name":"Thomas Holterbach","tag":"3"},{"name":"Thomas Alfroy","tag":"3"},{"name":"Amreesh Phokeer","tag":"4"},{"name":"Alberto Dainotti","tag":"1"},{"name":" Cristel Pelsser","tag":"2"}],"origin":{"url":"https://www.usenix.org/conference/nsdi24/presentation/holterbach","info":"NSDI"},"publishDate":"2024-04-16","uri":"2024_a_system_to_detect_forged_origin_bgp_hijacks","tags":["Routing","BGP Hijacking"],"titleEn":"A System to Detect Forged-Origin BGP Hijacks","affiliation":[{"name":"Georgia Tech","tag":1},{"name":"UCLouvain","tag":2},{"name":"University of Strasbourg","tag":3},{"name":"Internet Society","tag":4}],"titleCn":"A System to Detect Forged-Origin BGP Hijacks","cite":{"template":[{"template":"Holterbach T, Alfroy T, Phokeer A, et al. A System to Detect {Forged-Origin}{BGP} Hijacks[C]//21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24). 2024: 1751-1770.","type":"GB/T 7714"},{"template":"Holterbach, Thomas, et al. \"A System to Detect {Forged-Origin}{BGP} Hijacks.\" 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24). 
2024.","type":"MLA"},{"template":"Holterbach, T., Alfroy, T., Phokeer, A., Dainotti, A., & Pelsser, C. (2024). A System to Detect {Forged-Origin}{BGP} Hijacks. In 21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24) (pp. 1751-1770).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":469,"keyword":[""],"fileType":4},{"paperType":2,"author":[{"name":"Shuai Wang","tag":"1"}],"origin":{"url":"https://datatracker.ietf.org/meeting/119/materials/agenda-119-savnet-03","info":"IETF 119"},"publishDate":"2024-03-19","uri":"2024_more_methods_to_measure_ip_source_outbound_spoofing_on_the_internet","tags":["IP Address","IP Spoofing","KI3 Published"],"titleEn":"More Methods to Measure IP Source Outbound Spoofing on the Internet","affiliation":[{"name":"Zhongguancun Laboratory","tag":1}],"titleCn":"More Methods to Measure IP Source Outbound Spoofing on the Internet","cite":{"template":[{"template":"Shuai W. More Methods to Measure IP Source Outbound Spoofing on the Internet[DB/OL]. [2024-03-19]. https://ki3.org.cn/public/publications/2024_more_methods_to_measure_ip_source_outbound_spoofing_on_the_internet.slides.pdf.","type":"GB/T 7714"},{"template":"Shuai Wang. \"More Methods to Measure IP Source Outbound Spoofing on the Internet.\" IETF. 2024. ki3.org.cn/public/publications/2024_more_methods_to_measure_ip_source_outbound_spoofing_on_the_internet.slides.pdf, PDF download.","type":"MLA"},{"template":"Wang, S. (2024, March 19). More Methods to Measure IP Source Outbound Spoofing on the Internet. IETF. https://ki3.org.cn/public/publications/2024_more_methods_to_measure_ip_source_outbound_spoofing_on_the_internet.slides.pdf.","type":"APA"}],"export":[""]},"id":523,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"Border Gateway Protocol (BGP) provides a way of exchanging routing information to help routers construct their routing tables. 
However, due to the lack of security considerations, BGP has been suffering from vulnerabilities such as BGP hijacking attacks. To mitigate these issues, two data sources have been used, Internet Routing Registry (IRR) and Resource Public Key Infrastructure (RPKI), to provide reliable mappings between IP prefixes and their authorized Autonomous Systems (ASes). Each of the data sources, however, has its own limitations. IRR has been well-known for its stale Route objects with outdated AS information since network operators do not have enough incentives to keep them up to date, and RPKI has been slowly deployed due to its operational complexities. In this paper, we measure the prevalent inconsistencies between Route objects in IRR and ROA objects in RPKI. We next characterize inconsistent and consistent Route objects, respectively, by focusing on their BGP announcement patterns. Based on this insight, we develop a technique that identifies stale Route objects by leveraging a machine learning algorithm and evaluate its performance. From real trace-based experiments, we show that our technique can offer advantages against the status quo by reducing the percentage of potentially stale Route objects from 72% to 40% (of the whole IRR Route objects). 
In this way, we achieve 93% of the accuracy of validating BGP announcements while covering 87% of BGP announcements.","author":[{"name":"Minhyeok Kang","tag":"1"},{"name":"Weitong Li","tag":"2"},{"name":"Roland van Rijswijk-Deij","tag":"3"},{"name":"Ted \"Taekyoung\" Kwon","tag":"1"},{"name":"Taejoong Chung","tag":"2"}],"origin":{"url":"https://www.ndss-symposium.org/ndss-paper/irredicator-pruning-irr-with-rpki-valid-bgp-insights/","info":"NDSS"},"publishDate":"2024-02-26","uri":"2024_irredicator_pruning_irr_with_rpki_valid_bgp_insights","tags":["Routing","RPKI","BGP Hijacking"],"titleEn":"IRRedicator: Pruning IRR with RPKI-Valid BGP Insights","affiliation":[{"name":"Seoul National University","tag":1},{"name":"Virginia Tech","tag":2},{"name":"University of Twente","tag":3}],"titleCn":"IRRedicator: Pruning IRR with RPKI-Valid BGP Insights","cite":{"template":[{"template":"KANG M, LI W, VAN RIJSWIJK-DEIJ R, etal. IRRedicator: Pruning IRR with RPKI-Valid BGP Insights[C/OL]//Proceedings 2024 Network and Distributed System Security Symposium. San Diego, CA, USA: Internet Society, 2024[2024-07-04]. https://www.ndss-symposium.org/wp-content/uploads/2024-524-paper.pdf. DOI:10.14722/ndss.2024.24524.","type":"GB/T 7714"},{"template":"Kang, Minhyeok, et al. \"IRRedicator: Pruning IRR with RPKI-Valid BGP Insights.\" Proceedings 2024 Network and Distributed System Security Symposium, Internet Society, 2024. DOI.org (Crossref), https://doi.org/10.14722/ndss.2024.24524.","type":"MLA"},{"template":"Kang, M., Li, W., Van Rijswijk-Deij, R., Kwon, T. \"Taekyoung,\" & Chung, T. (2024). IRRedicator: Pruning IRR with RPKI-Valid BGP Insights. Proceedings 2024 Network and Distributed System Security Symposium. Network and Distributed System Security Symposium, San Diego, CA, USA. 
https://doi.org/10.14722/ndss.2024.24524","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":528,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"BGP hijacking is one of the most important threats to routing security. To improve the reliability and availability of inter-domain routing, a lot of work has been done to defend against BGP hijacking, and Route Origin Validation (ROV) has become the best current practice. However, although the Mutually Agreed Norms for Routing Security (MANRS) has been encouraging network operators to at least validate announcements of their customers, recent research indicates that a large number of networks still do not fully deploy ROV or propagate illegitimate announcements of their customers. To understand ROV deployment in the real world and why network operators are not following the action proposed by MANRS, we make a long-term measurement for ROV deployment and further find that many non-compliant networks may deploy ROV only at part of customer interfaces, or at provider or peer interfaces. Then, we present the first notification experiment to investigate the impact of notifications on ROV remediation. However, our analysis indicates that none of the notification treatments has a significant effect. After that, we conduct a survey among network operators and find that economical and technical problems are the two major classes of reasons for non-compliance. Seeking a realistic ROV deployment strategy, we perform large-scale simulations, and, to our surprise, find that not following MANRS Action 1 can lead to better defense of prefix hijacking. 
Finally, with all our findings, we provide practical recommendations and outline future directions to help promote ROV deployment.","author":[{"name":"Lancheng Qin","tag":"2"},{"name":" Li Chen","tag":"3"},{"name":" Dan Li","tag":"2,3"},{"name":" Honglin Ye","tag":"2"},{"name":" Yutian Wang","tag":"2"}],"origin":{"url":"https://www.ndss-symposium.org/ndss-paper/understanding-route-origin-validation-rov-deployment-in-the-real-world-and-why-manrs-action-1-is-not-followed","info":"NDSS"},"publishDate":"2024-02-26","uri":"2024_understanding_route_origin_validation_rov_deployment_in_the_real_world_and_why_manrs_action_1_is_not_followed","tags":["Routing","RPKI","KI3 Published"],"titleEn":"Understanding Route Origin Validation (ROV) Deployment in the Real World and Why MANRS Action 1 Is Not Followed","affiliation":[{"name":"Tsinghua University and Zhongguancun Laboratory","tag":1},{"name":"Tsinghua University","tag":2},{"name":"Zhongguancun Laboratory","tag":3}],"titleCn":"Understanding Route Origin Validation (ROV) Deployment in the Real World and Why MANRS Action 1 Is Not Followed","cite":{"template":[{"template":"Qin L, Chen L, Li D, et al. Understanding Route Origin Validation (ROV) Deployment in the Real World and Why MANRS Action 1 Is Not Followed[J].","type":"GB/T 7714"},{"template":"Qin, Lancheng, et al. \"Understanding Route Origin Validation (ROV) Deployment in the Real World and Why MANRS Action 1 Is Not Followed.\"","type":"MLA"},{"template":"Qin, L., Chen, L., Li, D., Ye, H., & Wang, Y. Understanding Route Origin Validation (ROV) Deployment in the Real World and Why MANRS Action 1 Is Not Followed.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":525,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"The certificate transparency (CT) framework has been deployed to improve the accountability of the TLS certificate ecosystem. 
However, the current implementation of CT does not enforce or guarantee the correct behavior of third-party monitors, which are essential components of the CT framework, and raises security and reliability concerns. For example, recent studies reported that 5 popular third-party CT monitors cannot always return the complete set of certificates inquired by users, which fundamentally impairs the protection that CT aims to offer. This work revisits the CT design and proposes an additional component of the CT framework, CT watchers. A watcher acts as an inspector of third-party CT monitors to detect any misbehavior by inspecting the certificate search services of a third-party monitor and detecting any inconsistent results returned by multiple monitors. It also semi-automatically analyzes potential causes of the inconsistency, e.g., a monitor’s misconfiguration, implementation flaws, etc. We implemented a prototype of the CT watcher and conducted a 52-day trial operation and several confirmation experiments involving 8.26M unique certificates of about 6,000 domains. 
From the results returned by 6 active third-party monitors in the wild, the prototype detected 14 potential design or implementation issues of these monitors, demonstrating its effectiveness in public inspections on third-party monitors and the potential to improve the overall reliability of CT.","author":[{"name":"Aozhuo Sun","tag":"6"},{"name":"Jingqiang Lin","tag":"1"},{"name":"Wei Wang","tag":"3"},{"name":"Zeyan Liu","tag":"4"},{"name":"Bingyu Li","tag":"2"},{"name":"Shushang Wen","tag":"1"},{"name":"Qiongxiao Wang","tag":"5"},{"name":"Fengjun Li","tag":"4"}],"origin":{"url":"https://www.ndss-symposium.org/ndss-paper/certificate-transparency-revisited-the-public-inspections-on-third-party-monitors/","info":"NDSS"},"publishDate":"2024-02-26","uri":"2024_certificate_transparency_revisited_the_public_inspections_on_third_party_monitors","tags":["HTTPS","Web PKI"],"titleEn":"Certificate Transparency Revisited: The Public Inspections on Third-party Monitors","affiliation":[{"name":"School of Cyber Science and Technology, University of Science and Technology of China, China","tag":1},{"name":"School of Cyber Science and Technology, Beihang University, China","tag":2},{"name":"Institute of Information Engineering, Chinese Academy of Sciences, China","tag":3},{"name":"The University of Kansas, USA","tag":4},{"name":"Beijing Certificate Authority Co., Ltd, China","tag":5},{"name":"Institute of Information Engineering, Chinese Academy of Sciences, China, School of Cyber Security, University of Chinese Academy of Sciences, China","tag":6}],"titleCn":"Certificate Transparency Revisited: The Public Inspections on Third-party Monitors","cite":{"template":[{"template":"Sun A, Lin J, Wang W, et al. Certificate Transparency Revisited: The Public Inspections on Third-party Monitors[J].","type":"GB/T 7714"},{"template":"Sun, Aozhuo, et al. 
\"Certificate Transparency Revisited: The Public Inspections on Third-party Monitors.\"","type":"MLA"},{"template":"Sun, A., Lin, J., Wang, W., Liu, Z., Li, B., Wen, S., & Li, Q. W. F. Certificate Transparency Revisited: The Public Inspections on Third-party Monitors.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":415,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Time synchronization is of paramount importance on the Internet, with the Network Time Protocol (NTP) serving as the primary synchronization protocol. The NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates connections between clients and NTP servers. Our analysis of root DNS queries reveals that the NTP Pool has consistently been the most popular time service. We further investigate the DNS component (GeoDNS) of the NTP Pool, which is responsible for mapping clients to servers. Our findings indicate that the current algorithm is heavily skewed, leading to the emergence of time monopolies for entire countries. For instance, clients in the US are served by 551 NTP servers, while clients in Cameroon and Nigeria are served by only one and two servers, respectively, out of the 4k+ servers available in the NTP Pool. We examine the underlying assumption behind GeoDNS for these mappings and discover that time servers located far away can still provide accurate clock time information to clients. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.","author":[{"name":"Giovane C. M. 
Moura","tag":"1"},{"name":"Marco Davids","tag":"3"},{"name":"Caspar Schutijser","tag":"3"},{"name":"Cristian Hesselman","tag":"4"},{"name":"John Heidemann","tag":"5"},{"name":"Georgios Smaragdakis","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3639041","info":"SIGMETRICS"},"publishDate":"2024-02-21","uri":"2024_deep_dive_into_ntp_pool_popularity_and_mapping","tags":["NTP"],"titleEn":"Deep Dive into NTP Pool Popularity and Mapping","affiliation":[{"name":"SIDN Labs and Delft University of Technology","tag":1},{"name":"Delft University of Technology","tag":2},{"name":"SIDN Labs","tag":3},{"name":"SIDN Labs and University of Twente","tag":4},{"name":"USC/ISI and CS Dept.","tag":5}],"titleCn":"Deep Dive into NTP Pool Popularity and Mapping","cite":{"template":[{"template":"Moura G C M, Davids M, Schutijser C, et al. Deep Dive into NTP Pool's Popularity and Mapping[J]. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 2024, 8(1): 1-30.","type":"GB/T 7714"},{"template":"Moura, Giovane CM, et al. \"Deep Dive into NTP Pool's Popularity and Mapping.\" Proceedings of the ACM on Measurement and Analysis of Computing Systems 8.1 (2024): 1-30.","type":"MLA"},{"template":"Moura, G. C., Davids, M., Schutijser, C., Hesselman, C., Heidemann, J., & Smaragdakis, G. (2024). Deep Dive into NTP Pool's Popularity and Mapping. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 8(1), 1-30.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":444,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Submarine cables constitute the backbone of the Internet. However, these critical infrastructure components are vulnerable to several natural and man-made threats, and during failures, are difficult to repair in remote oceans. In spite of their crucial role, we have a limited understanding of the impact of submarine cable failures on global connectivity, particularly on the higher layers of the Internet. 
In this paper, we present Nautilus, a framework for cross-layer cartography of submarine cables and IP links. Using a corpus of public datasets and Internet cartographic techniques, Nautilus identifies IP links that are likely traversing submarine cables and maps them to one or more potential cables. Nautilus also gives each IP to cable assignment a prediction score that reflects the confidence in the mapping. Nautilus generates a mapping for 3.05 million and 1.43 million IPv4 and IPv6 links, respectively, spanning 91% of all active cables. In the absence of ground truth data, we validate Nautilus mapping using three techniques: analyzing past cable failures, using targeted traceroute measurements, and comparing with public network maps of two operators.","author":[{"name":"Alagappan Ramanathan","tag":"3"},{"name":" Sangeetha Abdu Jyothi","tag":"3,1,2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3626777","info":"SIGMETRICS"},"publishDate":"2023-12-12","uri":"2023_nautilus_a_framework_for_cross_layer_cartography_of_submarine_cables_and_ip_links","tags":["Submarine Cable"],"titleEn":"Nautilus: A Framework for Cross-Layer Cartography of Submarine Cables and IP Links","affiliation":[{"name":" Irvine","tag":1},{"name":" VMware Research","tag":2},{"name":"University of California","tag":3}],"titleCn":"Nautilus: A Framework for Cross-Layer Cartography of Submarine Cables and IP Links","cite":{"template":[{"template":"Ramanathan A, Abdu Jyothi S. Nautilus: A Framework for Cross-Layer Cartography of Submarine Cables and IP Links[J]. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 2023, 7(3): 1-34.","type":"GB/T 7714"},{"template":"Ramanathan, Alagappan, and Sangeetha Abdu Jyothi. \"Nautilus: A Framework for Cross-Layer Cartography of Submarine Cables and IP Links.\" Proceedings of the ACM on Measurement and Analysis of Computing Systems 7.3 (2023): 1-34.","type":"MLA"},{"template":"Ramanathan, A., & Abdu Jyothi, S. (2023). 
Nautilus: A Framework for Cross-Layer Cartography of Submarine Cables and IP Links. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 7(3), 1-34.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":452,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"In this paper, we present a new DNS amplification attack, named TsuKing. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers. We demonstrate that with TsuKing, an initial small amplification factor can increase exponentially through the internal layers of coordinated amplifiers, resulting in an extremely powerful amplification attack. TsuKing has three variants, including DNSRetry, DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS implementations to achieve enormous amplification effect. With comprehensive measurements, we found that about 14.5% of 1.3M open DNS resolvers are potentially vulnerable to TsuKing. Real-world controlled evaluations indicated that attackers can achieve a packet amplification factor of at least 3,700X (DNSChain). We have reported vulnerabilities to affected vendors and provided them with mitigation recommendations. We have received positive responses from 6 vendors, including Unbound, MikroTik, and AliDNS, and 3 CVEs were assigned. 
Some of them are implementing our recommendations.","author":[{"name":"Wei Xu","tag":"2"},{"name":"Xiang Li","tag":"2"},{"name":"Chaoyi Lu","tag":"2"},{"name":"Baojun Liu","tag":"2"},{"name":"Haixin Duan","tag":"2,3,1"},{"name":"Jia Zhang","tag":"2,3"},{"name":"Jianjun Chen","tag":"2,3"},{"name":"Tao Wan","tag":"4"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3576915.3616668","info":"CCS"},"publishDate":"2023-11-21","uri":"2023_tsuking_coordinating_dns_resolvers_and_queries_into_potent_dos_amplifiers","tags":["DNS","DNS Resolver","DNS DDoS"],"titleEn":"TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers","affiliation":[{"name":"Quancheng Laboratory","tag":1},{"name":"Tsinghua University","tag":2},{"name":"Zhongguancun Laboratory","tag":3},{"name":"CableLabs","tag":4}],"titleCn":"TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers","cite":{"template":[{"template":"Xu W, Li X, Lu C, et al. TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers[C]//Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023: 311-325.","type":"GB/T 7714"},{"template":"Xu, Wei, et al. \"TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers.\" Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023.","type":"MLA"},{"template":"Xu, W., Li, X., Lu, C., Liu, B., Duan, H., Zhang, J., ... & Wan, T. (2023, November). TsuKing: Coordinating DNS Resolvers and Queries into Potent DoS Amplifiers. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (pp. 311-325).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":479,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Authoritative nameservers are delegated to provide the final resource record. 
Since the security and robustness of DNS are critical to the general operation of the Internet, domain name owners are required to deploy multiple candidate nameservers for traffic load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may not only bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, but also lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report a class of DNS vulnerabilities and present a novel attack named Disablance. Our proposed attack allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. By just performing a handful of crafted requests, an adversary can manipulate a given DNS resolver to overload a specific authoritative server for a period of time. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupt the load balancing mechanism. The above attack undermines the robustness of DNS resolution and increases the security threat of single point of failure. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven to be potential victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. 
We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.","author":[{"name":"Fenglu Zhang","tag":"2"},{"name":"Baojun Liu","tag":"2"},{"name":"Eihal Alowaisheq","tag":"5"},{"name":"Jianjun Chen","tag":"2,4"},{"name":"Chaoyi Lu","tag":"2"},{"name":"Linjian Song","tag":"6"},{"name":"Yong Ma","tag":"6"},{"name":"Ying Liu","tag":"2"},{"name":"Haixin Duan","tag":"2,1"},{"name":"Min Yang","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3576915.3616647","info":"CCS"},"publishDate":"2023-11-21","uri":"2023_silence_is_not_golden_disrupting_the_load_balancing_of_authoritative_dns_servers","tags":["DNS","DNS DDoS"],"titleEn":"Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers","affiliation":[{"name":"Quancheng Laboratory","tag":1},{"name":"Tsinghua University","tag":2},{"name":"Fudan University","tag":3},{"name":"Zhongguancun Laboratory","tag":4},{"name":"King Saud University","tag":5},{"name":"Alibaba Group","tag":6}],"titleCn":"Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers","cite":{"template":[{"template":"Zhang F, Liu B, Alowaisheq E, et al. Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers[C]//Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023: 296-310.","type":"GB/T 7714"},{"template":"Zhang, Fenglu, et al. \"Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers.\" Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023.","type":"MLA"},{"template":"Zhang, F., Liu, B., Alowaisheq, E., Chen, J., Lu, C., Song, L., ... & Yang, M. (2023, November). Silence is not Golden: Disrupting the Load Balancing of Authoritative DNS Servers. 
In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (pp. 296-310).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":478,"keyword":[""],"fileType":2},{"paperType":2,"author":[{"name":"Shuai Wang","tag":"1"}],"origin":{"url":"https://youtu.be/_1WfCDWVPTI?t=3552","info":"IETF 118"},"publishDate":"2023-11-08","uri":"2023_a_large_scale_measurement_of_ip_source_spoofing_on_the_internet","tags":["IP Address","IP Spoofing","KI3 Published"],"titleEn":"A Large-scale Measurement of IP Source Spoofing on the Internet","affiliation":[{"name":"Zhongguancun Laboratory","tag":1}],"titleCn":"A Large-scale Measurement of IP Source Spoofing on the Internet","cite":{"template":[{"template":"Shuai W. A Large-scale Measurement of IP Source Spoofing on the Internet[DB/OL]. [2023-11-08]. https://ki3.org.cn/public/publications/2023_a_large_scale_measurement_of_ip_source_spoofing_on_the_internet.slides.pdf.","type":"GB/T 7714"},{"template":"Shuai Wang. \"A Large-scale Measurement of IP Source Spoofing on the Internet.\" IETF. 2023. ki3.org.cn/public/publications/2023_a_large_scale_measurement_of_ip_source_spoofing_on_the_internet.slides.pdf, PDF download.","type":"MLA"},{"template":"Wang, S. (2023, November 8). A Large-scale Measurement of IP Source Spoofing on the Internet. IETF. https://ki3.org.cn/public/publications/2023_a_large_scale_measurement_of_ip_source_spoofing_on_the_internet.slides.pdf.","type":"APA"}],"export":[""]},"id":524,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"Today's network measurements rely heavily on Internet-wide scanning, employing tools like ZMap that are capable of quickly iterating over the entire IPv4 address space. Unfortunately, IPv6's vast address space poses an existential threat for Internet-wide scans and traditional network measurement techniques. 
To address this reality, efforts are underway to develop \"hitlists\" of known-active IPv6 addresses to reduce the search space for would-be scanners. As a result, there is an inexorable push for constructing as large and complete a hitlist as possible. This paper asks: what are the potential benefits and harms when IPv6 hitlists grow larger? To answer this question, we obtain the largest IPv6 active-address list to date: 7.9 billion addresses, 898 times larger than the current state-of-the-art hitlist. Although our list is not comprehensive, it is a significant step forward and provides a glimpse into the type of analyses possible with more complete hitlists. We compare our dataset to prior IPv6 hitlists and show both benefits and dangers. The benefits include improved insight into client devices (prior datasets consist primarily of routers), outage detection, IPv6 roll-out, previously unknown aliased networks, and address assignment strategies. The dangers, unfortunately, are severe: we expose widespread instances of addresses that permit user tracking and device geolocation, and a dearth of firewalls in home networks. We discuss ethics and security guidelines to ensure a safe path towards more complete hitlists.","author":[{"name":"Erik Rye","tag":"1"},{"name":"Dave Levin","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3603269.3604829","info":"IMC"},"publishDate":"2023-11-01","uri":"2023_ipv6_hitlists_at_scale_be_careful_what_you_wish_for","tags":["IP Address","Active IP"],"titleEn":"IPv6 Hitlists at Scale: Be Careful What You Wish For","affiliation":[{"name":"University of Maryland","tag":1}],"titleCn":"IPv6 Hitlists at Scale: Be Careful What You Wish For","cite":{"template":[{"template":"Rye E, Levin D. IPv6 Hitlists at Scale: Be Careful What You Wish For[C]//Proceedings of the ACM SIGCOMM 2023 Conference. 2023: 904-916.","type":"GB/T 7714"},{"template":"Rye, Erik, and Dave Levin. 
\"IPv6 Hitlists at Scale: Be Careful What You Wish For.\" Proceedings of the ACM SIGCOMM 2023 Conference. 2023.","type":"MLA"},{"template":"Rye, E., & Levin, D. (2023, September). IPv6 Hitlists at Scale: Be Careful What You Wish For. In Proceedings of the ACM SIGCOMM 2023 Conference (pp. 904-916).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":429,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"In this paper, we show that utilizing multiple protocols offers a unique opportunity to improve IP alias resolution and dual-stack inference substantially. Our key observation is that prevalent protocols, e.g., SSH and BGP, reply to unsolicited requests with a set of values that can be combined to form a unique device identifier. More importantly, this is possible by just completing the TCP handshake. Our empirical study shows that utilizing readily available scans and our active measurements can double the discovered IPv4 alias sets and more than 30× the dual-stack sets compared to the state-of-the-art techniques. We provide insights into our method’s accuracy and performance compared to popular techniques.","author":[{"name":"Taha Albakour","tag":"1"},{"name":"Oliver Gasser","tag":"2"},{"name":"Georgios Smaragdakis","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3618257.3624840","info":"IMC"},"publishDate":"2023-10-24","uri":"2023_pushing_alias_resolution_to_the_limit","tags":["IP Address"," IP Alias"],"titleEn":"Pushing Alias Resolution to the Limit","affiliation":[{"name":"TU Berlin","tag":1},{"name":"Max Planck Institute for Informatics","tag":2},{"name":"Delft University of Technology","tag":3}],"titleCn":"Pushing Alias Resolution to the Limit","cite":{"template":[{"template":"Albakour T, Gasser O, Smaragdakis G. Pushing Alias Resolution to the Limit[C]//Proceedings of the 2023 ACM on Internet Measurement Conference. 2023: 584-590.","type":"GB/T 7714"},{"template":"Albakour, Taha, Oliver Gasser, and Georgios Smaragdakis. 
\"Pushing Alias Resolution to the Limit.\" Proceedings of the 2023 ACM on Internet Measurement Conference. 2023.","type":"MLA"},{"template":"Albakour, T., Gasser, O., & Smaragdakis, G. (2023, October). Pushing Alias Resolution to the Limit. In Proceedings of the 2023 ACM on Internet Measurement Conference (pp. 584-590).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":516,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Recent studies show that an end system's traffic may reach a distant anycast site within a global IP anycast system, resulting in high latency. To address this issue, some private and public CDNs have implemented regional IP anycast, a technique that involves dividing content-hosting sites into geographic regions, announcing a unique IP anycast prefix for each region, and utilizing DNS and IP-geolocation to direct clients to CDN sites in their corresponding geographic regions. In this work, we aim to understand how a regional anycast CDN partitions its sites and maps its customers' clients to its sites, and how a regional anycast CDN performs compared to its global anycast counterpart. We study the deployment strategies and the performance of two CDNs (Edgio and Imperva) that currently deploy regional IP anycast. We find that both Edgio and Imperva partition their sites and clients following continent or country borders. Furthermore, we compare the client latency distribution in Imperva's regional anycast CDN with its similar-scale DNS global anycast network, while accounting for and mitigating the relevant deployment differences between the two networks. We find that regional anycast can effectively alleviate the pathology in global IP anycast where BGP routes clients' traffic to distant CDN sites. However, DNS mapping inefficiencies, where DNS returns a sub-optimal regional IP anycast address that does not cover a client's low-latency CDN sites, can harm regional anycast's performance. 
Finally, we show what performance benefits regional IP anycast can achieve with a latency-based region partition method using the Tangled testbed. When compared to global anycast, regional anycast significantly reduces the 90th percentile client latency by 58.7% to 78.6% for clients across different geographic areas.","author":[{"name":"Zhou Minyuan","tag":"2"},{"name":" Zhang Xiao","tag":"3"},{"name":" Hao Shuai","tag":"3"},{"name":" Yang Xiaowei","tag":"1"},{"name":" Zheng Jiaqi","tag":"2"},{"name":" Chen Guihai","tag":"2"},{"name":" Dou Wanchun","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3603269.3604846","info":"SIGCOMM"},"publishDate":"2023-09-01","uri":"2023_regional_ip_anycast_deployments_performance_and_potentials","tags":["IP Address","Anycast"],"titleEn":"Regional IP Anycast: Deployments, Performance, and Potentials","affiliation":[{"name":"Duke University","tag":1},{"name":"State Key Laboratory for Novel Software Technology, Nanjing University","tag":2},{"name":"Old Dominion University","tag":3}],"titleCn":"Regional IP Anycast: Deployments, Performance, and Potentials","cite":{"template":[{"template":"Zhou M, Zhang X, Hao S, et al. Regional IP Anycast: Deployments, Performance, and Potentials[C]//Proceedings of the ACM SIGCOMM 2023 Conference. 2023: 917-931.","type":"GB/T 7714"},{"template":"Zhou, Minyuan, et al. \"Regional IP Anycast: Deployments, Performance, and Potentials.\" Proceedings of the ACM SIGCOMM 2023 Conference. 2023.","type":"MLA"},{"template":"Zhou, M., Zhang, X., Hao, S., Yang, X., Zheng, J., Chen, G., & Dou, W. (2023, September). Regional IP Anycast: Deployments, Performance, and Potentials. In Proceedings of the ACM SIGCOMM 2023 Conference (pp. 917-931).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":506,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are used to encrypt data, protect privacy, and authenticate. 
However, the security of SSL/TLS itself depends on its configurations. While some scanning tools are used to measure SSL/TLS configurations, their performance is far from meeting the requirement of large-scale measurements. In this paper, we propose a fast SSL/TLS configuration scanning tool, Q-Scanner, which can generate a lightweight scanning solution based on the characteristics of the configurations to be scanned. The experiment shows Q-Scanner achieves a speedup of over 30,000 times compared to SSL Pulse without loss of accuracy.","author":[{"name":"Rui Yan","tag":"1"},{"name":" Shuai Wang","tag":"2"},{"name":" Dan Li","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3603269.3610858","info":"SIGCOMM"},"publishDate":"2023-09-01","uri":"2023_q_scanner_a_fast_scanning_tool_for_large_scale_ssl_tls_configurations_measurement","tags":["HTTPS","TLS","KI3 Published"],"titleEn":"Q-Scanner: A Fast Scanning Tool for Large-Scale SSL/TLS Configurations Measurement","affiliation":[{"name":"Tsinghua University","tag":1},{"name":"Zhongguancun Laboratory","tag":2}],"titleCn":"Q-Scanner: A Fast Scanning Tool for Large-Scale SSL/TLS Configurations Measurement","cite":{"template":[{"template":"Yan R, Wang S, Li D. Poster: Q-Scanner: A Fast Scanning Tool for Large-Scale SSL/TLS Configurations Measurement[C]//Proceedings of the ACM SIGCOMM 2023 Conference. 2023: 1135-1137.","type":"GB/T 7714"},{"template":"Yan, Rui, Shuai Wang, and Dan Li. \"Poster: Q-Scanner: A Fast Scanning Tool for Large-Scale SSL/TLS Configurations Measurement.\" Proceedings of the ACM SIGCOMM 2023 Conference. 2023.","type":"MLA"},{"template":"Yan, R., Wang, S., & Li, D. (2023, September). Poster: Q-Scanner: A Fast Scanning Tool for Large-Scale SSL/TLS Configurations Measurement. In Proceedings of the ACM SIGCOMM 2023 Conference (pp. 
1135-1137).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":400,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"International submarine cables (ISCs) connect various countries/regions worldwide, and serve as the foundation of Internet routing. However, little attention has been paid to studying the impact of ISCs on Internet routing. This study addresses two questions to bridge the gap between ISCs and Internet routing: (1) For a given ISC, which Autonomous Systems (ASes) are using it, and (2) How dependent is Internet routing on ISCs. To tackle the first question, we propose Topology to Topology (or T2T), a framework for the large-scale measurement of static mapping between ASes and ISCs, and apply T2T to the Internet to reveal the status, trends, and preferences of ASes using ISCs. We find that ISCs used by Tier-1 ASes are more than 30× of stub ASes. For the second question, we design an Internet routing simulator, and evaluate the behavior change of Internet routing when an ISC fails based on the mapping between ASes and ISCs. The results show that benefited from the complex mesh of ISCs, the failures of most ISCs have limited impact on Internet routing, while a few ISCs can have a significant impact. 
Finally, we analyze severely affected ASes and recommend how to improve the resilience of the Internet.","author":[{"name":"Honglin Ye","tag":"1,3"},{"name":" Shuai Wang","tag":"2"},{"name":" Dan Li","tag":"1,4"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/10229024","info":"INFOCOM"},"publishDate":"2023-08-29","uri":"2023_impact_of_international_submarine_cable_on_internet_routing","tags":["Submarine Cable","Routing","KI3 Published"],"titleEn":"Impact of International Submarine Cable on Internet Routing","affiliation":[{"name":"Tsinghua University","tag":1},{"name":"Zhongguancun Laboratory","tag":2},{"name":" Tsinghua Shenzhen International Graduate School","tag":3},{"name":" Zhongguancun Laboratory","tag":4}],"titleCn":"Impact of International Submarine Cable on Internet Routing","cite":{"template":[{"template":"Ye H, Wang S, Li D. Impact of International Submarine Cable on Internet Routing[C]//IEEE INFOCOM 2023-IEEE Conference on Computer Communications. IEEE, 2023: 1-10.","type":"GB/T 7714"},{"template":"Ye, Honglin, Shuai Wang, and Dan Li. \"Impact of International Submarine Cable on Internet Routing.\" IEEE INFOCOM 2023-IEEE Conference on Computer Communications. IEEE, 2023.","type":"MLA"},{"template":"Ye, H., Wang, S., & Li, D. (2023, May). Impact of International Submarine Cable on Internet Routing. In IEEE INFOCOM 2023-IEEE Conference on Computer Communications (pp. 1-10). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":453,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"Internet measurements are a crucial foundation of IPv6-related research. Due to the infeasibility of full address space scans for IPv6 however, those measurements rely on collections of reliably responsive, unbiased addresses, as provided e.g., by the IPv6 Hitlist service. 
Although used for various use cases, the hitlist provides an unfiltered list of responsive addresses, the hosts behind which can come from a range of different networks and devices, such as web servers, customer-premises equipment (CPE) devices, and Internet infrastructure. In this paper, we demonstrate the importance of tailoring hitlists in accordance with the research goal in question. By using PeeringDB we classify hitlist addresses into six different network categories, uncovering that 42% of hitlist addresses are in ISP networks. Moreover, we show the different behavior of those addresses depending on their respective category, e.g., ISP addresses exhibiting a relatively low lifetime. Furthermore, we analyze different Target Generation Algorithms (TGAs), which are used to increase the coverage of IPv6 measurements by generating new responsive targets for scans. We evaluate their performance under various conditions and find generated addresses to show vastly differing responsiveness levels for different TGAs.","author":[{"name":"Lion Steger","tag":"1"},{"name":"Liming Kuang","tag":"1"},{"name":"Johannes Zirngibl","tag":"1"},{"name":"Georg Carle","tag":"1"},{"name":"Oliver Gasser","tag":"2"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/10199073","info":"TMA"},"publishDate":"2023-06-01","uri":"2023_target_acquired_evaluating_target_generation_algorithms_for_ipv6","tags":["IP Address","Active IP"],"titleEn":"Target Acquired? Evaluating Target Generation Algorithms for IPv6","affiliation":[{"name":"Technical University of Munich","tag":1},{"name":"Max Planck Institute for Informatics","tag":2}],"titleCn":"Target Acquired? Evaluating Target Generation Algorithms for IPv6","cite":{"template":[{"template":"Steger L, Kuang L, Zirngibl J, et al. Target acquired? evaluating target generation algorithms for ipv6[C]//2023 7th Network Traffic Measurement and Analysis Conference (TMA). 
IEEE, 2023: 1-10.","type":"GB/T 7714"},{"template":"Steger, Lion, et al. \"Target acquired? evaluating target generation algorithms for ipv6.\" 2023 7th Network Traffic Measurement and Analysis Conference (TMA). IEEE, 2023.","type":"MLA"},{"template":"Steger, L., Kuang, L., Zirngibl, J., Carle, G., & Gasser, O. (2023, June). Target acquired? evaluating target generation algorithms for ipv6. In 2023 7th Network Traffic Measurement and Analysis Conference (TMA) (pp. 1-10). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":422,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"The DNS privacy protection mechanisms, DNS over TLS (DoT) and DNS over HTTPS (DoH), only work correctly if both the server and client support the Strict Privacy profile and no vulnerability exists in the implemented TLS/HTTPS. A natural question then arises: what is the landscape of DNS Strict Privacy? To this end, we provide the first longitudinal and comprehensive measurement of DoT/DoH deployments in recursive resolvers, authoritative servers, and browsers. With the collected data, we find the number of DoT/DoH servers increased substantially during our ten-month-long scan. However, around 60% of DoT and 44% of DoH recursive resolver certificates are invalid. Worryingly, our measurements confirm the centralization problem of DoT/DoH. Furthermore, we classify DNS Strict Privacy servers into four levels according to daily scanning results on TLS/HTTPS-related security features. Unfortunately, around 25% of DoH Strict Privacy recursive resolvers fail to meet the minimum level requirements. To help the Internet community better perceive the landscape of DNS Strict Privacy, we implement a DoT/DoH server search engine and recommender system. Additionally, we investigate five popular browsers across four operating systems and find some inconsistent behavior with their DNS privacy implementations. 
For example, Firefox in Windows, Linux, and Android allows DoH communication with the server without the SAN certificate. At last, we advocate that all participants head together for a bright DNS Strict Privacy landscape by discussing current hindrances and controversies in DNS privacy.","author":[{"name":"Ruixuan Li","tag":"1"},{"name":" Xiaofeng Jia","tag":"1"},{"name":"Jun Shao","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10091202","info":"ToN"},"publishDate":"2023-04-03","uri":"2023_a_longitudinal_and_comprehensive_measurement_of_dns_strict_privacy","tags":["DNS","Encrypted DNS"],"titleEn":"A Longitudinal and Comprehensive Measurement of DNS Strict Privacy","affiliation":[{"name":" School of Computer Science and Technology, Zhejiang Gongshang University, Hangzhou 310018, China","tag":1}],"titleCn":"A Longitudinal and Comprehensive Measurement of DNS Strict Privacy","cite":{"template":[{"template":"Li R, Jia X, Zhang Z, et al. A longitudinal and comprehensive measurement of dns strict privacy[J]. IEEE/ACM Transactions on Networking, 2023.","type":"GB/T 7714"},{"template":"Li, Ruixuan, et al. \"A longitudinal and comprehensive measurement of dns strict privacy.\" IEEE/ACM Transactions on Networking (2023).","type":"MLA"},{"template":"Li, R., Jia, X., Zhang, Z., Shao, J., Lu, R., Lin, J., ... & Wei, G. (2023). A longitudinal and comprehensive measurement of dns strict privacy. IEEE/ACM Transactions on Networking.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":448,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Futuristic integrated space and terrestrial networks (ISTN) not only hold new opportunities for pervasive, low-latency Internet services, but also face new challenges caused by satellite dynamics on a global scale. It should be useful for researchers to run various experiments to systematically explore new problems in ISTNs. 
However, existing experimentation methods either attain realism but lack flexibility (e.g., live satellites), or achieve flexibility but lack realism (e.g., ISTN simulators). This paper presents STARRYNET, a novel experimentation framework that enables researchers to conveniently build credible and flexible experimental network environments (ENE) mimicking satellite dynamics and network behaviors of large-scale ISTNs. STARRYNET simultaneously achieves constellation-consistency, networked system realism and flexibility, by adopting a real-data-driven, lightweight-emulation-aided approach to build a digital twin of physical ISTNs in the terrestrial virtual environment. Driven by public and real constellation-relevant information, we show STARRYNET’s acceptable fidelity and demonstrate its flexibility to support various ISTN experiments, such as evaluating different internetworking mechanisms for space-ground integration, and assessing the network resilience of futuristic ISTNs.","author":[{"name":"Zeqi Lai","tag":"1,2"},{"name":" Hewu Li","tag":"1,2"},{"name":" Yangtao Deng","tag":"1"},{"name":" Qian Wu","tag":"1,2"},{"name":" Jun Liu","tag":"1,2"},{"name":" Yuanjie Li","tag":"1,2"},{"name":" Jihao Li","tag":"1"},{"name":" Lixin Liu","tag":"1"},{"name":"Weisen Liu","tag":"1"},{"name":" Jianping Wu","tag":"1,2"}],"origin":{"url":"https://www.usenix.org/conference/nsdi23/presentation/lai-zeqi","info":"NSDI"},"publishDate":"2023-04-01","uri":"2023_starrynet_empowering_researchers_to_evaluate_futuristic_integrated_space_and_terrestrial_networks","tags":["Satellite"],"titleEn":"StarryNet: Empowering Researchers to Evaluate Futuristic Integrated Space and Terrestrial Networks","affiliation":[{"name":"Tsinghua University","tag":1},{"name":" Zhongguancun Laboratory","tag":2}],"titleCn":"StarryNet: Empowering Researchers to Evaluate Futuristic Integrated Space and Terrestrial Networks","cite":{"template":[{"template":"Lai Z, Li H, Deng Y, et al. 
{StarryNet}: Empowering researchers to evaluate futuristic integrated space and terrestrial networks[C]//20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23). 2023: 1309-1324.","type":"GB/T 7714"},{"template":"Lai, Zeqi, et al. \"{StarryNet}: Empowering researchers to evaluate futuristic integrated space and terrestrial networks.\" 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23). 2023.","type":"MLA"},{"template":"Lai, Z., Li, H., Deng, Y., Wu, Q., Liu, J., Li, Y., ... & Wu, J. (2023). {StarryNet}: Empowering researchers to evaluate futuristic integrated space and terrestrial networks. In 20th USENIX Symposium on Networked Systems Design and Implementation (NSDI 23) (pp. 1309-1324).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":463,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Collecting metadata from Transport Layer Security (TLS) servers on a large scale allows to draw conclusions about their capabilities and configuration. This provides not only insights into the Internet but it enables use cases like detecting malicious Command and Control (C&C) servers. However, active scanners can only observe and interpret the behavior of TLS servers, the underlying configuration and implementation causing the behavior remains hidden. Existing approaches struggle between resource intensive scans that can reconstruct this data and light-weight fingerprinting approaches that aim to differentiate servers without making any assumptions about their inner working. With this work we propose DissecTLS, an active TLS scanner that is both light-weight enough to be used for Internet measurements and able to reconstruct the configuration and capabilities of the TLS stack. This was achieved by modeling the parameters of the TLS stack and derive an active scan that dynamically creates scanning probes based on the model and the previous responses from the server. 
We provide a comparison of five active TLS scanning and fingerprinting approaches in a local testbed and on toplist targets. We conducted a measurement study over nine weeks to fingerprint C&C servers and analyzed popular and deprecated TLS parameter usage. Similar to related work, the fingerprinting achieved a maximum precision of 99 % for a conservative detection threshold of 100 %; and at the same time, we improved the recall by a factor of 2.8.","author":[{"name":"Markus Sosnowski","tag":"1"},{"name":"Johannes Zirngibl","tag":"1"},{"name":"Patrick Sattler","tag":"1"},{"name":"Georg Carle","tag":"1"}],"origin":{"url":"https://link.springer.com/chapter/10.1007/978-3-031-28486-1_6","info":"PAM"},"publishDate":"2023-03-10","uri":"2023_dissectls_a_scalable_active_scanner_for_tls_server_configurations_capabilities_and_tls_fingerprinting","tags":["HTTPS","TLS"],"titleEn":"DissecTLS: A Scalable Active Scanner for TLS Server Configurations, Capabilities, and TLS Fingerprinting","affiliation":[{"name":"Technical University of Munich, Munich, Germany","tag":1}],"titleCn":"DissecTLS: A Scalable Active Scanner for TLS Server Configurations, Capabilities, and TLS Fingerprinting","cite":{"template":[{"template":"Sosnowski M, Zirngibl J, Sattler P, et al. Dissectls: A scalable active scanner for tls server configurations, capabilities, and tls fingerprinting[C]//International Conference on Passive and Active Network Measurement. Cham: Springer Nature Switzerland, 2023: 110-126.","type":"GB/T 7714"},{"template":"Sosnowski, Markus, et al. \"Dissectls: A scalable active scanner for tls server configurations, capabilities, and tls fingerprinting.\" International Conference on Passive and Active Network Measurement. Cham: Springer Nature Switzerland, 2023.","type":"MLA"},{"template":"Sosnowski, M., Zirngibl, J., Sattler, P., & Carle, G. (2023, March). Dissectls: A scalable active scanner for tls server configurations, capabilities, and tls fingerprinting. 
In International Conference on Passive and Active Network Measurement (pp. 110-126). Cham: Springer Nature Switzerland.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":399,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Public hosting services provide convenience for domain owners to build web applications with better scalability and security. However, if a domain name points to released service endpoints (e.g., nameservers allocated by a provider), adversaries can take over the domain by applying the same endpoints. Such a security threat is called \"hosting-based domain takeover\". In recent years, a large number of domain takeover incidents have occurred; even well-known websites like the subdomains of microsoft.com have been impacted. However, until now, there has been no effective detection system to identify these vulnerable domains on a large scale. In this paper, we fill this research gap by presenting a novel framework, HostingChecker, for detecting domain takeovers. Compared with previous work, HostingChecker expands the detection scope and improves the detection efficiency by: (i) systematically identifying vulnerable hosting services using a semi-automated method; and (ii) effectively detecting vulnerable domains through passive reconstruction of domain dependency chains. The framework enables us to detect the subdomains of Tranco sites on a daily basis. We evaluate the effectiveness of HostingChecker and eventually detect 10,351 subdomains from Tranco Top-1M apex domains vulnerable to domain takeover, which are over 8× more than previous findings. Furthermore, we conduct an in-depth security analysis on the affected vendors, like Amazon and Alibaba, and gain a suite of new insights, including flawed implementation of domain ownership validation. 
Following responsible disclosure processes, we have reported issues to the security response centers of affected vendors, and some (e.g., Baidu and Tencent) have adopted our mitigation.","author":[{"name":"Mingming Zhang","tag":"2"},{"name":"Xiang Li","tag":"2"},{"name":"Baojun Liu","tag":"2,1"},{"name":"Jianyu Lu","tag":"4"},{"name":"Yiming Zhang","tag":"2"},{"name":"Jianjun Chen","tag":"2,3"},{"name":"Haixin Duan","tag":"2,1"},{"name":"Shuang Hao","tag":"5"},{"name":"Xiaofeng Zheng","tag":"2,4"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3606376.3593534","info":"SIGMETRICS"},"publishDate":"2023-03-02","uri":"2023_detecting_and_measuring_security_risks_of_hosting_based_dangling_domains","tags":["DNS","Domain Hijacking"],"titleEn":"Detecting and Measuring Security Risks of Hosting-Based Dangling Domains","affiliation":[{"name":"Quancheng Laboratory","tag":1},{"name":"Tsinghua University","tag":2},{"name":"Zhongguancun Laboratory","tag":3},{"name":"QI-ANXIN Technology Research Institute","tag":4},{"name":"University of Texas at Dallas","tag":5}],"titleCn":"Detecting and Measuring Security Risks of Hosting-Based Dangling Domains","cite":{"template":[{"template":"Zhang M, Li X, Liu B, et al. Detecting and measuring security risks of hosting-based dangling domains[J]. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 2023, 7(1): 1-28.","type":"GB/T 7714"},{"template":"Zhang, Mingming, et al. \"Detecting and measuring security risks of hosting-based dangling domains.\" Proceedings of the ACM on Measurement and Analysis of Computing Systems 7.1 (2023): 1-28.","type":"MLA"},{"template":"Zhang, M., Li, X., Liu, B., Lu, J., Zhang, Y., Chen, J., ... & Zheng, X. (2023). Detecting and measuring security risks of hosting-based dangling domains. 
Proceedings of the ACM on Measurement and Analysis of Computing Systems, 7(1), 1-28.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":487,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Ingress filtering, commonly referred to as Source Address Validation (SAV), is a practice aimed at discarding packets with spoofed source IP addresses at the network periphery. Outbound SAV, i.e., dropping traffic with spoofed source IP addresses as it leaves its source network, has received widespread attention in operational and research communities. It is one of the most effective ways to prevent Reflection-based Distributed Denial-of-Service (DDoS) attacks. Contrariwise, inbound SAV, i.e., dropping incoming spoofed traffic at the destination network edge, has received less attention, even though it provides protection for the deploying network. In this paper, we present the results of the Closed Resolver Project, our initiative aimed at finding networks without inbound SAV and raising awareness of the issue. We perform the first Internet-wide active measurement study to enumerate networks that enforce (or not) inbound SAV. We reach open and closed Domain Name System (DNS) resolvers in tested networks and determine whether they resolve requests with spoofed source IP addresses. Our method provides unprecedented insight into inbound SAV deployment by network operators, revealing 49% IPv4 and 26% IPv6 Autonomous Systems (AS) that suffer from a consistent or partial absence of inbound filtering. By identifying dual-stack DNS resolvers and ASes, we further show that inbound filtering is generally deployed consistently across IPv4 and IPv6. 
Finally, the lack of inbound SAV exposes 2.5M IPv4 and 100K IPv6 purportedly closed DNS resolvers to many types of external attacks, including NXNSAttack, zone poisoning, or zero-day vulnerabilities in DNS software.","author":[{"name":"Yevheniya Nosyk","tag":"2"},{"name":"Maciej Korczyński","tag":"2"},{"name":"Qasim Lone","tag":"1"},{"name":"Marcin Skwarek","tag":"2"},{"name":"Baptiste Jonglez","tag":"2"},{"name":"Andrzej Duda","tag":"2"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/10082958","info":"ToN"},"publishDate":"2023-03-01","uri":"2023_the_closed_resolver_project_measuring_the_deployment_of_inbound_source_address_validation","tags":["IP Address","IP Spoofing"],"titleEn":"The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation","affiliation":[{"name":"RIPE NCC","tag":1},{"name":"Université Grenoble Alpes","tag":2}],"titleCn":"The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation","cite":{"template":[{"template":"Nosyk Y, Korczyński M, Lone Q, et al. The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation[J]. IEEE/ACM Transactions on Networking, 2023.","type":"GB/T 7714"},{"template":"Nosyk, Yevheniya, et al. \"The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation.\" IEEE/ACM Transactions on Networking (2023).","type":"MLA"},{"template":"Nosyk, Y., Korczyński, M., Lone, Q., Skwarek, M., Jonglez, B., & Duda, A. (2023). The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation. IEEE/ACM Transactions on Networking.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":438,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Active Internet measurements face challenges when some measurements require many remote vantage points. 
In this paper, we propose a novel technique for measuring remote IPv6 networks via side channels in ICMP rate limiting, a required function for IPv6 nodes to limit the rate at which ICMP error messages are generated. This technique, iVantage, can to some extent use 1.1M remote routers distributed in 9.5k autonomous systems and 182 countries as our \"vantage points\". We apply iVantage to two different, but both challenging measurement tasks: 1) measuring the deployment of inbound source address validation (ISAV) and 2) measuring reachability between arbitrary Internet nodes. We accomplish these two tasks from only one local vantage point without controlling the targets or relying on other services within the target networks. Our large-scale ISAV measurements cover ~50% of all IPv6 autonomous systems and find ~79% of them are vulnerable to spoofing, which is the most large-scale measurement study of IPv6 ISAV to date. Our method for reachability measurements achieves over 80% precision and recall in our evaluation. Finally, we perform an Internet-wide measurement of the ICMP rate limiting implementations, present a detailed discussion on ICMP rate limiting, particularly the potential security and privacy risks in the mechanism of ICMP rate limiting, and provide possible mitigation measures. 
We make our code available to the community.","author":[{"name":"Long Pan","tag":"3,1"},{"name":"Jiahai Yang","tag":"3,1,2"},{"name":"Lin He","tag":"3,1,2"},{"name":"Zhiliang Wang","tag":"3,1,2"},{"name":"Leyao Nie","tag":"3,1"},{"name":"Guanglei Song","tag":"3,1"},{"name":"Yaozhong Liu","tag":"3,1"}],"origin":{"url":"https://www.ndss-symposium.org/wp-content/uploads/2023/02/ndss2023_s49_paper.pdf","info":"NDSS"},"publishDate":"2023-02-01","uri":"2023_your_router_is_my_prober_measuring_ipv6_networks_via_icmp_rate_limiting_side_channels","tags":["IP Address","IP Spoofing"],"titleEn":"Your router is my prober: Measuring ipv6 networks via icmp rate limiting side channels","affiliation":[{"name":"Zhongguancun Laboratory","tag":1},{"name":"Quan Cheng Laboratory","tag":2},{"name":"Institute for Network Sciences and Cyberspace BNRist Tsinghua University","tag":3}],"titleCn":"Your router is my prober: Measuring ipv6 networks via icmp rate limiting side channels","cite":{"template":[{"template":"Pan L, Yang J, He L, et al. Your router is my prober: Measuring ipv6 networks via icmp rate limiting side channels[J]. arXiv preprint arXiv:2210.13088, 2022.","type":"GB/T 7714"},{"template":"Pan, Long, et al. \"Your router is my prober: Measuring ipv6 networks via icmp rate limiting side channels.\" arXiv preprint arXiv:2210.13088 (2022).","type":"MLA"},{"template":"Pan, L., Yang, J., He, L., Wang, Z., Nie, L., Song, G., & Liu, Y. (2022). Your router is my prober: Measuring ipv6 networks via icmp rate limiting side channels. 
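arXiv preprint arXiv:2210.13088.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":434,"keyword":[""],"fileType":2},{"paperType":2,"abstracts":"As an important part of the global network infrastructure, submarine optical cables form an intricate network. More than 95% of the world's transoceanic traffic is carried over submarine cables [1]. According to the global submarine cable data published by Telegeography [2], as of December 2022 there were 460 submarine cables in service worldwide and 1255 landing stations, with a total cable length of more than 1.39 million km, connecting 179 countries. This vast cable network on the seabed forms the foundation of global data communication. However, although submarine cables are such important communication infrastructure, the particular locations in which they are laid mean that they frequently fail under the influence of human activity or natural disasters (such as fishing vessels dropping anchor or submarine volcanic eruptions), which affects data transmission between regions. According to Telegeography's statistics, more than 100 submarine cable incidents occur worldwide each year on average, increasing communication latency between regions and even cutting a region off from the outside world [3]. For example, the eruption of the Tonga submarine volcano in December 2021 caused the submarine cable Tonga Cable to fail, and all of Tonga's communication with the outside world was affected [4]. To better understand the important role that the submarine cable network plays in global data communication, we merged publicly available submarine cable information from multiple sources [2,5], built a more comprehensive global submarine cable map, and visualized it (https://ki3.org.cn/). In addition, combining CAIDA's global router-level topology information [6], we measured, analyzed and simulated, at the macro level, the current global deployment of submarine cables, the key nodes, and the impact of failures. The results have been accepted by IEEE INFOCOM 2023, a class-A conference in the field of computer networking, and were described by an INFOCOM reviewer as “the first large-scale analysis in the field of the impact of global submarine cables” (The first large-scale analysis of ISC impact compared to prior work that looked at specific ISCs); for details of the measurement method, see the paper [15].","author":[{"name":"叶洪琳","tag":"1"}],"origin":{"url":"https://mp.weixin.qq.com/s/9xNsFW8alzdpZlngHL3Hng","info":"NASP Lab"},"publishDate":"2023-01-07","uri":"2023_global_submarine_cable_deploy_fault_report","tags":["Submarine Cable","KI3 Published"],"titleEn":"Analysis of Global Submarine Cable Deployment and Fault Impact (2022)","affiliation":[{"name":"清华大学","tag":1}],"titleCn":"全球海缆部署及故障影响分析(2022年)","cite":{"template":[{"template":"叶洪琳.全球海缆部署及故障影响分析报告[EB/OL].https://mp.weixin.qq.com/s/9xNsFW8alzdpZlngHL3Hng","type":"GB/T 7714"}],"export":[""]},"id":526,"keyword":[""],"fileType":2},{"paperType":3,"abstracts":"Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. 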
These recommendations are applicable to the majority of use cases. RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.","author":[{"name":"Sheffer Y","tag":"2"},{"name":"Saint-Andre P","tag":"1"},{"name":"Fossati T","tag":"3"}],"origin":{"url":"https://www.rfc-editor.org/info/rfc9325","info":"IETF"},"publishDate":"2022-11-01","uri":"2022_rfc_9325","tags":["HTTPS","TLS"],"titleEn":"RFC 9325","affiliation":[{"name":"Independent","tag":1},{"name":"Intuit","tag":2},{"name":"ARM Limited","tag":3}],"titleCn":"RFC 9325","cite":{"template":[{"template":"Sheffer Y, Saint-Andre P, Fossati T. RFC 9325: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)[J]. 2022.","type":"GB/T 7714"},{"template":"Sheffer, Yaron, P. Saint-Andre, and T. Fossati. \"RFC 9325: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).\" (2022).","type":"MLA"},{"template":"Sheffer, Y., Saint-Andre, P., & Fossati, T. (2022). RFC 9325: Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":404,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"In 2019, the US Department of Homeland Security issued an emergency warning about DNS infrastructure tampering. This alert, in response to a series of attacks against foreign government websites, highlighted how a sophisticated attacker could leverage access to key DNS infrastructure to then hijack traffic and harvest valid login credentials for target organizations. 
However, even armed with this knowledge, identifying the existence of such incidents has been almost entirely via post hoc forensic reports (i.e., after a breach was found via some other method). Indeed, such attacks are particularly challenging to detect because they can be very short lived, bypass the protections of TLS and DNSSEC, and are imperceptible to users. Identifying them retroactively is even more complicated by the lack of fine-grained Internet-scale forensic data. This paper is a first attempt to make progress at this latter goal. Combining a range of longitudinal data from Internet-wide scans, passive DNS records, and Certificate Transparency logs, we have constructed a methodology for identifying potential victims of sophisticated DNS infrastructure hijacking and have used it to identify a range of victims (primarily government agencies), both those named in prior reporting, and others previously unknown.","author":[{"name":"Gautam Akiwate","tag":"3"},{"name":"Raffaele Sommese","tag":"5"},{"name":"Mattijs Jonker","tag":"5"},{"name":"Zakir Durumeric","tag":"2,1"},{"name":"KC Claffy","tag":"4"},{"name":"Geoffrey M. Voelker","tag":"3"},{"name":"Stefan Savage","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3517745.3561425","info":"IMC"},"publishDate":"2022-10-25","uri":"2022_retroactive_identification_of_targeted_dns_infrastructure_hijacking","tags":["DNS","Domain Hijacking"],"titleEn":"Retroactive Identification of Targeted DNS Infrastructure Hijacking","affiliation":[{"name":"Stanford University","tag":1},{"name":"Cesys","tag":2},{"name":"UC San Diego","tag":3},{"name":"caida/UC San Diego","tag":4},{"name":"University of Twente","tag":5}],"titleCn":"Retroactive Identification of Targeted DNS Infrastructure Hijacking","cite":{"template":[{"template":"Akiwate G, Sommese R, Jonker M, et al. Retroactive identification of targeted DNS infrastructure hijacking[C]//Proceedings of the 22nd ACM Internet Measurement Conference. 
2022: 14-32.","type":"GB/T 7714"},{"template":"Akiwate, Gautam, et al. \"Retroactive identification of targeted DNS infrastructure hijacking.\" Proceedings of the 22nd ACM Internet Measurement Conference. 2022.","type":"MLA"},{"template":"Akiwate, G., Sommese, R., Jonker, M., Durumeric, Z., Claffy, K. C., Voelker, G. M., & Savage, S. (2022, October). Retroactive identification of targeted DNS infrastructure hijacking. In Proceedings of the 22nd ACM Internet Measurement Conference (pp. 14-32).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":477,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Over the last decade, Web traffic has significantly shifted towards HTTPS due to an increased awareness for privacy. However, DNS traffic is still largely unencrypted, which allows user profiles to be derived from plaintext DNS queries. While DNS over TLS (DoT) and DNS over HTTPS (DoH) address this problem by leveraging transport encryption for DNS, both protocols are constrained by the underlying transport (TCP) and encryption (TLS) protocols, requiring multiple round-trips to establish a secure connection. In contrast, QUIC combines the transport and cryptographic handshake into a single round-trip, which allows the recently standardized DNS over QUIC (DoQ) to provide DNS privacy with minimal latency. In the first study of its kind, we perform distributed DoQ measurements across multiple vantage points to evaluate the impact of DoQ on Web performance. We find that DoQ excels over DoH, leading to significant improvements with up to 10% faster loads for simple webpages. 
With increasing complexity of webpages, DoQ even catches up to DNS over UDP (DoUDP) as the cost of encryption amortizes: With DoQ being only ∼2% slower than DoUDP, encrypted DNS becomes much more appealing for the Web.","author":[{"name":"Mike Kosek","tag":"1"},{"name":"Luca Schumann","tag":"1"},{"name":"Trinh Viet Doan","tag":"1"}],"origin":{"url":"https://arxiv.org/pdf/2305.00790.pdf","info":"IMC"},"publishDate":"2022-10-25","uri":"2022_dns_privacy_with_speed_evaluating_dns_over_quic_and_its_impact_on_web_performance","tags":["DNS","Encrypted DNS"],"titleEn":"DNS Privacy with Speed? Evaluating DNS over QUIC and its Impact on Web Performance","affiliation":[{"name":" Technical University of Munich","tag":1}],"titleCn":"DNS Privacy with Speed? Evaluating DNS over QUIC and its Impact on Web Performance","cite":{"template":[{"template":"Kosek M, Schumann L, Marx R, et al. DNS privacy with speed? Evaluating DNS over QUIC and its impact on web performance[C]//Proceedings of the 22nd ACM Internet Measurement Conference. 2022: 44-50.","type":"GB/T 7714"},{"template":"Kosek, Mike, et al. \"DNS privacy with speed? Evaluating DNS over QUIC and its impact on web performance.\" Proceedings of the 22nd ACM Internet Measurement Conference. 2022.","type":"MLA"},{"template":"Kosek, M., Schumann, L., Marx, R., Doan, T. V., & Bajpai, V. (2022, October). DNS privacy with speed? Evaluating DNS over QUIC and its impact on web performance. In Proceedings of the 22nd ACM Internet Measurement Conference (pp. 44-50).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":451,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Denial of Service (DDoS) attacks both abuse and target core Internet infrastructures and services, including the Domain Name System (DNS). 
To characterize recent DDoS attacks against authoritative DNS infrastructure, we join two existing data sets - DoS activity inferred from a sizable darknet, and contemporaneous DNS measurement data - for a 17-month period (Nov. 20 - Mar. 22). Our measurements reveal evidence that millions of domains (up to 5% of the DNS namespace) experienced a DoS attack during our observation window. Most attacks did not substantially harm DNS performance, but in some cases we saw 100-fold increases in DNS resolution time, or complete unreachability. Our measurements captured a devastating attack against a large provider in the Netherlands (TransIP), and attacks against Russian infrastructure. Our data corroborates the value of known best practices to improve DNS resilience to attacks, including the use of anycast and topological redundancy in nameserver infrastructure. We discuss the strengths and weaknesses of our data sets for DDoS tracking and impact on the DNS, and promising next steps to improve our understanding of the evolving DDoS ecosystem.","author":[{"name":"Raffaele Sommese","tag":"2"},{"name":"KC Claffy","tag":"1"},{"name":"Roland van Rijswijk-Deij","tag":"2"},{"name":"Arnab Chattopadhyay","tag":"2"},{"name":"Alberto Dainotti","tag":"3"},{"name":"Anna Sperotto","tag":"2"},{"name":"Mattijs Jonker","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3517745.3561458","info":"IMC"},"publishDate":"2022-10-25","uri":"2022_investigating_the_impact_of_ddos_attacks_on_dns_infrastructure","tags":["DNS","DNS DDoS"],"titleEn":"Investigating the impact of DDoS attacks on DNS infrastructure","affiliation":[{"name":"caida/UC San Diego","tag":1},{"name":"University of Twente","tag":2},{"name":"Georgia Institute of Technology","tag":3}],"titleCn":"Investigating the impact of DDoS attacks on DNS infrastructure","cite":{"template":[{"template":"Sommese R, Claffy K C, van Rijswijk-Deij R, et al. 
Investigating the impact of DDoS attacks on DNS infrastructure[C]//proceedings of the 22nd ACM Internet Measurement Conference. 2022: 51-64.","type":"GB/T 7714"},{"template":"Sommese, Raffaele, et al. \"Investigating the impact of DDoS attacks on DNS infrastructure.\" proceedings of the 22nd ACM Internet Measurement Conference. 2022.","type":"MLA"},{"template":"Sommese, R., Claffy, K. C., van Rijswijk-Deij, R., Chattopadhyay, A., Dainotti, A., Sperotto, A., & Jonker, M. (2022, October). Investigating the impact of DDoS attacks on DNS infrastructure. In proceedings of the 22nd ACM Internet Measurement Conference (pp. 51-64).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":476,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Active DNS measurement is fundamental to understanding and improving the DNS ecosystem. However, the absence of an extensible, high-performance, and easy-to-use DNS toolkit has limited both the reproducibility and coverage of DNS research. In this paper, we introduce ZDNS, a modular and open-source active DNS measurement framework optimized for large-scale research studies of DNS on the public Internet. We describe ZDNS's architecture, evaluate its performance, and present two case studies that highlight how the tool can be used to shed light on the operational complexities of DNS. 
We hope that ZDNS will enable researchers to better---and in a more reproducible manner---understand Internet behavior.","author":[{"name":"Liz Izhikevich","tag":"1"},{"name":"Gautam Akiwate","tag":"1"},{"name":"Briana Berger","tag":"1"},{"name":"Spencer Drakontaidis","tag":"1"},{"name":"Anna Ascheman","tag":"1"},{"name":"Paul Pearce","tag":"2"},{"name":"David Adrian","tag":"1"},{"name":"Zakir Durumeric","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3517745.3561434","info":"IMC"},"publishDate":"2022-10-25","uri":"2022_zdns_a_fast_dns_toolkit_for_internet_measurement","tags":["DNS Infrastructure"],"titleEn":"ZDNS: A Fast DNS Toolkit for Internet Measurement","affiliation":[{"name":"Stanford University","tag":1},{"name":"Georgia Institute of Technology","tag":2}],"titleCn":"ZDNS: A Fast DNS Toolkit for Internet Measurement","cite":{"template":[{"template":"Izhikevich L, Akiwate G, Berger B, et al. ZDNS: a fast DNS toolkit for internet measurement[C]//Proceedings of the 22nd ACM Internet Measurement Conference. 2022: 33-43.","type":"GB/T 7714"},{"template":"Izhikevich, Liz, et al. \"ZDNS: a fast DNS toolkit for internet measurement.\" Proceedings of the 22nd ACM Internet Measurement Conference. 2022.","type":"MLA"},{"template":"Izhikevich, L., Akiwate, G., Berger, B., Drakontaidis, S., Ascheman, A., Pearce, P., ... & Durumeric, Z. (2022, October). ZDNS: a fast DNS toolkit for internet measurement. In Proceedings of the 22nd ACM Internet Measurement Conference (pp. 33-43).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":495,"keyword":[""],"fileType":2},{"paperType":2,"abstracts":"Accurate timekeeping is crucial for the functioning of applications and protocols in distributed networks - especially the Internet. The default protocol used for synchronizing time among servers and peers in the Internet is the Network Time Protocol. 
NTP is usually unauthenticated and is therefore prone to attacks though there have been multiple extensions and additions to the protocol to make it more secure. There are multiple public time providers that provide NTP servers that clients can use to synchronize time. NTPPool is one such volunteer run project that uses DNS to map clients to NTP servers that are closest to them. This is done by using an open source software named GeoDNS in the authoritative DNS servers of NTPPool. SIDN Labs contributes multiple NTP servers to the NTPPool project. One of these servers is deployed in 30 sites through Anycast and serves millions of clients. There has been little research into the characteristics of traffic that is received at a public NTP server. This research aims at analyzing the traffic received at the anycast NTP server that SIDN contributes to NTPPool in order to analyze the characteristics of the traffic that it receives. This includes information such as type of clients that use the NTP service, the catchment of the anycast sites, presence of anomalies in the NTP traffic, etc. This research will provide valuable insight into the current state of the NTP ecosystem.","author":[{"name":"Rushvanth Bhaskar","tag":"1"}],"origin":{"url":"https://www.sidnlabs.nl/downloads/2F7MA8sBibhmqv0T7rIorf/79ea0f8903ab4560365c66a83d9fcf9b/A_Day_in_the_Life_of_NTP_Analysis_of_NTP_Pool_Traffic.pdf","info":"SIDN Lab"},"publishDate":"2022-09-29","uri":"2022_a_day_in_the_life_of_ntp_analysis_of_ntppool_traffic","tags":["NTP"],"titleEn":"A Day in the Life of NTP: Analysis of NTPPool Traffic","affiliation":[{"name":"University of Twente & SIDN Labs","tag":1}],"titleCn":"A Day in the Life of NTP: Analysis of NTPPool Traffic","cite":{"template":[{"template":"Bhaskar R. A Day in the Life of NTP: Analysis of NTPPool Traffic[D]. University of Twente, 2022.","type":"GB/T 7714"},{"template":"Bhaskar, Rushvanth. A Day in the Life of NTP: Analysis of NTPPool Traffic. MS thesis. 
University of Twente, 2022.","type":"MLA"},{"template":"Bhaskar, R. (2022). A Day in the Life of NTP: Analysis of NTPPool Traffic (Master's thesis, University of Twente).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":443,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Internet-wide scanning is commonly used to understand the topology and security of the Internet. However, IPv4 Internet scans have been limited to scanning only a subset of services---exhaustively scanning all IPv4 services is too costly and no existing bandwidth-saving frameworks are designed to scan IPv4 addresses across all ports. In this work we introduce GPS, a system that efficiently discovers Internet services across all ports. GPS runs a predictive framework that learns from extremely small sample sizes and is highly parallelizable, allowing it to quickly find patterns between services across all 65K ports and a myriad of features. GPS computes service predictions in 13 minutes (four orders of magnitude faster than prior work) and finds 92.5% of services across *all* ports with 131× less bandwidth, and 204× more precision, compared to exhaustive scanning. GPS is the first work to show that, given at least two responsive IP addresses on a port to train from, predicting the majority of services across all ports is possible and practical.","author":[{"name":"Liz Izhikevich","tag":"1"},{"name":"Renata Teixeira","tag":"2"},{"name":"Zakir Durumeric","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3544216.3544249","info":"SIGCOMM"},"publishDate":"2022-08-01","uri":"2022_predicting_ipv4_services_across_all_ports","tags":["IP Address","Open Port"],"titleEn":"Predicting IPv4 services across all ports","affiliation":[{"name":"Stanford University","tag":1},{"name":"Inria Paris","tag":2}],"titleCn":"Predicting IPv4 services across all ports","cite":{"template":[{"template":"Izhikevich L, Teixeira R, Durumeric Z. 
Predicting ipv4 services across all ports[C]//Proceedings of the ACM SIGCOMM 2022 Conference. 2022: 503-515.","type":"GB/T 7714"},{"template":"Izhikevich, Liz, Renata Teixeira, and Zakir Durumeric. \"Predicting ipv4 services across all ports.\" Proceedings of the ACM SIGCOMM 2022 Conference. 2022.","type":"MLA"},{"template":"Izhikevich, L., Teixeira, R., & Durumeric, Z. (2022, August). Predicting ipv4 services across all ports. In Proceedings of the ACM SIGCOMM 2022 Conference (pp. 503-515).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":439,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Route hijacking is one of the most severe security problems in today's Internet, and route origin hijacking is the most common. While origin hijacking detection systems are already available, they suffer from tremendous pressures brought by frequent legitimate Multiple origin ASes (MOAS) conflicts. They detect MOAS conflicts on the control plane and then identify origin hijackings by data-plane probing or even manual verification. However, legitimate changes in prefix ownership can also cause MOAS conflicts, which are the majority of MOAS conflicts daily. Massive legitimate MOAS conflicts consume many resources for probing and identification, resulting in high verification costs and high verification latency in practice. In this paper, we propose a new origin hijacking system Themis to accelerate the detection of origin hijacking. Based on the ground truth dataset we built, we analyze the characteristics of different MOAS conflicts and train a classifier to filter out legitimate MOAS conflicts on the control plane. The accuracy and recall of the MOAS classifier are 95.49% and 99.20%, respectively. Using the MOAS classifier, Themis reduces verification costs by 56.69% compared with Argus, the state-of-the-art, and significantly accelerates the detection when many concurrent MOAS conflicts occur. 
The overall accuracy of Themis is almost the same as Argus.","author":[{"name":"Lancheng Qin","tag":"1"},{"name":" Dan Li","tag":"1,0"},{"name":"Ruifeng Li","tag":"3"},{"name":"Kang Wang","tag":"1"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity22/presentation/qin","info":"Security"},"publishDate":"2022-08-01","uri":"2022_themis_accelerating_the_detection_of_route_origin_hijacking_by_distinguishing_legitimate_and_illegitimate_moas","tags":["Routing","BGP Hijacking","KI3 Published"],"titleEn":"Themis: Accelerating the Detection of Route Origin Hijacking by Distinguishing Legitimate and Illegitimate MOAS","affiliation":[{"name":"Tsinghua University","tag":1},{"name":"Zhongguancun Laboratory","tag":2},{"name":"Tsinghua Shenzhen International Graduate School","tag":3}],"titleCn":"Themis: Accelerating the Detection of Route Origin Hijacking by Distinguishing Legitimate and Illegitimate MOAS","cite":{"template":[{"template":"Qin L, Li D, Li R, et al. Themis: Accelerating the detection of route origin hijacking by distinguishing legitimate and illegitimate {MOAS}[C]//31st USENIX Security Symposium (USENIX Security 22). 2022: 4509-4524.","type":"GB/T 7714"},{"template":"Qin, Lancheng, et al. \"Themis: Accelerating the detection of route origin hijacking by distinguishing legitimate and illegitimate {MOAS}.\" 31st USENIX Security Symposium (USENIX Security 22). 2022.","type":"MLA"},{"template":"Qin, L., Li, D., Li, R., & Wang, K. (2022). Themis: Accelerating the detection of route origin hijacking by distinguishing legitimate and illegitimate {MOAS}. In 31st USENIX Security Symposium (USENIX Security 22) (pp. 
4509-4524).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":468,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"The DNS is one of the most crucial parts of the Internet. Since the original DNS specifications defined UDP and TCP as the underlying transport protocols, DNS queries are inherently unencrypted, making them vulnerable to eavesdropping and on-path manipulations. Consequently, concerns about DNS privacy have gained attention in recent years, which resulted in the introduction of the encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Although these protocols address the key issues of adding privacy to the DNS, they are inherently restrained by their underlying transport protocols, which are at strife with, e.g., IP fragmentation or multi-RTT handshakes—challenges which are addressed by QUIC. As such, the recent addition of DNS over QUIC (DoQ) promises to improve upon the established DNS protocols. However, no studies focusing on DoQ, its adoption, or its response times exist to this date—a gap we close with our study. Our active measurements show a slowly but steadily increasing adoption of DoQ and reveal a high week-over-week fluctuation, which reflects the ongoing development process: As DoQ is still in standardization, implementations and services undergo rapid changes. Analyzing the response times of DoQ, we find that roughly 40% of measurements show considerably higher handshake times than expected, which traces back to the enforcement of the traffic amplification limit despite successful validation of the client’s address. 
However, DoQ already outperforms DoT as well as DoH, which makes it the best choice for encrypted DNS to date.","author":[{"name":"Mike Kosek","tag":"1"},{"name":"Trinh Viet Doan","tag":"1"},{"name":"Malte Granderath","tag":"1"}],"origin":{"url":"https://arxiv.org/pdf/2202.02987.pdf","info":"PAM"},"publishDate":"2022-03-22","uri":"2022_one_to_rule_them_all_a_first_look_at_dns_over_quic","tags":["DNS","Encrypted DNS"],"titleEn":"One to Rule Them All? A First Look at DNS over QUIC","affiliation":[{"name":" Technical University of Munich, Munich, Germany","tag":1}],"titleCn":"One to Rule Them All? A First Look at DNS over QUIC","cite":{"template":[{"template":"Kosek M, Doan T V, Granderath M, et al. One to rule them all? a first look at dns over quic[C]//International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2022: 537-551.","type":"GB/T 7714"},{"template":"Kosek, Mike, et al. \"One to rule them all? a first look at dns over quic.\" International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2022.","type":"MLA"},{"template":"Kosek, M., Doan, T. V., Granderath, M., & Bajpai, V. (2022, March). One to rule them all? a first look at dns over quic. In International Conference on Passive and Active Network Measurement (pp. 537-551). Cham: Springer International Publishing.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":449,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"While the DNS protocol encompasses both UDP and TCP as its underlying transport, UDP is commonly used in practice. At the same time, increasingly large DNS responses and concerns over amplification denial of service attacks have heightened interest in conducting DNS interactions over TCP. This paper surveys the support for DNS-over-TCP in the deployed DNS infrastructure from several angles. 
First, we assess resolvers responsible for over 66.2% of the external DNS queries that arrive at a major content delivery network (CDN). We find that 2.7% to 4.8% of the resolvers, contributing around 1.1% to 4.4% of all queries arriving at the CDN from the resolvers we study, do not properly fallback to TCP when instructed by authoritative DNS servers. Should a content provider decide to employ TCP-fallback as the means of switching to DNS-over-TCP, it faces the corresponding loss of its customers. Second, we assess authoritative DNS servers (ADNS) for over 10M domains and many CDNs and find some ADNS, serving some popular websites and a number of CDNs, that do not support DNS-over-TCP. These ADNS would deny service to (RFC-compliant) resolvers that choose to switch to TCP-only interactions. Third, we study the TCP connection reuse behavior of DNS actors and describe a race condition in TCP connection reuse by DNS actors that may become a significant issue should DNS-over-TCP and other TCP-based DNS protocols, such as DNS-over-TLS, become widely used.","author":[{"name":"Jiarun Mao","tag":"1"},{"name":"Michael Rabinovich","tag":"1"}],"origin":{"url":"https://par.nsf.gov/servlets/purl/10320040","info":"PAM"},"publishDate":"2022-03-22","uri":"2022_assessing_support_for_dns_over_tcp_in_the_wild","tags":["DNS","DNS Resolver"],"titleEn":"Assessing Support for DNS-over-TCP in the Wild","affiliation":[{"name":" Case Western Reserve University","tag":1}],"titleCn":"Assessing Support for DNS-over-TCP in the Wild","cite":{"template":[{"template":"Mao J, Rabinovich M, Schomp K. Assessing Support for DNS-over-TCP in the Wild[C]//International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2022: 487-517.","type":"GB/T 7714"},{"template":"Mao, Jiarun, Michael Rabinovich, and Kyle Schomp. \"Assessing Support for DNS-over-TCP in the Wild.\" International Conference on Passive and Active Network Measurement. 
Cham: Springer International Publishing, 2022.","type":"MLA"},{"template":"Mao, J., Rabinovich, M., & Schomp, K. (2022, March). Assessing Support for DNS-over-TCP in the Wild. In International Conference on Passive and Active Network Measurement (pp. 487-517). Cham: Springer International Publishing.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":447,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Most online communications rely on DNS to map domain names to their hosting IP address(es). Previous work has shown that DNS-based network interference is widespread due to the unencrypted and unauthenticated nature of the original DNS protocol. In addition to DNS, accessed domain names can also be monitored by on-path observers during the TLS handshake when the SNI extension is used. These lingering issues with exposed plaintext domain names have led to the development of a new generation of protocols that keep accessed domain names hidden. DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) hide the domain names of DNS queries, while Encrypted Server Name Indication (ESNI) encrypts the domain name in the SNI extension. We present DNEye, a measurement system built on top of a network of distributed vantage points, which we used to study the accessibility of DoT/DoH and ESNI, and to investigate whether these protocols are tampered with by network providers (e.g., for censorship). Moreover, we evaluate the efficacy of these protocols in circumventing network interference when accessing content blocked by traditional DNS manipulation. We find evidence of blocking efforts against domain name encryption technologies in several countries, including China, Russia, and Saudi Arabia. 
At the same time, we discover that domain name encryption can help with unblocking more than 55% and 95% of censored domains in China and other countries where DNS-based filtering is heavily employed.","author":[{"name":"Nguyen Phong Hoang","tag":"2"},{"name":"Michalis Polychronakis","tag":"1"}],"origin":{"url":"https://arxiv.org/pdf/2202.00663.pdf","info":"PAM"},"publishDate":"2022-03-22","uri":"2022_measuring_the_accessibility_of_domain_name_encryption_and_its_impact_on_internet_filtering","tags":["DNS","Encrypted DNS"],"titleEn":"Measuring the Accessibility of Domain Name Encryption and Its Impact on Internet Filtering","affiliation":[{"name":"Stony Brook University","tag":1},{"name":" University of Chicago","tag":2}],"titleCn":"Measuring the Accessibility of Domain Name Encryption and Its Impact on Internet Filtering","cite":{"template":[{"template":"Hoang N P, Polychronakis M, Gill P. Measuring the accessibility of domain name encryption and its impact on internet filtering[C]//International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2022: 518-536.","type":"GB/T 7714"},{"template":"Hoang, Nguyen Phong, Michalis Polychronakis, and Phillipa Gill. \"Measuring the accessibility of domain name encryption and its impact on internet filtering.\" International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2022.","type":"MLA"},{"template":"Hoang, N. P., Polychronakis, M., & Gill, P. (2022, March). Measuring the accessibility of domain name encryption and its impact on internet filtering. In International Conference on Passive and Active Network Measurement (pp. 518-536). 
Cham: Springer International Publishing.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":450,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"DNS root servers are deployed using multiple globally distributed anycast instances, and the scale of instances across the globe has been rapidly growing. This paper presents a measurement study that investigates the practical effect of root server instances deployed in the Chinese mainland. Our analysis of this issue includes two-fold. First, we measure the catchment area of the root server instances and answer the question about which domestic networks are served. Our results show that some of the instances are not accessible from major ISP networks due to limits of BGP routing policies, and a number of root queries still turn to further instances outside the international gateway. Second, we evaluate the impact of deploying new instances on query performance and root server selection in resolvers. We confirm that root instances contribute to lowered query delay from networks within their catchment area. Through reviewing source code of mainstream DNS implementations, we find that less-latent root servers are generally preferred thus deploying root server instances increase their possibilities to absorb DNS root requests from nearby resolvers. 
We make recommendations to improve the operational status of the DNS root server system.","author":[{"name":"Fenglu Zhang","tag":"1"},{"name":"Chaoyi Lu","tag":"1"},{"name":"Baojun Liu","tag":"1,4"},{"name":"Haixin Duan","tag":"1,3,2"},{"name":"Ying Liu","tag":"1"}],"origin":{"url":"https://link.springer.com/chapter/10.1007/978-3-030-98785-5_11","info":"PAM"},"publishDate":"2022-03-22","uri":"2022_measuring_the_practical_effect_of_dns_root_server_instances_a_china_wide_case_study","tags":["DNS","Root Server"],"titleEn":"Measuring the Practical Effect of DNS Root Server Instances: A China-Wide Case Study","affiliation":[{"name":"Tsinghua University","tag":1},{"name":"Peng Cheng Laboratory","tag":2},{"name":"Qi An Xin Group","tag":3},{"name":"Beijing National Research Center for Information Science and Technology (BNRist)","tag":4}],"titleCn":"Measuring the Practical Effect of DNS Root Server Instances: A China-Wide Case Study","cite":{"template":[{"template":"Zhang F, Lu C, Liu B, et al. Measuring the practical effect of dns root server instances: A china-wide case study[C]//International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2022: 247-263.","type":"GB/T 7714"},{"template":"Zhang, Fenglu, et al. \"Measuring the practical effect of dns root server instances: A china-wide case study.\" International Conference on Passive and Active Network Measurement. Cham: Springer International Publishing, 2022.","type":"MLA"},{"template":"Zhang, F., Lu, C., Liu, B., Duan, H., & Liu, Y. (2022, March). Measuring the practical effect of dns root server instances: A china-wide case study. In International Conference on Passive and Active Network Measurement (pp. 247-263). Cham: Springer International Publishing.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":473,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Fast IPv4 scanning significantly improves network measurement and security research. 
Nevertheless, it is infeasible to perform brute-force scanning of the IPv6 address space. Alternatively, one can find active IPv6 addresses through scanning the candidate addresses generated by state-of-the-art algorithms. However, the probing efficiency of such algorithms is often very low. In this paper, our objective is to improve the probing efficiency of IPv6 addresses. We first perform a longitudinal active measurement study and build a high-quality dataset, hitlist, including more than 1.95B IPv6 addresses distributed in 58.2K BGP prefixes and collected over 17 months period. Different from the previous works, we probe the announced BGP prefixes using a pattern-based algorithm. This results in a dataset without uneven address distribution and low active rates. Further, we propose an efficient address generation algorithm, DET, which builds a density space tree to learn high-density address regions of the seed addresses with linear time complexity and improves the active addresses’ probing efficiency. We then compare our algorithm DET against state-of-the-art algorithms on the public hitlist and our hitlist by scanning 50M addresses. Our analysis shows that DET increases the de-aliased active address ratio and active address (including aliased addresses) ratio by 10%, and 14%, respectively. Furthermore, we develop a fingerprint-based method to detect aliased prefixes. The proposed method for the first time directly verifies whether the prefix is aliased or not. 
Our method finds that 10.64% of the public aliased prefixes are false positive.","author":[{"name":"Guanglei Song","tag":"2,1"},{"name":"Jiahai Yang","tag":"2,1"},{"name":"Zhiliang Wang","tag":"2,1"},{"name":"Lin He","tag":"2,1"},{"name":"Jinlei Lin","tag":"2,1"},{"name":"Long Pan","tag":"2,1"},{"name":"Chenxin Duan","tag":"2,1"},{"name":"Xiaowen Quan","tag":"2,1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1109/TNET.2022.3145040","info":"ToN"},"publishDate":"2022-02-01","uri":"2022_det_enabling_efficient_probing_of_ipv6_active_addresses","tags":["IP Address","Active IP"],"titleEn":"DET: Enabling Efficient Probing of IPv6 Active Addresses","affiliation":[{"name":"Institute for Network Sciences and Cyberspace Tsinghua University","tag":1},{"name":"Beijing National Research Center for Information Science and Technology Tsinghua University","tag":2}],"titleCn":"DET: Enabling Efficient Probing of IPv6 Active Addresses","cite":{"template":[{"template":"Song G, Yang J, Wang Z, et al. Det: Enabling efficient probing of ipv6 active addresses[J]. IEEE/ACM Transactions on Networking, 2022, 30(4): 1629-1643.","type":"GB/T 7714"},{"template":"Song, Guanglei, et al. \"Det: Enabling efficient probing of ipv6 active addresses.\" IEEE/ACM Transactions on Networking 30.4 (2022): 1629-1643.","type":"MLA"},{"template":"Song, G., Yang, J., Wang, Z., He, L., Lin, J., Pan, L., ... & Quan, X. (2022). Det: Enabling efficient probing of ipv6 active addresses. IEEE/ACM Transactions on Networking, 30(4), 1629-1643.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":426,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Securing inter-domain routing systems of the Internet from illegitimate prefix announcements has been a great concern for the researchers and network operators. 
After the failure of many BGP (Border Gateway Protocol) security enhancement mechanisms to achieve broad deployment, it is encouraging to see that the deployment of RPKI (Resource Public Key Infrastructure) is gradually increasing worldwide. For a deeper understanding of the impact of RPKI, many studies have been devoted to measuring the deployment of RPKI, including the deployment of ROA (Route Origin Authorization) and ROV (Route Origin Validation). Unlike the measurement of ROA deployment which can be directly derived from the data in RPKI repository, the measurement of ROV deployment requires more sophisticated measurement and inference techniques. 
However, existing work has limited measurement range, and the inference methods are either inaccurate or inefficient. In this paper, we propose a new framework, ROV-MI, for the measurement of ROV deployment, which consist of a large-scale measurement infrastructure driven by in-the-wild invalid prefixes in the control plane to detect filtering of invalid updates with active probing in the data plane, and an efficient and accurate inference algorithm based on Bayesian inference techniques. We implement ROV-MI for measuring real-world ROV deployment and compare it to prior works, and the results show that ROV-MI can accurately infer ROV adoption of ~10 times more ASes (Autonomous Systems) with less than 20% of the execution time compared to current state-of-the-art methods.","author":[{"name":"Wenqi Chen","tag":"1"},{"name":" Zhiliang Wang","tag":"1"},{"name":" Dongqi Han","tag":"1"},{"name":" Chenxin Duan","tag":"1"},{"name":" Xia Yin","tag":"1"},{"name":" Jiahai Yang","tag":"1"},{"name":" Xingang Shi","tag":"1"}],"origin":{"url":"https://www.ndss-symposium.org/ndss-paper/auto-draft-183/","info":"NDSS"},"publishDate":"2022-01-01","uri":"2022_rov_mi_large_scale_accurate_and_efficient_measurement_of_rov_deployment","tags":["Routing","RPKI"],"titleEn":"ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment","affiliation":[{"name":"Tsinghua University","tag":1}],"titleCn":"ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment","cite":{"template":[{"template":"Chen W, Wang Z, Han D, et al. ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment[C]//NDSS. 2022.","type":"GB/T 7714"},{"template":"Chen, Wenqi, et al. \"ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment.\" NDSS. 2022.","type":"MLA"},{"template":"Chen, W., Wang, Z., Han, D., Duan, C., Yin, X., Yang, J., & Shi, X. (2022). ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment. 
In NDSS.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":459,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"The long-running *IPv6 Hitlist* service is an important foundation for IPv6 measurement studies. It helps to overcome infeasible, complete address space scans by collecting valuable, unbiased IPv6 address candidates and regularly testing their responsiveness. However, the Internet itself is a quickly changing ecosystem that can affect long-running services, potentially inducing biases and obscurities into ongoing data collection means. Frequent analyses but also updates are necessary to enable a valuable service to the community. In this paper, we show that the existing hitlist is highly impacted by the Great Firewall of China, and we offer a cleaned view on the development of responsive addresses. While the accumulated input shows an increasing bias towards some networks, the cleaned set of responsive addresses is well distributed and shows a steady increase. Although it is a best practice to remove aliased prefixes from IPv6 hitlists, we show that this also removes major content delivery networks. More than 98% of all IPv6 addresses announced by Fastly were labeled as aliased and Cloudflare prefixes hosting more than 10 M domains were excluded. Depending on the hitlist usage, *e.g.*, higher layer protocol scans, inclusion of addresses from these providers can be valuable. Lastly, we evaluate different new address candidate sources, including target generation algorithms to improve the coverage of the current *IPv6 Hitlist.* We show that a combination of different methodologies is able to identify 5.6 M new, responsive addresses. 
This accounts for an increase by 174% and combined with the current *IPv6 Hitlist*, we identify 8.8 M responsive addresses.","author":[{"name":"Johannes Zirngibl","tag":"1"},{"name":"Lion Steger","tag":"1"},{"name":"Patrick Sattler","tag":"1"},{"name":"Oliver Gasser","tag":"2"},{"name":"Georg Carle","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3517745.3561440","info":"IMC"},"publishDate":"2022-01-01","uri":"2022_rusty_clusters_dusting_an_ipv6_research_foundation","tags":["IP Address","Active IP"],"titleEn":"Rusty clusters?: dusting an IPv6 research foundation","affiliation":[{"name":"Technical University of Munich","tag":1},{"name":"Max Planck Institute for Informatics","tag":2}],"titleCn":"Rusty clusters?: dusting an IPv6 research foundation","cite":{"template":[{"template":"Zirngibl J, Steger L, Sattler P, et al. Rusty clusters? dusting an IPv6 research foundation[C]//Proceedings of the 22nd ACM Internet Measurement Conference. 2022: 395-409.","type":"GB/T 7714"},{"template":"Zirngibl, Johannes, et al. \"Rusty clusters? dusting an IPv6 research foundation.\" Proceedings of the 22nd ACM Internet Measurement Conference. 2022.","type":"MLA"},{"template":"Zirngibl, J., Steger, L., Sattler, P., Gasser, O., & Carle, G. (2022, October). Rusty clusters? dusting an IPv6 research foundation. In Proceedings of the 22nd ACM Internet Measurement Conference (pp. 395-409).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":421,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"In this paper, we revisit the open DNS (ODNS) infrastructure and, for the first time, systematically measure and analyze transparent forwarders, DNS components that transparently relay between stub resolvers and recursive resolvers. Our key findings include four takeaways. First, transparent forwarders contribute 26% (563k) to the current ODNS infrastructure. 
Unfortunately, common periodic scanning campaigns such as Shadowserver do not capture transparent forwarders and thus underestimate the current threat potential of the ODNS. Second, we find an increased deployment of transparent forwarders in Asia and South America. In India alone, the ODNS consists of 80% transparent forwarders. Third, many transparent forwarders relay to a few selected public resolvers such as Google and Cloudflare, which confirms a consolidation trend of DNS stakeholders. Finally, we introduce DNSRoute++, a new traceroute approach to understand the network infrastructure connecting transparent forwarders and resolvers.","author":[{"name":"Marcin Nawrocki","tag":"1"},{"name":"Mattijs Jonker","tag":"2"},{"name":"Thomas C. Schmidt","tag":"3"},{"name":"Matthias Wählisch","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3485983.3494872","info":"CoNEXT"},"publishDate":"2021-12-07","uri":"2021_transparent_forwarders_an_unnoticed_component_of_the_open_dns_infrastructure","tags":["DNS","DNS resolver"],"titleEn":"Transparent Forwarders: An Unnoticed Component of the Open DNS Infrastructure","affiliation":[{"name":"Freie Universität Berlin","tag":1},{"name":"University of Twente","tag":2},{"name":"HAW Hamburg","tag":3}],"titleCn":"Transparent Forwarders: An Unnoticed Component of the Open DNS Infrastructure","cite":{"template":[{"template":"Nawrocki M, Koch M, Schmidt T C, et al. Transparent forwarders: an unnoticed component of the open DNS infrastructure[C]//Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies. 2021: 454-462.","type":"GB/T 7714"},{"template":"Nawrocki, Marcin, et al. \"Transparent forwarders: an unnoticed component of the open DNS infrastructure.\" Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies. 2021.","type":"MLA"},{"template":"Nawrocki, M., Koch, M., Schmidt, T. C., & Wählisch, M. (2021, December). 
Transparent forwarders: an unnoticed component of the open DNS infrastructure. In Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies (pp. 454-462).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":507,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14×). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making.","author":[{"name":"Marcin Nawrocki","tag":"1"},{"name":"Mattijs Jonker","tag":"2"},{"name":"Thomas C. 
Schmidt","tag":"3"},{"name":"Matthias Wählisch","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3487552.3487835","info":"IMC"},"publishDate":"2021-11-02","uri":"2021_the_far_side_of_dns_amplification_tracing_the_ddos_attack_ecosystem_from_the_internet_core","tags":["DNS","DNS DDoS"],"titleEn":"The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core","affiliation":[{"name":"Freie Universität Berlin","tag":1},{"name":"University of Twente","tag":2},{"name":"HAW Hamburg","tag":3}],"titleCn":"The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core","cite":{"template":[{"template":"Nawrocki M, Jonker M, Schmidt T C, et al. The far side of DNS amplification: tracing the DDoS attack ecosystem from the Internet core[C]//Proceedings of the 21st ACM Internet Measurement Conference. 2021: 419-434.","type":"GB/T 7714"},{"template":"Nawrocki, Marcin, et al. \"The far side of DNS amplification: tracing the DDoS attack ecosystem from the Internet core.\" Proceedings of the 21st ACM Internet Measurement Conference. 2021.","type":"MLA"},{"template":"Nawrocki, M., Jonker, M., Schmidt, T. C., & Wählisch, M. (2021, November). The far side of DNS amplification: tracing the DDoS attack ecosystem from the Internet core. In Proceedings of the 21st ACM Internet Measurement Conference (pp. 419-434).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":475,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Secure TLS server authentication depends on reliable trust anchors. The fault intolerant design of today's system---where a single compromised trust anchor can impersonate nearly all web entities---necessitates the careful assessment of each trust anchor found in a root store. In this work, we present a first look at the root store ecosystem that underlies the accelerating deployment of TLS. 
Our broad collection of TLS user agents, libraries, and operating systems reveals a surprisingly condensed root store ecosystem, with nearly all user agents ultimately deriving their roots from one of three root programs: Apple, Microsoft, and NSS. This inverted pyramid structure further magnifies the importance of judicious root store management by these foundational root programs. Our analysis of root store management presents evidence of NSS's relative operational agility, transparency, and rigorous inclusion policies. Unsurprisingly, all derivative root stores in our dataset (e.g., Linuxes, Android, NodeJS) draw their roots from NSS. Despite this solid footing, derivative root stores display lax update routines and often customize their root stores in questionable ways. By scrutinizing these practices, we highlight two fundamental obstacles to existing NSS-derived root stores: rigid on-or-off trust and multi-purpose root stores. Taken together, our study highlights the concentration of root store trust in TLS server authentication, exposes questionable root management practices, and proposes improvements for future TLS root stores.","author":[{"name":"Zane Ma","tag":"3"},{"name":"James Austgen","tag":"2"},{"name":"Joshua Mason","tag":"2"},{"name":"Zakir Durumeric","tag":"1"},{"name":"Michael Bailey","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3487552.3487813","info":"IMC"},"publishDate":"2021-11-02","uri":"2021_tracing_your_roots_exploring_the_tls_trust_anchor_ecosystem","tags":["HTTPS","Web PKI"],"titleEn":"Tracing your roots: exploring the TLS trust anchor ecosystem","affiliation":[{"name":"Stanford University","tag":1},{"name":"University of Illinois at Urbana-Champaign","tag":2},{"name":"Georgia Institute of Technology","tag":3}],"titleCn":"Tracing your roots: exploring the TLS trust anchor ecosystem","cite":{"template":[{"template":"Ma Z, Austgen J, Mason J, et al. 
Tracing your roots: exploring the TLS trust anchor ecosystem[C]//Proceedings of the 21st ACM Internet Measurement Conference. 2021: 179-194.","type":"GB/T 7714"},{"template":"Ma, Zane, et al. \"Tracing your roots: exploring the TLS trust anchor ecosystem.\" Proceedings of the 21st ACM Internet Measurement Conference. 2021.","type":"MLA"},{"template":"Ma, Z., Austgen, J., Mason, J., Durumeric, Z., & Bailey, M. (2021, November). Tracing your roots: exploring the TLS trust anchor ecosystem. In Proceedings of the 21st ACM Internet Measurement Conference (pp. 179-194).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":409,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"The Internet's Domain Name System (DNS) is a part of every web request and e-mail exchange, so DNS failures can be catastrophic, taking out major websites and services. This paper identifies TsuNAME, a vulnerability where some recursive resolvers can greatly amplify queries, potentially resulting in a denial-of-service to DNS services. TsuNAME is caused by cyclical dependencies in DNS records. A recursive resolver repeatedly follows these cycles, coupled with insufficient caching and application-level retries greatly amplify an initial query, stressing authoritative servers. Although issues with cyclic dependencies are not new, the scale of amplification has not previously been understood. We document real-world events in .nz (a country-level domain), where two misconfigured domains resulted in a 50% increase on overall traffic. We reproduce and document root causes of this event through experiments, and demonstrate a 500× amplification factor. In response to our disclosure, several DNS software vendors have documented their mitigations, including Google public DNS and Cisco OpenDNS. For operators of authoritative DNS services we have developed and released CycleHunter, an open-source tool that detects cyclic dependencies and prevents attacks. 
We use CycleHunter to evaluate roughly 184 million domain names in 7 large, top-level domains (TLDs), finding 44 cyclic dependent NS records used by 1.4k domain names. The TsuNAME vulnerability is weaponizable, since an adversary can easily create cycles to attack the infrastructure of a parent domains. Documenting this threat and its solutions is an important step to ensuring it is fully addressed.","author":[{"name":"Giovane C. M. Moura","tag":"2"},{"name":"Sebastian Castro","tag":"1"},{"name":"John Heidemann","tag":"3"},{"name":"Wes Hardaker","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3487552.3487824","info":"IMC"},"publishDate":"2021-11-02","uri":"2021_tsuname_exploiting_misconfiguration_and_vulnerability_to_ddos_dns","tags":["DNS","DNS DDoS"],"titleEn":"TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS","affiliation":[{"name":"InternetNZ","tag":1},{"name":"SIDN Labs","tag":2},{"name":"USC/ISI","tag":3}],"titleCn":"TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS","cite":{"template":[{"template":"Moura G C M, Castro S, Heidemann J, et al. TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS[C]//Proceedings of the 21st ACM Internet Measurement Conference. 2021: 398-418.","type":"GB/T 7714"},{"template":"Moura, Giovane CM, et al. \"TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS.\" Proceedings of the 21st ACM Internet Measurement Conference. 2021.","type":"MLA"},{"template":"Moura, G. C., Castro, S., Heidemann, J., & Hardaker, W. (2021, November). TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS. In Proceedings of the 21st ACM Internet Measurement Conference (pp. 398-418).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":491,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"In recent years, DNS-over-HTTPS (DoH) has gained significant traction as a privacy-preserving alternative to unencrypted DNS. 
While several studies have measured DoH performance relative to traditional DNS and other encrypted DNS schemes, they often provide incomplete insights, either by conducting measurements from single countries or by being unable to compare encrypted DNS to default client behavior. To expand on existing research, we utilized the BrightData proxy network to gather a dataset consisting of 22,052 unique clients across 224 countries and territories. Our data shows that the performance impact of switching to DoH is mixed, with a median slowdown of 65ms per query across a 10-query connection, but with 28% of clients experiencing a speedup over that same interval. We compared four public DoH providers, noting that Cloudflare excels in both DoH resolution time (265ms) and global points-of-presence (146). Furthermore, we analyzed geographic differences between DoH and Do53 resolution times and provided analysis on possible causes, finding that clients from countries with low internet infrastructure investment are almost twice as likely to experience a slowdown when switching to DoH as those with high internet infrastructure investment. We conclude with possible improvements to the DoH ecosystem. We hope that our findings can help to inform continuing DoH deployments.","author":[{"name":"Rishabh Chhabra","tag":"1"},{"name":"Paul Murley","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/pdf/10.1145/3487552.3487849","info":"IMC"},"publishDate":"2021-11-02","uri":"2021_measuring_dns_over_https_performance_around_the_world","tags":["DNS","Encrypted DNS"],"titleEn":"Measuring DNS-over-HTTPS Performance Around the World","affiliation":[{"name":"University of Illinois at Urbana-Champaign IL, USA","tag":1}],"titleCn":"Measuring DNS-over-HTTPS Performance Around the World","cite":{"template":[{"template":"Chhabra R, Murley P, Kumar D, et al. Measuring DNS-over-HTTPS Performance around the World[C]//Proceedings of the 21st ACM Internet Measurement Conference. 
2021: 351-365.","type":"GB/T 7714"},{"template":"Chhabra, Rishabh, et al. \"Measuring DNS-over-HTTPS Performance around the World.\" Proceedings of the 21st ACM Internet Measurement Conference. 2021.","type":"MLA"},{"template":"Chhabra, R., Murley, P., Kumar, D., Bailey, M., & Wang, G. (2021, November). Measuring DNS-over-HTTPS Performance around the World. In Proceedings of the 21st ACM Internet Measurement Conference (pp. 351-365).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":446,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"IPv6's large address space allows ample freedom for choosing and assigning addresses. To improve client privacy and resist IP-based tracking, standardized techniques leverage this large address space, including privacy extensions and provider prefix rotation. Ephemeral and dynamic IPv6 addresses confound not only tracking and traffic correlation attempts, but also traditional network measurements, logging, and defense mechanisms. We show that the intended anti-tracking capability of these widely deployed mechanisms is unwittingly subverted by edge routers using legacy IPv6 addressing schemes that embed unique identifiers. We develop measurement techniques that exploit these legacy devices to make tracking such moving IPv6 clients feasible by combining intelligent search space reduction with modern high-speed active probing. Via an Internet-wide measurement campaign, we discover more than 9M affected edge routers and approximately 13k /48 prefixes employing prefix rotation in hundreds of ASes worldwide. We mount a six-week campaign to characterize the size and dynamics of these deployed IPv6 rotation pools, and demonstrate via a case study the ability to remotely track client address movements over time. 
We responsibly disclosed our findings to equipment manufacturers, at least one of which subsequently changed their default addressing logic.","author":[{"name":"Erik Rye","tag":"2"},{"name":"Robert Beverly","tag":"1"},{"name":"kc claffy","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3487552.3487829","info":"IMC"},"publishDate":"2021-11-01","uri":"2021_follow_the_scent_defeating_ipv6_prefix_rotation_privacy","tags":["IP Address","Active IP"],"titleEn":"Follow the Scent: Defeating IPv6 Prefix Rotation Privacy","affiliation":[{"name":"Naval Postgraduate School","tag":1},{"name":"CMAND","tag":2},{"name":"caida/UC San Diego","tag":3}],"titleCn":"Follow the Scent: Defeating IPv6 Prefix Rotation Privacy","cite":{"template":[{"template":"Rye E, Beverly R, Claffy K C. Follow the scent: Defeating IPv6 prefix rotation privacy[C]//Proceedings of the 21st ACM Internet Measurement Conference. 2021: 739-752.","type":"GB/T 7714"},{"template":"Rye, Erik, Robert Beverly, and Kimberly C. Claffy. \"Follow the scent: Defeating IPv6 prefix rotation privacy.\" Proceedings of the 21st ACM Internet Measurement Conference. 2021.","type":"MLA"},{"template":"Rye, E., Beverly, R., & Claffy, K. C. (2021, November). Follow the scent: Defeating IPv6 prefix rotation privacy. In Proceedings of the 21st ACM Internet Measurement Conference (pp. 739-752).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":428,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Anycast has proven to be an effective mechanism to enhance resilience in the DNS ecosystem and for scaling DNS nameserver capacity, both in authoritative and the recursive resolver infrastructure. Since its adoption for root servers, anycast has mitigated the impact of failures and DDoS attacks on the DNS ecosystem. In this work, we quantify the adoption of anycast to support authoritative domain name service for top-level and second-level domains (TLDs and SLDs). 
Comparing two comprehensive anycast census datasets in 2017 and 2021, with DNS measurements captured over the same period, reveals that anycast adoption is increasing, driven by a few large operators. While anycast offers compelling resilience advantage, it also shifts some resilience risk to other aspects of the infrastructure. We discuss these aspects, and how the pervasive use of anycast merits a re-evaluation of how to measure DNS resilience.","author":[{"name":"Raffaele Sommese","tag":"4"},{"name":"Gautam Akiwate","tag":"1"},{"name":"Mattijs Jonker","tag":"4"},{"name":"Giovane C. M. Moura","tag":"2"},{"name":"Marco Davids","tag":"2"},{"name":"Roland van Rijswijk-Deij","tag":"4"},{"name":"Geoffrey M. Voelker","tag":"1"},{"name":"Stefan Savage","tag":"1"},{"name":"K.C. Claffy","tag":"3"},{"name":"Anna Sperotto","tag":"4"}],"origin":{"url":"https://par.nsf.gov/biblio/10287364","info":"TMA"},"publishDate":"2021-09-14","uri":"2021_characterization_of_anycast_adoption_in_the_dns_authoritative_infrastructure","tags":["DNS","Authoriative Server","Anycast"],"titleEn":"Characterization of Anycast Adoption in the DNS Authoritative Infrastructure","affiliation":[{"name":"UC San Diego","tag":1},{"name":"SIDN Labs","tag":2},{"name":"caida/UC San Diego","tag":3},{"name":"University of Twente","tag":4}],"titleCn":"Characterization of Anycast Adoption in the DNS Authoritative Infrastructure","cite":{"template":[{"template":"Sommese R, Akiwate G, Jonker M, et al. Characterization of anycast adoption in the DNS authoritative infrastructure[C]//Network Traffic Measurement and Analysis Conference (TMA'21). 2021.","type":"GB/T 7714"},{"template":"Sommese, Raffaele, et al. \"Characterization of anycast adoption in the DNS authoritative infrastructure.\" Network Traffic Measurement and Analysis Conference (TMA'21). 2021.","type":"MLA"},{"template":"Sommese, R., Akiwate, G., Jonker, M., Moura, G. C., Davids, M., Rijswijk-Deij, R. V., ... & Sperotto, A. (2021, September). 
Characterization of anycast adoption in the DNS authoritative infrastructure. In Network Traffic Measurement and Analysis Conference (TMA'21).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":474,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Open DNS resolvers are resolvers that perform recursive resolution on behalf of any user. They can be exploited by adversaries because they are open to the public and require no authorization to use. Therefore, it is important to understand the state of open resolvers to gauge their potentially negative impact on the security and stability of the Internet. In this study, we conducted a comprehensive probing over the entire IPv4 address space and found that more than 3 million IP addresses of open resolvers still exist in the wild. Moreover, we found that many of them work in a way that deviates from the standard. More importantly, we found that many open resolvers answer queries with incorrect, even malicious, responses. Contrasting to results obtained in 2013, we found that while the number of open resolvers has decreased significantly, the number of resolvers providing incorrect responses is almost the same, while the number of open resolvers providing malicious responses has increased, highlighting the prevalence of their threat. 
Through an extended analysis, we also empirically show the use of forwarders in the open resolver ecosystem and the possibility that incorrect or malicious responses can be manipulated by these forwarders.","author":[{"name":"Jeman Park","tag":"1"},{"name":" Rhongho Jang","tag":"2"},{"name":" Manar Mohaisen","tag":"3"},{"name":" David Mohaisen","tag":"4"}],"origin":{"url":"https://ieeexplore.ieee.org/document/9523630","info":"ToN"},"publishDate":"2021-08-26","uri":"2021_a_large_scale_behavioral_analysis_of_the_open_dns_resolvers_on_the_internet","tags":["DNS","DNS resolver"],"titleEn":"A Large-Scale Behavioral Analysis of the Open DNS Resolvers on the Internet","affiliation":[{"name":"School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, GA, USA","tag":1},{"name":"Department of Computer Science, Wayne State University, Detroit, MI, USA","tag":2},{"name":"Department of Computer Science, Northeastern Illinois University, Chicago, IL, USA","tag":3},{"name":"Department of Computer Science, University of Central Florida, Orlando, FL, USA","tag":4}],"titleCn":"A Large-Scale Behavioral Analysis of the Open DNS Resolvers on the Internet","cite":{"template":[{"template":"Park J, Jang R, Mohaisen M, et al. A large-scale behavioral analysis of the open DNS resolvers on the internet[J]. IEEE/ACM Transactions on Networking, 2021, 30(1): 76-89.","type":"GB/T 7714"},{"template":"Park, Jeman, et al. \"A large-scale behavioral analysis of the open DNS resolvers on the internet.\" IEEE/ACM Transactions on Networking 30.1 (2021): 76-89.","type":"MLA"},{"template":"Park, J., Jang, R., Mohaisen, M., & Mohaisen, D. (2021). A large-scale behavioral analysis of the open DNS resolvers on the internet. 
IEEE/ACM Transactions on Networking, 30(1), 76-89.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":510,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Anycast is used to serve content including web pages and DNS, and anycast deployments are growing. However, prior work examining root DNS suggests anycast deployments incur significant inflation, with users often routed to suboptimal sites. We reassess anycast performance, first extending prior analysis on inflation in the root DNS. We show that inflation is very common in root DNS, affecting more than 95% of users. However, we then show root DNS latency hardly matters to users because caching is so effective. These findings lead us to question: is inflation inherent to anycast, or can inflation be limited when it matters? To answer this question, we consider Microsoft's anycast CDN serving latency-sensitive content. Here, latency matters orders of magnitude more than for root DNS. Perhaps because of this need, only 35% of CDN users experience any inflation, and the amount they experience is smaller than root DNS. We show that CDN anycast latency has little inflation due to extensive peering and engineering. 
These results suggest prior claims of anycast inefficiency reflect experiments on a single application rather than anycast's technical potential, and they demonstrate the importance of context when measuring system performance.","author":[{"name":"Koch Thomas","tag":"1"},{"name":" Katz-Bassett Ethan","tag":"1"},{"name":" Heidemann John","tag":"4"},{"name":" Calder Matt","tag":"2,0"},{"name":" Ardi Calvin","tag":"4"},{"name":" Li Ke","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3452296.3472891","info":"SIGCOMM"},"publishDate":"2021-08-23","uri":"2021_anycast_in_context_a_tale_of_two_systems","tags":["IP Address","Anycast"],"titleEn":"Anycast in Context: A Tale of Two Systems","affiliation":[{"name":"Columbia University","tag":1},{"name":"Microsoft","tag":2},{"name":"Columbia University","tag":3},{"name":"USC/ISI","tag":4}],"titleCn":"Anycast in Context: A Tale of Two Systems","cite":{"template":[{"template":"Koch T, Katz-Bassett E, Heidemann J, et al. Anycast in context: A tale of two systems[C]//Proceedings of the 2021 ACM SIGCOMM 2021 Conference. 2021: 398-417.","type":"GB/T 7714"},{"template":"Koch, Thomas, et al. \"Anycast in context: A tale of two systems.\" Proceedings of the 2021 ACM SIGCOMM 2021 Conference. 2021.","type":"MLA"},{"template":"Koch, T., Katz-Bassett, E., Heidemann, J., Calder, M., Ardi, C., & Li, K. (2021, August). Anycast in context: A tale of two systems. In Proceedings of the 2021 ACM SIGCOMM 2021 Conference (pp. 398-417).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":499,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Internet-wide scanning is a commonly used research technique that has helped uncover real-world attacks, find cryptographic weaknesses, and understand both operator and miscreant behavior. Studies that employ scanning have largely assumed that services are hosted on their IANA-assigned ports, overlooking the study of services on unusual ports. 
In this work, we investigate where Internet services are deployed in practice and evaluate the security posture of services on unexpected ports. We show protocol deployment is more diffuse than previously believed and that protocols run on many additional ports beyond their primary IANA-assigned port. For example, only 3% of HTTP and 6% of TLS services run on ports 80 and 443, respectively. Services on non-standard ports are more likely to be insecure, which results in studies dramatically underestimating the security posture of Internet hosts. Building on our observations, we introduce LZR (\"Laser\"), a system that identifies 99% of identifiable unexpected services in five handshakes and dramatically reduces the time needed to perform application-layer scans on ports with few responsive expected services (e.g., 5500% speedup on 27017/MongoDB). We conclude with recommendations for future studies.","author":[{"name":"Liz Izhikevich","tag":"1"},{"name":"Renata Teixeira","tag":"2"},{"name":"Zakir Durumeric","tag":"1"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity21/presentation/izhikevich","info":"IMC"},"publishDate":"2021-08-11","uri":"2021_lzr_identifying_unexpected_internet_services","tags":["IP Address","Open Port"],"titleEn":"LZR: Identifying Unexpected Internet Services","affiliation":[{"name":"Stanford University","tag":1},{"name":"Inria Paris","tag":2}],"titleCn":"LZR: Identifying Unexpected Internet Services","cite":{"template":[{"template":"Izhikevich L, Teixeira R, Durumeric Z. {LZR}: Identifying unexpected internet services[C]//30th USENIX Security Symposium (USENIX Security 21). 2021: 3111-3128.","type":"GB/T 7714"},{"template":"Izhikevich, Liz, Renata Teixeira, and Zakir Durumeric. \"{LZR}: Identifying unexpected internet services.\" 30th USENIX Security Symposium (USENIX Security 21). 2021.","type":"MLA"},{"template":"Izhikevich, L., Teixeira, R., & Durumeric, Z. (2021). {LZR}: Identifying unexpected internet services. 
In 30th USENIX Security Symposium (USENIX Security 21) (pp. 3111-3128).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":430,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"TLS clients rely on a supporting PKI in which certificate authorities (CAs)—trusted organizations—validate and cryptographically attest to the identities of web servers. A client's confidence that it is connecting to the right server depends entirely on the set of CAs that it trusts. However, as we demonstrate in this work, the identity specified in CA certificates is frequently inaccurate due to lax naming requirements, ownership changes, and long-lived certificates. This not only muddles client selection of trusted CAs, but also prevents PKI operators and researchers from correctly attributing CA certificate issues to CA organizations. To help Web PKI participants understand the organizations that control each CA certificate, we develop Fides, a system that models and clusters CA operational behavior in order to detect CA certificates under shared operational control. We label the clusters that Fides uncovers, and build a new database of CA ownership that corrects the CA operator for 241 CA certificates, and expands coverage to 651 new CA certificates, leading to a more complete picture of CA certificate control.","author":[{"name":"Zane Ma","tag":"2"},{"name":"Joshua Mason","tag":"2"},{"name":"Manos Antonakakis","tag":"3"},{"name":"Zakir Durumeric","tag":"1"},{"name":"Michael Bailey","tag":"2"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity21/presentation/ma","info":"Security"},"publishDate":"2021-08-11","uri":"2021_what_s_in_a_name_exploring_ca_certificate_control","tags":["HTTPS","Web PKI"],"titleEn":"What's in a Name? Exploring CA Certificate Control","affiliation":[{"name":"Stanford University","tag":1},{"name":"University of Illinois at Urbana-Champaign","tag":2},{"name":"Georgia Institute of Technology","tag":3}],"titleCn":"What's in a Name? 
Exploring CA Certificate Control","cite":{"template":[{"template":"Ma Z, Mason J, Patel S, et al. What's in a Name? Exploring {CA} Certificate Control[C]//30th USENIX Security Symposium (USENIX Security 21). 2021: 4383-4400.","type":"GB/T 7714"},{"template":"Ma, Zane, et al. \"What's in a Name? Exploring {CA} Certificate Control.\" 30th USENIX Security Symposium (USENIX Security 21). 2021.","type":"MLA"},{"template":"Ma, Z., Mason, J., Patel, S., Antonakakis, M., Raykova, M., Durumeric, Z., ... & Wang, T. (2021). What's in a Name? Exploring {CA} Certificate Control. In 30th USENIX Security Symposium (USENIX Security 21) (pp. 4383-4400).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":410,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Internet service based on low Earth orbit satellites is generating immense excitement in the networking community due to its potential for global low-latency connectivity. Despite the promise of LEO satellite networks, the security of their operation has so far been largely neglected. In this context, we present ICARUS, a new class of denial of service attacks on LEO networks. ICARUS turns these networks’ key benefits into vulnerabilities: an adversary can leverage the direct global accessibility to launch an attack from numerous locations, while the quest for low latency constrains routing, and provides predictability to the adversary. We explore how the adversary can exploit other unique features, including the path structure of such networks, and the public knowledge of the locations and connectivity of the satellite-routers. We find that a small amount of attack bandwidth can hamper communications between large terrestrial areas. 
Finally, we lay out open problems in this direction, and provide a framework to enable further research on attacks and defenses in this context.","author":[{"name":"Giacomo Giuliari","tag":"1"},{"name":" Tommaso Ciussani","tag":"1"},{"name":" Adrian Perrig","tag":"1"},{"name":"Ankit Singla","tag":"1"}],"origin":{"url":"https://www.usenix.org/conference/atc21/presentation/giuliari","info":"ATC"},"publishDate":"2021-07-01","uri":"2021_icarus_attacking_low_earth_orbit_satellite_networks","tags":["Satellite"],"titleEn":"ICARUS: Attacking low Earth orbit satellite networks","affiliation":[{"name":"ETH Zürich","tag":1}],"titleCn":"ICARUS: Attacking low Earth orbit satellite networks","cite":{"template":[{"template":"Giuliari G, Ciussani T, Perrig A, et al. {ICARUS}: Attacking low earth orbit satellite networks[C]//2021 USENIX Annual Technical Conference (USENIX ATC 21). 2021: 317-331.","type":"GB/T 7714"},{"template":"Giuliari, Giacomo, et al. \"{ICARUS}: Attacking low earth orbit satellite networks.\" 2021 USENIX Annual Technical Conference (USENIX ATC 21). 2021.","type":"MLA"},{"template":"Giuliari, G., Ciussani, T., Perrig, A., & Singla, A. (2021). {ICARUS}: Attacking low earth orbit satellite networks. In 2021 USENIX Annual Technical Conference (USENIX ATC 21) (pp. 317-331).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":464,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Global IPv6 scanning has always been a challenge for researchers because of the limited network speed and computational power. Target generation algorithms are recently proposed to overcome the problem for Internet assessments by predicting a candidate set to scan. However, IPv6 custom address configuration emerges diverse addressing patterns discouraging algorithmic inference. Widespread IPv6 alias could also mislead the algorithm to discover aliased regions rather than valid host targets. 
In this paper, we introduce 6GAN, a novel architecture built with Generative Adversarial Net (GAN) and reinforcement learning for multi-pattern target generation. 6GAN forces multiple generators to train with a multi-class discriminator and an alias detector to generate non-aliased active targets with different addressing pattern types. The rewards from the discriminator and the alias detector help supervise the address sequence decision-making process. After adversarial training, 6GAN's generators could keep a strong imitating ability for each pattern and 6GAN's discriminator obtains outstanding pattern discrimination ability with a 0.966 accuracy. Experiments indicate that our work outperformed the state-of-the-art target generation algorithms by reaching a higher-quality candidate set.","author":[{"name":"Tianyu Cui","tag":"1,2"},{"name":"Gaopeng Gou","tag":"1,2"},{"name":"Gang Xiong","tag":"1,2"},{"name":"Chang Liu","tag":"1,2"},{"name":"Peipei Fu","tag":"1,2"},{"name":"Zhen Li","tag":"1,2"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/9488912","info":"INFOCOM"},"publishDate":"2021-05-01","uri":"2021_6gan_ipv6_multi_pattern_target_generation_via_generative_adversarial_nets_with_reinforcement_learning","tags":["IP Address","Active IP"],"titleEn":"6GAN: IPv6 Multi-Pattern Target Generation via Generative Adversarial Nets with Reinforcement Learning","affiliation":[{"name":"Institute of Information Engineering Chinese Academy of Sciences","tag":1},{"name":"School of Cyber Security University of Chinese Academy of Sciences","tag":2}],"titleCn":"6GAN: IPv6 Multi-Pattern Target Generation via Generative Adversarial Nets with Reinforcement Learning","cite":{"template":[{"template":"Cui T, Gou G, Xiong G, et al. 6gan: Ipv6 multi-pattern target generation via generative adversarial nets with reinforcement learning[C]//IEEE INFOCOM 2021-IEEE Conference on Computer Communications. IEEE, 2021: 1-10.","type":"GB/T 7714"},{"template":"Cui, Tianyu, et al. 
\"6gan: Ipv6 multi-pattern target generation via generative adversarial nets with reinforcement learning.\" IEEE INFOCOM 2021-IEEE Conference on Computer Communications. IEEE, 2021.","type":"MLA"},{"template":"Cui, T., Gou, G., Xiong, G., Liu, C., Fu, P., & Li, Z. (2021, May). 6gan: Ipv6 multi-pattern target generation via generative adversarial nets with reinforcement learning. In IEEE INFOCOM 2021-IEEE Conference on Computer Communications (pp. 1-10). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":424,"keyword":[""],"fileType":1},{"paperType":3,"abstracts":"This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance. This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1. This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. 
This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.","author":[{"name":"Moriarty K","tag":"1"},{"name":"Farrell S","tag":"2"}],"origin":{"url":"https://www.rfc-editor.org/info/rfc8996","info":"IETF"},"publishDate":"2021-03-01","uri":"2021_rfc_8996","tags":["HTTPS","TLS"],"titleEn":"RFC 8996","affiliation":[{"name":"Center for Internet Security (CIS)","tag":1},{"name":"Trinity College Dublin","tag":2}],"titleCn":"RFC 8996","cite":{"template":[{"template":"Moriarty K, Farrell S. RFC 8996 Deprecating TLS 1.0 and TLS 1.1[J]. Internet Eng. Task Force,(IETF), 2021.","type":"GB/T 7714"},{"template":"Moriarty, K., and S. Farrell. \"RFC 8996 Deprecating TLS 1.0 and TLS 1.1.\" Internet Eng. Task Force,(IETF) (2021).","type":"MLA"},{"template":"Moriarty, K., & Farrell, S. (2021). RFC 8996 Deprecating TLS 1.0 and TLS 1.1. Internet Eng. Task Force,(IETF).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":405,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Internet eXchange Points (IXPs) are Internet hubs that mainly provide the switching infrastructure to interconnect networks and exchange traffic. While the initial goal of IXPs was to bring together networks residing in the same city or country, and thus keep local traffic local, this model is gradually shifting. Many networks connect to IXPs without having physical presence at their switching infrastructure. This practice, called Remote Peering, is changing the Internet topology and economy, and has become the subject of a contentious debate within the network operators’ community. However, despite the increasing attention it attracts, the understanding of the characteristics and impact of remote peering is limited. In this work, we introduce and validate a heuristic methodology for discovering remote peers at IXPs. 
We (i) identify critical remote peering inference challenges, (ii) infer remote peers with high accuracy (>97%) and coverage (94%) per IXP, and (iii) characterize different aspects of the remote peering ecosystem by applying our methodology to 30 large IXPs. We observe that remote peering is a significantly common practice in all the studied IXPs; for the largest IXPs, remote peers account for 40% of their member base. We also show that today, IXP growth is mainly driven by remote peering, which contributes two times more than local peering.","author":[{"name":"Simon Kassing","tag":"1"},{"name":" Debopam Bhattacherjee","tag":"1"},{"name":" André Baptista águas","tag":"1"},{"name":" Jens Eirik Saethre","tag":"1"},{"name":"Ankit Singla","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3419394.3423635","info":"ToN"},"publishDate":"2021-02-01","uri":"2021_peer_where_art_thou_uncovering_remote_peering_interconnections_at_ixps_","tags":["IXP"],"titleEn":"Peer, Where Art Thou? Uncovering Remote Peering Interconnections at IXPs","affiliation":[{"name":"Lancaster University","tag":1}],"titleCn":"Peer, Where Art Thou? Uncovering Remote Peering Interconnections at IXPs","cite":{"template":[{"template":"Nomikos G, Kotronis V, Sermpezis P, et al. O peer, where art thou? Uncovering remote peering interconnections at IXPs[C]//Proceedings of the Internet Measurement Conference 2018. 2018: 265-278.","type":"GB/T 7714"},{"template":"Nomikos, George, et al. \"O peer, where art thou? Uncovering remote peering interconnections at IXPs.\" Proceedings of the Internet Measurement Conference 2018. 2018.","type":"MLA"},{"template":"Nomikos, G., Kotronis, V., Sermpezis, P., Gigis, P., Manassakis, L., Dietzel, C., ... & Giotsas, V. (2018, October). O peer, where art thou? Uncovering remote peering interconnections at IXPs. In Proceedings of the Internet Measurement Conference 2018 (pp. 
265-278).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":465,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Many websites rely on third parties for services (e.g., DNS, CDN, etc.). However, it also exposes them to shared risks from attacks (e.g., Mirai DDoS attack) or cascading failures (e.g., GlobalSign revocation error). Motivated by such incidents, we analyze the prevalence and impact of third-party dependencies, focusing on three critical infrastructure services: DNS, CDN, and certificate revocation checking by CA. We analyze both direct (e.g., Twitter uses Dyn) and indirect (e.g., Netflix uses Symantec as CA which uses Verisign for DNS) dependencies. We also take two snapshots in 2016 and 2020 to understand how the dependencies evolved. Our key findings are: (1) 89% of the Alexa top-100K websites critically depend on third-party DNS, CDN, or CA providers i.e., if these providers go down, these websites could suffer service disruption; (2) the use of third-party services is concentrated, and the top-3 providers of CDN, DNS, or CA services can affect 50%-70% of the top-100K websites; (3) indirect dependencies amplify the impact of popular CDN and DNS providers by up to 25X; and (4) some third-party dependencies and concentration increased marginally between 2016 to 2020. 
Based on our findings, we derive key implications for different stakeholders in the web ecosystem.","author":[{"name":"Aqsa Kashaf","tag":"1"},{"name":"Vyas Sekar","tag":"1"},{"name":"Yuvraj Agarwal","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3419394.3423664","info":"IMC"},"publishDate":"2020-10-27","uri":"2020_analyzing_third_party_service_dependencies_in_modern_web_services_have_we_learned_from_the_mirai_dyn_incident_","tags":["DNS","Domain Name"],"titleEn":"Analyzing Third Party Service Dependencies in Modern Web Services: Have We Learned from the Mirai-Dyn Incident?","affiliation":[{"name":"Carnegie Mellon University","tag":1}],"titleCn":"Analyzing Third Party Service Dependencies in Modern Web Services: Have We Learned from the Mirai-Dyn Incident?","cite":{"template":[{"template":"Kashaf A, Sekar V, Agarwal Y. Analyzing third party service dependencies in modern web services: Have we learned from the mirai-dyn incident?[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 634-647.","type":"GB/T 7714"},{"template":"Kashaf, Aqsa, Vyas Sekar, and Yuvraj Agarwal. \"Analyzing third party service dependencies in modern web services: Have we learned from the mirai-dyn incident?.\" Proceedings of the ACM Internet Measurement Conference. 2020.","type":"MLA"},{"template":"Kashaf, A., Sekar, V., & Agarwal, Y. (2020, October). Analyzing third party service dependencies in modern web services: Have we learned from the mirai-dyn incident?. In Proceedings of the ACM Internet Measurement Conference (pp. 634-647).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":484,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Nearly all international data is carried by a mesh of submarine cables connecting virtually every region in the world. 
It is generally assumed that Internet services rely on this submarine cable network (SCN) for backend traffic, but that most users do not directly depend on it, as popular resources are either local or cached nearby. In this paper, we study the criticality of the SCN from the perspective of end users. We present a general methodology for analyzing the reliance on the SCN for a given region, and apply it to the most popular web resources accessed by users in 63 countries from every inhabited continent, collectively capturing ≈80% of the global Internet population. We find that as many as 64.33% of all web resources accessed from a specific country rely on the SCN. Despite the explosive growth of data center and CDN infrastructure around the world, at least 28.22% of the CDN-hosted resources traverse a submarine cable.","author":[{"name":"Shucheng Liu","tag":"1"},{"name":" Zachary S. Bischof","tag":"2"},{"name":" Ishaan Madan","tag":"1"},{"name":" Peter K. Chan","tag":"1"},{"name":" Fabián E. Bustamante","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3419394.3423633","info":"IMC"},"publishDate":"2020-10-27","uri":"2020_out_of_sight_not_out_of_mind_a_user_view_on_the_criticality_of_the_submarine_cable_network","tags":["Submarine Cable"],"titleEn":"Out of Sight, Not Out of Mind - A User-View on the Criticality of the Submarine Cable Network","affiliation":[{"name":"Northwestern University","tag":1},{"name":"IIJ Research Lab","tag":2}],"titleCn":"Out of Sight, Not Out of Mind - A User-View on the Criticality of the Submarine Cable Network","cite":{"template":[{"template":"Liu S, Bischof Z S, Madan I, et al. Out of sight, not out of mind: A user-view on the criticality of the submarine cable network[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 194-200.","type":"GB/T 7714"},{"template":"Liu, Shucheng, et al. 
\"Out of sight, not out of mind: A user-view on the criticality of the submarine cable network.\" Proceedings of the ACM Internet Measurement Conference. 2020.","type":"MLA"},{"template":"Liu, S., Bischof, Z. S., Madan, I., Chan, P. K., & Bustamante, F. E. (2020, October). Out of sight, not out of mind: A user-view on the criticality of the submarine cable network. In Proceedings of the ACM Internet Measurement Conference (pp. 194-200).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":456,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Concern has been mounting about Internet centralization over the few last years – consolidation of traffic/users/infrastructure into the hands of a few market players. We measure DNS and computing centralization by analyzing DNS traffic collected at a DNS root server and two country-code top-level domains (ccTLDs) – one in Europe and the other in Oceania – and show evidence of concentration. More than 30% of all queries to both ccTLDs are sent from 5 large cloud providers. We compare the clouds’ resolver infrastructure and highlight a discrepancy in behavior: some cloud providers heavily employ IPv6, DNSSEC, and DNS over TCP, while others simply use unsecured DNS over UDP over IPv4. We show one positive side to centralization: once a cloud provider deploys a security feature – such as QNAME minimization – it quickly benefits a large number of users.","author":[{"name":"Giovane C. M. 
Moura","tag":"2"},{"name":"Sebastian Castro","tag":"1"},{"name":"Wes Hardaker","tag":"4"},{"name":"Maarten Wullink","tag":"2"},{"name":"Cristian Hesselman","tag":"2,3"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3419394.3423625","info":"IMC"},"publishDate":"2020-10-27","uri":"2020_clouding_up_the_internet_how_centralized_is_dns_traffic_becoming_","tags":["DNS Infrastructure"],"titleEn":"Clouding up the Internet: how centralized is DNS traffic becoming?","affiliation":[{"name":"Internet NZ","tag":1},{"name":"SIDN Labs","tag":2},{"name":"University of Twente","tag":3},{"name":"USC/ISI","tag":4}],"titleCn":"Clouding up the Internet: how centralized is DNS traffic becoming?","cite":{"template":[{"template":"Moura G C M, Castro S, Hardaker W, et al. Clouding up the internet: How centralized is dns traffic becoming?[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 42-49.","type":"GB/T 7714"},{"template":"Moura, Giovane CM, et al. \"Clouding up the internet: How centralized is dns traffic becoming?.\" Proceedings of the ACM Internet Measurement Conference. 2020.","type":"MLA"},{"template":"Moura, G. C., Castro, S., Hardaker, W., Wullink, M., & Hesselman, C. (2020, October). Clouding up the internet: How centralized is dns traffic becoming?. In Proceedings of the ACM Internet Measurement Conference (pp. 42-49).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":485,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"The modern Internet relies on the Domain Name System (DNS) to convert between human-readable domain names and IP addresses. However, the correct and efficient implementation of this function is jeopardized when the configuration data binding domains, nameservers and glue records is faulty. In particular lame delegations, which occur when a nameserver responsible for a domain is unable to provide authoritative information about it, introduce both performance and security risks. 
We perform a broad-based measurement study of lame delegations, using both longitudinal zone data and active querying. We show that lame delegations of various kinds are common (affecting roughly 14% of domains we queried), that they can significantly degrade lookup latency (when they do not lead to outright failure), and that they expose hundreds of thousands of domains to adversarial takeover. We also explore circumstances that give rise to this surprising prevalence of lame delegations, including unforeseen interactions between the operational procedures of registrars and registries.","author":[{"name":"Gautam Akiwate","tag":"2"},{"name":"Mattijs Jonker","tag":"4"},{"name":"Raffaele Sommese","tag":"4"},{"name":"Ian Foster","tag":"1"},{"name":"Geoffrey M. Voelker","tag":"2"},{"name":"Stefan Savage","tag":"2"},{"name":"KC Claffy","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3419394.3423623","info":"IMC"},"publishDate":"2020-10-27","uri":"2020_unresolved_issues_prevalence_persistence_and_perils_of_lame_delegations","tags":["DNS","Domain Hijacking"],"titleEn":"Unresolved Issues: Prevalence, Persistence, and Perils of Lame Delegations","affiliation":[{"name":"DNS Coffee","tag":1},{"name":"UC San Diego","tag":2},{"name":"caida/UC San Diego","tag":3},{"name":"University of Twente","tag":4}],"titleCn":"Unresolved Issues: Prevalence, Persistence, and Perils of Lame Delegations","cite":{"template":[{"template":"Akiwate G, Jonker M, Sommese R, et al. Unresolved issues: prevalence, persistence, and perils of lame delegations[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 281-294.","type":"GB/T 7714"},{"template":"Akiwate, Gautam, et al. \"Unresolved issues: prevalence, persistence, and perils of lame delegations.\" Proceedings of the ACM Internet Measurement Conference. 2020.","type":"MLA"},{"template":"Akiwate, G., Jonker, M., Sommese, R., Foster, I., Voelker, G. M., Savage, S., & Claffy, K. C. (2020, October). 
Unresolved issues: prevalence, persistence, and perils of lame delegations. In Proceedings of the ACM Internet Measurement Conference (pp. 281-294).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":489,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"This paper presents and evaluates Trufflehunter, a DNS cache snooping tool for estimating the prevalence of rare and sensitive Internet applications. Unlike previous efforts that have focused on small, misconfigured open DNS resolvers, Trufflehunter models the complex behavior of large multi-layer distributed caching infrastructures (e.g., such as Google Public DNS). In particular, using controlled experiments, we have inferred the caching strategies of the four most popular public DNS resolvers (Google Public DNS, Cloudflare Quad1, OpenDNS and Quad9). The large footprint of such resolvers presents an opportunity to observe rare domain usage, while preserving the privacy of the users accessing them. Using a controlled testbed, we evaluate how accurately Trufflehunter can estimate domain name usage across the U.S. Applying this technique in the wild, we provide a lower-bound estimate of the popularity of several rare and sensitive applications (most notably smartphone stalkerware) which are otherwise challenging to survey.","author":[{"name":"Audrey Randall","tag":"1"},{"name":"Enze Liu","tag":"1"},{"name":"Gautam Akiwate","tag":"1"},{"name":"Ramakrishna Padmanabhan","tag":"2"},{"name":"Geoffrey M. 
Voelker","tag":"1"},{"name":"Stefan Savage","tag":"1"},{"name":"Aaron Schulman","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3419394.3423640","info":"IMC"},"publishDate":"2020-10-27","uri":"2020_trufflehunter_cache_snooping_rare_domains_at_large_public_dns_resolvers","tags":["DNS","DNS Resolver"],"titleEn":"Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers","affiliation":[{"name":"UC San Diego","tag":1},{"name":"caida/UC San Diego","tag":2}],"titleCn":"Trufflehunter: Cache Snooping Rare Domains at Large Public DNS Resolvers","cite":{"template":[{"template":"Randall A, Liu E, Akiwate G, et al. Trufflehunter: cache snooping rare domains at large public DNS resolvers[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 50-64.","type":"GB/T 7714"},{"template":"Randall, Audrey, et al. \"Trufflehunter: cache snooping rare domains at large public DNS resolvers.\" Proceedings of the ACM Internet Measurement Conference. 2020.","type":"MLA"},{"template":"Randall, A., Liu, E., Akiwate, G., Padmanabhan, R., Voelker, G. M., Savage, S., & Schulman, A. (2020, October). Trufflehunter: cache snooping rare domains at large public DNS resolvers. In Proceedings of the ACM Internet Measurement Conference (pp. 50-64).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":494,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"SpaceX, Amazon, and others plan to put thousands of satellites in low Earth orbit to provide global low-latency broadband Internet. SpaceX’s plans have matured quickly, such that their under-deployment satellite constellation is already the largest in history, and may start offering service in 2020. The proposed constellations hold great promise, but also present new challenges for networking. 
To enable research in this exciting space, we present Hypatia, a framework for simulating and visualizing the network behavior of these constellations by incorporating their unique characteristics, such as high-velocity orbital motion. Using publicly available design details for the upcoming networks to drive our simulator, we characterize the expected behavior of these networks, including latency and link utilization fluctuations over time, and the implications of these variations for congestion control and routing.","author":[{"name":"Simon Kassing","tag":"1"},{"name":"Debopam Bhattacherjee","tag":"1"},{"name":"André Baptista Águas","tag":"1"},{"name":"Jens Eirik Saethre","tag":"1"},{"name":"Ankit Singla","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3419394.3423635","info":"IMC"},"publishDate":"2020-10-01","uri":"2020_exploring_the_internet_from_space_with_hypatia","tags":["Satellite"],"titleEn":"Exploring the “Internet from space” with Hypatia","affiliation":[{"name":"ETH Zürich","tag":1}],"titleCn":"Exploring the “Internet from space” with Hypatia","cite":{"template":[{"template":"Kassing S, Bhattacherjee D, Águas A B, et al. Exploring the\" Internet from space\" with Hypatia[C]//Proceedings of the ACM Internet Measurement conference. 2020: 214-229.","type":"GB/T 7714"},{"template":"Kassing, Simon, et al. \"Exploring the\" Internet from space\" with Hypatia.\" Proceedings of the ACM Internet Measurement conference. 2020.","type":"MLA"},{"template":"Kassing, S., Bhattacherjee, D., Águas, A. B., Saethre, J. E., & Singla, A. (2020, October). Exploring the\" Internet from space\" with Hypatia. In Proceedings of the ACM Internet Measurement conference (pp. 
214-229).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":461,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"“Newspace” mega-constellations, such as Starlink and OneWeb are gaining tremendous popularity, with the promising potential to provide high-capacity and low-latency communication globally. However, very little is known about the architecture and performance of such emerging systems, the workload they have to face, as well as the impact of topological options on the attainable network performance. This paper presents STARPERF, a mega-constellation performance simulation platform that enables constellation manufacturers and content providers to estimate and understand the achievable performance under a variety of constellation options. The proposed platform integrates two key techniques: (1) performance simulation for mega-constellation, which captures the impact of the inherent high mobility in satellite networks and profiles the area-to-area attainable network performance; (2) constellation scaling, which synthesizes various topological options by scaling the space resource and enables exploration on multiple operating conditions that can not be easily reproduced. To demonstrate the effectiveness of STARPERF on understanding and optimizing satellite networks, we leverage STARPERF to evaluate and compare the performance of several state-of-the-art low earth orbit (LEO) constellations and obtain insights on optimizing the architectural design to improve area-to-area network performance. Finally, to further show how applications can benefit from the proposed simulator, we propose an adaptive relay selection algorithm that can intelligently choose the optimal relay on cloud platforms and LEO satellites to achieve reduced latency. 
Evaluation results show that by properly selecting a relay in the satellite-cloud integrated infrastructure, end-to-end communication latency can be reduced by up to 62% for typical interactive traffic.","author":[{"name":"Zeqi Lai","tag":"1"},{"name":" Hewu Li","tag":"1"},{"name":" Jihao Li","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/document/9259357","info":"ICNP"},"publishDate":"2020-10-01","uri":"2020_starperf_characterizing_network_performance_for_emerging_mega_constellations_","tags":["Satellite"],"titleEn":"STARPERF: Characterizing Network Performance for Emerging Mega-Constellations","affiliation":[{"name":"Tsinghua University","tag":1}],"titleCn":"STARPERF: Characterizing Network Performance for Emerging Mega-Constellations","cite":{"template":[{"template":"Lai Z, Li H, Li J. Starperf: Characterizing network performance for emerging mega-constellations[C]//2020 IEEE 28th International Conference on Network Protocols (ICNP). IEEE, 2020: 1-11.","type":"GB/T 7714"},{"template":"Lai, Zeqi, Hewu Li, and Jihao Li. \"Starperf: Characterizing network performance for emerging mega-constellations.\" 2020 IEEE 28th International Conference on Network Protocols (ICNP). IEEE, 2020.","type":"MLA"},{"template":"Lai, Z., Li, H., & Li, J. (2020, October). Starperf: Characterizing network performance for emerging mega-constellations. In 2020 IEEE 28th International Conference on Network Protocols (ICNP) (pp. 1-11). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":462,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"This paper exposes a new vulnerability and introduces a corresponding attack, the NoneXistent Name Server Attack (NXNSAttack), that disrupts and may paralyze the DNS system, making it difficult or impossible for Internet users to access websites, web e-mail, online video chats, or any other online resource. The NXNSAttack generates a storm of packets between DNS resolvers and DNS authoritative name servers. 
The storm is produced by the response of resolvers to unrestricted referral response messages of authoritative name servers. The attack is significantly more destructive than NXDomain attacks (e.g., the Mirai attack): i) It reaches an amplification factor of more than 1620x on the number of packets exchanged by the recursive resolver. ii) In addition to the negative cache, the attack also saturates the 'NS' section of the resolver caches. To mitigate the attack impact, we propose an enhancement to the recursive resolver algorithm, MaxFetch(k), that prevents unnecessary proactive fetches. We implemented the MaxFetch(1) mitigation enhancement on a BIND resolver and tested it on real-world DNS query datasets. Our results show that MaxFetch(1) degrades neither the recursive resolver throughput nor its latency. Following the discovery of the attack, a responsible disclosure procedure was carried out, and several DNS vendors and public providers have issued a CVE and patched their systems.","author":[{"name":"Yehuda Afek","tag":"2"},{"name":"Anat Bremler-Barr","tag":"1"},{"name":"Lior Shafir","tag":"2"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity20/presentation/afek","info":"Security"},"publishDate":"2020-08-12","uri":"2020_nxnsattack_recursive_dns_inefficiencies_and_vulnerabilities","tags":["DNS","DNS DDoS"],"titleEn":"NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities","affiliation":[{"name":"The Interdisciplinary Center","tag":1},{"name":"Tel Aviv University","tag":2}],"titleCn":"NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities","cite":{"template":[{"template":"Afek Y, Bremler-Barr A, Shafir L. {NXNSAttack}: Recursive {DNS} Inefficiencies and Vulnerabilities[C]//29th USENIX Security Symposium (USENIX Security 20). 2020: 631-648.","type":"GB/T 7714"},{"template":"Afek, Yehuda, Anat Bremler-Barr, and Lior Shafir. 
\"{NXNSAttack}: Recursive {DNS} Inefficiencies and Vulnerabilities.\" 29th USENIX Security Symposium (USENIX Security 20). 2020.","type":"MLA"},{"template":"Afek, Y., Bremler-Barr, A., & Shafir, L. (2020). {NXNSAttack}: Recursive {DNS} Inefficiencies and Vulnerabilities. In 29th USENIX Security Symposium (USENIX Security 20) (pp. 631-648).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":486,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Transport Layer Security (TLS) 1.3 is a redesign of the Web's most important security protocol. It was standardized in August 2018 after a four year-long, unprecedented design process involving many cryptographers and industry stakeholders. We use the rare opportunity to track deployment, uptake, and use of a new mission-critical security protocol from the early design phase until well over a year after standardization. For a profound view, we combine and analyze data from active domain scans, passive monitoring of large networks, and a crowd-sourcing effort on Android devices. In contrast to TLS 1.2, where adoption took more than five years and was prompted by severe attacks on previous versions, TLS 1.3 is deployed surprisingly speedily and without security concerns calling for it. Just 15 months after standardization, it is used in about 20% of connections we observe. Deployment on popular domains is at 30% and at about 10% across the com/net/org top-level domains (TLDs). We show that the development and fast deployment of TLS 1.3 is best understood as a story of experimentation and centralization. Very few giant, global actors drive the development. We show that Cloudflare alone brings deployment to sizable numbers and describe how actors like Facebook and Google use their control over both client and server endpoints to experiment with the protocol and ultimately deploy it at scale. 
This story cannot be captured by a single dataset alone, highlighting the need for multi-perspective studies on Internet evolution.","author":[{"name":"Ralph Holz","tag":"6,4"},{"name":"Jens Hiller","tag":"5"},{"name":"Johanna Amann","tag":"4,1"},{"name":"Thomas Jost","tag":"5"},{"name":"Narseo Vallina-Rodriguez","tag":"1,3"},{"name":"Oliver Hohlfeld","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3411740.3411742","info":"SIGCOMM"},"publishDate":"2020-07-22","uri":"2020_tracking_the_deployment_of_tls_1_3_on_the_web_a_story_of_experimentation_and_centralization","tags":["HTTPS","TLS"],"titleEn":"Tracking the deployment of TLS 1.3 on the web: a story of experimentation and centralization","affiliation":[{"name":"ICSI","tag":1},{"name":"Brandenburg University of Technology","tag":2},{"name":"IMDEA Networks","tag":3},{"name":"University of Sydney","tag":4},{"name":"RWTH Aachen University","tag":5},{"name":"University of Twente","tag":6}],"titleCn":"Tracking the deployment of TLS 1.3 on the web: a story of experimentation and centralization","cite":{"template":[{"template":"Holz R, Hiller J, Amann J, et al. Tracking the deployment of TLS 1.3 on the Web: A story of experimentation and centralization[J]. ACM SIGCOMM Computer Communication Review, 2020, 50(3): 3-15.","type":"GB/T 7714"},{"template":"Holz, Ralph, et al. \"Tracking the deployment of TLS 1.3 on the Web: A story of experimentation and centralization.\" ACM SIGCOMM Computer Communication Review 50.3 (2020): 3-15.","type":"MLA"},{"template":"Holz, R., Hiller, J., Amann, J., Razaghpanah, A., Jost, T., Vallina-Rodriguez, N., & Hohlfeld, O. (2020). Tracking the deployment of TLS 1.3 on the Web: A story of experimentation and centralization. 
ACM SIGCOMM Computer Communication Review, 50(3), 3-15.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":406,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"We present an active measurement test (netflix) that downloads content from the Netflix content delivery network. The test measures latency and achievable throughput as key performance indicators when downloading the content from Netflix. We deployed the test on ~100 SamKnows probes connected to dual-stacked networks representing 74 different origin ASes. Using a ~2.75 year-long (Jul 2016-Apr 2019) dataset, we observe Netflix Open Connect Appliance (OCA) infrastructure to be highly available, although some vantage points experience low success rates connecting over IPv6. We witness that clients prefer connecting to Netflix OCAs over IPv6, although the preference over IPv6 tends to drop over certain peak hours during the day. The TCP connect times toward the OCAs have reduced by ~40% and the achievable throughput has increased by 20% over the measurement duration. We also provision scamper right after the netflix test to capture the forwarding path toward the Netflix OCAs. We observe that the Netflix OCA caches deployed inside the ISP are reachable within six IP hops and can reduce IP path lengths by 40% over IPv4 and by half over IPv6. Consequently, TCP connect times are reduced by 64% over both address families. The achieved throughput can also increase by a factor of three when such ISP caches are used to stream content. This is the first study to measure Netflix content delivery from residential networks, since the inception of the Netflix CDN infrastructure in 2011. 
To encourage reproducibility of our work, an anonymized version of the entire longitudinal dataset is publicly released.","author":[{"name":"Doan Trinh Viet","tag":"1"},{"name":" Vaibhav Bajpai","tag":"1"},{"name":" Sam Crawford","tag":"2"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/9155367","info":"INFOCOM"},"publishDate":"2020-07-06","uri":"2020_a_longitudinal_view_of_netflix_content_delivery_over_ipv6_and_content_cache_deployments","tags":["CDN"],"titleEn":"A Longitudinal View of Netflix: Content Delivery over IPv6 and Content Cache Deployments","affiliation":[{"name":"Technical University of Munich","tag":1},{"name":"SamKnows","tag":2}],"titleCn":"A Longitudinal View of Netflix: Content Delivery over IPv6 and Content Cache Deployments","cite":{"template":[{"template":"Doan T V, Bajpai V, Crawford S. A longitudinal view of Netflix: Content delivery over IPv6 and content cache deployments[C]//IEEE INFOCOM 2020-IEEE Conference on Computer Communications. IEEE, 2020: 1073-1082.","type":"GB/T 7714"},{"template":"Doan, Trinh Viet, Vaibhav Bajpai, and Sam Crawford. \"A longitudinal view of Netflix: Content delivery over IPv6 and content cache deployments.\" IEEE INFOCOM 2020-IEEE Conference on Computer Communications. IEEE, 2020.","type":"MLA"},{"template":"Doan, T. V., Bajpai, V., & Crawford, S. (2020, July). A longitudinal view of Netflix: Content delivery over IPv6 and content cache deployments. In IEEE INFOCOM 2020-IEEE Conference on Computer Communications (pp. 1073-1082). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":496,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"We use traceroute and BGP data from globally distributed Internet measurement infrastructures to study the impact of a noteworthy submarine cable launch connecting Africa to South America. 
We leverage archived data from RIPE Atlas and CAIDA Ark platforms, as well as custom measurements from strategic vantage points, to quantify the differences in end-to-end latency and path lengths before and after deployment of this new South-Atlantic cable. We find that ASes operating in South America significantly benefit from this new cable, with reduced latency to all measured African countries. More surprising is that end-to-end latency to/from some regions of the world, including intra-African paths towards Angola, increased after switching to the cable. We track these unintended consequences to suboptimally circuitous IP paths that traveled from Africa to Europe, possibly North America, and South America before traveling back to Africa over the cable. Although some suboptimalities are expected given the lack of peering among neighboring ASes in the developing world, we found two other causes: (i) problematic intra-domain routing within a single Angolese network, and (ii) suboptimal routing/traffic engineering by its BGP neighbors. After notifying the operating AS of our results, we found that most of these suboptimalities were subsequently resolved. We designed our method to generalize to the study of other cable deployments or outages and share our code to promote reproducibility and extension of our work.","author":[{"name":"Rodérick Fanou","tag":"1"},{"name":" Bradley Huffaker","tag":"1"},{"name":" Ricky Mok","tag":"1"},{"name":" K. C. 
Claffy","tag":"1"}],"origin":{"url":"https://link.springer.com/chapter/10.1007/978-3-030-44081-7_13","info":"PAM"},"publishDate":"2020-03-18","uri":"2020_unintended_consequences_effects_of_submarine_cable_deployment_on_internet_routing","tags":["Submarine Cable","Routing"],"titleEn":"Unintended Consequences: Effects of Submarine Cable Deployment on Internet Routing","affiliation":[{"name":"CAIDA/UC San Diego","tag":1}],"titleCn":"Unintended Consequences: Effects of Submarine Cable Deployment on Internet Routing","cite":{"template":[{"template":"Fanou R, Huffaker B, Mok R, et al. Unintended consequences: Effects of submarine cable deployment on Internet routing[C]//Passive and Active Measurement: 21st International Conference, PAM 2020, Eugene, Oregon, USA, March 30–31, 2020, Proceedings 21. Springer International Publishing, 2020: 211-227.","type":"GB/T 7714"},{"template":"Fanou, Rodérick, et al. \"Unintended consequences: Effects of submarine cable deployment on Internet routing.\" Passive and Active Measurement: 21st International Conference, PAM 2020, Eugene, Oregon, USA, March 30–31, 2020, Proceedings 21. Springer International Publishing, 2020.","type":"MLA"},{"template":"Fanou, R., Huffaker, B., Mok, R., & Claffy, K. C. (2020). Unintended consequences: Effects of submarine cable deployment on Internet routing. In Passive and Active Measurement: 21st International Conference, PAM 2020, Eugene, Oregon, USA, March 30–31, 2020, Proceedings 21 (pp. 211-227). Springer International Publishing.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":454,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Despite the well-known existence of load-balanced forwarding paths in the Internet, current active topology Internet-wide mapping efforts are multipath agnostic – largely because of the probing volume and time required for existing multipath discovery techniques. 
This paper introduces D-Miner, a system that marries previous work on high-speed probing with multipath discovery to make Internet-wide topology mapping, inclusive of load-balanced paths, feasible. We deploy D-Miner and collect multiple IPv4 interface-level topology snapshots, where we find >64% more edges, and significantly more complex topologies relative to existing systems. We further scrutinize topological changes between snapshots and attribute forwarding differences not to routing or policy changes, but to load balancer “remapping” events. We precisely categorize remapping events and find that they are a much more frequent contributor of path changes than previously recognized. By making D-Miner and our collected Internet-wide topologies publicly available, we hope to help facilitate better understanding of the Internet’s true structure and resilience.","author":[{"name":"Kevin Vermeulen","tag":"2"},{"name":"Justin P. Rohrer","tag":"1"},{"name":"Robert Beverly","tag":"1"},{"name":"Olivier Fourmaux","tag":"2"},{"name":"Timur Friedman","tag":"2"}],"origin":{"url":"https://www.usenix.org/conference/nsdi20/presentation/vermeulen","info":"NSDI"},"publishDate":"2020-02-25","uri":"2020_diamond_miner_comprehensive_discovery_of_the_internet_s_topology_diamonds","tags":["IP Address"," Internet Topology"],"titleEn":"Diamond-Miner: Comprehensive Discovery of the Internet’s Topology Diamonds","affiliation":[{"name":"Naval Postgraduate School","tag":1},{"name":"Sorbonne Université","tag":2}],"titleCn":"Diamond-Miner: Comprehensive Discovery of the Internet’s Topology Diamonds","cite":{"template":[{"template":"Vermeulen K, Rohrer J P, Beverly R, et al. {Diamond-Miner}: Comprehensive Discovery of the Internet's Topology Diamonds[C]//17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20). 2020: 479-493.","type":"GB/T 7714"},{"template":"Vermeulen, Kevin, et al. 
\"{Diamond-Miner}: Comprehensive Discovery of the Internet's Topology Diamonds.\" 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20). 2020.","type":"MLA"},{"template":"Vermeulen, K., Rohrer, J. P., Beverly, R., Fourmaux, O., & Friedman, T. (2020). {Diamond-Miner}: Comprehensive Discovery of the Internet's Topology Diamonds. In 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20) (pp. 479-493).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":521,"keyword":[""],"fileType":4},{"paperType":2,"abstracts":"SSL/TLS is a deceptively simple technology. It is easy to deploy, and it just works... except when it does not. The main problem is that encryption is not often easy to deploy correctly. To ensure that TLS provides the necessary security, system administrators and developers must put extra effort into properly configuring their servers and developing their applications. In 2009, we began our work on SSL Labs because we wanted to understand how TLS was used and to remedy the lack of easy-to-use TLS tools and documentation. We have achieved some of our goals through our global surveys of TLS usage, as well as the online assessment tool, but the lack of documentation is still evident. This document is a step toward addressing that problem. Our aim here is to provide clear and concise instructions to help overworked administrators and programmers spend the minimum time possible to deploy a secure site or web application. In pursuit of clarity, we sacrifice completeness, foregoing certain advanced topics. The focus is on advice that is practical and easy to follow. For those who want more information, Section 6 gives useful pointers.","author":[{"name":"Ivan Ristić","tag":"1"}],"origin":{"url":"https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices","info":"Qualys. 
SSL Labs"},"publishDate":"2020-01-15","uri":"2020_ssl_and_tls_deployment_best_practices","tags":["HTTPS","TLS"],"titleEn":"SSL and TLS Deployment Best Practices","affiliation":[{"name":"SSL Labs","tag":1}],"titleCn":"SSL and TLS Deployment Best Practices","cite":{"template":[{"template":"Ristić I. SSL/TLS deployment best practices[J]. Internet: https://www. ssllabs. com/downloads/SSL_TLS_Deployment_Best_Practices_1, 2012, 3.","type":"GB/T 7714"},{"template":"Ristić, Ivan. \"SSL/TLS deployment best practices.\" Internet: https://www. ssllabs. com/downloads/SSL_TLS_Deployment_Best_Practices_1 3 (2012).","type":"MLA"},{"template":"Ristić, I. (2012). SSL/TLS deployment best practices. Internet: https://www. ssllabs. com/downloads/SSL_TLS_Deployment_Best_Practices_1, 3.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":403,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Knowledge of the Internet topology and the business relationships between Autonomous Systems (ASes) is the basis for studying many aspects of the Internet. Despite the significant progress achieved by latest inference algorithms, their inference results still suffer from errors on some critical links due to limited data, thus hindering many applications that rely on the inferred relationships. We take an in-depth analysis on the challenges inherent in the data, especially the limited coverage and biased concentration of the vantage points (VPs). Some aspects of them have been largely overlooked but will become more exacerbated when the Internet further grows. Then we develop TopoScope, a framework for accurately recovering AS relationships from such fragmentary observations. TopoScope uses ensemble learning and Bayesian Network to mitigate the observation bias originating not only from a single VP, but also from the uneven distribution of available VPs. 
It also discovers the intrinsic similarities between groups of adjacent links, and infers the relationships on hidden links that are not directly observable. Compared to state-of-the-art inference algorithms, TopoScope reduces the inference error by up to 2.7-4 times, discovers the relationships for around 30,000 upper layer hidden AS links, and is still more accurate and stable under more incomplete or biased observations.","author":[{"name":"Zitong Jin","tag":"4,2"},{"name":" Xingang Shi","tag":"1,2"},{"name":" Yan Yang","tag":"4,2"},{"name":" Xia Yin","tag":"4,2"},{"name":" Zhiliang Wang","tag":"1,2"},{"name":" Jianping Wu","tag":"3,2"}],"origin":{"url":"https://dl.acm.org/doi/pdf/10.1145/3419394.3423627","info":"IMC"},"publishDate":"2020-01-01","uri":"2020_toposcope_recover_as_relationships_from_fragmentary_observations","tags":["Routing","AS Relationship"],"titleEn":"TopoScope: Recover AS Relationships From Fragmentary Observations","affiliation":[{"name":"INSC&BNRist","tag":1},{"name":" Tsinghua University","tag":2},{"name":"DCST&INSC","tag":3},{"name":"DCST","tag":4}],"titleCn":"TopoScope: Recover AS Relationships From Fragmentary Observations","cite":{"template":[{"template":"Jin Z, Shi X, Yang Y, et al. Toposcope: Recover as relationships from fragmentary observations[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 266-280.","type":"GB/T 7714"},{"template":"Jin, Zitong, et al. \"Toposcope: Recover as relationships from fragmentary observations.\" Proceedings of the ACM Internet Measurement Conference. 2020.","type":"MLA"},{"template":"Jin, Z., Shi, X., Yang, Y., Yin, X., Wang, Z., & Wu, J. (2020, October). Toposcope: Recover as relationships from fragmentary observations. In Proceedings of the ACM Internet Measurement Conference (pp. 
266-280).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":419,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Anycast addressing - assigning the same IP address to multiple, distributed devices - has become a fundamental approach to improving the resilience and performance of Internet services, but its conventional deployment model makes it impossible to infer from the address itself that it is anycast. Existing methods to detect anycast IPv4 prefixes present accuracy challenges stemming from routing and latency dynamics, and efficiency and scalability challenges related to measurement load. We review these challenges and introduce a new technique we call \"MAnycast2\" that can help overcome them. Our technique uses a distributed measurement platform of anycast vantage points as sources to probe potential anycast destinations. This approach eliminates any sensitivity to latency dynamics, and greatly improves efficiency and scalability. We discuss alternatives to overcome remaining challenges relating to routing dynamics, suggesting a path toward establishing the capability to complete, in under 3 hours, a full census of which IPv4 prefixes in the ISI hitlist are anycast.","author":[{"name":"Sommese Raffaele","tag":"3"},{"name":" Bertholdo Leandro","tag":"3"},{"name":" Akiwate Gautam","tag":"1"},{"name":" Jonker Mattijs","tag":"3"},{"name":" van Rijswijk-Deij Roland","tag":"3"},{"name":" Dainotti Alberto","tag":"2"},{"name":" Claffy KC","tag":"2"},{"name":" Sperotto Anna","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3419394.3423646","info":"IMC"},"publishDate":"2020-01-01","uri":"2020_manycast_2_using_anycast_to_measure_anycast","tags":["IP Address","Anycast"],"titleEn":"MAnycast 2 – Using Anycast to Measure Anycast","affiliation":[{"name":"UC San Diego","tag":1},{"name":"caida/UC San Diego","tag":2},{"name":"University of Twente","tag":3}],"titleCn":"MAnycast 2 – Using Anycast to Measure 
Anycast","cite":{"template":[{"template":"Sommese R, Bertholdo L, Akiwate G, et al. Manycast2: Using anycast to measure anycast[C]//Proceedings of the ACM Internet Measurement Conference. 2020: 456-463.","type":"GB/T 7714"},{"template":"Sommese, Raffaele, et al. \"Manycast2: Using anycast to measure anycast.\" Proceedings of the ACM Internet Measurement Conference. 2020.","type":"MLA"},{"template":"Sommese, R., Bertholdo, L., Akiwate, G., Jonker, M., van Rijswijk-Deij, R., Dainotti, A., ... & Sperotto, A. (2020, October). Manycast2: Using anycast to measure anycast. In Proceedings of the ACM Internet Measurement Conference (pp. 456-463).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":504,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Ascertaining that a network will forward spoofed traffic usually requires an active probing vantage point in that network, effectively preventing a comprehensive view of this global Internet vulnerability. Recently, researchers have proposed using Internet Exchange Points (IXPs) as observatories to detect spoofed packets, by leveraging Autonomous System (AS) topology knowledge extracted from Border Gateway Protocol (BGP) data to infer which source addresses should legitimately appear across parts of the IXP switch fabric. We demonstrate that the existing literature does not capture several fundamental challenges to this approach, including noise in BGP data sources, heuristic AS relationship inference, and idiosyncrasies in IXP interconnectivity fabrics. We propose a novel method to navigate these challenges, leveraging *customer cone* semantics of AS relationships to guide precise classification of inter-domain traffic as in-cone, out-of-cone (*spoofed*), unverifiable, bogon, and unassigned. We apply our method to a mid-size IXP with approximately 200 members, and find an upper bound volume of out-of-cone traffic to be more than an order of magnitude less than the previous method inferred on the same data. 
Our work illustrates the subtleties of scientific assessments of operational Internet infrastructure, and the need for a community focus on reproducing and repeating previous methods.","author":[{"name":"Lucas Müller","tag":"1,2"},{"name":"Matthew Luckie","tag":"4"},{"name":"Bradley Huffaker","tag":"3"},{"name":"kc claffy","tag":"3"},{"name":"Marinho Barcellos","tag":"1,4"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3359989.3365422","info":"CoNEXT"},"publishDate":"2019-12-01","uri":"2019_challenges_in_inferring_spoofed_traffic_at_ixps","tags":["IP Address","IP Spoofing"],"titleEn":"Challenges in inferring spoofed traffic at IXPs","affiliation":[{"name":"UFRGS","tag":1},{"name":"CAIDA","tag":2},{"name":"caida/UC San Diego","tag":3},{"name":"University of Waikato","tag":4}],"titleCn":"Challenges in inferring spoofed traffic at IXPs","cite":{"template":[{"template":"Müller L, Luckie M, Huffaker B, et al. Challenges in inferring spoofed traffic at IXPs[C]//Proceedings of the 15th International Conference on Emerging Networking Experiments and Technologies. 2019: 96-109.","type":"GB/T 7714"},{"template":"Müller, Lucas, et al. \"Challenges in inferring spoofed traffic at IXPs.\" Proceedings of the 15th International Conference on Emerging Networking Experiments and Technologies. 2019.","type":"MLA"},{"template":"Müller, L., Luckie, M., Huffaker, B., Claffy, K., & Barcellos, M. (2019, December). Challenges in inferring spoofed traffic at IXPs. In Proceedings of the 15th International Conference on Emerging Networking Experiments and Technologies (pp. 96-109).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":437,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"To detect fraudulent TLS server certificates and improve the accountability of certification authorities (CAs), certificate transparency (CT) is proposed to record certificates in publicly-visible logs, from which the monitors fetch all certificates and watch for suspicious ones. 
However, if the monitors, either domain owners themselves or third-party services, fail to return a complete set of certificates issued for a domain of interest, potentially fraudulent certificates may not be detected and then the CT framework becomes less reliable. This paper presents the first systematic study on CT monitors. We analyze the data in 88 public logs and the services of 5 active third-party monitors regarding 3,000,431 certificates of 6,000 selected Alexa Top-1M websites. We find that although CT allows ordinary domain owners to act as monitors, it is impractical for them to perform reliable processing by themselves, due to the rapidly increasing volume of certificates in public logs (e.g., on average 5 million records or 28.29 GB daily for the minimal set of logs that need to be monitored). Moreover, our study discloses that (a) none of the third-party monitors guarantees to return the complete set of certificates for a domain, and (b) for some domains, even the union of the certificates returned by the five third-party monitors can probably be incomplete. As a result, the certificates accepted by CT-enabled browsers are not absolutely visible to the claimed domain owners, even when CT is adopted with well-functioning logs. 
The risk of invisible fraudulent certificates in public logs raises doubts on the reliability of CT in practice.","author":[{"name":"Bingyu Li","tag":"5"},{"name":" Jingqiang Lin","tag":"5"},{"name":"Fengjun Li","tag":"4"},{"name":" Qiongxiao Wang","tag":"3"},{"name":" Qi Li","tag":"2"},{"name":" Jiwu Jing","tag":"1"},{"name":"Congli Wang","tag":"5"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3319535.3345653","info":"CCS"},"publishDate":"2019-11-11","uri":"2019_certificate_transparency_in_the_wild_exploring_the_reliability_of_monitors","tags":["HTTPS","Web PKI"],"titleEn":"Certificate Transparency in the Wild: Exploring the Reliability of Monitors","affiliation":[{"name":"School of Computer Science and Technology, University of Chinese Academy of Sciences","tag":1},{"name":"Institute for Network Sciences and Cyberspace, Tsinghua University, China","tag":2},{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Data Assurance and Communication Security Center, Chinese Academy of Sciences","tag":3},{"name":"Department of Electrical Engineering and Computer Science, the University of Kansas, USA","tag":4},{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Data Assurance and Communication Security Center, Chinese Academy of Sciences, School of Cyber Security, University of Chinese Academy of Sciences","tag":5}],"titleCn":"Certificate Transparency in the Wild: Exploring the Reliability of Monitors","cite":{"template":[{"template":"Li B, Lin J, Li F, et al. Certificate transparency in the wild: Exploring the reliability of monitors[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 2505-2520.","type":"GB/T 7714"},{"template":"Li, Bingyu, et al. 
\"Certificate transparency in the wild: Exploring the reliability of monitors.\" Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019.","type":"MLA"},{"template":"Li, B., Lin, J., Li, F., Wang, Q., Li, Q., Jing, J., & Wang, C. (2019, November). Certificate transparency in the wild: Exploring the reliability of monitors. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 2505-2520).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":414,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"The Spoofer project has collected data on the deployment and characteristics of IP source address validation on the Internet since 2005. Data from the project comes from participants who install an active probing client that runs in the background. The client automatically runs tests both periodically and when it detects a new network attachment point. We analyze the rich dataset of Spoofer tests in multiple dimensions: across time, networks, autonomous systems, countries, and by Internet protocol version. In our data for the year ending August 2019, at least a quarter of tested ASes did not filter packets with spoofed source addresses leaving their networks. We show that routers performing Network Address Translation do not always filter spoofed packets, as 6.4% of IPv4/24 tested in the year ending August 2019 did not filter. Worse, at least two thirds of tested ASes did not filter packets entering their networks with source addresses claiming to be from within their network that arrived from outside their network. We explore several approaches to encouraging remediation and the challenges of evaluating their impact. While we have been able to remediate 352 IPv4/24, we have found an order of magnitude more IPv4/24 that remains unremediated, despite myriad remediation strategies, with 21% unremediated for more than six months. 
Our analysis provides the most complete and confident picture of the Internet's susceptibility to date of this long-standing vulnerability. Although there is no simple solution to address the remaining long-tail of unremediated networks, we conclude with a discussion of possible non-technical interventions, and demonstrate how the platform can support evaluation of the impact of such interventions over time.","author":[{"name":"Matthew Luckie","tag":"3"},{"name":"Robert Beverly","tag":"2"},{"name":"Ryan Koga","tag":"1"},{"name":"Ken Keys","tag":"1"},{"name":"Joshua A. Kroll","tag":"2"},{"name":"k claffy","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3319535.3354232","info":"CCS"},"publishDate":"2019-11-01","uri":"2019_network_hygiene_incentives_and_regulation_deployment_of_source_address_validation_in_the_internet","tags":["IP Address","IP Spoofing"],"titleEn":"Network Hygiene, Incentives, and Regulation: Deployment of Source Address Validation in the Internet","affiliation":[{"name":"CAIDA/UC San Diego","tag":1},{"name":"Naval Postgraduate School","tag":2},{"name":"University of Waikato","tag":3}],"titleCn":"Network Hygiene, Incentives, and Regulation: Deployment of Source Address Validation in the Internet","cite":{"template":[{"template":"Luckie M, Beverly R, Koga R, et al. Network hygiene, incentives, and regulation: deployment of source address validation in the internet[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019: 465-480.","type":"GB/T 7714"},{"template":"Luckie, Matthew, et al. \"Network hygiene, incentives, and regulation: deployment of source address validation in the internet.\" Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2019.","type":"MLA"},{"template":"Luckie, M., Beverly, R., Koga, R., Keys, K., Kroll, J. A., & Claffy, K. (2019, November). Network hygiene, incentives, and regulation: deployment of source address validation in the internet. 
In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 465-480).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":435,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"DNS packets are designed to travel in unencrypted form through the Internet based on its initial standard. Recent discoveries show that real-world adversaries are actively exploiting this design vulnerability to compromise Internet users’ security and privacy. To mitigate such threats, several protocols have been proposed to encrypt DNS queries between DNS clients and servers, which we jointly term as DNS-over-Encryption. While some proposals have been standardized and are gaining strong support from the industry, little has been done to understand their status from the view of global users. This paper performs by far the first end-to-end and large-scale analysis on DNS-over-Encryption. By collecting data from Internet scanning, user-end measurement and passive monitoring logs, we have gained several unique insights. In general, the service quality of DNS-over-Encryption is satisfying, in terms of accessibility and latency. For DNS clients, DNS-over-Encryption queries are less likely to be disrupted by in-path interception compared to traditional DNS, and the extra overhead is tolerable. However, we also discover several issues regarding how the services are operated. As an example, we find 25% DNS-over-TLS service providers use invalid SSL certificates. Compared to traditional DNS, DNS-over-Encryption is used by far fewer users but we have witnessed a growing trend. 
As such, we believe the community should push broader adoption of DNS-over-Encryption and we also suggest the service providers carefully review their implementations.","author":[{"name":"Chaoyi Lu","tag":"1"},{"name":"Baojun Liu","tag":"1"},{"name":"Zhou Li","tag":"1"},{"name":"Haixin Duan","tag":"1"}],"origin":{"url":"https://www.researchgate.net/profile/Zhou-Li-19/publication/336083700_An_End-to-End_Large-Scale_Measurement_of_DNS-over-Encryption_How_Far_Have_We_Come/links/5d8d7468458515202b6cef72/An-End-to-End-Large-Scale-Measurement-of-DNS-over-Encryption-How-Far-Have","info":"IMC"},"publishDate":"2019-10-21","uri":"2019_an_end_to_end_large_scale_measurement_of_dns_over_encryption_how_far_have_we_come_","tags":["DNS","Encrypted DNS"],"titleEn":"An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?","affiliation":[{"name":"Tsinghua University","tag":1}],"titleCn":"An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come?","cite":{"template":[{"template":"Lu C, Liu B, Li Z, et al. An end-to-end, large-scale measurement of dns-over-encryption: How far have we come?[C]//Proceedings of the Internet Measurement Conference. 2019: 22-35.","type":"GB/T 7714"},{"template":"Lu, Chaoyi, et al. \"An end-to-end, large-scale measurement of dns-over-encryption: How far have we come?.\" Proceedings of the Internet Measurement Conference. 2019.","type":"MLA"},{"template":"Lu, C., Liu, B., Li, Z., Hao, S., Duan, H., Zhang, M., ... & Wu, J. (2019, October). An end-to-end, large-scale measurement of dns-over-encryption: How far have we come?. In Proceedings of the Internet Measurement Conference (pp. 
22-35).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":445,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Despite its critical role in Internet connectivity, the Border Gateway Protocol (BGP) remains highly vulnerable to attacks such as prefix hijacking, where an Autonomous System (AS) announces routes for IP space it does not control. To address this issue, the Resource Public Key Infrastructure (RPKI) was developed starting in 2008, with deployment beginning in 2011. This paper performs the first comprehensive, longitudinal study of the deployment, coverage, and quality of RPKI. We use a unique dataset containing all RPKI Route Origin Authorizations (ROAs) from the moment RPKI was first deployed, more than 8 years ago. We combine this dataset with BGP announcements from more than 3,300 BGP collectors worldwide. Our analysis shows that after a gradual start, RPKI has seen a rapid increase in adoption over the past two years. We also show that although misconfigurations were rampant when RPKI was first deployed (causing many announcements to appear as invalid) they are quite rare today. We develop a taxonomy of invalid RPKI announcements, then quantify their prevalence. We further identify suspicious announcements indicative of prefix hijacking and present case studies of likely hijacks. Overall, we conclude that while misconfigurations still do occur, RPKI is \"ready for the big screen,\" and routing security can be increased by dropping invalid announcements. To foster reproducibility and further studies, we release all RPKI data and the tools we used to analyze it into the public domain.","author":[{"name":"Taejoong Chung","tag":"1"},{"name":" Emile Aben","tag":"8"},{"name":" Tim Bruijnzeels","tag":"7"},{"name":" Balakrishnan Chandrasekaran","tag":"4"},{"name":" David Choffnes","tag":"12"},{"name":" Dave Levin","tag":"5"},{"name":" Bruce M. 
Maggs","tag":"3,9"},{"name":" Alan Mislove","tag":"12"},{"name":" Roland van Rijswijk-Deij","tag":"10,2"},{"name":" John Rula","tag":"6"},{"name":" Nick Sullivan","tag":"11"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3355369.3355596","info":"IMC"},"publishDate":"2019-10-21","uri":"2019_rpki_is_coming_of_age_a_longitudinal_study_of_rpki_deployment_and_invalid_route_origins","tags":["Routing","RPKI"],"titleEn":"RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins","affiliation":[{"name":"Rochester Institute of Technology","tag":1},{"name":" NLNetLabs","tag":2},{"name":"Duke University","tag":3},{"name":"Max Planck Institute for Informatics","tag":4},{"name":"University of Maryland","tag":5},{"name":"Akamai Technologies","tag":6},{"name":"NLNetLabs","tag":7},{"name":"RIPE NCC","tag":8},{"name":" Akamai Technologies","tag":9},{"name":"University of Twente","tag":10},{"name":"Cloudflare","tag":11},{"name":"Northeastern University","tag":12}],"titleCn":"RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and Invalid Route Origins","cite":{"template":[{"template":"Chung T, Aben E, Bruijnzeels T, et al. RPKI is coming of age: A longitudinal study of RPKI deployment and invalid route origins[C]//Proceedings of the Internet Measurement Conference. 2019: 406-419.","type":"GB/T 7714"},{"template":"Chung, Taejoong, et al. \"RPKI is coming of age: A longitudinal study of RPKI deployment and invalid route origins.\" Proceedings of the Internet Measurement Conference. 2019.","type":"MLA"},{"template":"Chung, T., Aben, E., Bruijnzeels, T., Chandrasekaran, B., Choffnes, D., Levin, D., ... & Sullivan, N. (2019, October). RPKI is coming of age: A longitudinal study of RPKI deployment and invalid route origins. In Proceedings of the Internet Measurement Conference (pp. 
406-419).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":460,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Content delivery networks (CDNs) commonly use DNS to map end-users to the best edge servers. A recently proposed EDNS0-Client-Subnet (ECS) extension allows recursive resolvers to include end-user subnet information in DNS queries, so that authoritative DNS servers, especially those belonging to CDNs, could use this information to improve user mapping. In this paper, we study the ECS behavior of ECS-enabled recursive resolvers from the perspectives of the opposite sides of a DNS interaction, the authoritative DNS servers of a major CDN and a busy DNS resolution service. We find a range of erroneous (i.e., deviating from the protocol specification) and detrimental (even if compliant) behaviors that may unnecessarily erode client privacy, reduce the effectiveness of DNS caching, diminish ECS benefits, and in some cases turn ECS from facilitator into an obstacle to authoritative DNS servers' ability to optimize user-to-edge-server mappings.","author":[{"name":"Rami Al-Dalky","tag":"1"},{"name":"Michael Rabinovich","tag":"1"},{"name":"Kyle Schomp","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3355369.3355586","info":"IMC"},"publishDate":"2019-10-21","uri":"2019_a_look_at_the_ecs_behavior_of_dns_resolvers","tags":["DNS","DNS Resolver"],"titleEn":"A Look at the ECS Behavior of DNS Resolvers","affiliation":[{"name":"Case Western Reserve University","tag":1},{"name":"Akamai Technologies","tag":2}],"titleCn":"A Look at the ECS Behavior of DNS Resolvers","cite":{"template":[{"template":"Al-Dalky R, Rabinovich M, Schomp K. A Look at the ECS Behavior of DNS Resolvers[C]//Proceedings of the Internet Measurement Conference. 2019: 116-129.","type":"GB/T 7714"},{"template":"Al-Dalky, Rami, Michael Rabinovich, and Kyle Schomp. \"A Look at the ECS Behavior of DNS Resolvers.\" Proceedings of the Internet Measurement Conference. 
2019.","type":"MLA"},{"template":"Al-Dalky, R., Rabinovich, M., & Schomp, K. (2019, October). A Look at the ECS Behavior of DNS Resolvers. In Proceedings of the Internet Measurement Conference (pp. 116-129).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":493,"keyword":[""],"fileType":1},{"paperType":2,"abstracts":"Transport Layer Security (TLS) provides mechanisms to protect data during electronic dissemination across the Internet. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. It requires that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients and requires support for TLS 1.3 by January 1, 2024. This Special Publication also provides guidance on certificates and TLS extensions that impact security.","author":[{"name":"Kerry A. McKay","tag":"1"},{"name":"David A. Cooper","tag":"1"}],"origin":{"url":"https://doi.org/10.6028/NIST.SP.800-52r2","info":"NIST"},"publishDate":"2019-08-29","uri":"2019_guidelines_for_the_selection_configuration_and_use_of_transport_layer_security_tls_implementations","tags":["HTTPS","TLS"],"titleEn":"Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations","affiliation":[{"name":"Computer Security Division Information Technology Laboratory","tag":1}],"titleCn":"Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations","cite":{"template":[{"template":"McKay K, Cooper D. Guidelines for the selection, configuration, and use of transport layer security (TLS) implementations[R]. National Institute of Standards and Technology, 2017.","type":"GB/T 7714"},{"template":"McKay, Kerry, and David Cooper. Guidelines for the selection, configuration, and use of transport layer security (TLS) implementations. No. 
NIST Special Publication (SP) 800-52 Rev. 2 (Draft). National Institute of Standards and Technology, 2017.","type":"MLA"},{"template":"McKay, K., & Cooper, D. (2017). Guidelines for the selection, configuration, and use of transport layer security (TLS) implementations (No. NIST Special Publication (SP) 800-52 Rev. 2 (Draft)). National Institute of Standards and Technology.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":402,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Certificate Transparency (CT) is an emerging system for enabling the rapid discovery of malicious or misissued certificates. Initially standardized in 2013, CT is now finally beginning to see widespread support. Although CT provides desirable security benefits, web browsers cannot begin requiring all websites to support CT at once, due to the risk of breaking large numbers of websites. We discuss challenges for deployment, analyze the adoption of CT on the web, and measure the error rates experienced by users of the Google Chrome web browser. We find that CT has so far been widely adopted with minimal breakage and warnings. Security researchers often struggle with the tradeoff between security and user frustration: rolling out new security requirements often causes breakage. We view CT as a case study for deploying ecosystem-wide change while trying to minimize end user impact. 
We discuss the design properties of CT that made its success possible, as well as draw lessons from its risks and pitfalls that could be avoided in future large-scale security deployments.","author":[{"name":"Emily Stark","tag":"1"},{"name":"Ryan Sleevi","tag":"1"},{"name":"Rijad Muminovic","tag":"2"},{"name":"Devon O’Brien","tag":"1"},{"name":"Eran Messeri","tag":"1"},{"name":"Adrienne Porter Felt","tag":"1"},{"name":"Brendan McMillion","tag":"3"},{"name":"Parisa Tabriz","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/document/8835212","info":"S&P"},"publishDate":"2019-05-19","uri":"2019_does_certificate_transparency_break_the_web_measuring_adoption_and_error_rate","tags":["HTTPS","Web PKI"],"titleEn":"Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate","affiliation":[{"name":"Google","tag":1},{"name":"University of Sarajevo","tag":2},{"name":"Cloudflare","tag":3}],"titleCn":"Does Certificate Transparency Break the Web? Measuring Adoption and Error Rate","cite":{"template":[{"template":"Stark E, Sleevi R, Muminovic R, et al. Does certificate transparency break the web? Measuring adoption and error rate[C]//2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019: 211-226.","type":"GB/T 7714"},{"template":"Stark, Emily, et al. \"Does certificate transparency break the web? Measuring adoption and error rate.\" 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019.","type":"MLA"},{"template":"Stark, E., Sleevi, R., Muminovic, R., O'Brien, D., Messeri, E., Felt, A. P., ... & Tabriz, P. (2019, May). Does certificate transparency break the web? Measuring adoption and error rate. In 2019 IEEE Symposium on Security and Privacy (SP) (pp. 211-226). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":411,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"HTTPS is one of the most important protocols used to secure communication and is, fortunately, becoming more pervasive. 
However, especially the long tail of websites is still not sufficiently secured. HTTPS involves different types of users, e.g., end users who are forced to make critical security decisions when faced with warnings or administrators who are required to deal with cryptographic fundamentals and complex decisions concerning compatibility. In this work, we present the first qualitative study of both end user and administrator mental models of HTTPS. We interviewed 18 end users and 12 administrators; our findings reveal misconceptions about security benefits and threat models from both groups. We identify protocol components that interfere with secure configurations and usage behavior and reveal differences between administrator and end user mental models. Our results suggest that end user mental models are more conceptual while administrator models are more protocol-based. We also found that end users often confuse encryption with authentication, significantly underestimate the security benefits of HTTPS, and ignore and distrust security indicators while administrators often do not understand the interplay of functional protocol components. 
Based on the different mental models, we discuss implications and provide actionable recommendations for future designs of user interfaces and protocols.","author":[{"name":"Katharina Krombholz","tag":"1"},{"name":" Karoline Busse","tag":"4"},{"name":" Katharina Pfeffer","tag":"2"},{"name":" Matthew Smith","tag":"3"},{"name":" Emanuel von Zezschwitz","tag":"3"}],"origin":{"url":"https://ieeexplore.ieee.org/document/8835228","info":"S&P"},"publishDate":"2019-05-19","uri":"2019_if_https_were_secure_i_wouldn_t_need_2fa_end_user_and_administrator_mental_models_of_https","tags":["HTTPS","TLS"],"titleEn":"If HTTPS Were Secure, I Wouldn't Need 2FA - End User and Administrator Mental Models of HTTPS","affiliation":[{"name":"CISPA Helmholtz Center for Information Security","tag":1},{"name":"SBA Research","tag":2},{"name":"Bonn University FhG FKIE","tag":3},{"name":"Bonn University","tag":4}],"titleCn":"If HTTPS Were Secure, I Wouldn't Need 2FA - End User and Administrator Mental Models of HTTPS","cite":{"template":[{"template":"Krombholz K, Busse K, Pfeffer K, et al. \"If HTTPS Were Secure, I Wouldn't Need 2FA\"-End User and Administrator Mental Models of HTTPS[C]//2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019: 246-263.","type":"GB/T 7714"},{"template":"Krombholz, Katharina, et al. \"\"If HTTPS Were Secure, I Wouldn't Need 2FA\"-End User and Administrator Mental Models of HTTPS.\" 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 2019.","type":"MLA"},{"template":"Krombholz, K., Busse, K., Pfeffer, K., Smith, M., & Von Zezschwitz, E. (2019, May). \" If HTTPS Were Secure, I Wouldn't Need 2FA\"-End User and Administrator Mental Models of HTTPS. In 2019 IEEE Symposium on Security and Privacy (SP) (pp. 246-263). 
IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":407,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Anycast is a popular tool for deploying global, widely available systems, including DNS infrastructure and content delivery networks (CDNs). The optimization of these networks often focuses on the deployment and management of anycast sites. However, such approaches fail to consider one of the primary configurations of a large anycast network: the set of networks that receive anycast announcements at each site (i.e., an announcement configuration). Altering these configurations, even without the deployment of additional sites, can have profound impacts on both anycast site selection and round-trip times. In this study, we explore the operation and optimization of anycast networks through the lens of deployments that have a large number of upstream service providers. We demonstrate that these many-provider anycast networks exhibit fundamentally different properties when interacting with the Internet, having a greater number of single AS hop paths and reduced dependency on each provider, compared with few-provider networks. We further examine the impact of announcement configuration changes, demonstrating that in nearly 30% of vantage point groups, round-trip time performance can be improved by more than 25%, solely by manipulating which providers receive anycast announcements. 
Finally, we propose DailyCatch, an empirical measurement methodology for testing and validating announcement configuration changes, and demonstrate its ability to influence user-experienced performance on a global anycast CDN.","author":[{"name":"McQuistin Stephen","tag":"1"},{"name":" Uppu Sree Priyanka","tag":"2"},{"name":" Flores Marcel","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3355369.3355573","info":"IMC"},"publishDate":"2019-01-01","uri":"2019_taming_anycast_in_the_wild_internet","tags":["IP Address","Anycast"],"titleEn":"Taming Anycast in the Wild Internet","affiliation":[{"name":"University of Glasgow","tag":1},{"name":"Verizon Digital Media Services","tag":2}],"titleCn":"Taming Anycast in the Wild Internet","cite":{"template":[{"template":"McQuistin S, Uppu S P, Flores M. Taming anycast in the wild internet[C]//Proceedings of the Internet Measurement Conference. 2019: 165-178.","type":"GB/T 7714"},{"template":"McQuistin, Stephen, Sree Priyanka Uppu, and Marcel Flores. \"Taming anycast in the wild internet.\" Proceedings of the Internet Measurement Conference. 2019.","type":"MLA"},{"template":"McQuistin, S., Uppu, S. P., & Flores, M. (2019, October). Taming anycast in the wild internet. In Proceedings of the Internet Measurement Conference (pp. 165-178).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":503,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Border gateway protocol (BGP) prefix hijacking is a critical threat to Internet organizations and users. Despite the availability of several defense approaches ranging from RPKI to popular third-party services, none of them solves the problem adequately in practice. 
In fact, they suffer from: (i) lack of detection comprehensiveness, allowing sophisticated attackers to evade detection; (ii) limited accuracy, especially in the case of third-party detection; (iii) delayed verification and mitigation of incidents, reaching up to days; and (iv) lack of privacy and of flexibility in post-hijack counteractions, on the side of network operators. In this paper, we propose ARTEMIS, a defense approach (a) based on accurate and fast detection operated by the autonomous system itself, leveraging the pervasiveness of publicly available BGP monitoring services and their recent shift towards real-time streaming and thus (b) enabling flexible and fast mitigation of hijacking events. Compared to the previous work, our approach combines characteristics desirable to network operators, such as comprehensiveness, accuracy, speed, privacy, and flexibility. Finally, we show through real-world experiments that with the ARTEMIS approach, prefix hijacking can be neutralized within a minute.","author":[{"name":"Pavlos Sermpezis","tag":"5"},{"name":"Vasileios Kotronis","tag":"5"},{"name":"Petros Gigis","tag":"5"},{"name":"Xenofontas Dimitropoulos","tag":"5"},{"name":"Danilo Cicalese","tag":"6"},{"name":"Alistair King","tag":"2,3,4"},{"name":"Alberto Dainotti","tag":"6,1"}],"origin":{"url":"https://dl.acm.org/doi/10.1109/TNET.2018.2869798","info":"ToN"},"publishDate":"2018-12-01","uri":"2018_artemis_neutralizing_bgp_hijacking_within_a_minute","tags":["Routing","BGP Hijacking"],"titleEn":"ARTEMIS: Neutralizing BGP Hijacking Within a Minute","affiliation":[{"name":"USA","tag":1},{"name":"Center for Applied Internet Data Analysis","tag":2},{"name":"SDSC","tag":3},{"name":"UC San Diego","tag":4},{"name":"Foundation for Research and Technology-Hellas","tag":5},{"name":"University of California at San Diego","tag":6}],"titleCn":"ARTEMIS: Neutralizing BGP Hijacking Within a Minute","cite":{"template":[{"template":"Sermpezis P, Kotronis V, Gigis P, et al. 
ARTEMIS: Neutralizing BGP hijacking within a minute[J]. IEEE/ACM transactions on networking, 2018, 26(6): 2471-2486.","type":"GB/T 7714"},{"template":"Sermpezis, Pavlos, et al. \"ARTEMIS: Neutralizing BGP hijacking within a minute.\" IEEE/ACM transactions on networking 26.6 (2018): 2471-2486.","type":"MLA"},{"template":"Sermpezis, P., Kotronis, V., Gigis, P., Dimitropoulos, X., Cicalese, D., King, A., & Dainotti, A. (2018). ARTEMIS: Neutralizing BGP hijacking within a minute. IEEE/ACM transactions on networking, 26(6), 2471-2486.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":467,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"The growth of global Internet traffic has driven an exponential expansion of the submarine cable network, both in terms of the sheer number of links and its total capacity. Today, a complex mesh of hundreds of cables, stretching over 1 million kilometers, connects nearly every corner of the earth and is instrumental in closing the remaining connectivity gaps. Despite the scale and critical role of the submarine network for both business and society at large, our community has mostly ignored it, treating it as a black box in most Internet studies, from connectivity to inter-domain traffic and reliability. We make the case for a new research agenda focused on characterizing the global submarine network and the critical role it plays as a basic component of any inter-continental end-to-end connection.","author":[{"name":"Zachary S. Bischof","tag":"2"},{"name":" Romain Fontugne","tag":"2"},{"name":" Fabián E. 
Bustamante","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3286062.3286074","info":"HotNets"},"publishDate":"2018-11-15","uri":"2018_untangling_the_world_wide_mesh_of_undersea_cables","tags":["Submarine Cable"],"titleEn":"Untangling the world-wide mesh of undersea cables","affiliation":[{"name":"Northwestern University","tag":1},{"name":"IIJ Research Lab","tag":2}],"titleCn":"Untangling the world-wide mesh of undersea cables","cite":{"template":[{"template":"Bischof Z S, Fontugne R, Bustamante F E. Untangling the world-wide mesh of undersea cables[C]//Proceedings of the 17th ACM Workshop on Hot Topics in Networks. 2018: 78-84.","type":"GB/T 7714"},{"template":"Bischof, Zachary S., Romain Fontugne, and Fabián E. Bustamante. \"Untangling the world-wide mesh of undersea cables.\" Proceedings of the 17th ACM Workshop on Hot Topics in Networks. 2018.","type":"MLA"},{"template":"Bischof, Z. S., Fontugne, R., & Bustamante, F. E. (2018, November). Untangling the world-wide mesh of undersea cables. In Proceedings of the 17th ACM Workshop on Hot Topics in Networks (pp. 78-84).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":457,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"The Domain Name System (DNS) maps human-friendly names into the network addresses necessary for network communication. Therefore, the robustness of the DNS is crucial to the general operation of the Internet. As such, the DNS protocol and architecture were designed to facilitate structural robustness within system. For instance, a domain can depend on authoritative nameservers in several topologically disparate datacenters to aid robustness. However, the actual operation of the system need not utilize these robustness tools. 
In this paper we provide an initial analysis of the structural robustness of the DNS ecosystem over the last nine years.","author":[{"name":"Mark Allman","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3278532.3278541","info":"IMC"},"publishDate":"2018-10-31","uri":"2018_comments_on_dns_robustness","tags":["DNS Infrastructure"],"titleEn":"Comments on DNS Robustness","affiliation":[{"name":"International Computer Science Institute","tag":1}],"titleCn":"Comments on DNS Robustness","cite":{"template":[{"template":"Allman M. Comments on DNS robustness[C]//Proceedings of the Internet Measurement Conference 2018. 2018: 84-90.","type":"GB/T 7714"},{"template":"Allman, Mark. \"Comments on DNS robustness.\" Proceedings of the Internet Measurement Conference 2018. 2018.","type":"MLA"},{"template":"Allman, M. (2018, October). Comments on DNS robustness. In Proceedings of the Internet Measurement Conference 2018 (pp. 84-90).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":488,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"DNS queries from end users are handled by recursive DNS servers for scalability. For convenience, Internet Service Providers (ISPs) assign recursive servers for their clients automatically when the clients choose the default network settings. But users should also have flexibility to use their preferred recursive servers, like public DNS servers. This kind of trust, however, can be broken by the hidden interception of the DNS resolution path (which we term as DNSIntercept). Specifically, on-path devices could spoof the IP addresses of user-specified DNS servers and intercept the DNS queries surreptitiously, introducing privacy and security issues. In this paper, we perform a large-scale analysis of on-path DNS interception and shed light on its scope and characteristics. We design novel approaches to detect DNS interception and leverage 148,478 residential and cellular IP addresses around the world for analysis. 
As a result, we find that 259 of the 3,047 ASes (8.5%) that we inspect exhibit DNS interception behavior, including large providers, such as China Mobile. Moreover, we find that the DNS servers of the ASes which intercept requests may use outdated vulnerable software (deprecated before 2009) and lack security-related functionality, such as handling DNSSEC requests. Our work highlights the issues around on-path DNS interception and provides new insights for addressing such issues.","author":[{"name":"Baojun Liu","tag":"2"},{"name":"Chaoyi Lu","tag":"2"},{"name":"Haixin Duan","tag":"2"},{"name":"Ying Liu","tag":"2"},{"name":"Zhou Li","tag":"1"},{"name":"Shuang Hao","tag":"4"},{"name":"Min Yang","tag":"3"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity18/presentation/liu-baojun","info":"Security"},"publishDate":"2018-08-15","uri":"2018_who_is_answering_my_queries_understanding_and_characterizing_interception_of_the_dns_resolution_path","tags":["DNS","DNS Resolver"],"titleEn":"Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path","affiliation":[{"name":"IEEE member","tag":1},{"name":"Tsinghua University","tag":2},{"name":"Fudan University","tag":3},{"name":"University of Texas at Dallas","tag":4}],"titleCn":"Who Is Answering My Queries: Understanding and Characterizing Interception of the DNS Resolution Path","cite":{"template":[{"template":"Liu B, Lu C, Duan H, et al. Who is answering my queries: Understanding and characterizing interception of the {DNS} resolution path[C]//27th USENIX Security Symposium (USENIX Security 18). 2018: 1113-1128.","type":"GB/T 7714"},{"template":"Liu, Baojun, et al. \"Who is answering my queries: Understanding and characterizing interception of the {DNS} resolution path.\" 27th USENIX Security Symposium (USENIX Security 18). 2018.","type":"MLA"},{"template":"Liu, B., Lu, C., Duan, H., Liu, Y., Li, Z., Hao, S., & Yang, M. (2018). 
Who is answering my queries: Understanding and characterizing interception of the {DNS} resolution path. In 27th USENIX Security Symposium (USENIX Security 18) (pp. 1113-1128).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":492,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Internet anycast depends on inter-domain routing to direct clients to their “closest” sites. Using data collected from a root DNS server for over a year (400M+ queries/day from 100+ sites), we characterize the load balancing and latency performance of global anycast. Our analysis shows that site loads are often unbalanced, and that most queries travel longer than necessary, many by over 5000 km. Investigating the root causes of these inefficiencies, we can attribute path inflation to two causes. Like unicast, anycast routes are subject to inter-domain routing topology and policies that can increase path length compared to theoretical shortest (e.g., great-circle distance). Unlike unicast, anycast routes are also affected by poor route selection when paths to multiple sites are available, subjecting anycast routes to an additional, unnecessary, penalty. Unfortunately, BGP provides no information about the number or goodness of reachable anycast sites. We propose an additional hint in BGP advertisements for anycast routes that can enable ISPs to make better choices when multiple “equally good” routes are available. 
Our results show that use of such routing hints can eliminate much of the anycast path inflation, enabling anycast to approach the performance of unicast routing.","author":[{"name":"Zhihao Li","tag":"1"},{"name":"Dave Levin","tag":"1"},{"name":"Neil Spring","tag":"1"},{"name":"Bobby Bhattacharjee","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3230543.3230547","info":"SIGCOMM"},"publishDate":"2018-08-07","uri":"2018_internet_anycast_performance_problems_potential","tags":["IP Address","Anycast"],"titleEn":"Internet Anycast: Performance, Problems, & Potential","affiliation":[{"name":"University of Maryland","tag":1}],"titleCn":"Internet Anycast: Performance, Problems, & Potential","cite":{"template":[{"template":"Li Z, Levin D, Spring N, et al. Internet anycast: performance, problems, & potential[C]//Proceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication. 2018: 59-73.","type":"GB/T 7714"},{"template":"Li, Zhihao, et al. \"Internet anycast: performance, problems, & potential.\" Proceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication. 2018.","type":"MLA"},{"template":"Li, Z., Levin, D., Spring, N., & Bhattacharjee, B. (2018, August). Internet anycast: performance, problems, & potential. In Proceedings of the 2018 Conference of the ACM Special Interest Group on Data Communication (pp. 59-73).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":471,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"The Domain Name System (DNS) is a hierarchical distributed system organized through top-down zone delegation. Consequently resolution of a zone depends on its ancestors. However, since the delegation in DNS is designed by name rather than address, the dependency could further extend to other zones. If not configured well, the dependency of a zone could be large and complicated, potentially harmful to its availability and integrity. 
In this paper, we propose a graph-based model to comprehensively analyze zone dependency in DNS. Our approach classifies zone dependency into four different relations: general dependency, explicit dependency, critical dependency and essential dependency. We also propose an empirical method to quantitatively measure the zone dependencies of given zones. Our survey with over 1 million DNS zones shows that more than 99% of the zones depend on some 3-rd party zone; about 41% of the zones critically rely on more than 2 zones except their ancestors; some TLDs such as .org, .info and .cn tend to have more dependencies than others.","author":[{"name":"Jian Jiang","tag":"1,2"},{"name":"Jia Zhang","tag":"1"},{"name":"Haixin Duan","tag":"1"},{"name":"Kang Li","tag":"3"},{"name":"Wu Liu","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/8422602","info":"ICC"},"publishDate":"2018-07-30","uri":"2018_analysis_and_measurement_of_zone_dependency_in_the_domain_name_system","tags":["DNS","Domain Name"],"titleEn":"Analysis and Measurement of Zone Dependency in the Domain Name System","affiliation":[{"name":"Tsinghua University","tag":1},{"name":"University of California Berkeley","tag":2},{"name":"University of Georgia","tag":3}],"titleCn":"Analysis and Measurement of Zone Dependency in the Domain Name System","cite":{"template":[{"template":"Jiang J, Zhang J, Duan H, et al. Analysis and measurement of zone dependency in the domain name system[C]//2018 IEEE International Conference on Communications (ICC). IEEE, 2018: 1-7.","type":"GB/T 7714"},{"template":"Jiang, Jian, et al. \"Analysis and measurement of zone dependency in the domain name system.\" 2018 IEEE International Conference on Communications (ICC). IEEE, 2018.","type":"MLA"},{"template":"Jiang, J., Zhang, J., Duan, H., Li, K., & Liu, W. (2018, May). Analysis and measurement of zone dependency in the domain name system. In 2018 IEEE International Conference on Communications (ICC) (pp. 1-7). 
IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":483,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"The Network Time Protocol (NTP) is currently the most commonly used approach to keeping the clocks of computing devices accurate. It operates in the background of many systems; however, it is often important because if NTP fails in providing the correct time, multiple applications such as security protocols like TLS can fail. Despite its crucial practical role, only a limited number of measurement studies have focused on the NTP ecosystem. In this paper, we report the results of an in-depth longitudinal study of the services provided by the NTP Pool Project, which enables volunteers to offer their NTP services to other Internet users in a straightforward manner. We supplement these observations with an analysis of other readily available NTP servers, such as those offered by OS vendors or those that can be freely found on the Internet. The analysis indicates a reliance on a small set of servers that are (at least indirectly) responsible for providing the time for the Internet. Furthermore, this paper considers the impact of several incidents that the authors observed between December 2016 and April 2017. To complement this study, we also perform an analysis of multiple geographical regions from the operator's perspective, spanning a period of 5 months. A coarse-grained categorization of client requests allows us to categorize 95 percent of our incoming traffic as NTP- and SNTP-like traffic (the latter being a simpler, but more error-prone, form of NTP); we observe that up to 75 percent of all requests originated from SNTP-like clients. 
With this in mind, we consider what kind of harm a rogue server administrator could cause to users.","author":[{"name":"Teemu Rytilahti","tag":"1"},{"name":"Dennis Tatang","tag":"1"},{"name":"Janosch Köpper","tag":"1"},{"name":"Thorsten Holz","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/8406595","info":"S&P"},"publishDate":"2018-07-09","uri":"2018_masters_of_time_an_overview_of_the_ntp_ecosystem","tags":["NTP"],"titleEn":"Masters of Time: An Overview of the NTP Ecosystem","affiliation":[{"name":"Ruhr-University Bochum","tag":1}],"titleCn":"Masters of Time: An Overview of the NTP Ecosystem","cite":{"template":[{"template":"Rytilahti T, Tatang D, Köpper J, et al. Masters of time: An overview of the NTP ecosystem[C]//2018 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2018: 122-136.","type":"GB/T 7714"},{"template":"Rytilahti, Teemu, et al. \"Masters of time: An overview of the NTP ecosystem.\" 2018 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2018.","type":"MLA"},{"template":"Rytilahti, T., Tatang, D., Köpper, J., & Holz, T. (2018, April). Masters of time: An overview of the NTP ecosystem. In 2018 IEEE European Symposium on Security and Privacy (EuroS&P) (pp. 122-136). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":442,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Certificate Authorities (CAs) regularly make mechanical errors when issuing certificates. To quantify these errors, we introduce ZLint, a certificate linter that codifies the policies set forth by the CA/Browser Forum Baseline Requirements and RFC 5280 that can be tested in isolation. We run ZLint on browser-trusted certificates in Censys and systematically analyze how well CAs construct certificates. We find that the number of errors has drastically reduced since 2012. In 2017, only 0.02% of certificates have errors. 
However, this is largely due to a handful of large authorities that consistently issue correct certificates. There remains a long tail of small authorities that regularly issue non-conformant certificates. We further find that issuing certificates with errors is correlated with other types of mismanagement and for large authorities, browser action. Drawing on our analysis, we conclude with a discussion on how the community can best use lint data to identify authorities with worrisome organizational practices and ensure long-term health of the Web PKI.","author":[{"name":"Deepak Kumar","tag":"3"},{"name":" Zhengping Wang","tag":"3"},{"name":" Matthew Hyder","tag":"3"},{"name":" Joseph Dickinson","tag":"3"},{"name":" Gabrielle Beck","tag":"1"},{"name":" David Adrian","tag":"1"},{"name":" Joshua Mason","tag":"3"},{"name":"Zakir Durumeric","tag":"3,1,2"},{"name":"J. Alex Halderman","tag":"1"},{"name":"Michael Bailey","tag":"3"}],"origin":{"url":"https://ieeexplore.ieee.org/document/8418638","info":"S&P"},"publishDate":"2018-05-20","uri":"2018_tracking_certificate_misissuance_in_the_wild","tags":["HTTPS","Web PKI"],"titleEn":"Tracking Certificate Misissuance in the Wild","affiliation":[{"name":"University of Michigan","tag":1},{"name":"Stanford University","tag":2},{"name":"University of Illinois Urbana-Champaign","tag":3}],"titleCn":"Tracking Certificate Misissuance in the Wild","cite":{"template":[{"template":"Kumar D, Wang Z, Hyder M, et al. Tracking certificate misissuance in the wild[C]//2018 IEEE Symposium on Security and Privacy (SP). IEEE, 2018: 785-798.","type":"GB/T 7714"},{"template":"Kumar, Deepak, et al. \"Tracking certificate misissuance in the wild.\" 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 2018.","type":"MLA"},{"template":"Kumar, D., Wang, Z., Hyder, M., Dickinson, J., Beck, G., Adrian, D., ... & Bailey, M. (2018, May). Tracking certificate misissuance in the wild. In 2018 IEEE Symposium on Security and Privacy (SP) (pp. 785-798). 
IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":412,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Network measurements are an important tool in understanding the Internet. Due to the expanse of the IPv6 address space, exhaustive scans as in IPv4 are not possible for IPv6. In recent years, several studies have proposed the use of target lists of IPv6 addresses, called IPv6 hitlists. In this paper, we show that addresses in IPv6 hitlists are heavily clustered. We present novel techniques that allow IPv6 hitlists to be pushed from quantity to quality. We perform a longitudinal active measurement study over 6 months, targeting more than 50 M addresses. We develop a rigorous method to detect aliased prefixes, which identifies 1.5 % of our prefixes as aliased, pertaining to about half of our target addresses. Using entropy clustering, we group the entire hitlist into just 6 distinct addressing schemes. Furthermore, we perform client measurements by leveraging crowdsourcing. To encourage reproducibility in network measurement research and to serve as a starting point for future IPv6 studies, we publish source code, analysis tools, and data.","author":[{"name":"Oliver Gasser","tag":"1"},{"name":"Quirin Scheitle","tag":"1"},{"name":"Pawel Foremski","tag":"2"},{"name":"Qasim Lone","tag":"3"},{"name":"Maciej Korczyński","tag":"3"},{"name":"Grenoble Alps University","tag":"4"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3278532.3278564","info":"IMC"},"publishDate":"2018-01-01","uri":"2018_clusters_in_the_expanse_understanding_and_unbiasing_ipv6_hitlists","tags":["IP Address","Active IP"],"titleEn":"Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists","affiliation":[{"name":"Technical University of Munich","tag":1},{"name":"IITiS PAN","tag":2},{"name":"Grenoble Alps University","tag":3},{"name":"RIPE NCC","tag":4}],"titleCn":"Clusters in the Expanse: Understanding and Unbiasing IPv6 
Hitlists","cite":{"template":[{"template":"Gasser O, Scheitle Q, Foremski P, et al. Clusters in the expanse: Understanding and unbiasing IPv6 hitlists[C]//Proceedings of the Internet Measurement Conference 2018. 2018: 364-378.","type":"GB/T 7714"},{"template":"Gasser, Oliver, et al. \"Clusters in the expanse: Understanding and unbiasing IPv6 hitlists.\" Proceedings of the Internet Measurement Conference 2018. 2018.","type":"MLA"},{"template":"Gasser, O., Scheitle, Q., Foremski, P., Lone, Q., Korczyński, M., Strowes, S. D., ... & Carle, G. (2018, October). Clusters in the expanse: Understanding and unbiasing IPv6 hitlists. In Proceedings of the Internet Measurement Conference 2018 (pp. 364-378).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":420,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Fast IPv4 scanning has enabled researchers to answer a wealth of new security and measurement questions. However, while increased network speeds and computational power have enabled comprehensive scans of the IPv4 address space, a brute-force approach does not scale to IPv6. Systems are limited to scanning a small fraction of the IPv6 address space and require an algorithmic approach to determine a small set of candidate addresses to probe. In this paper, we first explore the considerations that guide designing such algorithms. We introduce a new approach that identifies dense address space regions from a set of known \"seed\" addresses and generates a set of candidates to scan. We compare our algorithm 6Gen against Entropy/IP---the current state of the art---finding that we can recover between 1--8 times as many addresses for the five candidate datasets considered in the prior work. However, during our analysis, we uncover widespread IP aliasing in IPv6 networks. 
We discuss its effect on target generation and explore preliminary approaches for detecting aliased regions.","author":[{"name":"Austin Murdock","tag":"2"},{"name":"Frank Li","tag":"2"},{"name":"Paul Bramsen","tag":"3"},{"name":"Zakir Durumeric","tag":"1"},{"name":"Vern Paxson","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3131365.3131405","info":"IMC"},"publishDate":"2017-11-01","uri":"2017_target_generation_for_internet_wide_ipv6_scanning","tags":["IP Address","Active IP"],"titleEn":"Target generation for internet-wide IPv6 scanning","affiliation":[{"name":"International Computer Science Institute","tag":1},{"name":"University of California Berkeley,International Computer Science Institute","tag":2},{"name":"University of California Berkeley","tag":3}],"titleCn":"Target generation for internet-wide IPv6 scanning","cite":{"template":[{"template":"Murdock A, Li F, Bramsen P, et al. Target generation for internet-wide IPv6 scanning[C]//Proceedings of the 2017 Internet Measurement Conference. 2017: 242-253.","type":"GB/T 7714"},{"template":"Murdock, Austin, et al. \"Target generation for internet-wide IPv6 scanning.\" Proceedings of the 2017 Internet Measurement Conference. 2017.","type":"MLA"},{"template":"Murdock, A., Li, F., Bramsen, P., Durumeric, Z., & Paxson, V. (2017, November). Target generation for internet-wide IPv6 scanning. In Proceedings of the 2017 Internet Measurement Conference (pp. 242-253).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":427,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"IP traffic with forged source addresses (i.e., spoofed traffic) enables a series of threats ranging from the impersonation of remote hosts to massive denial-of-service attacks. Consequently, IP address spoofing received considerable attention with efforts to either suppress spoofing, to mitigate its consequences, or to actively measure the ability to spoof in individual networks. 
However, as of today, we still lack a comprehensive understanding both of the prevalence and the characteristics of spoofed traffic \"in the wild\" as well as of the networks that inject spoofed traffic into the Internet. In this paper, we propose and evaluate a method to passively detect spoofed packets in traffic exchanged between networks in the inter-domain Internet. Our detection mechanism identifies both source IP addresses that should never be visible in the inter-domain Internet (i.e., unrouted and bogon sources) as well as source addresses that should not be sourced by individual networks, as inferred from BGP routing information. We apply our method to classify the traffic exchanged between more than 700 networks at a large European IXP. We find that the majority of connected networks do not, or not consistently, filter their outgoing traffic. Filtering strategies and contributions of spoofed traffic vary heavily across networks of different types and sizes. Finally, we study qualitative characteristics of spoofed traffic, regarding both application popularity as well as structural properties of addresses. 
Combining our observations, we identify and study dominant attack patterns.","author":[{"name":"Franziska Lichtblau","tag":"1"},{"name":"Florian Streibelt","tag":"1"},{"name":"Thorben Krüger","tag":"1"},{"name":"Philipp Richter","tag":"1"},{"name":"Anja Feldmann","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3131365.3131367","info":"IMC"},"publishDate":"2017-11-01","uri":"2017_detection_classification_and_analysis_of_inter_domain_traffic_with_spoofed_source_ip_addresses","tags":["IP Address","IP Spoofing"],"titleEn":"Detection, Classification, and Analysis of Inter-Domain Traffic with Spoofed Source IP Addresses","affiliation":[{"name":"TU Berlin","tag":1}],"titleCn":"Detection, Classification, and Analysis of Inter-Domain Traffic with Spoofed Source IP Addresses","cite":{"template":[{"template":"Lichtblau F, Streibelt F, Krüger T, et al. Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses[C]//Proceedings of the 2017 Internet Measurement Conference. 2017: 86-99.","type":"GB/T 7714"},{"template":"Lichtblau, Franziska, et al. \"Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses.\" Proceedings of the 2017 Internet Measurement Conference. 2017.","type":"MLA"},{"template":"Lichtblau, F., Streibelt, F., Krüger, T., Richter, P., & Feldmann, A. (2017, November). Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses. In Proceedings of the 2017 Internet Measurement Conference (pp. 86-99).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":436,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"IP anycast provides DNS operators and CDNs with automatic fail-over and reduced latency by breaking the Internet into catchments, each served by a different anycast site. Unfortunately, understanding and predicting changes to catchments as anycast sites are added or removed has been challenging. 
Current tools such as RIPE Atlas or commercial equivalents map from thousands of vantage points (VPs), but their coverage can be inconsistent around the globe. This paper proposes Verfploeter, a new method that maps anycast catchments using active probing. Verfploeter provides around 3.8M passive VPs, 430x the 9k physical VPs in RIPE Atlas, providing coverage of the vast majority of networks around the globe. We then add load information from prior service logs to provide calibrated predictions of anycast changes. Verfploeter has been used to evaluate the new anycast deployment for B-Root, and we also report its use of a nine-site anycast testbed. We show that the greater coverage made possible by Verfploeter's active probing is necessary to see routing differences in regions that have sparse coverage from RIPE Atlas, like South America and China.","author":[{"name":"De Vries Wouter B","tag":"2"},{"name":" de O. Schmidt Ricardo","tag":"2"},{"name":" Hardaker Wes","tag":"1"},{"name":" Heidemann John","tag":"1"},{"name":" de Boer Pieter-Tjerk","tag":"2"},{"name":" Pras Aiko","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/3131365.3131371","info":"IMC"},"publishDate":"2017-11-01","uri":"2017_broad_and_load_aware_anycast_mapping_with_verfploeter","tags":["IP Address","Anycast"],"titleEn":"Broad and Load-Aware Anycast Mapping with Verfploeter","affiliation":[{"name":"USC/ISI","tag":1},{"name":"University of Twente","tag":2}],"titleCn":"Broad and Load-Aware Anycast Mapping with Verfploeter","cite":{"template":[{"template":"De Vries W B, de O. Schmidt R, Hardaker W, et al. Broad and load-aware anycast mapping with verfploeter[C]//Proceedings of the 2017 Internet Measurement Conference. 2017: 477-488.","type":"GB/T 7714"},{"template":"De Vries, Wouter B., et al. \"Broad and load-aware anycast mapping with verfploeter.\" Proceedings of the 2017 Internet Measurement Conference. 2017.","type":"MLA"},{"template":"De Vries, W. B., de O. 
Schmidt, R., Hardaker, W., Heidemann, J., de Boer, P. T., & Pras, A. (2017, November). Broad and load-aware anycast mapping with verfploeter. In Proceedings of the 2017 Internet Measurement Conference (pp. 477-488).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":502,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"The functionality and security of all domain names are contingent upon their nameservers. When these nameservers, or requests to them, are compromised, all domains that rely on them are affected. In this paper, we study the exploitation of configuration issues (typosquatting and outdated WHOIS records) and hardware errors (bitsquatting) to seize control over nameservers' requests to hijack domains. We perform a large-scale analysis of 10,000 popular nameserver domains, in which we map out existing abuse and vulnerable entities. We confirm the capabilities of these attacks through real-world measurements. Overall, we find that over 12,000 domains are susceptible to near-immediate compromise, while 52.8M domains are being targeted by nameserver bitsquatters that respond with rogue IP addresses. 
Additionally, we determine that 1.28M domains are at risk of a denial-of-service attack by relying on an outdated nameserver.","author":[{"name":"Thomas Vissers","tag":"2"},{"name":"Timothy Barron","tag":"1"},{"name":"Tom Van Goethem","tag":"2"},{"name":"Wouter Joosen","tag":"2"},{"name":"Nick Nikiforakis","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/3133956.3133988","info":"CCS"},"publishDate":"2017-10-30","uri":"2017_the_wolf_of_name_street_hijacking_domains_through_their_nameservers","tags":["DNS","Domain Hijacking"],"titleEn":"The Wolf of Name Street: Hijacking Domains Through Their Nameservers","affiliation":[{"name":"Stony Brook University","tag":1},{"name":"imec-DistriNet KU Leuven","tag":2}],"titleCn":"The Wolf of Name Street: Hijacking Domains Through Their Nameservers","cite":{"template":[{"template":"Vissers T, Barron T, Van Goethem T, et al. The wolf of name street: Hijacking domains through their nameservers[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017: 957-970.","type":"GB/T 7714"},{"template":"Vissers, Thomas, et al. \"The wolf of name street: Hijacking domains through their nameservers.\" Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2017.","type":"MLA"},{"template":"Vissers, T., Barron, T., Van Goethem, T., Joosen, W., & Nikiforakis, N. (2017, October). The wolf of name street: Hijacking domains through their nameservers. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (pp. 957-970).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":490,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Protecting communication content at scale is a difficult task, and TLS is the protocol most commonly used to do so. However, it has been shown that deploying it in a truly secure fashion is challenging for a large fraction of online service operators. 
While Let’s Encrypt was specifically built and launched to promote the adoption of HTTPS, this paper aims to understand the reasons for why it has been so hard to deploy TLS correctly and studies the usability of the deployment process for HTTPS. We performed a series of experiments with 28 knowledgeable participants and revealed significant usability challenges that result in weak TLS configurations. Additionally, we conducted expert interviews with 7 experienced security auditors. Our results suggest that the deployment process is far too complex even for people with proficient knowledge in the field, and that server configurations should have stronger security by default. While the results from our expert interviews confirm the ecological validity of the lab study results, they additionally highlight that even educated users prefer solutions that are easy to use. An improved and less vulnerable workflow would be very beneficial to finding stronger configurations in the wild.","author":[{"name":"Katharina Krombholz","tag":"1"},{"name":" Wilfried Mayer","tag":"1"},{"name":" Martin Schmiedecker","tag":"1"},{"name":" Edgar Weippl","tag":"1"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/krombholz","info":"Security"},"publishDate":"2017-08-16","uri":"2017__i_have_no_idea_what_i_m_doing_on_the_usability_of_deploying_https","tags":["HTTPS","Web PKI"],"titleEn":"“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS","affiliation":[{"name":"SBA Research","tag":1}],"titleCn":"“I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS","cite":{"template":[{"template":"Krombholz K, Mayer W, Schmiedecker M, et al. \" I Have No Idea What I'm Doing\"-On the Usability of Deploying {HTTPS}[C]//26th USENIX Security Symposium (USENIX Security 17). 2017: 1339-1356.","type":"GB/T 7714"},{"template":"Krombholz, Katharina, et al. 
\"\" I Have No Idea What I'm Doing\"-On the Usability of Deploying {HTTPS}.\" 26th USENIX Security Symposium (USENIX Security 17). 2017.","type":"MLA"},{"template":"Krombholz, K., Mayer, W., Schmiedecker, M., & Weippl, E. (2017). \" I Have No Idea What I'm Doing\"-On the Usability of Deploying {HTTPS}. In 26th USENIX Security Symposium (USENIX Security 17) (pp. 1339-1356).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":408,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Despite source IP address spoofing being a known vulnerability for at least 25 years, and despite many efforts to shed light on the problem, spoofing remains a popular attack method for redirection, amplification, and anonymity. To defeat these attacks requires operators to ensure their networks filter packets with spoofed source IP addresses, known as source address validation (SAV), best deployed at the edge of the network where traffic originates. In this paper, we present a new method using routing loops appearing in traceroute data to infer inadequate SAV at the transit provider edge, where a provider does not filter traffic that should not have come from the customer. Our method does not require a vantage point within the customer network. We present and validate an algorithm that identifies at Internet scale which loops imply a lack of ingress filtering by providers. We found 703 provider ASes that do not implement ingress filtering on at least one of their links for 1,780 customer ASes. Most of these observations are unique compared to the existing methods of the Spoofer and Open Resolver projects. 
By increasing the visibility of the networks that allow spoofing, we aim to strengthen the incentives for the adoption of SAV.","author":[{"name":"Qasim Lone","tag":"1"},{"name":"Matthew Luckie","tag":"2"},{"name":"Maciej Korczyński","tag":"1"},{"name":"Michel van Eeten","tag":"1"}],"origin":{"url":"https://link.springer.com/chapter/10.1007/978-3-319-54328-4_17","info":"PAM"},"publishDate":"2017-02-01","uri":"2017_using_loops_observed_in_traceroute_to_infer_the_ability_to_spoof","tags":["IP Address","IP Spoofing"],"titleEn":"Using Loops Observed in Traceroute to Infer the Ability to Spoof","affiliation":[{"name":"Delft University of Technology","tag":1},{"name":"University of Waikato","tag":2}],"titleCn":"Using Loops Observed in Traceroute to Infer the Ability to Spoof","cite":{"template":[{"template":"Lone Q, Luckie M, Korczyński M, et al. Using loops observed in traceroute to infer the ability to spoof[C]//Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings 18. Springer International Publishing, 2017: 229-241.","type":"GB/T 7714"},{"template":"Lone, Qasim, et al. \"Using loops observed in traceroute to infer the ability to spoof.\" Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings 18. Springer International Publishing, 2017.","type":"MLA"},{"template":"Lone, Q., Luckie, M., Korczyński, M., & Van Eeten, M. (2017). Using loops observed in traceroute to infer the ability to spoof. In Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings 18 (pp. 229-241). Springer International Publishing.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":433,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Obtaining a “snapshot” of the Internet topology remains an elusive task. 
Existing active topology discovery techniques and systems require significant probing time – time during which the underlying network may experience transient dynamics. This work considers how active probing can gather the Internet topology in minutes rather than days. Conventional approaches to active topology mapping face two primary speed and scale impediments: i) per-trace state maintenance; and ii) a low-degree of parallelism. Based on this observation, we develop Yarrp (Yelling at Random Routers Progressively), a new traceroute technique designed for high-rate, Internet-scale probing. Yarrp is stateless, reconstituting all necessary information from ICMP replies as they arrive asynchronously. To avoid overloading routers or links with probe traffic, Yarrp randomly permutes an input IP × TTL space. We run Yarrp at 100Kpps, a rate at which the paths to all IPv4 /24’s can be mapped in approximately one hour from a single vantage point. We compare Yarrp against existing systems, and present examples of topological dynamics exposed via the high sampling rates Yarrp enables.","author":[{"name":"Robert Beverly","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/2987443.2987479","info":"IMC"},"publishDate":"2016-11-14","uri":"2016_yarrp_ing_the_internet_randomized_high_speed_active_topology_discovery","tags":["IP Address"," Internet Topology"],"titleEn":"Yarrp’ing the Internet: Randomized High-Speed Active Topology Discovery","affiliation":[{"name":"Naval Postgraduate School","tag":1}],"titleCn":"Yarrp’ing the Internet: Randomized High-Speed Active Topology Discovery","cite":{"template":[{"template":"Beverly R. Yarrp'ing the Internet: Randomized high-speed active topology discovery[C]//Proceedings of the 2016 Internet Measurement Conference. 2016: 413-420.","type":"GB/T 7714"},{"template":"Beverly, Robert. \"Yarrp'ing the Internet: Randomized high-speed active topology discovery.\" Proceedings of the 2016 Internet Measurement Conference. 
2016.","type":"MLA"},{"template":"Beverly, R. (2016, November). Yarrp'ing the Internet: Randomized high-speed active topology discovery. In Proceedings of the 2016 Internet Measurement Conference (pp. 413-420).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":511,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"In this paper, we introduce Entropy/IP: a system that discovers Internet address structure based on analyses of a subset of IPv6 addresses known to be active, i.e., training data, gleaned by readily available passive and active means. The system is completely automated and employs a combination of information-theoretic and machine learning techniques to probabilistically model IPv6 addresses. We present results showing that our system is effective in exposing structural characteristics of portions of the active IPv6 Internet address space, populated by clients, services, and routers. In addition to visualizing the address structure for exploration, the system uses its models to generate candidate addresses for scanning. For each of 15 evaluated datasets, we train on 1K addresses and generate 1M candidates for scanning. We achieve some success in 14 datasets, finding up to 40% of the generated addresses to be active. In 11 of these datasets, we find active network identifiers (e.g., /64 prefixes or \"subnets\") not seen in training. 
Thus, we provide the first evidence that it is practical to discover subnets and hosts by scanning probabilistically selected areas of the IPv6 address space not known to contain active hosts a priori.","author":[{"name":"Pawel Foremski","tag":"2"},{"name":" David Plonka","tag":"1"},{"name":"Arthur Berger","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/2987443.2987445","info":"IMC"},"publishDate":"2016-11-01","uri":"2016_entropy_ip_uncovering_structure_in_ipv6_addresses","tags":["IP Address","Active IP"],"titleEn":"Entropy/IP: Uncovering Structure in IPv6 Addresses","affiliation":[{"name":"Akamai Technologies, Cambridge, MA, USA","tag":1},{"name":"Akamai Technologies, Institute of Theoretical and Applied Informatics, Polish Academy of Sciences, Gliwice, Poland","tag":2}],"titleCn":"Entropy/IP: Uncovering Structure in IPv6 Addresses","cite":{"template":[{"template":"Foremski P, Plonka D, Berger A. Entropy/ip: Uncovering structure in ipv6 addresses[C]//Proceedings of the 2016 Internet Measurement Conference. 2016: 167-181.","type":"GB/T 7714"},{"template":"Foremski, Pawel, David Plonka, and Arthur Berger. \"Entropy/ip: Uncovering structure in ipv6 addresses.\" Proceedings of the 2016 Internet Measurement Conference. 2016.","type":"MLA"},{"template":"Foremski, P., Plonka, D., & Berger, A. (2016, November). Entropy/ip: Uncovering structure in ipv6 addresses. In Proceedings of the 2016 Internet Measurement Conference (pp. 167-181).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":425,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"We tackle the tedious and unsolved problem of automatically and correctly inferring network boundaries in traceroute. We explain why such a conceptually simple task is so hard in the real world, and how lack of progress has impeded a wide range of research and development efforts for decades. 
We develop and validate a method that uses targeted traceroutes, knowledge of traceroute idiosyncrasies, and codification of topological constraints in a structured set of heuristics, to correctly identify interdomain links at the granularity of individual border routers. In this study we focus on the network boundaries we have most confidence we can accurately infer in the presence of sampling bias: interdomain links attached to the network launching the traceroute. We develop a scalable implementation of our algorithm and validate it against ground truth information provided by four networks on 3,277 links, which showed 96.3% – 98.9% of our inferences were correct. With 19 vantage points (VPs) distributed across a large U.S. broadband provider, we use our method to reveal the tremendous density of router-level interconnection between some ASes. In January 2016, the broadband provider had 45 router-level links with a Tier-1 peer. We also quantify the VP deployment required to observe this ISP's interdomain connectivity, with 17 VPs required to observe all 45 links. Our method forms the cornerstone of the system we are building to map interdomain performance, and we release our code.","author":[{"name":"Matthew Luckie","tag":"3"},{"name":" Amogh Dhamdhere","tag":"1"},{"name":" Bradley Huffaker","tag":"1"},{"name":" David Clark","tag":"2"},{"name":" kc claffy","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/pdf/10.1145/2987443.2987467","info":"IMC"},"publishDate":"2016-11-01","uri":"2016_bdrmap_inference_of_borders_between_ip_networks","tags":["Routing","AS"],"titleEn":"bdrmap: Inference of Borders Between IP Networks","affiliation":[{"name":" CAIDA/UC San Diego","tag":1},{"name":"MIT","tag":2},{"name":"University of Waikato","tag":3}],"titleCn":"bdrmap: Inference of Borders Between IP Networks","cite":{"template":[{"template":"Luckie M, Dhamdhere A, Huffaker B, et al. 
Bdrmap: Inference of borders between IP networks[C]//Proceedings of the 2016 Internet Measurement Conference. 2016: 381-396.","type":"GB/T 7714"},{"template":"Luckie, Matthew, et al. \"Bdrmap: Inference of borders between IP networks.\" Proceedings of the 2016 Internet Measurement Conference. 2016.","type":"MLA"},{"template":"Luckie, M., Dhamdhere, A., Huffaker, B., Clark, D., & Claffy, K. C. (2016, November). Bdrmap: Inference of borders between IP networks. In Proceedings of the 2016 Internet Measurement Conference (pp. 381-396).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":416,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"We explore the risk that network attackers can exploit unauthenticated Network Time Protocol (NTP) traffic to alter the time on client systems. We first discuss how an on-path attacker, that hijacks traffic to an NTP server, can quickly shift time on the server's clients. Then, we present an extremely low-rate (single packet) denial-of-service attack that an off-path attacker, located anywhere on the network, can use to disable NTP clock synchronization on a client. Next, we show how an off-path attacker can exploit IPv4 packet fragmentation to shift time on a client. We discuss the implications of these attacks on other core Internet protocols, quantify their attack surface using Internet measurements, and suggest a few simple countermeasures that can improve the security of NTP.","author":[{"name":"Aanchal Malhotra","tag":"1"},{"name":"Isaac E. 
Cohen","tag":"1"},{"name":"Erik Brakke","tag":"1"},{"name":"Sharon Goldberg","tag":"1"}],"origin":{"url":"https://www.ndss-symposium.org/wp-content/uploads/2017/09/attacking-network-time-protocol.pdf","info":"NDSS"},"publishDate":"2016-02-01","uri":"2016_attacking_the_network_time_protocol","tags":["NTP"],"titleEn":"Attacking the Network Time Protocol","affiliation":[{"name":"Boston University","tag":1}],"titleCn":"Attacking the Network Time Protocol","cite":{"template":[{"template":"Malhotra A, Cohen I E, Brakke E, et al. Attacking the network time protocol[J]. Cryptology ePrint Archive, 2015.","type":"GB/T 7714"},{"template":"Malhotra, Aanchal, et al. \"Attacking the network time protocol.\" Cryptology ePrint Archive (2015).","type":"MLA"},{"template":"Malhotra, A., Cohen, I. E., Brakke, E., & Goldberg, S. (2015). Attacking the network time protocol. Cryptology ePrint Archive.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":441,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"There is growing operational awareness of the challenges in securely operating IPv6 networks. Through a measurement study of 520,000 dual-stack servers and 25,000 dual-stack routers, we examine the extent to which security policy codified in IPv4 has also been deployed in IPv6. We find several high-value target applications with a comparatively open security policy in IPv6 including: (i) SSH, Telnet, SNMP, are more than twice as open on routers in IPv6 as they are in IPv4; (ii) nearly half of routers with BGP open were only open in IPv6; and (iii) in the server dataset, SNMP was twice as open in IPv6 as in IPv4. We conduct a detailed study of where port blocking policy is being applied and find that protocol openness discrepancies are consistent within network boundaries, suggesting a systemic failure in organizations to deploy consistent security policy. 
We successfully communicate our findings with twelve network operators and all twelve confirm that the relative openness was unintentional. Ten of the twelve immediately moved to deploy a congruent IPv6 security policy, reflecting real operational concern. Finally, we revisit the belief that the security impact of this comparative openness in IPv6 is mitigated by the infeasibility of IPv6 network-wide scanning—we find that, for both of our datasets, host addressing practices make discovering these high-value hosts feasible by scanning alone. To help operators accurately measure their own IPv6 security posture, we make our probing system publicly available.","author":[{"name":"Jakub Czyz","tag":"1,2"},{"name":"Matthew Luckie","tag":"3"},{"name":"Mark Allman","tag":"4"},{"name":"Michael Bailey","tag":"5"}],"origin":{"url":"https://www.ndss-symposium.org/wp-content/uploads/2017/09/dont-forget-lock-back-door-characterization-ipv6-network-security-policy.pdf","info":"NDSS"},"publishDate":"2016-02-01","uri":"2016_don_t_forget_to_lock_the_back_door_a_characterization_of_ipv6_network_security_policy","tags":["IP Address","Open Port"],"titleEn":"Don't forget to lock the back door! A characterization of IPv6 network security policy","affiliation":[{"name":"University of Michigan","tag":1},{"name":"QuadMetrics Inc","tag":2},{"name":"University of Waikato","tag":3},{"name":"International Computer Science Institute","tag":4},{"name":"University of Illinois at Urbana-Champaign","tag":5}],"titleCn":"Don't forget to lock the back door! A characterization of IPv6 network security policy","cite":{"template":[{"template":"Czyz J, Luckie M, Allman M, et al. Don't forget to lock the back door! A characterization of IPv6 network security policy[C]//Network and Distributed Systems Security (NDSS). 2016.","type":"GB/T 7714"},{"template":"Czyz, Jakub, et al. \"Don't forget to lock the back door! 
A characterization of IPv6 network security policy.\" Network and Distributed Systems Security (NDSS). 2016.","type":"MLA"},{"template":"Czyz, J., Luckie, M., Allman, M., & Bailey, M. (2016). Don't forget to lock the back door! A characterization of IPv6 network security policy. In Network and Distributed Systems Security (NDSS).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":431,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"This paper provides a comprehensive picture of IP-layer anycast adoption in the current Internet. We carry on multiple IPv4 anycast censuses, relying on latency measurement from PlanetLab. Next, we leverage our novel technique for anycast detection, enumeration, and geolocation [17] to quantify anycast adoption in the Internet. Our technique is scalable and, unlike previous efforts that are bound to exploiting DNS, is protocol-agnostic. Our results show that major Internet companies (including tier-1 ISPs, over-the-top operators, Cloud providers and equipment vendors) use anycast: we find that a broad range of TCP services are offered over anycast, the most popular of which include HTTP and HTTPS by anycast CDNs that serve websites from the top-100k Alexa list. 
Additionally, we complement our characterization of IPv4 anycast with a description of the challenges we faced to collect and analyze large-scale delay measurements, and the lessons learned.","author":[{"name":"Cicalese Danilo","tag":"1"},{"name":" Auge Jordan","tag":"1"},{"name":" Joumblatt Diana","tag":"1"},{"name":" Friedman Timur","tag":"2"},{"name":" Rossi Dario","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/2716281.2836101","info":"CoNEXT"},"publishDate":"2015-12-01","uri":"2015_characterizing_ipv4_anycast_adoption_and_deployment","tags":["IP Address","Anycast"],"titleEn":"Characterizing IPv4 Anycast Adoption and Deployment","affiliation":[{"name":"Telecom ParisTech","tag":1},{"name":"UPMC Sorbonne Universités","tag":2}],"titleCn":"Characterizing IPv4 Anycast Adoption and Deployment","cite":{"template":[{"template":"Cicalese D, Augé J, Joumblatt D, et al. Characterizing IPv4 anycast adoption and deployment[C]//Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies. 2015: 1-13.","type":"GB/T 7714"},{"template":"Cicalese, Danilo, et al. \"Characterizing IPv4 anycast adoption and deployment.\" Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies. 2015.","type":"MLA"},{"template":"Cicalese, D., Augé, J., Joumblatt, D., Friedman, T., & Rossi, D. (2015, December). Characterizing IPv4 anycast adoption and deployment. In Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies (pp. 1-13).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":501,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Since several years, millions of recursive DNS resolvers are-deliberately or not-open to the public. This, however, is counter-intuitive, since the operation of such openly accessible DNS resolvers is necessary in rare cases only. 
Furthermore, open resolvers enable both amplification DDoS and cache snooping attacks, and can be abused by attackers in multiple other ways. We thus find open recursive DNS resolvers to remain one critical phenomenon on the Internet. In this paper, we illuminate this phenomenon by analyzing it from two different angles. On the one hand, we study the landscape of DNS resolvers based on empirical data we collected for over a year. We analyze the changes over time and classify the resolvers according to device type and software version. On the other hand, we take the viewpoint of a client and measure the response authenticity of these resolvers. Besides legitimate redirections (e.g., to captive portals or router login pages), we find millions of resolvers to deliberately manipulate DNS resolutions (i.e., return bogus IP address information). To understand this threat in more detail, we systematically analyze non-legitimate DNS responses and reveal open DNS resolvers that manipulate DNS resolutions to censor communication channels, inject advertisements, serve malicious files, perform phishing, or redirect to other kinds of suspicious or malicious activities.","author":[{"name":"Marc Kührer","tag":"1"},{"name":"Thomas Hupperich","tag":"1"},{"name":"Jonas Bushart","tag":"2"},{"name":"Christian Rossow","tag":"2"},{"name":"Thorsten Holz","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/2815675.2815683","info":"IMC"},"publishDate":"2015-10-28","uri":"2015_going_wild_large_scale_classification_of_open_dns_resolvers","tags":["DNS","DNS resolver"],"titleEn":"Going Wild: Large-Scale Classification of Open DNS Resolvers","affiliation":[{"name":"Ruhr-University Bochum","tag":1},{"name":"Saarland University","tag":2}],"titleCn":"Going Wild: Large-Scale Classification of Open DNS Resolvers","cite":{"template":[{"template":"Kührer M, Hupperich T, Bushart J, et al. 
Going wild: Large-scale classification of open DNS resolvers[C]//Proceedings of the 2015 Internet Measurement Conference. 2015: 355-368.","type":"GB/T 7714"},{"template":"Kührer, Marc, et al. \"Going wild: Large-scale classification of open DNS resolvers.\" Proceedings of the 2015 Internet Measurement Conference. 2015.","type":"MLA"},{"template":"Kührer, M., Hupperich, T., Bushart, J., Rossow, C., & Holz, T. (2015, October). Going wild: Large-scale classification of open DNS resolvers. In Proceedings of the 2015 Internet Measurement Conference (pp. 355-368).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":509,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Critical to the security of any public key infrastructure (PKI) is the ability to revoke previously issued certificates. While the overall SSL ecosystem is well-studied, the frequency with which certificates are revoked and the circumstances under which clients (e.g., browsers) check whether certificates are revoked are still not well-understood. In this paper, we take a close look at certificate revocations in the Web's PKI. Using 74 full IPv4 HTTPS scans, we find that a surprisingly large fraction (8%) of the certificates served have been revoked, and that obtaining certificate revocation information can often be expensive in terms of latency and bandwidth for clients. We then study the revocation checking behavior of 30 different combinations of web browsers and operating systems; we find that browsers often do not bother to check whether certificates are revoked (including mobile browsers, which uniformly never check). We also examine the CRLSet infrastructure built into Google Chrome for disseminating revocations; we find that CRLSet only covers 0.35% of all revocations. 
Overall, our results paint a bleak picture of the ability to effectively revoke certificates today.","author":[{"name":"Yabing Liu","tag":"4"},{"name":"Will Tome","tag":"4"},{"name":" Liang Zhang","tag":"4"},{"name":" David Choffnes","tag":"4"},{"name":"Dave Levin","tag":"3"},{"name":" Bruce Maggs","tag":"2"},{"name":" Alan Mislove","tag":"4"},{"name":"Aaron Schulman","tag":"1"},{"name":" Christo Wilson","tag":"4"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/2815675.2815685","info":"IMC"},"publishDate":"2015-10-28","uri":"2015_an_end_to_end_measurement_of_certificate_revocation_in_the_web_s_pki","tags":["HTTPS","Web PKI"],"titleEn":"An End-to-End Measurement of Certificate Revocation in the Web's PKI","affiliation":[{"name":"Stanford University","tag":1},{"name":"Duke University and Akamai Technologies","tag":2},{"name":"University of Maryland","tag":3},{"name":"Northeastern University","tag":4}],"titleCn":"An End-to-End Measurement of Certificate Revocation in the Web's PKI","cite":{"template":[{"template":"Liu Y, Tome W, Zhang L, et al. An end-to-end measurement of certificate revocation in the web's PKI[C]//Proceedings of the 2015 Internet Measurement Conference. 2015: 183-196.","type":"GB/T 7714"},{"template":"Liu, Yabing, et al. \"An end-to-end measurement of certificate revocation in the web's PKI.\" Proceedings of the 2015 Internet Measurement Conference. 2015.","type":"MLA"},{"template":"Liu, Y., Tome, W., Zhang, L., Choffnes, D., Levin, D., Maggs, B., ... & Wilson, C. (2015, October). An end-to-end measurement of certificate revocation in the web's PKI. In Proceedings of the 2015 Internet Measurement Conference (pp. 183-196).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":413,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"The goal of our work is to characterize the current state of Cuba's access to the wider Internet. 
This work is motivated by recent improvements in connectivity to the island and the growing commercial interest following the ease of restrictions on travel and trade with the US. In this paper, we profile Cuba's networks, their connections to the rest of the world, and the routes of international traffic going to and from the island. Despite the addition of the ALBA-1 submarine cable, we find that round trip times to websites hosted off the island remain very high; pings to popular websites frequently took over 300 ms. We also find a high degree of path asymmetry in traffic to/from Cuba. Specifically, in our analysis we find that traffic going out of Cuba typically travels through the ALBA-1 cable, but, surprisingly, traffic on the reverse path often traverses high-latency satellite links, adding over 200 ms to round trip times. Last, we analyze queries to public DNS servers and SSL certificate requests to characterize the availability of network services in Cuba.","author":[{"name":"Zachary S. Bischof","tag":"1"},{"name":" John P. Rula","tag":"1"},{"name":" Fabian E. Bustamante","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/2815675.2815718","info":"IMC"},"publishDate":"2015-10-28","uri":"2015_in_and_out_of_cuba_characterizing_cuba_s_connectivity","tags":["Submarine Cable"],"titleEn":"In and Out of Cuba: Characterizing Cuba's Connectivity","affiliation":[{"name":"Northwestern University","tag":1}],"titleCn":"In and Out of Cuba: Characterizing Cuba's Connectivity","cite":{"template":[{"template":"Bischof Z S, Rula J P, Bustamante F E. In and out of Cuba: Characterizing Cuba's connectivity[C]//Proceedings of the 2015 Internet Measurement Conference. 2015: 487-493.","type":"GB/T 7714"},{"template":"Bischof, Zachary S., John P. Rula, and Fabián E. Bustamante. \"In and out of Cuba: Characterizing Cuba's connectivity.\" Proceedings of the 2015 Internet Measurement Conference. 2015.","type":"MLA"},{"template":"Bischof, Z. S., Rula, J. 
P., & Bustamante, F. E. (2015, October). In and out of Cuba: Characterizing Cuba's connectivity. In Proceedings of the 2015 Internet Measurement Conference (pp. 487-493).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":458,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Fast Internet-wide scanning has opened new avenues for security research, ranging from uncovering widespread vulnerabilities in random number generators to tracking the evolving impact of Heartbleed. However, this technique still requires significant effort: even simple questions, such as, \"What models of embedded devices prefer CBC ciphers?\", require developing an application scanner, manually identifying and tagging devices, negotiating with network administrators, and responding to abuse complaints. In this paper, we introduce Censys, a public search engine and data processing facility backed by data collected from ongoing Internet-wide scans. Designed to help researchers answer security-related questions, Censys supports full-text searches on protocol banners and querying a wide range of derived fields (e.g., 443.https.cipher). It can identify specific vulnerable devices and networks and generate statistical reports on broad usage patterns and trends. Censys returns these results in sub-second time, dramatically reducing the effort of understanding the hosts that comprise the Internet. We present the search engine architecture and experimentally evaluate its performance. We also explore Censys's applications and show how questions asked in recent studies become simple to answer.","author":[{"name":"Zakir Durumeric","tag":"1"},{"name":"David Adrian","tag":"1"},{"name":"Ariana Mirian","tag":"1"},{"name":"Michael Bailey","tag":"2"},{"name":"J. 
Alex Halderman","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/2810103.2813703","info":"CCS"},"publishDate":"2015-10-12","uri":"2015_a_search_engine_backed_by_internet_wide_scanning","tags":["HTTPS","TLS"],"titleEn":"A Search Engine Backed by Internet-Wide Scanning","affiliation":[{"name":"University of Michigan","tag":1},{"name":"University of Illinois Urbana Champaign","tag":2}],"titleCn":"A Search Engine Backed by Internet-Wide Scanning","cite":{"template":[{"template":"Durumeric Z, Adrian D, Mirian A, et al. A search engine backed by Internet-wide scanning[C]//Proceedings of the 22nd ACM SIGSAC conference on computer and communications security. 2015: 542-553.","type":"GB/T 7714"},{"template":"Durumeric, Zakir, et al. \"A search engine backed by Internet-wide scanning.\" Proceedings of the 22nd ACM SIGSAC conference on computer and communications security. 2015.","type":"MLA"},{"template":"Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., & Halderman, J. A. (2015, October). A search engine backed by Internet-wide scanning. In Proceedings of the 22nd ACM SIGSAC conference on computer and communications security (pp. 542-553).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":401,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Use of IP-layer anycast has increased in the last few years: once relegated to DNS root and top-level domain servers, anycast is now commonly used to assist distribution of general purpose content by CDN providers. Yet, the measurement techniques for discovering anycast replicas have been designed around DNS, limiting their usefulness to this particular service. This raises the need for protocol agnostic methodologies, that should additionally be as lightweight as possible in order to scale up anycast service discovery. 
This is precisely the aim of this paper, which proposes a new method for exhaustive and accurate enumeration and city-level geolocation of anycast instances, requiring only a handful of latency measurements from a set of known vantage points. Our method exploits an iterative workflow that enumerates (an optimization problem) and geolocates (a classification problem) anycast replicas. We thoroughly validate our methodology on available ground truth (several DNS root servers), using multiple measurement infrastructures (PlanetLab, RIPE), obtaining extremely accurate results (even with simple algorithms, that we compare with the global optimum), that we make available to the scientific community. Compared to the state of the art work that appeared in INFOCOM 2013 and IMC 2013, our technique (i) is not bound to a specific protocol, (ii) requires 1000 times fewer vantage points, not only (iii) achieves over 50% recall but also (iv) accurately identifies the city-level geolocation for over 78% of the enumerated servers, with (v) a mean geolocation error of 361 km for all enumerated servers.","author":[{"name":"Cicalese Danilo","tag":"1"},{"name":" Joumblatt Diana","tag":"1"},{"name":" Rossi Dario","tag":"1"},{"name":" Buob Marc-Olivier","tag":"2"},{"name":" Auge Jordan","tag":"2"},{"name":" Friedman Timur","tag":"2"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/7218670","info":"INFOCOM"},"publishDate":"2015-05-01","uri":"2015_a_fistful_of_pings_accurate_and_lightweight_anycast_enumeration_and_geolocation","tags":["IP Address","Anycast"],"titleEn":"A Fistful of Pings: Accurate and Lightweight Anycast Enumeration and Geolocation","affiliation":[{"name":"Telecom ParisTech","tag":1},{"name":"UPMC Sorbonne Universités","tag":2}],"titleCn":"A Fistful of Pings: Accurate and Lightweight Anycast Enumeration and Geolocation","cite":{"template":[{"template":"Cicalese D, Joumblatt D, Rossi D, et al. 
A fistful of pings: Accurate and lightweight anycast enumeration and geolocation[C]//2015 IEEE Conference on Computer Communications (INFOCOM). IEEE, 2015: 2776-2784.","type":"GB/T 7714"},{"template":"Cicalese, Danilo, et al. \"A fistful of pings: Accurate and lightweight anycast enumeration and geolocation.\" 2015 IEEE Conference on Computer Communications (INFOCOM). IEEE, 2015.","type":"MLA"},{"template":"Cicalese, D., Joumblatt, D., Rossi, D., Buob, M. O., Augé, J., & Friedman, T. (2015, April). A fistful of pings: Accurate and lightweight anycast enumeration and geolocation. In 2015 IEEE Conference on Computer Communications (INFOCOM) (pp. 2776-2784). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":505,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Distributed Denial of Service (DDoS) attacks based on Network Time Protocol (NTP) amplification, which became prominent in December 2013, have received significant global attention. We chronicle how this attack rapidly rose from obscurity to become the dominant large DDoS vector. Via the lens of five distinct datasets, we characterize the advent and evolution of these attacks. Through a dataset that measures a large fraction of global Internet traffic, we show a three order of magnitude rise in NTP. Using a large darknet, we observe a similar rise in global scanning activity, both malicious and research. We then dissect an active probing dataset, which reveals that the pool of amplifiers totaled 2.2M unique IPs and includes a small number of \"mega amplifiers,\" servers that replied to a single tiny probe packet with gigabytes of data. This dataset also allows us, for the first time, to analyze global DDoS attack victims (including ports attacked) and incidents, where we show 437K unique IPs targeted with at least 3 trillion packets, totaling more than a petabyte. Finally, ISP datasets shed light on the local impact of these attacks. 
In aggregate, we show the magnitude of this major Internet threat, the community's response, and the effect of that response.","author":[{"name":"Jakub Czyz","tag":"1"},{"name":"Michael Kallitsis","tag":"2"},{"name":" Manaf Gharaibeh","tag":"4"},{"name":"Christos Papadopoulos","tag":"4"},{"name":"Michael Bailey","tag":"3"},{"name":"Manish Karir","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/2663716.2663717","info":"IMC"},"publishDate":"2014-09-05","uri":"2014_taming_the_800_pound_gorilla_the_rise_and_decline_of_ntp_ddos_attacks","tags":["NTP"],"titleEn":"Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks","affiliation":[{"name":"University of Michigan","tag":1},{"name":"Merit Network","tag":2},{"name":"University of Michigan and University of Illinois","tag":3},{"name":"Colorado State University","tag":4}],"titleCn":"Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks","cite":{"template":[{"template":"Czyz J, Kallitsis M, Gharaibeh M, et al. Taming the 800 pound gorilla: The rise and decline of NTP DDoS attacks[C]//Proceedings of the 2014 Conference on Internet Measurement Conference. 2014: 435-448.","type":"GB/T 7714"},{"template":"Czyz, Jakub, et al. \"Taming the 800 pound gorilla: The rise and decline of NTP DDoS attacks.\" Proceedings of the 2014 Conference on Internet Measurement Conference. 2014.","type":"MLA"},{"template":"Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., & Karir, M. (2014, November). Taming the 800 pound gorilla: The rise and decline of NTP DDoS attacks. In Proceedings of the 2014 Conference on Internet Measurement Conference (pp. 435-448).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":440,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Amplification vulnerabilities in many UDP-based network protocols have been abused by miscreants to launch Distributed Denial-of-Service (DDoS) attacks that exceed hundreds of Gbps in traffic volume. 
However, up to now little is known about the nature of the amplification sources and about countermeasures one can take to remediate these vulnerable systems. Is there any hope in mitigating the amplification problem? In this paper, we aim to answer this question and tackle the problem from four different angles. In a first step, we monitored and classified amplification sources, showing that amplifiers have a high diversity in terms of operating systems and architectures. Based on these results, we then collaborated with the security community in a large-scale campaign to reduce the number of vulnerable NTP servers by more than 92%. To assess possible next steps of attackers, we evaluate amplification vulnerabilities in the TCP handshake and show that attackers can abuse millions of hosts to achieve 20x amplification. Lastly, we analyze the root cause for amplification attacks: networks that allow IP address spoofing. We deploy a method to identify spoofing-enabled networks *from remote* and reveal up to 2,692 Autonomous Systems that lack egress filtering.","author":[{"name":"Marc Kührer","tag":"2"},{"name":"Thomas Hupperich","tag":"3,1"},{"name":"Christian Rossow","tag":"3,1"},{"name":"Thorsten Holz","tag":"3,1"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kuhrer","info":"Security"},"publishDate":"2014-08-01","uri":"2014_exit_from_hell_reducing_the_impact_of_ampli_cation_ddos_attacks","tags":["IP Address","IP Spoofing"],"titleEn":"Exit from Hell? Reducing the Impact of Amplification DDoS Attacks","affiliation":[{"name":" Ruhr-University Bochum","tag":1},{"name":"Horst Görtz Institute for IT-Security Ruhr-University Bochum","tag":2},{"name":"Horst Görtz Institute for IT-Security","tag":3}],"titleCn":"Exit from Hell? Reducing the Impact of Amplification DDoS Attacks","cite":{"template":[{"template":"Kührer M, Hupperich T, Rossow C, et al. Exit from Hell? 
Reducing the Impact of Amplification DDoS Attacks[C]//23rd USENIX security symposium (USENIX security 14). 2014: 111-125.","type":"GB/T 7714"},{"template":"Kührer, Marc, et al. \"Exit from Hell? Reducing the Impact of Amplification DDoS Attacks.\" 23rd USENIX security symposium (USENIX security 14). 2014.","type":"MLA"},{"template":"Kührer, M., Hupperich, T., Rossow, C., & Holz, T. (2014). Exit from Hell? Reducing the Impact of Amplification DDoS Attacks. In 23rd USENIX security symposium (USENIX security 14) (pp. 111-125).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":432,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Modern content-distribution networks both provide bulk content and act as \"serving infrastructure\" for web services in order to reduce user-perceived latency. Serving infrastructures such as Google's are now critical to the online economy, making it imperative to understand their size, geographic distribution, and growth strategies. To this end, we develop techniques that enumerate IP addresses of servers in these infrastructures, find their geographic location, and identify the association between clients and clusters of servers. While general techniques for server enumeration and geolocation can exhibit large error, our techniques exploit the design and mechanisms of serving infrastructure to improve accuracy. We use the EDNS-client-subnet DNS extension to measure which clients a service maps to which of its serving sites. We devise a novel technique that uses this mapping to geolocate servers by combining noisy information about client locations with speed-of-light constraints. We demonstrate that this technique substantially improves geolocation accuracy relative to existing approaches. We also cluster server IP addresses into physical sites by measuring RTTs and adapting the cluster thresholds dynamically. 
Google's serving infrastructure has grown dramatically in the ten months, and we use our methods to chart its growth and understand its content serving strategy. We find that the number of Google serving sites has increased more than sevenfold, and most of the growth has occurred by placing servers in large and small ISPs across the world, not by expanding Google's backbone.","author":[{"name":"Calder Matt","tag":"2"},{"name":" Fan Xun","tag":"1"},{"name":" Hu Zi","tag":"1"},{"name":" Katz-Bassett Ethan","tag":"2"},{"name":" Heidemann John","tag":"1"},{"name":" Govindan Ramesh","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/2504730.2504754","info":"IMC"},"publishDate":"2013-10-23","uri":"2013_mapping_the_expansion_of_google_s_serving_infrastructure","tags":["CDN"],"titleEn":"Mapping the Expansion of Google’s Serving Infrastructure","affiliation":[{"name":"USC/ISI","tag":1},{"name":"University of Southern California","tag":2}],"titleCn":"Mapping the Expansion of Google’s Serving Infrastructure","cite":{"template":[{"template":"Calder M, Fan X, Hu Z, et al. Mapping the expansion of Google's serving infrastructure[C]//Proceedings of the 2013 conference on Internet measurement conference. 2013: 313-326.","type":"GB/T 7714"},{"template":"Calder, Matt, et al. \"Mapping the expansion of Google's serving infrastructure.\" Proceedings of the 2013 conference on Internet measurement conference. 2013.","type":"MLA"},{"template":"Calder, M., Fan, X., Hu, Z., Katz-Bassett, E., Heidemann, J., & Govindan, R. (2013, October). Mapping the expansion of Google's serving infrastructure. In Proceedings of the 2013 conference on Internet measurement conference (pp. 313-326).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":498,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"The Domain Name System (DNS) is a critical component of the Internet infrastructure. 
It allows users to interact with Web sites using human-readable names and provides a foundation for transparent client request distribution among servers in Web platforms, such as content delivery networks. In this paper, we present methodologies for efficiently discovering the complex client-side DNS infrastructure. We further develop measurement techniques for isolating the behavior of the distinct actors in the infrastructure. Using these strategies, we study various aspects of the client-side DNS infrastructure and its behavior with respect to caching, both in aggregate and separately for different actors.","author":[{"name":"Kyle Schomp","tag":"2"},{"name":"Tom Callahan","tag":"2"},{"name":"Michael Rabinovich","tag":"2"},{"name":"Mark Allman","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/2504730.2504734","info":"IMC"},"publishDate":"2013-10-23","uri":"2013_on_measuring_the_client_side_dns_infrastructure","tags":["DNS","DNS resolver"],"titleEn":"On Measuring the Client-Side DNS Infrastructure","affiliation":[{"name":"International Computer Science Institute","tag":1},{"name":"Case Western Reserve University","tag":2}],"titleCn":"On Measuring the Client-Side DNS Infrastructure","cite":{"template":[{"template":"Schomp K, Callahan T, Rabinovich M, et al. On measuring the client-side DNS infrastructure[C]//Proceedings of the 2013 conference on Internet measurement conference. 2013: 77-90.","type":"GB/T 7714"},{"template":"Schomp, Kyle, et al. \"On measuring the client-side DNS infrastructure.\" Proceedings of the 2013 conference on Internet measurement conference. 2013.","type":"MLA"},{"template":"Schomp, K., Callahan, T., Rabinovich, M., & Allman, M. (2013, October). On measuring the client-side DNS infrastructure. In Proceedings of the 2013 conference on Internet measurement conference (pp. 
77-90).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":508,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Internet-wide network scanning has numerous security applications, including exposing new vulnerabilities and tracking the adoption of defensive mechanisms, but probing the entire public address space with existing tools is both difficult and slow. We introduce ZMap, a modular, open-source network scanner specifically architected to perform Internet-wide scans and capable of surveying the entire IPv4 address space in under 45 minutes from user space on a single machine, approaching the theoretical maximum speed of gigabit Ethernet. We present the scanner architecture, experimentally characterize its performance and accuracy, and explore the security implications of high speed Internet-scale network surveys, both offensive and defensive. We also discuss best practices for good Internet citizenship when performing Internet-wide surveys, informed by our own experiences conducting a long-term research survey over the past year.","author":[{"name":"Zakir Durumeric","tag":"1"},{"name":"Eric Wustrow","tag":"1"},{"name":"J. Alex Halderman","tag":"1"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/durumeric","info":"Security"},"publishDate":"2013-08-01","uri":"2013_zmap_fast_internet_wide_scanning_and_its_security_applications","tags":["IP Address","Active IP"],"titleEn":"ZMap: Fast Internet-wide Scanning and Its Security Applications","affiliation":[{"name":"University of Michigan","tag":1}],"titleCn":"ZMap: Fast Internet-wide Scanning and Its Security Applications","cite":{"template":[{"template":"Durumeric Z, Wustrow E, Halderman J A. ZMap: Fast internet-wide scanning and its security applications[C]//22nd USENIX Security Symposium (USENIX Security 13). 2013: 605-620.","type":"GB/T 7714"},{"template":"Durumeric, Zakir, Eric Wustrow, and J. Alex Halderman. 
\"ZMap: Fast internet-wide scanning and its security applications.\" 22nd USENIX Security Symposium (USENIX Security 13). 2013.","type":"MLA"},{"template":"Durumeric, Z., Wustrow, E., & Halderman, J. A. (2013). ZMap: Fast internet-wide scanning and its security applications. In 22nd USENIX Security Symposium (USENIX Security 13) (pp. 605-620).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":423,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"IP anycast is a central part of production DNS. While prior work has explored proximity, affinity and load balancing for some anycast services, there has been little attention to third-party discovery and enumeration of components of an anycast service. Enumeration can reveal abnormal service configurations, benign masquerading or hostile hijacking of anycast services, and help characterize anycast deployment. In this paper, we discuss two methods to identify and characterize anycast nodes. The first uses an existing anycast diagnosis method based on CHAOS-class DNS records but augments it with traceroute to resolve ambiguities. The second proposes Internet-class DNS records which permit accurate discovery through the use of existing recursive DNS infrastructure. We validate these two methods against three widely-used anycast DNS services, using a very large number (60k and 300k) of vantage points, and show that they can provide excellent precision and recall. Finally, we use these methods to evaluate anycast deployments in top-level domains (TLDs), and find one case where a third-party operates a server masquerading as a root DNS anycast node as well as a noticeable proportion of unusual DNS proxies. 
We also show that, across all TLDs, up to 72% use anycast.","author":[{"name":"Fan Xun","tag":"1"},{"name":" Heidemann John","tag":"1"},{"name":" Govindan Ramesh","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/6566965","info":"INFOCOM"},"publishDate":"2013-04-14","uri":"2013_evaluating_anycast_in_the_domain_name_system","tags":["IP Address","Anycast"],"titleEn":"Evaluating Anycast in the Domain Name System","affiliation":[{"name":"University of Southern California","tag":1}],"titleCn":"Evaluating Anycast in the Domain Name System","cite":{"template":[{"template":"Fan X, Heidemann J, Govindan R. Evaluating anycast in the domain name system[C]//2013 Proceedings IEEE INFOCOM. IEEE, 2013: 1681-1689.","type":"GB/T 7714"},{"template":"Fan, Xun, John Heidemann, and Ramesh Govindan. \"Evaluating anycast in the domain name system.\" 2013 Proceedings IEEE INFOCOM. IEEE, 2013.","type":"MLA"},{"template":"Fan, X., Heidemann, J., & Govindan, R. (2013, April). Evaluating anycast in the domain name system. In 2013 Proceedings IEEE INFOCOM (pp. 1681-1689). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":500,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Business relationships between ASes in the Internet are typically confidential, yet knowledge of them is essential to understand many aspects of Internet structure, performance, dynamics, and evolution. We present a new algorithm to infer these relationships using BGP paths. Unlike previous approaches, our algorithm does not assume the presence (or seek to maximize the number) of valley-free paths, instead relying on three assumptions about the Internet's inter-domain structure: (1) an AS enters into a provider relationship to become globally reachable; and (2) there exists a peering clique of ASes at the top of the hierarchy, and (3) there is no cycle of p2c links. 
We assemble the largest source of validation data for AS-relationship inferences to date, validating 34.6% of our 126,082 c2p and p2p inferences to be 99.6% and 98.7% accurate, respectively. Using these inferred relationships, we evaluate three algorithms for inferring each AS's customer cone, defined as the set of ASes an AS can reach using customer links. We demonstrate the utility of our algorithms for studying the rise and fall of large transit providers over the last fifteen years, including recent claims about the flattening of the AS-level topology and the decreasing influence of tier-1 ASes on the global Internet.","author":[{"name":"Matthew Luckie","tag":"2"},{"name":" Bradley Huffaker","tag":"3"},{"name":" Amogh Dhamdhere","tag":"3"},{"name":" Vasileios Giotsas","tag":"1"},{"name":" kc claffy","tag":"3"}],"origin":{"url":"https://core.ac.uk/download/pdf/151212609.pdf","info":"IMC"},"publishDate":"2013-01-01","uri":"2013_as_relationships_customer_cones_and_validation","tags":["Routing","AS Relationship"],"titleEn":"AS relationships, customer cones, and validation","affiliation":[{"name":"University College London","tag":1},{"name":"University of Waikato","tag":2},{"name":" caida/UC San Diego","tag":3}],"titleCn":"AS relationships, customer cones, and validation","cite":{"template":[{"template":"Luckie M, Huffaker B, Dhamdhere A, et al. AS relationships, customer cones, and validation[C]//Proceedings of the 2013 conference on Internet measurement conference. 2013: 243-256.","type":"GB/T 7714"},{"template":"Luckie, Matthew, et al. \"AS relationships, customer cones, and validation.\" Proceedings of the 2013 conference on Internet measurement conference. 2013.","type":"MLA"},{"template":"Luckie, M., Huffaker, B., Dhamdhere, A., Giotsas, V., & Claffy, K. C. (2013, October). AS relationships, customer cones, and validation. In Proceedings of the 2013 conference on Internet measurement conference (pp. 
243-256).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":418,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Border Gateway Protocol (BGP) plays a critical role in the Internet inter-domain routing reliability. Invalid routes generated by mis-configurations or forged by malicious attacks may hijack the traffic and devastate the Internet routing system, but it is unlikely that a secure BGP can be deployed in the near future to completely prevent them. Although many hijacking detection systems have been developed, they more or less have weaknesses such as long detection delay, high false alarm rate and deployment difficulty, and no systematic detection results have been studied. This paper proposes Argus, an agile system that can accurately detect prefix hijackings and deduce the underlying cause of route anomalies in a very fast way. Argus is based on correlating the control and data plane information closely and pervasively, and has been continuously monitoring the Internet for more than one year. During this period, around 40K routing anomalies were detected, from which 220 stable prefix hijackings were identified. Our analysis on these events shows that, hijackings that have only been theoretically studied before do exist in the Internet. Although the frequency of new hijackings is nearly stable, more specific prefixes are hijacked more frequently. Around 20% of the hijackings last less than ten minutes, and some can pollute 90% of the Internet in less than two minutes. These characteristics make Argus especially useful in practice. 
We further analyze some representative cases in detail to help increase the understanding of prefix hijackings in the Internet.","author":[{"name":"Xingang Shi","tag":"2"},{"name":"Yang Xiang","tag":"1"},{"name":"Zhiliang Wang","tag":"2"},{"name":"Xia Yin","tag":"1"},{"name":"Jianping Wu","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/10.1145/2398776.2398779","info":"IMC"},"publishDate":"2012-11-14","uri":"2012_detecting_prefix_hijackings_in_the_internet_with_argus","tags":["Routing","BGP Hijacking"],"titleEn":"Detecting prefix hijackings in the internet with argus","affiliation":[{"name":"Department of Computer Science & Technology,Tsinghua University","tag":1},{"name":"Institute for Network Sciences and Cyberspace,Tsinghua University","tag":2}],"titleCn":"Detecting prefix hijackings in the internet with argus","cite":{"template":[{"template":"Shi X, Xiang Y, Wang Z, et al. Detecting prefix hijackings in the internet with argus[C]//Proceedings of the 2012 Internet Measurement Conference. 2012: 15-28.","type":"GB/T 7714"},{"template":"Shi, Xingang, et al. \"Detecting prefix hijackings in the internet with argus.\" Proceedings of the 2012 Internet Measurement Conference. 2012.","type":"MLA"},{"template":"Shi, X., Xiang, Y., Wang, Z., Yin, X., & Wu, J. (2012, November). Detecting prefix hijackings in the internet with argus. In Proceedings of the 2012 Internet Measurement Conference (pp. 15-28).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":466,"keyword":[""],"fileType":3},{"paperType":1,"abstracts":"Many botnet detection systems employ a blacklist of known command and control (C&C) domains to detect bots and block their traffic. Similar to signature-based virus detection, such a botnet detection approach is static because the blacklist is updated only after running an external (and often manual) process of domain discovery. 
As a response, botmasters have begun employing domain generation algorithms (DGAs) to dynamically produce a large number of random domain names and select a small subset for actual C&C use. That is, a C&C domain is randomly generated and used for a very short period of time, thus rendering detection approaches that rely on static domain lists ineffective. Naturally, if we know how a domain generation algorithm works, we can generate the domains ahead of time and still identify and block botnet C&C traffic. The existing solutions are largely based on reverse engineering of the bot malware executables, which is not always feasible. In this paper we present a new technique to detect randomly generated domains without reversing. Our insight is that most of the DGA-generated (random) domains that a bot queries would result in Non-Existent Domain (NXDomain) responses, and that bots from the same botnet (with the same DGA algorithm) would generate similar NXDomain traffic. Our approach uses a combination of clustering and classification algorithms. The clustering algorithm clusters domains based on the similarity in the make-ups of domain names as well as the groups of machines that queried these domains. The classification algorithm is used to assign the generated clusters to models of known DGAs. If a cluster cannot be assigned to a known model, then a new model is produced, indicating a new DGA variant or family. We implemented a prototype system and evaluated it on real-world DNS traffic obtained from large ISPs in North America. We report the discovery of twelve DGAs. 
Half of them are variants of known (botnet) DGAs, and the other half are brand new DGAs that have never been reported before.","author":[{"name":"Manos Antonakakis","tag":"2,1"},{"name":" Roberto Perdisci","tag":"3,1"},{"name":" Yacin Nadji","tag":"4"},{"name":" Nikolaos Vasiloglou","tag":"2"},{"name":" Saeed Abu-Nimeh","tag":"2"},{"name":" Wenke Lee","tag":"4"},{"name":" David Dagon","tag":"4"}],"origin":{"url":"https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis","info":"Security"},"publishDate":"2012-08-08","uri":"2012_from_throw_away_traffic_to_bots_detecting_the_rise_of_dga_based_malware","tags":["DNS","Domain Name"],"titleEn":"From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware","affiliation":[{"name":" Georgia Institute of Technology","tag":1},{"name":"Damballa Inc.","tag":2},{"name":"University of Georgia","tag":3},{"name":"Georgia Institute of Technology","tag":4}],"titleCn":"From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware","cite":{"template":[{"template":"Antonakakis M, Perdisci R, Nadji Y, et al. From Throw-Away traffic to bots: Detecting the rise of DGA-Based malware[C]//21st USENIX Security Symposium (USENIX Security 12). 2012: 491-506.","type":"GB/T 7714"},{"template":"Antonakakis, Manos, et al. \"From Throw-Away traffic to bots: Detecting the rise of DGA-Based malware.\" 21st USENIX Security Symposium (USENIX Security 12). 2012.","type":"MLA"},{"template":"Antonakakis, M., Perdisci, R., Nadji, Y., Vasiloglou, N., Abu-Nimeh, S., Lee, W., & Dagon, D. (2012). From Throw-Away traffic to bots: Detecting the rise of DGA-Based malware. In 21st USENIX Security Symposium (USENIX Security 12) (pp. 491-506).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":470,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"Operators have deployed Multiprotocol Label Switching (MPLS) in the Internet for over a decade. 
However, its impact on Internet topology measurements is not well known, and it is possible for some MPLS configurations to lead to false router-level links in maps derived from traceroute data. In this paper, we introduce a measurement-based classification of MPLS tunnels, identifying tunnels where IP hops are revealed but not explicitly tagged as label switching routers, as well as tunnels that obscure the underlying path. Using a large-scale dataset we collected, we show that paths frequently cross MPLS tunnels in today’s Internet: in our data, at least 30% of the paths we tested traverse an MPLS tunnel. We also propose and evaluate several methods to reveal MPLS tunnels that are not explicitly flagged as such: we discover that their fraction is significant (up to half the explicit tunnel quantity) but most of them do not obscure IP-level topology discovery.","author":[{"name":"Benoit Donnet","tag":"1"},{"name":" Matthew Luckie","tag":"2"},{"name":" Pascal Mérindol","tag":"3"},{"name":" Jean-Jacques Pansiot","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/2185376.2185388","info":"SIGCOMM"},"publishDate":"2012-03-29","uri":"2012_revealing_mpls_tunnels_obscured_from_traceroute","tags":["IP Address","Traceroute"],"titleEn":"Revealing MPLS Tunnels Obscured from Traceroute","affiliation":[{"name":"Université de Liège","tag":1},{"name":"caida/UC San Diego","tag":2},{"name":"Université de Strasbourg","tag":3}],"titleCn":"Revealing MPLS Tunnels Obscured from Traceroute","cite":{"template":[{"template":"Donnet B, Luckie M, Mérindol P, et al. Revealing MPLS tunnels obscured from traceroute[J]. ACM SIGCOMM Computer Communication Review, 2012, 42(2): 87-93.","type":"GB/T 7714"},{"template":"Donnet, Benoit, et al. \"Revealing MPLS tunnels obscured from traceroute.\" ACM SIGCOMM Computer Communication Review 42.2 (2012): 87-93.","type":"MLA"},{"template":"Donnet, B., Luckie, M., Mérindol, P., & Pansiot, J. J. (2012). 
Revealing MPLS tunnels obscured from traceroute. ACM SIGCOMM Computer Communication Review, 42(2), 87-93.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":455,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Tools to measure Internet properties usually assume the existence of just one single path from a source to a destination. However, load-balancing capabilities, which create multiple active paths between two end-hosts, are available in most contemporary routers. This paper extends Paris traceroute and proposes an extensive characterization of multipath routing in the Internet. We use Paris traceroute from RON and PlanetLab nodes to collect various datasets in 2007 and 2009. Our results show that the traditional concept of a single network path between hosts no longer holds. For instance, 39% of the source–destination pairs in our 2007 traces traverse a load balancer. This fraction increases to 72% if we consider the paths between a source and a destination network. In 2009, we notice a consolidation of per-flow and per-destination techniques and confirm that per-packet load balancing is rare.","author":[{"name":"Brice Augustin","tag":"1"},{"name":"Timur Friedman","tag":"1"},{"name":"Renata Teixeira","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/5671515/","info":"ToN"},"publishDate":"2010-12-17","uri":"2010_measuring_multipath_routing_in_the_internet","tags":["IP Address"," Internet Topology"],"titleEn":"Measuring Multipath Routing in the Internet","affiliation":[{"name":"Laboratoire d'Informatique de Paris 6 (LIP6), University Pierre et Marie Curie-Centre National de la Recherche Scientifique, Paris, France","tag":1}],"titleCn":"Measuring Multipath Routing in the Internet","cite":{"template":[{"template":"Augustin B, Friedman T, Teixeira R. Measuring multipath routing in the internet[J]. 
IEEE/ACM Transactions on Networking, 2010, 19(3): 830-840.","type":"GB/T 7714"},{"template":"Augustin, Brice, Timur Friedman, and Renata Teixeira. \"Measuring multipath routing in the internet.\" IEEE/ACM Transactions on Networking 19.3 (2010): 830-840.","type":"MLA"},{"template":"Augustin, B., Friedman, T., & Teixeira, R. (2010). Measuring multipath routing in the internet. IEEE/ACM Transactions on Networking, 19(3), 830-840.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":519,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Large scale active measurement of the Internet requires appropriate software support. The better tools that we have for executing consistent and systematic measurements, the more confidence we can have in the results. This paper presents scamper, a powerful open-source packet-prober for active measurement of the Internet designed to stand alone from coordination mechanisms. We built scamper and populated it with specific measurement techniques, making design decisions aimed at allowing Internet researchers to focus on scientific experiments rather than building accurate instrumentation.","author":[{"name":"Matthew Luckie","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/pdf/10.1145/1879141.1879171","info":"IMC"},"publishDate":"2010-11-01","uri":"2010_scamper_a_scalable_and_extensible_packet_prober_for_active_measurement_of_the_internet","tags":["Traceroute"," Internet Topology"],"titleEn":"Scamper: a Scalable and Extensible Packet Prober for Active Measurement of the Internet","affiliation":[{"name":"University of Waikato","tag":1}],"titleCn":"Scamper: a Scalable and Extensible Packet Prober for Active Measurement of the Internet","cite":{"template":[{"template":"Luckie M. Scamper: a scalable and extensible packet prober for active measurement of the internet[C]//Proceedings of the 10th ACM SIGCOMM conference on Internet measurement. 2010: 239-245.","type":"GB/T 7714"},{"template":"Luckie, Matthew. 
\"Scamper: a scalable and extensible packet prober for active measurement of the internet.\" Proceedings of the 10th ACM SIGCOMM conference on Internet measurement. 2010.","type":"MLA"},{"template":"Luckie, M. (2010, November). Scamper: a scalable and extensible packet prober for active measurement of the internet. In Proceedings of the 10th ACM SIGCOMM conference on Internet measurement (pp. 239-245).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":417,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"The domain name system (DNS) is critical to Internet functionality. The availability of a domain name refers to its ability to be resolved correctly. We develop a model for server dependencies that is used as a basis for measuring availability. We introduce the minimum number of servers queried (MSQ) and redundancy as availability metrics and show how common DNS misconfigurations impact the availability of domain names. We apply the availability model to domain names from production DNS and observe that 6.7% of names exhibit sub-optimal MSQ, and 14% experience false redundancy. The MSQ and redundancy values can be optimized by proper maintenance of delegation records for zones.","author":[{"name":"Casey Deccio","tag":"3"},{"name":"Jeff Sedayao","tag":"1"},{"name":"Krishna Kant","tag":"1"},{"name":"Prasant Mohapatra","tag":"2"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/5462270","info":"INFOCOM"},"publishDate":"2010-05-06","uri":"2010_measuring_availability_in_the_domain_name_system","tags":["DNS","Domain Name"],"titleEn":"Measuring Availability in the Domain Name System","affiliation":[{"name":"Intel Corporation","tag":1},{"name":"University of California","tag":2},{"name":"Sandia National Laboratories","tag":3}],"titleCn":"Measuring Availability in the Domain Name System","cite":{"template":[{"template":"Deccio C, Sedayao J, Kant K, et al. Measuring availability in the domain name system[C]//2010 Proceedings IEEE INFOCOM. 
IEEE, 2010: 1-5.","type":"GB/T 7714"},{"template":"Deccio, Casey, et al. \"Measuring availability in the domain name system.\" 2010 Proceedings IEEE INFOCOM. IEEE, 2010.","type":"MLA"},{"template":"Deccio, C., Sedayao, J., Kant, K., & Mohapatra, P. (2010, March). Measuring availability in the domain name system. In 2010 Proceedings IEEE INFOCOM (pp. 1-5). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":482,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Traceroute is the most widely used Internet diagnostic tool today. Network operators use it to help identify routing failures, poor performance, and router misconfigurations. Researchers use it to map the Internet, predict performance, geolocate routers, and classify the performance of ISPs. However, traceroute has a fundamental limitation that affects all these applications: it does not provide reverse path information. Although various public traceroute servers across the Internet provide some visibility, no general method exists for determining a reverse path from an arbitrary destination. In this paper, we address this longstanding limitation by building a reverse traceroute system. Our system provides the same information as traceroute, but for the reverse path, and it works in the same case as traceroute, when the user may lack control of the destination. We use a variety of measurement techniques to incrementally piece together the path from the destination back to the source. We deploy our system on PlanetLab and compare reverse traceroute paths with traceroutes issued from the destinations. In the median case our tool finds 87% of the hops seen in a directly measured traceroute along the same path, versus only 38% if one simply assumes the path is symmetric, a common fallback given the lack of available tools. 
We then illustrate how we can use our reverse traceroute system to study previously unmeasurable aspects of the Internet: we present a case study of how a content provider could use our tool to troubleshoot poor path performance, we uncover more than a thousand peer-to-peer AS links invisible to current topology mapping efforts, and we measure the latency of individual backbone links with average error under a millisecond.","author":[{"name":"Ethan Katz-Bassett","tag":"0"},{"name":"Harsha V. Madhyastha","tag":"0"},{"name":"Vijay Kumar Adhikari","tag":"0"},{"name":"Colin Scott","tag":"0"},{"name":"Justine Sherry","tag":"0"},{"name":"Peter van Wesep","tag":"0"},{"name":"Thomas Anderson","tag":"0"},{"name":"Arvind Krishnamurthy","tag":"0"}],"origin":{"url":"https://www.usenix.org/legacy/event/nsdi10/tech/full_papers/katz-bassett.pdf","info":"NSDI"},"publishDate":"2010-04-28","uri":"2010_reverse_traceroute","tags":["IP Address"," Traceroute"],"titleEn":"Reverse traceroute","affiliation":[{"name":" Dept. of Computer Science, Univ. of Washington, Seattle","tag":1},{"name":" Dept. of Computer Science, Univ. of California, San Diego","tag":2},{"name":" Dept. of Computer Science, Univ. of Minnesota","tag":3}],"titleCn":"Reverse traceroute","cite":{"template":[{"template":"Katz-Bassett E, Madhyastha H V, Adhikari V K, et al. Reverse traceroute[C]//NSDI. 2010, 10: 219-234.","type":"GB/T 7714"},{"template":"Katz-Bassett, Ethan, et al. \"Reverse traceroute.\" NSDI. Vol. 10. 2010.","type":"MLA"},{"template":"Katz-Bassett, E., Madhyastha, H. V., Adhikari, V. K., Scott, C., Sherry, J., Van Wesep, P., ... & Krishnamurthy, A. (2010, June). Reverse traceroute. In NSDI (Vol. 10, pp. 219-234).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":513,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"The well-known traceroute probing method discovers links between interfaces on Internet routers. 
IP alias resolution, the process of identifying IP addresses belonging to the same router, is a critical step in producing Internet topology maps. We compare the performance and accuracy of known alias resolution techniques, propose some enhancements, and suggest a practical combination of techniques that can produce the most accurate and complete IP-to-router mapping at macroscopic scale.","author":[{"name":"Ken Keys","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/1672308.1672318","info":"ACM CCR"},"publishDate":"2010-01-07","uri":"2010_internet_scale_ip_alias_resolution_techniques","tags":["IP Address"," IP Alias"],"titleEn":"Internet-Scale IP Alias Resolution Techniques","affiliation":[{"name":"CAIDA","tag":1}],"titleCn":"Internet-Scale IP Alias Resolution Techniques","cite":{"template":[{"template":"Keys K. Internet-scale IP alias resolution techniques[J]. ACM SIGCOMM Computer Communication Review, 2010, 40(1): 50-55.","type":"GB/T 7714"},{"template":"Keys, Ken. \"Internet-scale IP alias resolution techniques.\" ACM SIGCOMM Computer Communication Review 40.1 (2010): 50-55.","type":"MLA"},{"template":"Keys, K. (2010). Internet-scale IP alias resolution techniques. ACM SIGCOMM Computer Communication Review, 40(1), 50-55.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":518,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Alias resolution, the task of identifying IP addresses belonging to the same router, is an important step in building traceroute-based Internet topology maps. Inaccuracies in alias resolution affect the representativeness of constructed topology maps. This in turn affects the conclusions derived from studies that use these maps. This paper presents two complementary studies on alias resolution. First, we present an experimental study to demonstrate the impact of alias resolution on topology measurement studies. 
Then, we introduce an alias resolution approach called analytic and probe-based alias resolver (APAR). APAR consists of an analytical component and a probe-based component. Given a set of path traces, the analytical component utilizes the common IP address assignment scheme to infer IP aliases. The probe-based component introduces a minimal probing overhead to improve the accuracy of APAR. Compared to the existing state-of-the-art tool ally, APAR uses an orthogonal approach to resolve a large number of IP aliases that ally fails to identify. Our extensive verification study on sample data sets shows that our approach is effective in resolving many aliases with good accuracy. Our evaluations also indicate that the two approaches (ally and APAR) should be used together to maximize the success of the alias resolution process.","author":[{"name":"Mehmet H. Gunes","tag":"1"},{"name":" Kamil Sarac","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/5233750","info":"ToN"},"publishDate":"2009-12-01","uri":"2009_resolving_ip_aliases_in_building_traceroute_based_internet_maps","tags":["IP Address"," IP Alias"],"titleEn":"Resolving IP Aliases in Building Traceroute-Based Internet Maps","affiliation":[{"name":"Department of Computer Science and Engineering, University of Nevada, Reno, NV, USA","tag":1},{"name":" Department of Computer Science and Engineering, University of Nevada, Reno, NV, USA","tag":2}],"titleCn":"Resolving IP Aliases in Building Traceroute-Based Internet Maps","cite":{"template":[{"template":"Gunes M H, Sarac K. Resolving IP aliases in building traceroute-based Internet maps[J]. IEEE/ACM Transactions on Networking, 2009, 17(6): 1738-1751.","type":"GB/T 7714"},{"template":"Gunes, Mehmet H., and Kamil Sarac. \"Resolving IP aliases in building traceroute-based Internet maps.\" IEEE/ACM Transactions on Networking 17.6 (2009): 1738-1751.","type":"MLA"},{"template":"Gunes, M. H., & Sarac, K. (2009). 
Resolving IP aliases in building traceroute-based Internet maps. IEEE/ACM Transactions on Networking, 17(6), 1738-1751.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":515,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"The Domain Name System (DNS) is integral to today’s Internet. Name resolution for a domain is often dependent on servers well outside the control of the domain’s owner. In this paper we propose a formal model for analyzing the name dependencies inherent in DNS, based on protocol specification and actual implementations. We derive metrics to quantify the extent to which domain names affect other domain names. It is found that under certain conditions, the name resolution for over one-half of the queries exhibits influence of domains not expressly configured by administrators. This result serves to quantify the degree of vulnerability of DNS due to dependencies that administrators are unaware of. The model presented in the paper also shows that the set of domains whose resolution affects a given domain name is much smaller than previously thought. 
The model also shows that with caching of NS target addresses, the number of influential domains expands greatly, thereby making the DNS infrastructure more vulnerable.","author":[{"name":"Casey Deccio","tag":"3"},{"name":"Chao-Chih Chen","tag":"2"},{"name":"Prasant Mohapatra","tag":"2"},{"name":"Jeff Sedayao","tag":"1"},{"name":"Krishna Kant","tag":"1"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/5339693","info":"ICNP"},"publishDate":"2009-11-20","uri":"2009_quality_of_name_resolution_in_the_domain_name_system","tags":["DNS","Domain Name"],"titleEn":"Quality of Name Resolution in the Domain Name System","affiliation":[{"name":"Intel Corporation","tag":1},{"name":"University of California","tag":2},{"name":"Sandia National Laboratories","tag":3}],"titleCn":"Quality of Name Resolution in the Domain Name System","cite":{"template":[{"template":"Deccio C, Chen C C, Mohapatra P, et al. Quality of name resolution in the domain name system[C]//2009 17th IEEE International Conference on Network Protocols. IEEE, 2009: 113-122.","type":"GB/T 7714"},{"template":"Deccio, Casey, et al. \"Quality of name resolution in the domain name system.\" 2009 17th IEEE International Conference on Network Protocols. IEEE, 2009.","type":"MLA"},{"template":"Deccio, C., Chen, C. C., Mohapatra, P., Sedayao, J., & Kant, K. (2009, October). Quality of name resolution in the domain name system. In 2009 17th IEEE International Conference on Network Protocols (pp. 113-122). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":481,"keyword":[""],"fileType":1},{"paperType":1,"abstracts":"Traceroute is widely used to report the path packets take between two internet hosts, but the widespread deployment of load balancing routers breaks a basic assumption – that there is only a single such path. We specify an adaptive, stochastic probing algorithm, the Multipath Detection Algorithm (MDA), to report all paths that probes can follow between a source and a destination. 
We establish the foundations of, and show how to calculate, rigorous statistical guarantees for the discovery of the entire multipath route. We explore algorithm cost/guarantee tradeoffs in real experiments and show the inadequacy of the classic practice of sending three probes per hop.","author":[{"name":"Darryl Veitch","tag":"1"},{"name":" Brice Augustin","tag":"0"},{"name":" Renata Teixeira","tag":"0"},{"name":" Timur Friedman","tag":"0"}],"origin":{"url":"https://ieeexplore.ieee.org/abstract/document/5062055/","info":"INFOCOM"},"publishDate":"2009-06-02","uri":"2009_failure_control_in_multipath_route_tracing","tags":["IP Address"," Internet Topology"],"titleEn":"Failure Control in Multipath Route Tracing","affiliation":[{"name":"ARC Special Centre for Ultra-Broadband Information Networks (CUBIN), an affiliated program of National ICT Australia (NICTA), The University of Melbourne, Australia","tag":1},{"name":" LIP6 Laboratory, University of Pierre and Marie Curie-Paris VI, CNRS, Paris, France","tag":2}],"titleCn":"Failure Control in Multipath Route Tracing","cite":{"template":[{"template":"Veitch D, Augustin B, Teixeira R, et al. Failure control in multipath route tracing[C]//IEEE INFOCOM 2009. IEEE, 2009: 1395-1403.","type":"GB/T 7714"},{"template":"Veitch, Darryl, et al. \"Failure control in multipath route tracing.\" IEEE INFOCOM 2009. IEEE, 2009.","type":"MLA"},{"template":"Veitch, D., Augustin, B., Teixeira, R., & Friedman, T. (2009, April). Failure control in multipath route tracing. In IEEE INFOCOM 2009 (pp. 1395-1403). IEEE.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":520,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Mapping the router topology is an important component of Internet measurement. Alias resolution, the process of mapping IP addresses to routers, is critical to accurate Internet mapping. 
Ally, a popular alias resolution tool, was developed to resolve aliases in individual ISPs, but its probabilistic accuracy and need to send O(n²) probes to infer aliases among n IP addresses make it unappealing for large-scale Internet mapping. In this paper, we present RadarGun, a tool that uses IP identifier velocity modeling to improve the accuracy and scalability of the Ally-based resolution technique. We provide analytical bounds on Ally’s accuracy and validate our predicted aliases against Ally. Additionally, we show that velocity modeling requires only O(n) probes and thus scales to Internet-sized mapping efforts.","author":[{"name":"Adam Bender","tag":"1"},{"name":"Rob Sherwood","tag":"1"},{"name":"Neil Spring","tag":"1"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/1452520.1452560","info":"IMC"},"publishDate":"2008-10-20","uri":"2008_fixing_ally_s_growing_pains_with_velocity_modeling","tags":["IP Address"," IP Alias"],"titleEn":"Fixing Ally’s Growing Pains with Velocity Modeling","affiliation":[{"name":"University of Maryland","tag":1}],"titleCn":"Fixing Ally’s Growing Pains with Velocity Modeling","cite":{"template":[{"template":"Bender A, Sherwood R, Spring N. Fixing Ally's growing pains with velocity modeling[C]//Proceedings of the 8th ACM SIGCOMM conference on Internet measurement. 2008: 337-342.","type":"GB/T 7714"},{"template":"Bender, Adam, Rob Sherwood, and Neil Spring. \"Fixing Ally's growing pains with velocity modeling.\" Proceedings of the 8th ACM SIGCOMM conference on Internet measurement. 2008.","type":"MLA"},{"template":"Bender, A., Sherwood, R., & Spring, N. (2008, October). Fixing Ally's growing pains with velocity modeling. In Proceedings of the 8th ACM SIGCOMM conference on Internet measurement (pp. 337-342).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":517,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"CDNs play a critical and central part of today’s Internet infrastructure. 
In this paper we conduct extensive and thorough measurements that accurately characterize the performance of two large-scale commercial CDNs: Akamai and Limelight. Our measurements include charting the CDNs (locating all their content and DNS servers), assessing their server availability, and quantifying their world-wide delay performance. Our measurement techniques can be adopted by CDN customers to independently evaluate the performance of CDN vendors. It can also be used by a new CDN entrant to choose an appropriate CDN design and to locate its servers. Based on the measurements, we shed light on two radically different design philosophies for CDNs: the Akamai design, which enters deep into ISPs; and the Limelight design, which brings ISPs to home. We compare these two CDNs with regards to the numbers of their content servers, their internal DNS designs, the geographic locations of their data centers, and their DNS and content server delays. Furthermore, we study where Limelight can locate additional servers to reap the greatest delay performance gains. As a byproduct, we also evaluate Limelight’s use of IP anycast, and gain insight into a large-scale IP anycast production system.","author":[{"name":"Cheng Huang","tag":"1"},{"name":" Angela Wang","tag":"2"},{"name":" Jin Li","tag":"1"},{"name":" Keith W. Ross","tag":"2"}],"origin":{"url":"https://www.cs.ucr.edu/~jiasi/teaching/cs204_spring19/papers/MeasureCDN08.pdf","info":"IMC"},"publishDate":"2008-10-20","uri":"2008_measuring_and_evaluating_large_scale_cdns","tags":["CDN"],"titleEn":"Measuring and Evaluating Large-Scale CDNs","affiliation":[{"name":"Microsoft Research","tag":1},{"name":"Polytechnic Institute of NYU","tag":2}],"titleCn":"Measuring and Evaluating Large-Scale CDNs","cite":{"template":[{"template":"Huang C, Wang A, Li J, et al. Measuring and evaluating large-scale CDNs[C]//ACM IMC. 2008, 8: 15-29.","type":"GB/T 7714"},{"template":"Huang, Cheng, et al. 
\"Measuring and evaluating large-scale CDNs.\" ACM IMC. Vol. 8. 2008.","type":"MLA"},{"template":"Huang, C., Wang, A., Li, J., & Ross, K. W. (2008, October). Measuring and evaluating large-scale CDNs. In ACM IMC (Vol. 8, pp. 15-29).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":497,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Recently, Doubletree, a cooperative algorithm for large-scale topology discovery at the IP level, was introduced. Compared to classic probing systems, Doubletree discovers almost as many nodes and links while strongly reducing the quantity of probes sent. This paper examines the problem of the nodes and links missed by Doubletree. In particular, this paper’s first contribution is to carefully describe properties of the nodes and links that Doubletree fails to discover. We explain incomplete coverage as a consequence of the way Doubletree models the network: a tree-like structure of routes. But routes do not strictly form trees, due to load balancing and routing changes. This paper’s second contribution is the Windowed Doubletree algorithm, which increases Doubletree’s coverage up to 16% without increasing its load. Compared to classic Doubletree, Windowed Doubletree does not start probing at a fixed hop distance from each monitor, but randomly picks a value from a range of possible values.","author":[{"name":"Benoit Donnet","tag":"1"},{"name":"Bradley Huffaker","tag":"2"},{"name":"Timur Friedman","tag":"3"},{"name":"K.C. 
Claffy","tag":"2"}],"origin":{"url":"https://link.springer.com/chapter/10.1007/978-3-540-72606-7_63","info":"NETWORKING"},"publishDate":"2007-05-14","uri":"2007_increasing_the_coverage_of_a_cooperative_internet_topology_discovery_algorithm","tags":["IP Address"," Internet Topology"],"titleEn":"Increasing the Coverage of a Cooperative Internet Topology Discovery Algorithm","affiliation":[{"name":"Université Catholique de Louvain/CSE Department, Belgium","tag":1},{"name":"Caida/San Diego Supercomputer Center, USA","tag":2},{"name":"Université Pierre, Marie Curie/Laboratoire LIP6/CNRS, France","tag":3}],"titleCn":"Increasing the Coverage of a Cooperative Internet Topology Discovery Algorithm","cite":{"template":[{"template":"Donnet B, Huffaker B, Friedman T, et al. Increasing the coverage of a cooperative internet topology discovery algorithm[C]//NETWORKING 2007. Ad Hoc and Sensor Networks, Wireless Networks, Next Generation Internet: 6th International IFIP-TC6 Networking Conference, Atlanta, GA, USA, May 14-18, 2007. Proceedings 6. Springer Berlin Heidelberg, 2007: 738-748.","type":"GB/T 7714"},{"template":"Donnet, Benoit, et al. \"Increasing the coverage of a cooperative internet topology discovery algorithm.\" NETWORKING 2007. Ad Hoc and Sensor Networks, Wireless Networks, Next Generation Internet: 6th International IFIP-TC6 Networking Conference, Atlanta, GA, USA, May 14-18, 2007. Proceedings 6. Springer Berlin Heidelberg, 2007.","type":"MLA"},{"template":"Donnet, B., Huffaker, B., Friedman, T., & Claffy, K. C. (2007). Increasing the coverage of a cooperative internet topology discovery algorithm. In NETWORKING 2007. Ad Hoc and Sensor Networks, Wireless Networks, Next Generation Internet: 6th International IFIP-TC6 Networking Conference, Atlanta, GA, USA, May 14-18, 2007. Proceedings 6 (pp. 738-748). 
Springer Berlin Heidelberg.","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":512,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"Traceroute is widely used, from the diagnosis of network problems to the assemblage of internet maps. However, there are a few serious problems with this tool, in particular due to the presence of load balancing routers in the network. This paper describes a number of anomalies that arise in nearly all traceroute-based measurements. We categorize them as “loops”, “cycles”, and “diamonds”. We provide a new publicly-available traceroute, called Paris traceroute, which controls packet header contents to obtain a more precise picture of the actual routes that packets follow. This new tool allows us to find conclusive explanations for some of the anomalies, and to suggest possible causes for others.","author":[{"name":"Brice Augustin","tag":"3"},{"name":"Xavier Cuvellier","tag":"3"},{"name":"Benjamin Orgogozo","tag":"2"},{"name":"Fabien Viger","tag":"2"},{"name":"Timur Friedman","tag":"3"},{"name":"Matthieu Latapy","tag":"2"},{"name":"Clemence Magnien","tag":"1"},{"name":"Renata Teixeira","tag":"3"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/1177080.1177100","info":"IMC"},"publishDate":"2006-10-25","uri":"2006_avoiding_traceroute_anomalies_with_paris_traceroute","tags":["IP Address"," Traceroute"],"titleEn":"Avoiding traceroute anomalies with Paris traceroute","affiliation":[{"name":"Ecole Polytechnique/CNRS, Laboratoire CREA","tag":1},{"name":"Universite Denis Diderot/CNRS, Laboratoire LIAFA","tag":2},{"name":"Universite Pierre et Marie Curie/CNRS, Laboratoire LIP6","tag":3}],"titleCn":"Avoiding traceroute anomalies with Paris traceroute","cite":{"template":[{"template":"Augustin B, Cuvellier X, Orgogozo B, et al. Avoiding traceroute anomalies with Paris traceroute[C]//Proceedings of the 6th ACM SIGCOMM conference on Internet measurement. 2006: 153-158.","type":"GB/T 7714"},{"template":"Augustin, Brice, et al. 
\"Avoiding traceroute anomalies with Paris traceroute.\" Proceedings of the 6th ACM SIGCOMM conference on Internet measurement. 2006.","type":"MLA"},{"template":"Augustin, B., Cuvellier, X., Orgogozo, B., Viger, F., Friedman, T., Latapy, M., ... & Teixeira, R. (2006, October). Avoiding traceroute anomalies with Paris traceroute. In Proceedings of the 6th ACM SIGCOMM conference on Internet measurement (pp. 153-158).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":514,"keyword":[""],"fileType":4},{"paperType":1,"abstracts":"The Domain Name System, DNS, is based on nameserver delegations, which introduce complex and subtle dependencies between names and nameservers. In this paper, we present results from a large scale survey of DNS, and show that these dependencies lead to a highly insecure naming system. We report specifically on three aspects of DNS security: the properties of the DNS trusted computing base, the extent and impact of existing vulnerabilities in the DNS infrastructure, and the ease with which attacks against DNS can be launched. The survey shows that a typical name depends on 46 servers on average, whose compromise can lead to domain hijacks, while names belonging to some countries depend on a few hundred servers. An attacker exploiting well-documented vulnerabilities in DNS nameservers can hijack more than 30% of the names appearing in the Yahoo and DMOZ.org directories. 
And certain nameservers, especially in educational institutions, control as much as 10% of the namespace.","author":[{"name":"Venugopalan Ramasubramanian","tag":"1"},{"name":"Emin Gun Sirer","tag":"1"}],"origin":{"url":"https://www.usenix.org/legacy/event/imc05/tech/full_papers/ramasubramanian/ramasubramanian.pdf","info":"IMC"},"publishDate":"2005-05-13","uri":"2005_perils_of_transitive_trust_in_the_domain_name_system","tags":["DNS","Domain Name"],"titleEn":"Perils of Transitive Trust in the Domain Name System","affiliation":[{"name":"Cornell University","tag":1}],"titleCn":"Perils of Transitive Trust in the Domain Name System","cite":{"template":[{"template":"Ramasubramanian V, Sirer E G. Perils of transitive trust in the domain name system[C]//Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement. 2005: 35-35.","type":"GB/T 7714"},{"template":"Ramasubramanian, Venugopalan, and Emin Gün Sirer. \"Perils of transitive trust in the domain name system.\" Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement. 2005.","type":"MLA"},{"template":"Ramasubramanian, V., & Sirer, E. G. (2005, October). Perils of transitive trust in the domain name system. In Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement (pp. 35-35).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":480,"keyword":[""],"fileType":2},{"paperType":1,"abstracts":"In this paper, we ask whether it is possible to build an IP address to geographic location mapping service for Internet hosts. Such a service would enable a large and interesting class of location-aware applications. This is a challenging problem because an IP address does not inherently contain an indication of location. We present and evaluate three distinct techniques, collectively referred to as IP2Geo, for determining the geographic location of Internet hosts. The first technique, GeoTrack, infers location based on the DNS names of the target host or other nearby network nodes. 
The second technique, GeoPing, uses network delay measurements from geographically distributed locations to deduce the coordinates of the target host. The third technique, GeoCluster, combines partial (and possibly inaccurate) host-to-location mapping information and BGP prefix information to infer the location of the target host. Using extensive and varied data sets, we evaluate the performance of these techniques and identify fundamental challenges in deducing geographic location from the IP address of an Internet host.","author":[{"name":"Venkata N. Padmanabhan","tag":"1"},{"name":"Lakshminarayanan Subramanian","tag":"2"}],"origin":{"url":"https://dl.acm.org/doi/abs/10.1145/383059.383073","info":"SIGCOMM"},"publishDate":"2001-08-27","uri":"2001_an_investigation_of_geographic_mapping_techniques_for_internet_hosts","tags":["IP Address"," IP Geolocation"],"titleEn":"An Investigation of Geographic Mapping Techniques for Internet Hosts","affiliation":[{"name":"Microsoft Research","tag":1},{"name":"University of California at Berkeley","tag":2}],"titleCn":"An Investigation of Geographic Mapping Techniques for Internet Hosts","cite":{"template":[{"template":"Padmanabhan V N, Subramanian L. An investigation of geographic mapping techniques for Internet hosts[C]//Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications. 2001: 173-185.","type":"GB/T 7714"},{"template":"Padmanabhan, Venkata N., and Lakshminarayanan Subramanian. \"An investigation of geographic mapping techniques for Internet hosts.\" Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications. 2001.","type":"MLA"},{"template":"Padmanabhan, V. N., & Subramanian, L. (2001, August). An investigation of geographic mapping techniques for Internet hosts. In Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications (pp. 
173-185).","type":"APA"}],"export":["BibTeX","EndNote","RefMan"]},"id":522,"keyword":[""],"fileType":2}],"msg":"success","pageIndex":0,"pageSize":0,"ref":200,"total":131}