
Publication


Featured research published by AbdelRahman Abdou.


IEEE Transactions on Dependable and Secure Computing | 2017

CPV: Delay-Based Location Verification for the Internet

AbdelRahman Abdou; Ashraf Matrawy; P.C. van Oorschot

The number of location-aware services over the Internet continues growing. Some of these require the client’s geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g., by faking GPS coordinates or employing a non-local IP address through proxy and virtual private networks. We devise Client Presence Verification (CPV), a delay-based verification technique designed to verify an assertion about a device’s presence inside a prescribed geographic region. CPV does not identify devices by their IP addresses. Rather, the device’s location is corroborated in a novel way by leveraging geometric properties of triangles, which prevents an adversary from manipulating measured delays. To achieve high accuracy, CPV mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client’s participating device, and mines these delays for evidence supporting/refuting the asserted location. We evaluate CPV through detailed experiments on PlanetLab, exploring various factors that affect its efficacy, including the granularity of the verified location, and the verification time. Results highlight the potential of CPV for practical adoption.


Proceedings of the International Conference on Passwords | 2015

What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks

AbdelRahman Abdou; David Barrera; Paul C. van Oorschot

We report on what we believe to be the largest dataset (to date) of automated secure shell (SSH) bruteforce attacks. The dataset includes plaintext password guesses in addition to timing, source, and username details, which allows us to analyze attacker behaviour and dynamics (e.g., coordinated attacks and password dictionary sharing). Our methodology involves hosting six instrumented SSH servers in six cities. Over the course of a year, we recorded a total of ~17M login attempts originating from 112 different countries and over 6K distinct source IP addresses. We shed light on attacker behaviour, and based on our findings provide recommendations for SSH users and administrators.


IEEE Communications Letters | 2015

Taxing the Queue: Hindering Middleboxes From Unauthorized Large-Scale Traffic Relaying

AbdelRahman Abdou; Ashraf Matrawy; Paul C. van Oorschot

When employed by online content providers, access-control policies can be evaded whenever clients masquerade behind a middlebox (MB) that meets the policies. An MB, commonly being the gateway of a virtual private network (VPN), typically contacts the content provider on behalf of the clients it colludes with, and relays the provider's outbound traffic to those clients. We propose a solution to hinder MBs from unauthorized relaying of traffic to a large number of clients. To the best of our knowledge, this is the first work to address this problem. Our solution increases the cost of collusion by leveraging client puzzles in a novel way, and uses network properties to help the content provider detect if its outbound traffic is being further relayed beyond a transport-layer connection. Our evaluation shows that the number of colluding clients follows a hyperbolic decay with the rate of creation of puzzles and the time required to solve a puzzle (both factors are influenced by the content provider), but grows almost linearly with the MB's computational resources.


Communications and Networking Symposium | 2014

Location verification on the Internet: Towards enforcing location-aware access policies over Internet clients

AbdelRahman Abdou; Ashraf Matrawy; Paul C. van Oorschot

Over the Internet, location-sensitive content/service providers are those that employ location-aware authentication or location-aware access policies in order to prevent fraud, comply with media streaming licencing, regulate online gambling/voting, etc. An adversary can configure its device to fake geolocation information, such as GPS coordinates, and send this information to the location-sensitive provider. IP-address based geolocation is circumvented when the adversary's device employs a nonlocal IP address, which is easily achievable through third party proxy and Virtual Private Network providers. To address the issue that existing Internet geolocation techniques were not designed with adversaries in mind, we propose Client Presence Verification (CPV), a delay-based verification technique designed to verify an assertion about a device's presence inside a prescribed triangular geographic region. CPV does not identify devices by their IP addresses, thus hiding the IP does not evade it. Rather, the device's location is corroborated in a novel way by leveraging geometric properties of triangles, which prevents an adversary from manipulating the delay-sampling process to forge the location. To achieve high accuracy, CPV mitigates path asymmetry by introducing a new method to deduce one-way application-layer delays to/from the adversary's participating device, and mines these delays for evidence supporting/denying the asserted location. We implemented CPV, and conducted real world extensive experimental evaluation on PlanetLab. Our results to date show false reject and false accept rates of 2% and 1.1% respectively.


IEEE Communications Letters | 2015

Accurate One-Way Delay Estimation With Reduced Client Trustworthiness

AbdelRahman Abdou; Ashraf Matrawy; Paul C. van Oorschot

The requirement for accurate one-way delay (OWD) estimation led to the recent introduction of an algorithm enabling a server to estimate OWDs between itself and a client by cooperating with two other servers, requiring neither client-clock synchronization nor client trustworthiness in reporting one-way delays. We evaluate the algorithm by deriving the probability distribution of its absolute error and compare its accuracy with the well-known round-trip halving algorithm. While neither algorithm requires client trustworthiness nor client-clock synchronization, the analysis shows that the new algorithm is more accurate in many situations.


Computer and Communications Security | 2017

Accurate Manipulation of Delay-based Internet Geolocation

AbdelRahman Abdou; Ashraf Matrawy; Paul C. van Oorschot

Delay-based Internet geolocation techniques are repeatedly positioned as well suited for security-sensitive applications, e.g., location-based access control, and credit-card verification. We present new strategies enabling adversaries to accurately control the forged location. Evaluation showed that using the new strategies, adversaries could misrepresent their true locations by over 15000km, and in some cases within 100km of an intended geographic location. This work significantly improves the adversary's control in misrepresenting its location, directly refuting the appropriateness of current techniques for security-sensitive applications. We finally discuss countermeasures to mitigate such strategies.


arXiv: Cryptography and Security | 2017

Server Location Verification (SLV) and Server Location Pinning: Augmenting TLS Authentication

AbdelRahman Abdou; P.C. van Oorschot

We introduce the first known mechanism providing realtime server location verification. Its uses include enhancing server authentication by enabling browsers to automatically interpret server location information. We describe the design of this new measurement-based technique, Server Location Verification (SLV), and evaluate it using PlanetLab. We explain how SLV is compatible with the increasing trends of geographically distributed content dissemination over the Internet, without causing any new interoperability conflicts. Additionally, we introduce the notion of (verifiable) server location pinning (conceptually similar to certificate pinning) to support SLV, and evaluate their combined impact using a server-authentication evaluation framework. The results affirm the addition of new security benefits to the existing TLS-based authentication mechanisms. We implement SLV through a location verification service, the simplest version of which requires no server-side changes. We also implement a simple browser extension that interacts seamlessly with the verification infrastructure to obtain realtime server location-verification results.


International Journal of Information and Computer Security | 2017

A survey on forensic event reconstruction systems

Abes Dabir; AbdelRahman Abdou; Ashraf Matrawy

Security related incidents such as unauthorised system access, data tampering and theft have been noticeably rising. Tools such as firewalls, intrusion detection systems and anti-virus software strive to prevent these incidents. Since these tools only prevent an attack, once an illegal intrusion occurs, they cease to provide useful information beyond this point. Consequently, system administrators are interested in identifying the vulnerability in order to: 1) avoid future exploitation; 2) recover corrupted data; 3) present the attacker to law enforcement where possible. As such, forensic event reconstruction systems are used to provide the administrators with possible information. We present a survey on the current approaches towards forensic event reconstruction systems proposed over the past few years. Technical details are discussed, as well as analysis to their effectiveness, advantages and limitations. The presented tools are compared and assessed based on the primary principles that a forensic technique is expected to follow.


IEEE Communications Surveys and Tutorials | 2018

Comparative Analysis of Control Plane Security of SDN and Conventional Networks

AbdelRahman Abdou; Paul C. van Oorschot; Tao Wan


arXiv: Networking and Internet Architecture | 2017

A Framework and Comparative Analysis of Control Plane Security of SDN and Conventional Networks.

Tao Wan; AbdelRahman Abdou; Paul C. van Oorschot
