List of keywords used to build the text classifier for the paper Reviewing War: Unconventional User Reviews as a Side Channel to Circumvent Information Controls. For more information on how these keywords were obtained, see the "Data Labeling" section of this paper. The provided CSV file contains 3 columns: "keyword": Lowercased keyword in either English, Russian, Ukranian or Polish. "weight": Score indicating the keyword's war-related affinity, with 3 being the most related. Negative weights are used to correct for exceptions in our classifier. "topic": Subject of the keyword used for topic analysis.@en

During the last ten years, thousands of kilometers of submarine cables have been rolled out to connect regions around the globe and improve intercontinental connectivity. However, while it is relatively easy to get information about the frequent roll-outs of these cables, it is challenging to translate these developments into network information to facilitate networking research. For example, announcements for new submarine cables typically mention landing points and not router IP addresses. With this network information, it is easier to assess the impact of a new submarine cable on end-to-end delays in the connecting regions. In this paper, we investigate the necessary and sufficient conditions to translate public announcements for submarine cables to network information that enables networking research on this topic. We also develop and evaluate a methodology to automatically extract IP-level information for deployed submarine cables and assess their impact on end-to-end performance.@en

Time synchronization is of paramount importance on the Internet, with the Network Time Protocol (NTP) serving as the primary synchronization protocol. The NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates connections between clients and NTP servers. Our analysis of root DNS queries reveals that the NTP Pool has consistently been the most popular time service. We further investigate the DNS component (GeoDNS) of the NTP Pool, which is responsible for mapping clients to servers. Our findings indicate that the current algorithm is heavily skewed, leading to the emergence of time monopolies for entire countries. For instance, clients in the US are served by 551 NTP servers, while clients in Cameroon and Nigeria are served by only one and two servers, respectively, out of the 4k+ servers available in the NTP Pool. We examine the underlying assumption behind GeoDNS for these mappings and discover that time servers located far away can still provide accurate clock time information to clients. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.@en

Malware is recognized as one of the most severe cybersecurity threats today. Although malware attacks are as old as the Internet, our understanding of which part of the Internet infrastructure is used to distribute malware software is still rather limited.
In this work, we analyze more than 3 million sessions established with honeypots deployed in 55 countries that are associated with the download and execution of malware binaries. We identify two main tactics to load malware to infected machines: injection of malware by hosts initiating the connection (clients) and downloading malware from third parties (loaders). The latter tactic contributes to more than 80% of this class of sessions but involves a smaller number of cloud and content delivery servers with very different profiles than that of the clients. Our analysis also shows that it is not uncommon for different malware families to rely on the same hosting infrastructures for downloading malware. Further investigation into the code executed to download and activate malware shows that criminals tend to hide their traces by deleting their history and modifying logs and files on the compromised machines.@en

On February 24, 2022, Russia invaded Ukraine after months of military preparations. Although secondary to the human tragedy resulting from the war, the Internet connectivity in the region was disrupted due to the military conflicts and economic sanctions. We study the Internet peering connectivity of the conflicted countries before, during, and after the Russian invasion of Ukraine. Our analysis shows that de-peering activity by Ukrainian, Russian, and international networks started months before the invasion at peering facilities in Ukraine and Russia, respectively. De-peering continued after the Russian invasion of Ukraine, with only minor changes in peering taking place until end of 2023. Our study shows that several Internet exchange points have stopped operating in Ukraine. We also report that the invasion has impacted the registry country code of operational networks in Ukraine and Russia, creating a new status quo in Internet peering in the region.

@en

Port scanning is the de-facto method to enumerate active hosts and potentially exploitable services on the Internet. Over the last years, several studies have quantified the ecosystem of port scanning. Each work has found drastic changes in the threat landscape compared to the previous one, and since the advent of high-performance scanning tools and botnets a lot has changed in this highly volatile ecosystem.
Based on a unique dataset of Internet-wide scanning traffic collected in a large network telescope, we provide an assessment of Internet-wide TCP scanning with measurement periods in the last 10 years (2015 to 2024). We collect over 750 million scanning campaigns sending more than 45 billion packets and report on the evolution and developments of actors, their tooling, and targets. We find that Internet scanning has increased 30-fold over the last ten years, but the number and speed of scans have not developed at the same pace. We report that the ecosystem is extremely volatile, where targeted ports and geographical scanner locations drastically change at the level of weeks or months. We thus find that for an accurate understanding of the ecosystem we need longitudinal assessments. We show that port scanning becomes heavily commoditized, and many scanners target multiple ports. By 2024, well-known scanning institutions are targeting the entire IPv4 space and the entire port range.@en

The virtue of data forgetting has become a substantial demand in the digital era. Once online content has served its purpose, the concept of forgetting arises to ensure that data remains private between data owners and service providers. Despite significant advancements in supporting data forgetting through approaches like access heuristics, elastic expiration times, and manual revocation, the existing research falls short in addressing the demand for a multi-level forgetting structure that can cater to diverse audience-based expiration requirements while considering additional criteria. To the best of our knowledge, no prior works have investigated this gap, emphasizing the need for a comprehensive solution that can effectively accommodate the varying expiration needs of different audience groups. In this paper, we introduce a novel disjunctive multi-level forgetting scheme designed to meet the aforementioned demand for data forgetting. Our scheme introduces unique expiration periods for the encrypted data the service provider stores, called levels. Users are grouped into different levels based on priorities assigned by the data owners. Each level corresponds to a specific expiration threshold, enabling designated user groups to access the content within its validity period before it is forgotten. This approach enables selective data forgetting for one group while enabling concurrent access and retention for other user groups until the stipulated expiration period elapses. To achieve this, we have devised a cutting-edge system that integrates a hierarchical and dynamic scheme utilizing a key decay for managing expiration periods. Moreover, we introduce an innovative approach that harnesses smart contracts on a local Ethereum blockchain to enforce regulations and streamline the secure and efficient expiration and deletion of data. Finally, we thoroughly evaluate our proposed scheme, focusing on decay sensitivity, computational complexity, and rigorous security analysis.@en

To avoid exploitation of known vulnerabilities, it is standard security practice to not disclose any model information regarding the antennas used in cellular infrastructure. However, in this work, we show that end-user devices receive enough information to infer, with high accuracy, the model-family of antennas. We demonstrate how low-cost hardware and software setups can fingerprint the cellular infrastructure of whole regions within a few minutes by only listening to cellular broadcast messages. To show the effectiveness and hence risk of such fingerprinting, we collected an extensive dataset of broadcast messages from three different countries. We then trained a machine-learning model to classify broadcast messages based on the model-family they belong to. Our results reveal a worryingly high average accuracy of 97% for model-family classification. We further discuss how inferring the model-family with such high accuracy can lead to a class of identification attacks on cellular infrastructure and we subsequently suggest countermeasures to mitigate the fingerprint effectiveness.

@en

Satellites have become part of critical infrastructure utilized for diverse applications, from Earth observation to communication and military missions. Several trends have reshaped satellite deployment and utilization in recent years, making satellite systems more accessible and vulnerable to cybersecurity threats. A notable trend is adopting Commercially Off-the-Shelf (COTS) hardware and software for satellite systems. However, this approach renders satellites susceptible to well-known cyberattacks. This paper presents a comprehensive exploration of attacks on satellite systems, with a specific emphasis on the security aspects of the satellite platform, encompassing both the bus and payload subsystems. The discussion includes existing security defenses that can enhance the security of the satellite platform. Ultimately, we present a real-world security framework designed to improve the overall security of the satellite platform.

@en

Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal to effectively identifying and combating phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains – namely the Netherlands’ .nl, Ireland’s .ie, and Belgium’s .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using malicious registered domains under their country own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using whatever domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. We show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names and that most research works focus on detecting new domain names instead. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLD’s registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving mitigation procedures. @en

Time synchronization is of paramount importance on the Internet, with the Network Time Protocol (NTP) serving as the primary synchronization protocol. The NTP Pool, a volunteer-driven initiative launched two decades ago, facilitates connections between clients and NTP servers. Our analysis of root DNS queries reveals that the NTP Pool has consistently been the most popular time service. We further investigate the DNS component (GeoDNS) of the NTP Pool, which is responsible for mapping clients to servers. Our findings indicate that the current algorithm is heavily skewed, leading to the emergence of time monopolies for entire countries. For instance, clients in the US are served by 551 NTP servers, while clients in Cameroon and Nigeria are served by only one and two servers, respectively, out of the 4k+ servers available in the NTP Pool. We examine the underlying assumption behind GeoDNS for these mappings and discover that time servers located far away can still provide accurate clock time information to clients. We have shared our findings with the NTP Pool operators, who acknowledge them and plan to revise their algorithm to enhance security.

@en

Phishing on the web is a model of social engineering and an attack vector for getting access to sensitive and financial data of individuals and corporations. Phishing has been identified as one of the prime cyber threats in recent years. With the goal to effectively identifying and combating phishing as early as possible, we present in this paper a longitudinal analysis of phishing attacks from the vantage point of three country-code top-level domain (ccTLD) registries that manage more than 8 million active domains – namely the Netherlands’ .nl, Ireland’s .ie, and Belgium’s .be. We perform a longitudinal analysis on phishing attacks spanning up to 10 years, based on more than 28 thousand phishing domains. Our results show two major attack strategies: national companies and organizations are far more often impersonated using malicious registered domains under their country own ccTLD, which enables better mimicry of the impersonated company. In stark contrast, international companies are impersonated using whatever domains that can be compromised, reducing overall mimicry but bearing no registration and financial costs. We show that 80% of phishing attacks in the studied ccTLDs employ compromised domain names and that most research works focus on detecting new domain names instead. We find banks, financial institutions, and high-tech giant companies at the top of the most impersonated targets. We also show the impact of ccTLD’s registration and abuse handling policies on preventing and mitigating phishing attacks, and that mitigation is complex and performed at both web and DNS level at different intermediaries. Last, our results provide a unique opportunity for ccTLDs to compare and revisit their policies and impacts, with the goal of improving mitigation procedures. @en

List of keywords used to build the text classifier for the paper Reviewing War: Unconventional User Reviews as a Side Channel to Circumvent Information Controls. For more information on how these keywords were obtained, see the "Data Labeling" section of this paper. The provided CSV file contains 3 columns: "keyword": Lowercased keyword in either English, Russian, Ukranian or Polish. "weight": Score indicating the keyword's war-related affinity, with 3 being the most related. Negative weights are used to correct for exceptions in our classifier. "topic": Subject of the keyword used for topic analysis.@en

A data-driven, follow-The-money approach to characterize the ransomware ecosystem uncovers two parallel ransomware criminal markets: commodity ransomware and Ransomware as a Service (RaaS).

@en

The Dark Web, primarily Tor, has evolved to protect user privacy and freedom of speech through anonymous routing. However, Tor also facilitates cybercriminal actors who utilize it for illicit activities. Quantifying the size and nature of such activity is challenging, as Tor complicates indexing by design. This paper proposes a methodology to estimate both size and nature of illicit commercial activity on the Dark Web. We demonstrate this based on crawling Tor for single-vendor Dark Web Shops, i.e., niche storefronts operated by single cybercriminal actors or small groups. Based on data collected from Tor, we show that just in 2021, Dark Web Shops generated at least 113 million USD in revenue. Sexual abuse is the top illicit revenue category, followed by financial crime at a great distance. We also compare Dark Web Shops’ activity with a large Dark Web Marketplace, showing that these are parallel economies. Our methodology contributes towards automated analysis of illicit activity in Tor. Furthermore our analysis sheds light on the evolving Dark Web Shop ecosystem and provides insights into evidence-based policymaking regarding criminal Dark Web activity.@en

We introduce a runtime verification framework for programmable switches that complements static analysis. To evaluate our approach, we design and develop P6, a runtime verification system that automatically detects, localizes, and patches software bugs in P4 programs. Bugs are reported via a violation of pre-specified expected behavior that is captured by P6. P6 is based on machine learning-guided fuzzing that tests P4 switch non-intrusively, i.e., without modifying the P4 program for detecting runtime bugs. This enables an automated and real-time localization and patching of bugs. We used a P6 prototype to detect and patch existing bugs in various publicly available P4 application programs deployed on two different switch platforms, namely, behavioral model (bmv2) and Tofino. Our evaluation shows that P6 significantly outperforms bug detection baselines while generating fewer packets and patches bugs in large P4 programs, e.g., switch.p4 without triggering any regressions.

@en

The COVID-19 pandemic has disrupted the ‘real’ world and substantially impacted the virtual world and thus the Internet ecosystem. It has caused a significant exogenous shock that offers a wealth of natural experiments and produced new data about broadband, clouds, and the Internet in times of crisis. In this chapter, we characterise and evaluate the evolving impact of the global COVID-19 crisis on traffic patterns and loads and the impact of those on Internet performance from multiple perspectives. While we place a particular focus on deriving insights into how we can better respond to crises and better plan for the post-COVID-19 ‘new normal’, we analyse the impact on and the responses by different actors of the Internet ecosystem across different jurisdictions. With a focus on the USA and Europe, we examine the responses of both public and private actors, with the latter including content and cloud providers, content delivery networks, and Internet service providers (ISPs). This chapter makes two contributions: first, we derive lessons learned for a future post-COVID-19 world to inform non-networking spheres and policy-making; second, the insights gained assist the networking community in better planning for the future.@en

Unsolicited traffic sent to advertised network space that does not host active services provides insights about misconfigurations as well as potentially malicious activities, including the spread of Botnets, DDoS campaigns, and exploitation of vulnerabilities. Network telescopes have been used for many years to monitor such unsolicited traffic. Unfortunately, they are limi the available address space for such tasks and, thus, limited to specific geographic and/or network regions.

In this paper, we introduce a novel concept to broadly capture unsolicited Internet traffic, which we call a "meta-telescope". A meta-telescope is based on the intuition that, with the availability of appropriate vantage points, one can (i) infer which address blocks on the Internet are unused and (ii) capture traffic towards them-both without having control of such address blocks. From this intuition, we develop and evaluate a methodology for identifying unlikely to be used Internet address space and build a meta-telescope that has very desirable properties, such as broad coverage of dark space both in terms of size and topological placement. Such meta-telescope identifies and captures unsolicited traffic to more than 350k /24 blocks in more than 7k ASes. Through the analysis of background radiation towards these networks, we also highlight that unsolicited traffic differs by destination network/geographic region as well as by network type. Finally, we discuss our experience and challenges when operating a meta-telescope in the wild.@en