Detection of Security Incidents at Internet Exchange Points


Topic and Goals of the Project

The overall goal of X-Check (Cross-Check) is to improve the security of ICT systems by leveraging data from Internet Exchange Points (IXPs). X-Check designs and implements a system for the large-scale detection of (a) known security incidents and (b) novel, unconventional anomalies at central Internet nodes.

Point of Departure: Heterogeneous Attacks, Limited View

Most of today's information and communications systems communicate with each other via the Internet. This exposes them in two ways: (a) attackers use the Internet to spread attacks, and (b) attackers prevent communication by disrupting the Internet infrastructure itself. Threats at the network and application layers are omnipresent. For example, misconfigured backbone routers can redirect traffic (prefix hijacking), and well-established application protocols can be misused to overload a victim's network access (amplification attacks). Detecting such incidents requires selecting appropriate monitoring points, evaluating high volumes of data efficiently, and deploying protective protocols and system components.

X-Check aims to detect and prevent security incidents reliably by operating across multiple ISPs. State-of-the-art detection of network incidents is based on active and passive measurements that retrieve data from probes that are either closed and cooperating, or open and decoupled. So far, the potential of IXPs for large-scale anomaly detection has been neglected. IXPs are transit points for public network data and crucial components of the Internet infrastructure. They provide a holistic view beyond individual ISP boundaries and additionally offer an interface to the ISPs via their route servers. However, IXPs face two major challenges: (a) they must not compete with their members by deploying extra services; (b) they experience attacks similar to those on ISPs, but act as a vital multiplier. X-Check will not only design an observation method and assess the threat potential for IXPs, but also provide added value through techniques and tools that cannot be implemented by individual members.

Objective: Detection and Protection with the Aid of Internet Exchange Points

The three main objectives are as follows:

  1. Threat analysis for public network access points.
  2. Scalable real-time analysis of network incidents at IXPs.
  3. Development of open-source tools for the detection of security incidents.

The X-Check software components will be designed and implemented to detect anomalies with predictable, low latency. These components will scale dynamically from small to very large data sets, allowing resource-efficient use. Based on a preventive vulnerability and threat analysis, new services for the route-server infrastructure will be designed and implemented. Correlating event reports between several IXPs will improve the precision of incident detection.
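As an added illustration of the route-server-based detection and cross-IXP correlation described above (example code written for this page, not X-Check's own software): a minimal Python detector that compares BGP announcements observed at several route servers against a baseline of expected origin ASes, flags unexpected origins and more-specific announcements as prefix-hijack candidates, and raises confidence when the same unexpected origin is seen at more than one IXP. The `Update` record layout, the baseline, the sample announcements (documentation prefixes and ASNs) and the IXP labels are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    """One BGP announcement as seen at an IXP route server (simplified, assumed format)."""
    ixp: str        # which route server observed it
    prefix: str     # announced prefix, e.g. "198.51.100.0/25"
    as_path: tuple  # AS_PATH as received; the origin AS is the last element

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed baseline of expected origin ASes (documentation prefixes and ASNs).
# A real deployment would build this from RPKI ROAs, IRR route objects or learned
# announcement history; a set per prefix allows legitimate multi-origin prefixes.
BASELINE = {
    "192.0.2.0/24": {64496},
    "198.51.100.0/24": {64497},
    "203.0.113.0/24": {64498},
}

# Constructed sample updates from two route servers; not real IXP data.
SAMPLE_UPDATES = [
    Update("DE-CIX FRA", "192.0.2.0/24", (64500, 64496)),      # matches baseline
    Update("BCIX", "192.0.2.0/24", (64501, 64500, 64496)),     # matches baseline
    Update("DE-CIX FRA", "198.51.100.0/25", (64500, 64511)),   # more-specific, wrong origin
    Update("BCIX", "198.51.100.0/25", (64501, 64511)),         # same event at a second IXP
    Update("BCIX", "203.0.113.0/24", (64501, 64510)),          # origin change at one IXP only
    Update("DE-CIX FRA", "100.64.0.0/10", (64500, 64505)),     # no baseline entry: skipped
]


def covering_baseline(prefix: str, baseline: dict):
    """Return (network, expected_origins) of the most specific baseline entry covering prefix."""
    net = ipaddress.ip_network(prefix)
    best = None
    for bp, origins in baseline.items():
        bnet = ipaddress.ip_network(bp)
        if bnet.version == net.version and net.subnet_of(bnet):
            if best is None or bnet.prefixlen > best[0].prefixlen:
                best = (bnet, origins)
    return best


def classify(update: Update, baseline: dict):
    """Return None if the update agrees with the baseline, otherwise an alert dict."""
    hit = covering_baseline(update.prefix, baseline)
    if hit is None:
        return None  # unknown prefix: nothing to compare against
    bnet, expected = hit
    if update.origin_as in expected:
        return None
    net = ipaddress.ip_network(update.prefix)
    kind = "more-specific" if net.prefixlen > bnet.prefixlen else "origin-change"
    return {
        "kind": kind,
        "prefix": update.prefix,
        "origin_as": update.origin_as,
        "expected": sorted(expected),
        "covered_by": str(bnet),
    }


def correlate(updates, baseline: dict, min_ixps: int = 2):
    """Merge alerts for the same (prefix, origin) across IXPs.

    Confidence becomes "high" once at least min_ixps route servers report the same
    unexpected origin; a single-IXP observation may be a local misconfiguration or a
    legitimate change not yet reflected in the baseline.
    """
    ixps = defaultdict(set)
    details = {}
    for u in updates:
        alert = classify(u, baseline)
        if alert is None:
            continue
        key = (alert["prefix"], alert["origin_as"])
        ixps[key].add(u.ixp)
        details[key] = alert
    report = []
    for key, seen in sorted(ixps.items()):
        entry = dict(details[key])
        entry["ixps"] = sorted(seen)
        entry["confidence"] = "high" if len(seen) >= min_ixps else "low"
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in correlate(SAMPLE_UPDATES, BASELINE):
        print(entry)
```

Two caveats a practitioner would add before acting on such alerts: a route server only sees routes that members advertise to it (bilateral peering sessions across the IXP fabric bypass it), so the view is partial; and an origin change can be legitimate, so candidates should be checked against RPKI or IRR data before anyone is notified.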

X-Check explicitly pursues a community-driven approach. Innovative solutions are developed with real-world deployment scenarios in mind. The objectives will be realized in close cooperation with the largest IXPs in Germany (DE-CIX and BCIX) and a well-established IT security company (DFN-CERT). The solutions will be tested and refined in interregional field tests in Berlin, Frankfurt, Hamburg, and Munich.