Resilient Networking

VortragsspracheEnglisch

Inhalte

Vorlesung auf Englisch.

The lecture is going to be given on Fridays, 10-11:30. It will be streamed and the videos will be available for download, online, subsequent to the corresponding lecture. We will organize the reading group during the first lecture, so please try to make sure that you participate in this event, at least.

Alike the past years there's a limit of 15 students who can participate in this course, as the reading group does not scale to larger groups.

 

Subject

The lecture resilient networking provides an overview on the basics of secure networks as well as on current threats and respective countermeasures. Especially bandwidth-depleting Denial of Service attacks represent a serious threat. Moreover, over the last years the number of targeted and highly sophisticated attacks on company and governmental networks increased. To make it worse, as a new trend at the moment, the interconnection of the Internet with cyber physical systems takes place. Such systems, e.g., the energy network (smart grid), trans- portation systems and large industrial facilities, are critical infrastructures with severe results in case of their failure. Thus, the Internet that interconnects these systems has evolved to a critical infrastructure as well.

The lecture introduces the current state-of-the-art in the research towards resilient networks. Resilience-enhancing techniques can be generally classified in proactive and reactive methods. Proactive techniques are redundancy and compartmentalization. Redundancy allows to tolerate attacks to a certain extent, while compartmentalization attempts to restrict the attack locally and preventing its expansion across the whole system. Reactive techniques follow a three step approach by comprising the phases of detecting    an attack, mitigate its impacts, and finally restore a system's usual operation.

 

        Topics

  •  excursus to graph theorie
  •  overview on BGP routing and the Domain Name Service
  •  Denial of Service attacks and their mitigation
  •  mechanism for increasing the resilience of P2P networks
  •  Intrusion Detection system

 

Organizational matters

Fridays     10:00 hybrid: 50.34:301 online at our bbb server (contactus for the pass code)

Access to online lectures through ILIAS.

The course will consist of a lecture (3SWS) and an exercise course (1SWS). The exercise course consists of two parts: we will hold a biweekly reading group and there will be a task assignment. We will read papers from the context of the topics in class in the reading group. Everybody is expected to read all mandatory papers (around 9), and we will choose volunteers for each paper to briefly summarize the content, before the entire group discusses their questions and comments regarding the paper. We hope to discuss two papers during each session. The implementation task will be introduced in the context of the class discussing database publication and differential privacy. Each participant of the course will be tasked to implement a simple solution for data sharing with differential privacy, and the results will be presented and discussed during the last exercise course.

Please register to the mailing list.
There will be an etherpad to organize the reading group

 

Teaching material

Lecture Schedule (tentative)

Date Topic
22.10. Preliminaries and Organization
29.10. Basic Background (pdf)
05.11. Background on Graphs
12.11. KASTEL Distinguished Lecture Series: Chris Kruegel
19.11. Background on Graphs 2 (pdf)
26.11. Background on Crypto (pdf)
03.12. Internet Routing (pdf see below)
10.12. skipped
17.12. Routing Security (pdf)
14.01. Name Resolution
21.01. Invited Talk: Aurélien Francillon on PBX Hacking (pdf)
28.01. DNS Security
04.02. Invited Talk: Mathias Fischer on Intrusion Detection
11.02. DDoS and Countermeasures

 

 

Reading Group

Here is the list of mandatory and optional reading material (publications regarding the topics in class).
The reading group will mainly cover the mandatory reading, potentially some additional papers of interest (depending on the number of students who enrol in the course).

Paper Date

a) Albert, Jeong, Barabasi: Error and Attack Tolerance of Complex Networks, Nature

b) Magoni, Damien. "Tearing down the Internet." IEEE Journal on Selected Areas in Communications 21.6 (2003): 949-960

Nov  25th and 30th

a)  Schuchard, Max, et al. "Losing control of the internet: using the data  plane to attack the control plane." Proceedings of the 17th ACM  conference on Computer and communications security. ACM, 2010.

b)  Cohen, Reuven, Raziel Hess-Green, and Gabi Nakibly. "Small lies, lots  of damage: a partition attack on link-state routing protocols." 2015  IEEE Conference on Communications and Network Security (CNS). IEEE, 2015

Dec 2nd and Dec 7th

a)  CDN Judo: Breaking the CDN DoS Protection with Itself
Run  Guo, Weizhong Li, Baojun   Liu, Shuang Hao,   Jia Zhang, Haixin Duan,   Kaiwen Sheng, Jianjun Chen, Ying Liu, NDSS 2020

b)  Herley, Cormac, and Paul C. Van Oorschot. "Sok: Science, security and  the elusive goal of security as a scientific pursuit." 2017 IEEE  Symposium on Security and Privacy (SP). IEEE, 2017.

Dec 14th and 16th

a) Threat modeling – A systematic literature review

Xiong Wenjun, and Robert Lagerström; Elsevier Computers & Security

b) IMP4GT: IMPersonation Attacks in 4G NeTworks

David  Rupprecht, Katharina Kohls, Thorsten Holz, Christina  Poepper, NDSS 2020

Jan 11th and 13th

a) Flexsealing BGP Against Route Leaks: Peerlock Active Measurement and Analysis

Tyler  McDaniel, Jared M. Smith, Max Schuchard, NDSS

b)  Liu, Daiping, Shuai Hao, and Haining Wang."All your DNS records point to us." Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. ACM, 2016.

Jan 18th and 20th

a) ROV++: Improved Deployable Defense against BGP Hijacking

Reynaldo   Morillo, Justin Furuness, Cameron Morris, James  Breslin, Amir Herzberg, Bing Wang, NDSS

b) Withdrawing the BGP Re-Routing Curtain: Understanding the Security Impact of BGP Poisoning through Real-World Measurements

Jared   M. Smith, Kyle Birkeland, Tyler McDaniel, Max Schuchard, NDSS 2020

Jan 25th and 27th

a) Rossow, Christian. "Amplification Hell: Revisiting Network Protocols for

DDoS Abuse." NDSS. 2014.

b) Rossow et al. "Identifying the scan and attack infrastructures

behind amplification DDoS attacks." Proceedings of the 2016 ACM SIGSAC

Conference on Computer and Communications Security. ACM, 2016

Feb 1st and 3rd