RIPE 89

RACI

Talented researchers in the field of Internet technology share their work with the RIPE community as part of the RIPE Academic Cooperation Initiative (RACI). Successful applicants receive complimentary tickets, travel, and accommodation to attend meetings and get the opportunity to present their research to some of the leading technical figures in the Internet world.

Successful RACI Applicants for RIPE 89

RACI Talks at RIPE 89

Thomas Daniels

Thomas Daniels, KU Leuven

Characterising and Mitigating Phishing Attacks at ccTLD Scale

Phishing has been identified as one of the prime cyber threats in recent years. With the goal of effectively identifying and combating phishing as early as possible, we present a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains: .nl, .ie, and .be. We had the unique opportunity to analyse the entire namespace of these ccTLDs in combination with full historical domain registration information. Our analysis spans up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organisations are far more often impersonated using maliciously registered domains under their country’s own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using whatever domains can be compromised, reducing overall mimicry but bearing no registration and financial costs. We show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names. We also show the impact of ccTLDs’ registration and abuse handling policies, and of mitigation at different levels and intermediaries such as the registry, registrar, or hosting provider. This talk is based on the paper “Characterizing and Mitigating Phishing Attacks at ccTLD Scale” published at ACM CCS 2024.

Daniel Otten

Daniel Otten, Osnabrück University

Green Segment Routing: Enhancing Energy Efficiency in Backbone Networks

This talk presents a comprehensive analysis of domain blocklists over a four-year period, focusing on their effectiveness, update practices, and false positive rates. By examining DNS data and cross-referencing multiple detection tools, we identify key patterns in the number of entries, frequency of updates, and discrepancies in detection criteria. Notably, some blocklists list expired domains for up to 4000 days, indicating inconsistent updating practices. We also found that 0.92% of domains listed in the widely used Spamhaus DBL are flagged as malicious by Cisco Umbrella and VirusTotal, highlighting low false positive rates or potential variations in how malicious activity is detected. Additionally, by comparing the ratio of blocked domains to total domains within each TLD, we observed that specific TLDs are disproportionately targeted by certain blocklists. This suggests a need for more targeted filtering strategies and improved blocklist management practices. These insights contribute to strengthening network defences and guiding future research.

In the second part of the talk, we shift focus to energy efficiency in network management, specifically through Traffic Engineering (TE) based on Segment Routing (SR). SR is a source-routing architecture that allows traffic to be steered through pre-defined paths, offering a powerful tool for optimising network load balancing. However, its potential for reducing energy consumption has been underexplored. Our study develops an SR-based approach to TE aimed at reducing power usage by deactivating hardware components, such as linecards, under specific conditions. The results demonstrate that our approach can achieve near-optimal energy savings while maintaining performance. Furthermore, we integrate failure scenarios into the model to ensure that network resilience is preserved, even during disruptions. Overall, we showcase SR’s potential in balancing energy efficiency with performance and resiliency in backbone networks.

Aniketh Girish

Aniketh Girish, IMDEA Networks Institute

In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes

The network communication between Internet of Things (IoT) devices on the same local network has significant implications for platform and device interoperability, security, privacy, and correctness. Yet, the analysis of local home Wi-Fi network traffic and its associated security and privacy threats have been largely ignored by prior literature, which typically focuses on studying the communication between IoT devices and cloud end-points, or detecting vulnerable IoT devices exposed to the Internet. In this talk, we present a comprehensive and empirical measurement study to shed light on the local communication within a smart home deployment and its threats. We use a unique combination of passive network traffic captures, protocol honeypots, dynamic mobile app analysis, and crowdsourced IoT data from participants to identify and analyse a wide range of device activities on the local network. We then analyse these datasets to characterise local network protocols, security and privacy threats associated with them. Our analysis reveals vulnerable devices, insecure use of network protocols, and sensitive data exposure by IoT devices. We provide evidence of how this information is exfiltrated to remote servers by mobile apps and third-party SDKs, potentially for household fingerprinting, surveillance and cross-device tracking.

Lion Steger

Lion Steger, Technical University of Munich

Target Acquired? Evaluating Target Generation Algorithms for IPv6

Internet measurements are a crucial foundation of IPv6-related research. Due to the infeasibility of full address space scans for IPv6, however, those measurements rely on collections of reliably responsive, unbiased addresses, as provided, e.g., by the IPv6 Hitlist service. Although used for various use cases, the hitlist provides an unfiltered list of responsive addresses, the hosts behind which can come from a range of different networks and devices, such as web servers, customer-premises equipment (CPE) devices, and Internet infrastructure. We demonstrate the importance of tailoring hitlists in accordance with the research goal in question. By using PeeringDB we classify hitlist addresses into six different network categories, uncovering that 42% of hitlist addresses are in ISP networks. Moreover, we show the different behaviour of those addresses depending on their respective category, e.g., ISP addresses exhibiting a relatively low lifetime. Furthermore, we analyse different Target Generation Algorithms (TGAs), which are used to increase the coverage of IPv6 measurements by generating new responsive targets for scans. We evaluate their performance under various conditions and find generated addresses to show vastly differing responsiveness levels for different TGAs.

Yevheniya Nosyk

Yevheniya Nosyk, Université Grenoble Alpes

Extended DNS Errors: Unlocking the Full Potential of DNS Troubleshooting

The Domain Name System (DNS) relies on response codes to confirm successful transactions or indicate anomalies. Yet, the codes are not sufficiently fine-grained to pinpoint the root causes of resolution failures. RFC 8914 (Extended DNS Errors or EDE) addresses the problem by defining a new extensible registry of error codes to be served inside the OPT resource record. We studied the implementation of EDE by four major DNS resolver vendors and five large public DNS resolvers. They correctly narrow down the cause of underlying problems, but do not agree in the majority of our test cases in terms of the returned EDE codes. We additionally performed a large-scale analysis of more than 297 million registered domain names. We show that 19.4 million of them trigger EDE codes. Lame delegations and DNSSEC validation failures are the most common problems encountered.
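To make the EDE mechanism concrete, here is an added example (not from the talk or its authors) that parses the option list of an OPT resource record and pulls out any EDE option (option code 15) with its INFO-CODE and EXTRA-TEXT, using the code registry from RFC 8914; the sample RDATA bytes are constructed for this example.

```python
import struct

# EDE option code and the INFO-CODE registry defined in RFC 8914.
EDE_OPTION_CODE = 15
EDE_INFO_CODES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing",
    13: "Cached Error", 14: "Not Ready", 15: "Blocked", 16: "Censored",
    17: "Filtered", 18: "Prohibited", 19: "Stale NXDOMAIN Answer",
    20: "Not Authoritative", 21: "Not Supported", 22: "No Reachable Authority",
    23: "Network Error", 24: "Invalid Data",
}

def build_ede_option(info_code, extra_text=""):
    """Encode one EDE option as it appears inside OPT RDATA (constructed test data)."""
    payload = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(payload)) + payload

def parse_ede(opt_rdata):
    """Walk the OPT RDATA option list and return every EDE option found.

    Each result is (info_code, name, extra_text). Unknown info codes are kept
    with a placeholder name because the registry is extensible. Other EDNS
    options are skipped; a truncated option list raises ValueError instead of
    being silently ignored, which is the check a troubleshooting tool wants.
    """
    results = []
    pos = 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        if pos + length > len(opt_rdata):
            raise ValueError("option length exceeds RDATA")
        data = opt_rdata[pos:pos + length]
        pos += length
        if code != EDE_OPTION_CODE:
            continue
        if length < 2:
            raise ValueError("EDE option shorter than INFO-CODE")
        info_code = struct.unpack("!H", data[:2])[0]
        # EXTRA-TEXT is optional UTF-8; tolerate bad bytes rather than crash.
        text = data[2:].decode("utf-8", errors="replace").rstrip("\x00")
        results.append((info_code, EDE_INFO_CODES.get(info_code, "Unassigned"), text))
    return results

# Constructed OPT RDATA: an EDNS COOKIE option (code 10, 8 dummy bytes) followed by
# an EDE "DNSSEC Bogus" option, as a validating resolver might return on SERVFAIL.
SAMPLE_RDATA = (struct.pack("!HH", 10, 8) + b"\x00" * 8
                + build_ede_option(6, "no valid RRSIG for example.test"))
```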

Aziz Soltobaev

Aziz Soltobaev, ISOC Kyrgyzstan

From Mountains to Data: Low-Cost Weather Stations in Kyrgyzstan’s Challenging Terrain

Kyrgyzstan, a landlocked nation in Central Asia, is characterised by its rugged mountainous terrain, which covers approximately 90% of its land area. This unique geography poses specific challenges related to climate vulnerability. To address these challenges, we propose a comprehensive approach that involves gathering meteorological data and making it accessible to decision-makers. By leveraging LoRaWAN communication technology, which efficiently transmits sparse and low-speed data over long distances while minimising power consumption, we can enhance climate resilience. The Internet Society Kyrgyz Chapter, in collaboration with the International Centre for Theoretical Physics (ICTP) and the Central Asia Institute for Applied Geosciences (CAIAG), has initiated the installation of meteorological sensors and disaster mitigation devices, including river water level sensors, terrain moisture sensors, and tilt detectors. These sensors collect critical data, which is stored within the country on an ad hoc server. Stakeholders can access this data according to their specific requirements. This paper outlines the criteria for selecting the deployed equipment and provides details on the installation process at pilot sites, along with the challenges encountered during project execution.

Antonia Affinito

Antonia Affinito, University of Twente

Unveiling Domain Blocklist Performance: An Analysis over Four Years

Domain blocklists play a key role in identifying and blocking malicious domains that pose significant risks to users and organisations. These blocklists serve as a frontline defence, preventing access to known harmful sites and mitigating threats such as phishing, malware, and other cyberattacks. In addition to their practical security applications, domain blocklists are also widely used in academic research. For example, studies have used blocklists to analyse the accuracy of DNS resolvers in identifying malicious domains or to investigate the performance of threat detection systems. Despite their widespread use, there remains a need for a deeper understanding of the characteristics and effectiveness of these blocklists.

Petros Gigis

Petros Gigis, University College London

Bad Packets Come Back, Worse Ones Don’t

Inter-domain routing is critical to the business operations of Internet Service Providers (ISPs). ISPs may notice that traffic from certain sources is entering their network at an unexpected location, but it is hard to know if this represents a problem or is just normal spoofed background noise. If such traffic is not spoofed, it could be the result of misconfigurations, sub-optimal routing policies, violations of commercial agreement or even BGP hijacking. However, raising alerts for background noise would only waste operators’ time.

In this talk, we describe Penny, a test ISPs can run to tell unspoofed traffic aggregates arriving on the wrong port from spoofed ones. The key idea is simple: when new traffic is received at unexpected routers, drop a few TCP packets. Non-spoofed TCP packets (“bad packets”) will be retransmitted while spoofed ones (“worse packets”) will not. However, building a robust test on top of this simple idea is challenging. It involves addressing conflicting goals, such as minimising performance degradation for legitimate flows, accounting for external conditions like path changes and remote packet loss, and ensuring robustness against spoofers attempting to evade the test. Our evaluation results show that by dropping just 12 packets, regardless of network conditions, we can accurately and reliably identify aggregates containing non-spoofed TCP flows, even when these flows are mixed with high volumes of spoofed traffic. Additionally, we show that Penny has a minimal impact on the performance of the tested flows.
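The core observation above, as an added example that is not the Penny implementation or the authors' code: a hypothetical probe drops a bounded number of TCP segments from an aggregate arriving at the wrong router and records their (flow, seq) pairs; only a real sender, which never sees an ACK for the dropped segment, will resend that exact segment. The packet trace is constructed inline; how the real test chooses which packets to drop and copes with path changes and remote loss is deliberately not modelled.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport seq")

class RetransmitProbe:
    """Drop the first `budget` TCP segments of a suspicious aggregate and watch
    whether any dropped (flow, seq) pair is seen again.

    A retransmission can only come from an endpoint that notices the missing ACK,
    i.e. the real owner of the source address; a spoofer sending fire-and-forget
    segments never learns the drop happened. (Hypothetical simplification.)
    """
    def __init__(self, budget=12):
        self.budget = budget
        self.dropped = set()        # (flow 4-tuple, seq) pairs we discarded
        self.retransmitted = set()  # flows that re-sent a dropped segment

    def observe(self, pkt):
        """Return 'drop', 'retransmit' or 'forward' for one observed segment."""
        key = ((pkt.src, pkt.dst, pkt.sport, pkt.dport), pkt.seq)
        if key in self.dropped:
            self.retransmitted.add(key[0])
            return "retransmit"
        if len(self.dropped) < self.budget:
            self.dropped.add(key)
            return "drop"
        return "forward"

    def verdict(self):
        """The aggregate contains an unspoofed TCP flow iff a dropped segment came back."""
        return "unspoofed-present" if self.retransmitted else "likely-spoofed"

def constructed_trace(with_legit=True):
    """Constructed sample: a burst of spoofed segments from distinct fake sources
    (documentation prefix 192.0.2.0/24) that never repeat, with one legitimate
    flow landing inside the burst and later retransmitting its unacknowledged seq."""
    pkts = [Packet(f"192.0.2.{i}", "203.0.113.9", 5000 + i, 443, 1) for i in range(50)]
    if with_legit:
        legit = Packet("198.51.100.7", "203.0.113.9", 40001, 443, 1000)
        pkts.insert(3, legit)   # first transmission, inside the drop window
        pkts.append(legit)      # RTO fires: identical segment is sent again
    return pkts

def run(pkts, budget=12):
    """Feed a trace through the probe; return (verdict, drops, retransmits seen)."""
    probe = RetransmitProbe(budget)
    actions = [probe.observe(p) for p in pkts]
    return probe.verdict(), actions.count("drop"), actions.count("retransmit")
```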

Šeila Bećirović Ramić

Šeila Bećirović Ramić, University of Sarajevo

Selective Disclosure in Digital Credentials

Digital credentials are digital versions of physical credentials. They are the cornerstone of digital identity on the Internet. As digital identities become more common, particularly with the shift from traditional to digital methods like identity cards and signatures, protecting privacy has become a significant concern.

Self-sovereign identity (SSI) is a user-centric approach in which individuals have full control over their digital identity and data. This model contrasts with centralised identity systems, putting the user at the centre of their credential management. Verifiable credentials, a key component, offer cryptographically secured, tamper-evident proofs of personal information, further reinforcing the user’s importance in the system.

Selective disclosure plays an important role in this system, enabling users to reveal only the information needed for a specific transaction or interaction while keeping other attributes private. Several technical requirements ensure that disclosed attributes cannot be linked across different interactions, providing a higher level of privacy.

The achievement of selective disclosure relies on robust cryptographic methods such as hashes, signatures, and zero-knowledge proofs (ZKPs). These tools are not just privacy safeguards, but also ensure the integrity of credentials, providing a strong sense of security.
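As an added example of the hash-and-signature approach to selective disclosure described above (this is not the speaker's scheme or code): the issuer commits to each claim with a salted hash and signs only the digest list, the holder forwards the chosen (salt, name, value) triples, and the verifier recomputes the digests. An HMAC with a shared constructed key stands in for the issuer's public-key signature so the example runs offline; the `linkable` check illustrates the caveat that reusing one signed digest list across presentations makes them linkable, which is why fresh salts per copy or a ZKP-based scheme are needed for unlinkability.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer's signing key (example only)

def _digest(salt, name, value):
    # Commitment to one claim. The random salt stops a verifier from guessing
    # low-entropy values (e.g. over_18: true) by brute-forcing the digest.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue(claims):
    """Issuer: salt and hash every claim, sign the sorted digest list, give the holder both."""
    disclosures = {n: (secrets.token_urlsafe(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = json.dumps(digests).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()  # HMAC stands in for a signature
    return {"digests": digests, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Holder: forward the signed digest list plus only the (salt, value) pairs to reveal."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}

def verify(presentation):
    """Verifier: check the issuer signature, then that each disclosed claim matches a signed digest.
    Returns the accepted claims, or None if the signature or any disclosure is invalid."""
    cred = presentation["credential"]
    payload = json.dumps(cred["digests"]).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    accepted = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # tampered value or salt
        accepted[name] = value
    return accepted

def linkable(p1, p2):
    """Presentations built from the same issued copy share digests, so verifiers can correlate
    them even when different claims are revealed; distinct issued copies do not."""
    return bool(set(p1["credential"]["digests"]) & set(p2["credential"]["digests"]))
```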