You are here: Home > Publications > RIPE Labs > Security

Security

Adam Castle — Feb 24, 2014 05:02 PM
DNS Censorship (DNS Lies) As Seen By RIPE Atlas
DNS Censorship (DNS Lies) As Seen By RIPE Atlas
Stéphane Bortzmeyer — Dec 11, 2015 12:20 PM

More and more governments, authorities and courts are requesting censorship of Internet content. It is often done via a lying DNS resolver. Can we use RIPE Atlas probes to see it, and how?

Implementing DANE for RIPE NCC Websites
Implementing DANE for RIPE NCC Websites
Mihnea-Costin Grigore — Nov 19, 2015 09:40 AM

In September of this year, we activated DNS-based Authentication of Named Entities (DANE) for our main web services, including www.ripe.net, the LIR Portal, RIPE Atlas and RIPE Labs.

DNSSEC Algorithm Roll-over
Anand Buddhdev — Nov 06, 2015 02:55 PM

Rolling over the algorithm (usually to a stronger variant) used to sign a DNS zone isn't as easy as regular key roll-overs. This is because some DNSSEC validators are less forgiving than others, and fail validation unless the right combination of keys and signatures is present in a zone. This article describes our experiences with DNSSEC algorithm roll-over. We hope that our experience will help others who may be considering doing this.

Mapping the Internet Infrastructure in Serbia
Mapping the Internet Infrastructure in Serbia
Andrej Petrovski — Sep 22, 2015 12:30 PM

Through empirical research, SHARE Foundation created a map of the Internet in Serbia and analysed the implications network structure could have on Internet filtering. By visualising and analysing the structure and topology of individual Internet Service Providers in Serbia, we tried to determine how easy it would be to install filtering devices on these networks. This data was used to inform the government on the proposal of a new law. In addition, the output of this research can be used for different qualitative measurements of the network, such as bandwidth, IPv6 penetration and Internet throttling.

Delta-V Gets Take-off Speed
George Michaelson — Jul 16, 2015 02:41 PM

The adoption of the RPKI system is growing rapidly. To make sure the system scales, we’ve developed a new protocol that should drastically improve fetch times for RPKI repositories. This article explains how.

Enabling Data Compression in RIPE Atlas
Enabling Data Compression in RIPE Atlas
Daniel Quinn — Jun 17, 2015 02:55 PM

We’d like to enable gzip compression on all of RIPE Atlas' measurement API calls — but thanks to the BREACH vulnerability, doing so could mean that some enterprising individual with an obscene amount of time on their hands might be able read the contents of the responses. This means measurement results as well as metadata for measurements — including the small number of measurements not marked as “public”. We believe the drawbacks are negligible, but we’re looking for community support.

Will the SIDR Model Succeed where the IRR Model Failed?
Will the SIDR Model Succeed where the IRR Model Failed?
Cengiz Alaettinoglu — Jun 09, 2015 08:50 AM

In this post (originally published on the APNIC blog), Cengiz Alaettinoglou gives a brief overview and comparison of the IRR and SIDR security models and shares his thoughts about the chances for these models to succeed.

Quality of ROAs in RPKI Repositories
Quality of ROAs in RPKI Repositories
Daniele Iamartino — Mar 10, 2015 03:25 PM

RPKI.me is a website collecting statistics and information about objects in the RPKI repositories. The web page shows some of the most problematic ROAs present and suggests possible fixes.

Introducing ENISA: Securing European Networks
Rossella Mattioli — Mar 03, 2015 01:45 PM

ENISA, the European Union Agency for Network & Information Security, is an independent body of expertise, set up by the European Union, to secure Europe’s information society. It was founded in 2004 to facilitate the exchange of information between EU institutions, the public and the private sector. The goal is to work together with operational communities to identify pragmatic solutions to current security issues. In this first article, we have asked ENISA to introduce themselves and highlight some of their activities that could be of interest to the RIPE community.

Stopping Support for Internet Explorer 8 on Windows XP in RIPE Atlas and RIPEstat
Robert Kisteleki — Feb 24, 2015 10:55 AM

Microsoft ended support for Windows XP as of April 2014. We're about to change RIPE Atlas and RIPEstat to stop support for Internet Explorer 8 running on these systems.

Survey on Internet Routing Security
Survey on Internet Routing Security
Sebastian Abt — Dec 17, 2014 02:20 PM

This is a call for participation in a survey on Internet Routing Security. The survey runs until 9 January 2015 and will only take a few minutes.

Call for Input: RPKI Browser
Call for Input: RPKI Browser
Matthias Wählisch — Nov 27, 2014 05:00 PM

The RPKI Browser is a graphical user interface to the objects of the distributed RPKI repository. The development is at very early stage. In this article, we ask for external input in terms of use cases, features etc.

Who's Watching
Who's Watching
Geoff Huston — Nov 13, 2014 10:45 AM

Much has been said over the pasts year or so about various forms of cyber spying. The United States has accused the Chinese of cyber espionage and stealing industrial secrets. A former contractor to the United States' NSA, Edward Snowden, has accused various US intelligence agencies of systematic examination of activity on various popular social network services, through a program called “PRISM”. These days cloud services may be all the vogue, but there is also an emerging understanding that once your data heads off into one of these clouds, then it’s no longer necessarily entirely your data; it may have become somebody else's data too.

ECDSA and DNSSEC
ECDSA and DNSSEC
Geoff Huston — Nov 11, 2014 09:35 AM

Yes, that's a cryptic topic, even for an article that addresses matters of the use of cryptographic algorithms, so congratulations for getting even this far! This is a report of an experiment conducted in September and October 2014 by the authors to measure the extent to which deployed DNSSEC-validating resolvers fully support the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) with curve P-256.

Privacy and Security - Five Objectives
Geoff Huston — Nov 06, 2014 10:50 AM

It has been a very busy period in the domain of computer security. With "shellshock", "heartbleed" and NTP monlink adding to the background of open DNS resolvers, port 445 viral nasties, SYN attacks and other forms of vulnerability exploits, it's getting very hard to see the forest for the trees. We are spending large amounts of resources in reacting to various vulnerabilities and attempting to mitigate individual network attacks, but are we making overall progress? What activities would constitute "progress" anyway?

Secure Internet Routing with RPKI
Secure Internet Routing with RPKI
Remy de Boer — Oct 30, 2014 04:15 PM

Last week we improved the security of our routing infrastructure by implementing RPKI (Resource Public Key Infrastructure), a technology that can be used to secure the Internet routing infrastructure. RPKI was the topic of my Master's thesis and in this article I am trying to convince you to use this important technology for a more secure Internet.

SSHCure: SSH Intrusion Detection Using NetFlow and IPFIX
SSHCure: SSH Intrusion Detection Using NetFlow and IPFIX
Luuk Hendriks — Jun 05, 2014 11:30 AM

SSHCure is an Intrusion Detection System for SSH, developed at the University of Twente. It allows analysing large amounts of flow data and is the first IDS capable of identifying actual compromises. Being deployed in various networks, ranging from small Web-hosting companies to nation-wide backbone networks, SSHCure has proven to be a stable system in high-speed networks.

Better Crypto - Applied Cryptography Hardening
Better Crypto - Applied Cryptography Hardening
Aaron Kaplan — May 22, 2014 11:35 AM

This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.). It was presented at the recent RIPE 68 Meeting in Warsaw. For those of you who couldn't attend the meeting, here is summary of the talk.

Survey on Mitigation and Response of Network Attacks
Survey on Mitigation and Response of Network Attacks
Jessica Steinberger — May 21, 2014 11:40 AM

Network-based attacks pose a strong threat to the Internet landscape. In my PhD I am investigating different approaches on attack mitigation and response. Yet, a clear understanding of how mitigation and response is performed in commercial networks is missing. Hence, this survey aims at gaining insight in real-world processes, structures and capabilities of IT companies and the computer networks they run.

Report on IPv6 Security Test Methodology
Geert Jan de Groot — Apr 09, 2014 10:00 AM

The Dutch Institute for Applied Scientific Research (TNO) and a number of Dutch security companies have recently published a report on IPv6 security test methodologies.

Document Actions