RIPE NCC

Amsterdam, Netherlands

News Article | May 21, 2017
Site: www.prlog.org

Joint cooperation with MENOG & RIPE NCC to help further utilise DNSSEC in developing Saudi Internet Domain Name System


Dainotti A., University of Naples Federico II | Ammann R., Auckland University of Technology | Aben E., RIPE NCC | Claffy K.C., University of California at San Diego
Computer Communication Review | Year: 2012

Unsolicited one-way Internet traffic, also called Internet background radiation (IBR), has been used for years to study malicious activity on the Internet, including worms, DoS attacks, and scanning address space looking for vulnerabilities to exploit. We show how such traffic can also be used to analyze macroscopic Internet events that are unrelated to malware. We examine two phenomena: country-level censorship of Internet communications described in recent work [17], and natural disasters (two recent earthquakes). We introduce a new metric of local IBR activity based on the number of unique IP addresses per hour contributing to IBR. The advantage of this metric is that it is not affected by bursts of traffic from a few hosts. Although we have only scratched the surface, we are convinced that IBR traffic is an important building block for comprehensive monitoring, analysis, and possibly even detection of events unrelated to the IBR itself. In particular, IBR offers the opportunity to monitor the impact of events such as natural disasters on network infrastructure, and in particular reveals a view of events that is complementary to many existing measurement platforms based on (BGP) control-plane views or targeted active ICMP probing.


News Article | November 2, 2016
Site: motherboard.vice.com

For pretty much any crime involving the internet, often the first step in an investigation is trying to figure out who is behind an IP address. But, according to the FBI and other law enforcement agencies, there is a problem: often it's unclear which organisations are actually in a position to respond to legal orders for information, because of the way that IP addresses are distributed by internet service providers (ISPs). In response, several law enforcement agencies are pushing for a change in how WHOIS data, the basic contact information of who is affiliated with an IP address, is recorded. Although likely not a privacy risk, the move, which will probably come into effect sometime in 2017, still presents a significant shake-up in how ISPs retain information. In the most innocuous cases, this problem can just be a waste of time, but in others it can present an urgent dilemma, FBI Supervisory Special Agent Robert Flaim told Motherboard in a phone call. According to a presentation from Flaim and other staff from the DEA and the Royal Canadian Mounted Police (RCMP), one case involved the online sexual extortion of a young girl. Because the WHOIS information was inaccurate, it took three months before law enforcement found the right ISP, all the while the girl was continually victimised. The issue is that it can take several attempts for agencies, including public safety and law enforcement, to find the right ISP to serve that court order on, because of how IP addresses are handled and allocated down a long chain of companies and organisations. At the top sit the five Regional Internet Registries (RIRs) which manage the allocation of IP addresses within different parts of the world. There's ARIN, or the American Registry for Internet Numbers; LACNIC, or the Latin American and Caribbean Network Information Centre; and so on.
RIRs allocate IP addresses to different ISPs. Then these ISPs may pass on those IP addresses to more local ISPs or other services. It's these smaller organisations that are typically the issue. "As you continue to get further down the chain with sub-allocations, many are not putting that information in the WHOIS," Flaim told Motherboard. What this means, according to Flaim, is that agencies end up getting bounced from one ISP to another before they eventually find the right one to start the legal process with: law enforcement don't know exactly who will actually be able to help from the outset. "Sometimes it may be one layer down, sometimes it can be four, five," Flaim said. Sub-allocation of IP addresses and unreliable WHOIS information can also allow cybercriminals to hijack blocks of addresses, and send spam. So the FBI, DEA and RCMP have proposed a solution: each time an ISP sub-allocates some addresses, that is recorded in the WHOIS. This way, agencies won't have to go asking around trying to find the ISP that just happens to have this data. They can just go to whoever is actually handling the respective IP address. Most of the RIRs declined to comment for this story, but RIPE NCC, which handles IP addresses for Europe, was supportive of the proposed policy. "The RIPE NCC applauds law enforcement for approaching RIPE and the other Regional Internet Registry (RIR) communities to find a solution to this issue. Accurate WHOIS data is crucial to effective Internet operations as well as criminal investigations," Marco Hogewoning, External Relations Officer, Technical Advisor with the RIPE NCC, told Motherboard in a statement. According to Flaim, after each of the RIRs hold their spring 2017 meetings, and if the policy is accepted, which may only be slightly different for each region, it could come into effect by the end of next year.


Dainotti A., University of Naples Federico II | Squarcella C., Third University of Rome | Aben E., RIPE NCC | Claffy K.C., CAIDA UCSD | And 3 more authors.
Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC | Year: 2011

In the first months of 2011, Internet communications were disrupted in several North African countries in response to civilian protests and threats of civil war. In this paper we analyze episodes of these disruptions in two countries: Egypt and Libya. Our analysis relies on multiple sources of large-scale data already available to academic researchers: BGP interdomain routing control plane data; unsolicited data plane traffic to unassigned address space; active macroscopic traceroute measurements; RIR delegation files; and MaxMind's geolocation database. We used the latter two data sets to determine which IP address ranges were allocated to entities within each country, and then mapped these IP addresses of interest to BGP-announced address ranges (prefixes) and origin ASes using publicly available BGP data repositories in the U.S. and Europe. We then analyzed observable activity related to these sets of prefixes and ASes throughout the censorship episodes. Using both control plane and data plane data sets in combination allowed us to narrow down which forms of Internet access disruption were implemented in a given region over time. Among other insights, we detected what we believe were Libya's attempts to test firewall-based blocking before they executed more aggressive BGP-based disconnection. Our methodology could be used, and automated, to detect outages or similar macroscopically disruptive events in other geographic or topological regions. © 2011 ACM.


Dainotti A., University of California at San Diego | Squarcella C., Third University of Rome | Aben E., RIPE NCC | Claffy K.C., University of California at San Diego | And 3 more authors.
IEEE/ACM Transactions on Networking | Year: 2014

In the first months of 2011, Internet communications were disrupted in several North African countries in response to civilian protests and threats of civil war. In this paper, we analyze episodes of these disruptions in two countries: Egypt and Libya. Our analysis relies on multiple sources of large-scale data already available to academic researchers: BGP interdomain routing control plane data, unsolicited data plane traffic to unassigned address space, active macroscopic traceroute measurements, RIR delegation files, and MaxMind's geolocation database. We used the latter two data sets to determine which IP address ranges were allocated to entities within each country, and then mapped these IP addresses of interest to BGP-announced address ranges (prefixes) and origin autonomous systems (ASs) using publicly available BGP data repositories in the US and Europe. We then analyzed observable activity related to these sets of prefixes and ASs throughout the censorship episodes. Using both control plane and data plane data sets in combination allowed us to narrow down which forms of Internet access disruption were implemented in a given region over time. Among other insights, we detected what we believe were Libya's attempts to test firewall-based blocking before they executed more aggressive BGP-based disconnection. Our methodology could be used, and automated, to detect outages or similar macroscopically disruptive events in other geographic or topological regions. © 2014 IEEE.


Di Battista G., Third University of Rome | Squarcella C., Third University of Rome | Nagele W., RIPE NCC
Journal of Graph Algorithms and Applications | Year: 2012

We present a novel paradigm to visualize the evolution of the service provided by one of the most popular root name servers, called K-root, operated by the RIPE Network Coordination Centre (RIPE NCC) and distributed in several locations (instances) worldwide. Our approach can be used to either monitor what happened during a prescribed time interval or observe the status of the service in near real-time. We visualize how and when the clients of K-root migrate from one instance to another, how the workload associated with each instance changes over time, and what are the instances that contribute to offer the service to a selected Internet Service Provider. In addition, the visualization aims at distinguishing usual from unusual operational patterns. This helps not only to improve the quality of the service but also to spot security-related issues and to investigate unexpected routing changes.


Di Battista G., Third University of Rome | Squarcella C., Third University of Rome | Nagele W., RIPE NCC
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2012

We present a system that visualizes the evolution of the service provided by one of the most popular root name servers, called K-root, operated by the RIPE Network Coordination Centre (RIPE NCC) and distributed in several locations (instances) worldwide. The system can be used either to monitor what happened during a prescribed time interval or to observe the status of the service in near real-time. The system visualizes how and when the clients of K-root migrate from one instance to another, how the number of clients associated with each instance changes over time, and what are the instances that contribute to offer the service to a selected Internet Service Provider. In addition, the visualization aims at distinguishing usual from unusual operational patterns. This helps not only to improve the quality of the service but also to spot security-related issues and to investigate unexpected routing changes. © 2012 Springer-Verlag Berlin Heidelberg.


Fanou R., IMDEA Madrid Institute for Advanced Studies | Fanou R., Charles III University of Madrid | Francois P., Charles III University of Madrid | Aben E., RIPE NCC
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2015

With IP networking booming in Africa, promotion of BGP peering in the region emerges, and changes in the transit behavior of ISPs serving Africa are expected. However, little is known about the IP transit topology currently forming the African Internet. Enhancing the RIPE Atlas infrastructure, we evaluate the topology interconnecting ISPs based on the continent. We reveal a variety of ISP transit habits, depending on a range of factors such as the official language or the business profile of the ISP. We highlight the emergence of IXPs in Africa, evaluating its impact on end-to-end connectivity. Our results however emphasize the remaining dominance of ISPs based outside Africa, for the provision of intra-continental paths. We study the impact of this aspect on AS path length and end-to-end delay. Such results illustrate that performing measurements from a broad, diversified, range of vantage points is necessary to assess interdomain routing on the continent. © Springer International Publishing Switzerland 2015.


Dhamdhere A., University of California at San Diego | Luckie M., University of California at San Diego | Huffaker B., University of California at San Diego | Claffy K., University of California at San Diego | And 2 more authors.
Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC | Year: 2012

We use historical BGP data and recent active measurements to analyze trends in the growth, structure, dynamics and performance of the evolving IPv6 Internet, and compare them to the evolution of IPv4. We find that the IPv6 network is maturing, albeit slowly. While most core Internet transit providers have deployed IPv6, edge networks are lagging. Early IPv6 network deployment was stronger in Europe and the Asia-Pacific region, than in North America. Current IPv6 network deployment still shows the same pattern. The IPv6 topology is characterized by a single dominant player - Hurricane Electric - which appears in a large fraction of IPv6 AS paths, and is more dominant in IPv6 than the most dominant player in IPv4. Routing dynamics in the IPv6 topology are largely similar to those in IPv4, and churn in both networks grows at the same rate as the underlying topologies. Our measurements suggest that performance over IPv6 paths is comparable to that over IPv4 paths if the AS-level paths are the same, but can be much worse than IPv4 if the AS-level paths differ. © 2012 ACM.


Benson K., University of California at San Diego | Dainotti A., University of California at San Diego | Claffy K.C., University of California at San Diego | Aben E., RIPE NCC
2013 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2013 | Year: 2013

Internet Background Radiation (IBR) is unsolicited network traffic mostly generated by malicious software, e.g., worms, scans. In previous work, we extracted a signal from IBR traffic arriving at a large (/8) segment of unassigned IPv4 address space to identify large-scale disruptions of connectivity at an Autonomous System (AS) granularity, and used our technique to study episodes of government censorship and natural disasters [1]. Here we explore other IBR-derived metrics that may provide insights into the causes of macroscopic connectivity disruptions. We propose metrics indicating packet loss (e.g., due to link congestion) along a path from a specific AS to our observation point. We use three case studies to illustrate how our metrics can help identify packet loss characteristics of an outage. These metrics could be used in the diagnostic component of a semi-automated system for detecting and characterizing large-scale outages. © 2013 IEEE.
