Aiko Pras

University of Twente | UT · Department of Design and Analysis of Communication Systems (DACS)

PhD

265 publications
77,370 reads
4,557 citations
Citations since 2017: 38 research items, 2462 citations
Additional affiliations
September 1983 - present
University of Twente
Position
  • Professor (Full) Network Operations and Management

Publications (265)
Preprint
Attacks targeting network infrastructure devices pose a threat to the security of the internet. An attack targeting such devices can affect an entire autonomous system. In recent years, malware such as VPNFilter, Navidade, and SonarDNS has been used to compromise low-cost routers and commit all sorts of cybercrimes from DDoS attacks to ransomware d...
Preprint
On a regular basis, we read in the news about cyber-attacks on critical infrastructures, such as power plants. Such infrastructures rely on the so-called Industrial Control Systems (ICS) / Supervisory Control And Data Acquisition (SCADA) networks. By hacking the devices in such systems and networks, attackers may take over the control of critical i...
Article
Full-text available
Policy makers in regions such as Europe are increasingly concerned about the trustworthiness and sovereignty of the foundations of their digital economy, because it often depends on systems operated or manufactured elsewhere. To help curb this problem, we propose the novel notion of a responsible Internet, which provides higher degrees of trust and...
Preprint
Anycast routing is an area of study that has been attracting the interest of several researchers in recent years. Most anycast studies conducted in the past relied on coarse measurement data, mainly due to the lack of infrastructure where it is possible to test and collect data at the same time. In this paper we present Tangled, an anycast test environme...
Conference Paper
Full-text available
In this paper, we are the first to quantify the problem that infecting MikroTik devices would pose to the Internet. Based on more than 4 TB of data, we reveal more than 4 million MikroTik devices in the world. Then, we propose an easy-to-deploy MikroTik honeypot and collect more than 17 million packets, in 45 days, from sensors deployed in Austral...
Article
In 2009 Google launched its Public DNS service, which has since become the largest DNS service in existence. A common problem with public resolvers is that Content Delivery Networks (CDNs) struggle to map end user origin. The EDNS Client Subnet (ECS) extension allows resolvers to reveal part of a client’s IP to authoritative name servers, helping C...
Article
Reproducibility is one of the key characteristics of good science, but hard to achieve for experimental disciplines like Internet measurements and networked systems. This guide provides advice to researchers, particularly those new to the field, on designing experiments so that their work is more likely to be reproducible and to serve as a foundati...
Preprint
Reproducibility is one of the key characteristics of good science, but hard to achieve for experimental disciplines like Internet measurements and networked systems. This guide provides advice to researchers, particularly those new to the field, on designing experiments so that their work is more likely to be reproducible and to serve as a foundati...
Conference Paper
BGP blackholing is an operational countermeasure that builds upon the capabilities of BGP to achieve DoS mitigation. Although empirical evidence of blackholing activities is documented in literature, a clear understanding of how blackholing is used in practice when attacks occur is still missing. This paper presents a first joint look at DoS attac...
Conference Paper
Full-text available
In 2009 Google launched its Public DNS service, with its characteristic IP address 8.8.8.8. Since then, this service has grown to be the largest and most well-known DNS service in existence. The popularity of public DNS services has been disruptive for Content Delivery Networks (CDNs). CDNs rely on IP information to geo-locate clients. This no long...
Article
This article is a report of the IFIP AIMS 2016, which was held at Universität der Bundeswehr München, Germany from June 20 to June 23, 2016. AIMS 2016 focused on the theme “Management and Security in the Age of Hyperconnectivity”. The AIMS conference positions itself in the network management community as an educational venue for young researchers...
Article
Although the aggregated nature of exported flow data provides many advantages in terms of privacy and scalability, flow data may contain artifacts that impair data analysis. In this article, we investigate the differences between flow data analysis in theory and practice—that is, in lab environments and production networks.
Article
Network and service management is an established research field within the general area of computer networks. A few years ago, an initial taxonomy, organizing a comprehensive list of terms and topics, was established through interviews with experts from both industry and academia. This taxonomy has since been used to better partition standardizatio...
Article
The expansion of Distributed Denial of Service (DDoS)–for-hire websites, known as Booters, has radically modified both the scope and stakes of DDoS attacks. Until recently, however, Booters have only received little attention from the research community. Given their impact, addressing the challenges associated with this phenomenon is crucial. In th...
Article
Full-text available
The core architecture of current mobile networks does not scale well to cope with future traffic demands owing to its highly centralized composition. Typically, it is believed that decentralization of the network architecture would be a sustainable approach to deal with ever growing amount of mobile data traffic. Nevertheless, the decentralization...
Conference Paper
Full-text available
IP anycast provides DNS operators and CDNs with automatic fail-over and reduced latency by breaking the Internet into catchments, each served by a different anycast site. Unfortunately, understanding and predicting changes to catchments as anycast sites are added or removed has been challenging. Current tools such as RIPE Atlas or commercial equiva...
Article
Full-text available
In the early days of network and service management, researchers paid much attention to the design of management frameworks and protocols. Since then the focus of research has shifted from the development of management technologies towards the analysis of management data. From the five FCAPS areas, security of networks and services has become a key...
Article
This report summarizes a two and a half days Dagstuhl seminar on “Using Networks to Teach About Networks”. The seminar brought together people with mixed backgrounds in order to exchange experiences gained with different approaches to teach computer networking. Despite the obvious question of what to teach, special attention was given to the questi...
Conference Paper
Full-text available
With a vastly different header format, IPv6 introduces new vulnerabilities not possible in IPv4, potentially requiring new detection algorithms. While many attacks specific to IPv6 have proven to be possible and are described in the literature, no detection solutions for these attacks have been proposed. In this study we identify and characterise I...
Technical Report
Full-text available
IP anycast provides DNS operators and CDNs with automatic fail-over and reduced latency by breaking the Internet into catchments, each served by a different anycast site. Unfortunately, understanding and predicting changes to catchments as sites are added or removed has been challenging. Current tools such as RIPE Atlas or commercial equivalents m...
Conference Paper
The existing LTE network architecture does not scale well to increasing demands due to its highly centralized and hierarchical composition. In this paper we discuss the major modifications required in the current LTE network to realize a decentralized LTE architecture. Next, we develop two IP address mobility support schemes for this architecture....
Conference Paper
In this paper we discuss the major modifications required in the current LTE network to realize a decentralized LTE architecture and develop a novel IP mobility management solution for it. The proposed solution can handle traffic redirecting and IP address continuity above the distributed anchor points in a scalable and resource efficient manner. O...
Article
Purpose: This paper aims to examine whether there are morally defensible reasons for using or operating websites (called ‘booters’) that offer distributed denial-of-service (DDoS) attacks on a specified target to users for a price. Booters have been linked to some of the most powerful DDoS attacks in recent years. Design/methodology/approach: The au...
Conference Paper
Distributed Denial of Service (DDoS) attacks have become a daily problem in today's Internet. These attacks aim at overwhelming online services or network infrastructure. Some DDoS attacks explore open services to perform reflected and amplified attacks; and the DNS is one of the most (mis)used systems by attackers. This problem can be further aggra...
Article
Large network security companies often report websites, called Booters, that offer DDoS attacks as a paid service as the primary reason for the increase in occurrence and power of attacks. Although hundreds of active Booters exist today, only a handful of those that promoted massive attacks faced mitigation and prosecution actions. In this tutorial...
Conference Paper
Distributed Denial-of-Service (DDoS) attacks have steadily gained in popularity over the last decade, their intensity ranging from mere nuisance to severe. The increased number of attacks, combined with the loss of revenue for the targets, has given rise to a market for DDoS Protection Service (DPS) providers, to whom victims can outsource the clea...
Conference Paper
The location of data centres is crucial when mobile network operators are moving towards cloudified mobile networks to optimize resource utilization and to improve performance of services. Quality of Experience (QoE) can be enhanced in terms of content access latency, by placing user content at locations where they will be present in the future. Th...
Conference Paper
The expansion of Distributed Denial of Service (DDoS) for hire websites, known as Booters, has radically modified both the scope and stakes of DDoS attacks. Until recently, however, Booters have only received little attention from the research community. Given their impact, addressing the challenges associated with this phenomenon is crucial. In th...
Article
The domain name system (DNS) is a core Internet infrastructure that translates names to machine-readable information, such as IP addresses. Security flaws in DNS led to a major overhaul, with the introduction of the DNS security (DNSSEC) extensions. DNSSEC adds integrity and authenticity to the DNS using digital signatures. DNSSEC, however, has its...
Article
Full-text available
Network and service management has established itself as a research field in the general area of computer networks. However, up to now, no appropriate organization of the field has been carried out in terms of a comprehensive list of terms and topics. In this paper, we introduce a taxonomy for network and service management. With such a taxonomy,...
Conference Paper
Security event sharing is deemed of critical importance to counteract large-scale attacks at Internet service provider (ISP) networks as these attacks have become larger, more sophisticated and frequent. On the one hand, security event sharing is regarded to speed up organization’s mitigation and response capabilities. On the other hand, it is curr...
Conference Paper
Botnets are an enabler for many cyber-criminal activities and often responsible for DDoS attacks, banking fraud, cyber-espionage and extortion. Botnets are controlled by a botmaster that uses various advanced techniques to create, maintain and hide their complex and distributed C&C infrastructures. First, they use P2P techniques and domain fast-flu...
Book
This book constitutes the refereed proceedings of the 10th IFIP WG 6.6 International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2016, held in Munich, Germany, in June 2016. The 7 full papers presented together with 3 short papers were carefully reviewed and selected from 22 submissions. The volume also includes 9 paper...
Conference Paper
Full-text available
IP anycast is widely being used to distribute essential Internet services, such as DNS, across the globe. One of the main reasons for doing so is to increase the redundancy of the service and reduce the impacts of the growing threat of DDoS attacks. IP anycast can be further used to mitigate DDoS attacks by confining the attack traffic to certain...
Article
The domain name system (DNS) is a core component of the Internet. It performs the vital task of mapping human readable names into machine readable data (such as IP addresses, which hosts handle e-mail, and so on). The content of the DNS reveals a lot about the technical operations of a domain. Thus, studying the state of large parts of the DNS over...
Conference Paper
Full-text available
Dependable operation of the Internet is of crucial importance for our society. In recent years Distributed Denial of Service (DDoS) attacks have quickly become a major problem for the Internet. Most of these attacks are initiated by kids that target schools, ISPs, banks and web-shops; the Dutch NREN (SURFNet), for example, sees around 10 of such at...
Conference Paper
Since its initial proposal in 2008, OpenFlow has evolved to become today's main enabler of Software-Defined Networking. OpenFlow specifies operations for network forwarding devices and a communication protocol between data and control planes. Although not primarily designed as a traffic measurement tool, many works have proposed to use measured dat...
Article
Industrial control systems play a major role in the operation of critical infrastructure assets. Due to the polling mechanisms typically used to retrieve data from field devices, industrial control network traffic exhibits strong periodic patterns. This paper presents a novel approach that uses message repetition and timing information to automatic...
Article
Network and service management has established itself as a research field in the general area of computer networks. However, up to now, no appropriate organization of the field has been carried out in terms of a comprehensive list of terms and topics. In this paper, we introduce a taxonomy for network and service management. With such a taxonomy, i...
Conference Paper
Recently telecommunication industry benefits from infrastructure sharing, one of the most fundamental enablers of cloud computing, leading to emergence of the Mobile Virtual Network Operator (MVNO) concept. The most momentous intents by this approach are the support of on-demand provisioning and elasticity of virtualized mobile network components,...
Article
Full-text available
The Domain Name System Security Extensions (DNSSEC) add authenticity and integrity to the DNS, improving its security. Unfortunately, DNSSEC is not without problems. DNSSEC adds digital signatures to the DNS, significantly increasing the size of DNS responses. This means DNSSEC is more susceptible to packet fragmentation and makes DNSSEC an attrac...
Article
Link dimensioning is used by network operators to properly provision the capacity of their network links. Proposed methods for link dimensioning often require statistics, such as traffic variance, that need to be calculated from packet-level measurements. In practice, due to increasing traffic volume, operators deploy packet sampling techniques aim...
Article
Full-text available
The Domain Name System (DNS) is part of the core infrastructure of the Internet. Tracking changes in the DNS over time provides valuable information about the evolution of the Internet's infrastructure. Until now, only one large-scale approach to perform these kinds of measurements existed, passive DNS (pDNS). While pDNS is useful for applications...
Conference Paper
The ever increasing traffic demands and the current trend of network and services virtualization calls for effective approaches for optimal use of network resources. In the future Internet multiple virtual networks will coexist on top of the same physical infrastructure, and these will compete for bandwidth resources. Link dimensioning can support...
Article
Full-text available
Flow-based DDoS attack detection is typically performed by analysis applications that are installed on or close to a flow collector. Although this approach allows for easy deployment, it makes detection far from real-time and susceptible to DDoS attacks for the following reasons. First, the fact that the flow export process is timeout-based and tha...
Article
Full-text available
Over recent years, network-based attacks have become one of the top causes of network infrastructure and service outages. To counteract such attacks, an approach is to move mitigation from the target network to the networks of Internet Service Providers (ISP). However, it remains unclear to what extent countermeasures are set up and which mitigatio...
Article
Full-text available
Many types of brute-force attacks are known to exhibit a characteristic 'flat' behavior at the network-level, meaning that connections belonging to an attack feature a similar number of packets and bytes, and duration. Flat traffic usually results from repeating similar application-layer actions, such as login attempts in a brute-force attack. For...
Conference Paper
Full-text available
In 2012, the Dutch National Research and Education Network, SURFnet, observed a multitude of Distributed Denial of Service (DDoS) attacks against educational institutions. These attacks were effective enough to cause the online exams of hundreds of students to be cancelled. Surprisingly, these attacks were purchased by students from websites, known...
Conference Paper
Full-text available
A network path is a path that a packet takes to reach its target. However, determining the network path that a host uses to reach its target from the viewpoint of the latter is less trivial than it appears. Tools such as Traceroute allow the user to determine the path towards a target (i.e. the forward path), but not the path from the target to th...
Conference Paper
Full-text available
Networks are transitioning from IP version 4 to the new version 6. Fundamental differences in the protocols introduce new security challenges with varying levels of evidence. As enabling IPv6 in an existing network is often already challenging on the functional level, security aspects are overlooked, even those that are emphasized in literature. Re...
Article
Full-text available
HTTP Adaptive Streaming (HAS) is becoming the de-facto standard for adaptive streaming solutions. In HAS, a video is temporally split into segments which are encoded at different quality rates. The client can then autonomously decide, based on the current buffer filling and network conditions, which quality representation it will download. Each of...
Conference Paper
Full-text available
Currently most of the mobility management solutions rely on a centralized mobility anchor entity, which is in charge of both mobility-related control plane and user data forwarding. This makes mobility management prone to several performance limitations such as suboptimal routing, low scalability, potential single point of failure and the lack of g...
Article
Full-text available
Over the past five years we have witnessed the introduction of DNSSEC, a security extension to the DNS that relies on digital signatures. DNSSEC strengthens DNS by preventing attacks such as cache poisoning. However, a common argument against the deployment of DNSSEC is its potential for abuse in Distributed Denial of Service (DDoS) attacks, in par...
Article
Full-text available
Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided in whether an attack was successful. We address this shortcoming by presenting a detection...
Conference Paper
Full-text available
In mobile networks, efficient IP mobility management is a crucial issue for the mobile users changing their mobility anchor points during handover. In this regard several mobility management methods have been proposed. However, those are insufficient for the future mobile Internet in terms of scalability and resource utilization as they mostly foll...
Article
An important task for network operators is to properly dimension the capacity of their links. Often, this is done by simple rules of thumb based on coarse traffic measurements provided, e.g., by SNMP. More accurate estimations of the required link capacity typically require packet-level measurements, which are hard to implement in today’s high-spee...
Article
Full-text available
Analogous to the real world, sources of malicious activities on the Internet tend to be concentrated in certain networks instead of being evenly distributed. In this article we formally define and frame such areas as Internet Bad Neighborhoods. By extending the reputation of malicious IP addresses to their neighbors, the bad neighborhood approach u...
Conference Paper
Gaussian traffic models are widely used in the domain of network traffic modeling. The central assumption is that traffic aggregates are Gaussian distributed. Due to its importance, the Gaussian character of network traffic has been extensively assessed by researchers in the past years. In 2001, researchers showed that the property of Gaussianity c...
Conference Paper
Full-text available
As an outcome of a seminar on the ’Ethics in Data Sharing’, we sketch a model of best practice for sharing data in research. We illustrate this model with two current and timely real-life cases from the context of computer and network security.
Conference Paper
Full-text available
It is a known fact that malicious IP addresses are not evenly distributed over the IP addressing space. In this paper, we frame networks concentrating malicious addresses as bad neighborhoods. We propose a formal definition and show this concentration can be used to predict future attacks (new spamming sources, in our case), and propose an algorithm t...
Conference Paper
Full-text available
Malicious hosts tend to be concentrated in certain areas of the IP addressing space, forming the so-called Bad Neighborhoods. Knowledge about this concentration is valuable in predicting attacks from unseen IP addresses. This observation has been employed in previous works to filter out spam. In this paper, we focus on the temporal behavior of bad...
Article
Full-text available
Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows, rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as...
Article
Full-text available
The Domain Name System (DNS) provides a critical service on the Internet: translating host names into IP addresses. Traditional DNS does not provide guarantees about authenticity and origin integrity. DNSSEC, an extension to DNS, improves this by using cryptographic signatures, at the expense of larger response messages. Some of these larger respon...
Article
Supervisory control and data acquisition (SCADA) networks are commonly deployed in large industrial facilities. Modern SCADA networks are becoming more vulnerable to cyber attacks due to the common use of standard communications protocols and increased interconnections with corporate networks and the Internet. This paper describes an approach for i...