Report Available! Modelling and identifying IP address space fragmentation pressure points

Despite exhaustion of the IPv4 address space commencing in 2011, the Internet has largely not transitioned to IPv6, and in fact the rate of IPv6 diffusion has recently begun to slow down (Huston, 2018).  The IPv6 transition is expected to take decades and hence problems stemming from issues the lack of scalability of IPv4 will continue to affect the Internet for many years to come.

Indeed, the number of allocated IPv4 address blocks continues to grow; this is enabled due to subdivision of existing allocations into multiple blocks, and is argued to allow un-used or under-utilised address space to be moved to other organisations with greater need.  The amount of address space which could potentially be reallocated in this way is substantial: the volume of routed IPv4 address space is considerably less than the total allocated IPv4 address space (Richter et al., 2015), suggesting that there is a considerable amount of un-used address space which could potentially be transferred to other network operators.

This typically involves partitioning existing IPv4 address blocks into smaller pieces and transferring some of those pieces to other operators.  In some cases operators re-number their networks to free up contiguous address space which is subsequently transferred; while this can result in more effective use of address space it also results in BGP routing table growth, one of the major scaling issues facing the Internet today (Gamba et al., 2017).  In other cases network operators could migrate whole networks from public to private address space and deploy NAT before transferring address space elsewhere.

Continuing the current practice of dividing address space into ever-smaller allocations while increasingly relying on NAT not only presents challenges for IPv6 diffusion efforts but will increasingly create ‘pressure points’ in economies or regions where allocations are smaller.  Further, it also increases the prevalence of layered NAT (sometimes dubbed ‘double NAT’), which can not only lead to a range of operational problems but which has security implications including the creation of attack points to be targeted by malicious parties and increasing the difficulty of identifying hosts involved in botnet activity (BITAG, 2012).  Nevertheless, there has been nothing to suggest that the practice will end in the foreseeable future.

There has been no modelling to identify economies or regions likely to be first affected by such pressure points, or for how long this practice can continue.  This project will develop a statistical model of the process, thus allowing countries at greatest risk to develop mitigation strategies, providing clarity to the Internet community, and providing stakeholders tasked with stimulating IPv6 diffusion with a better understanding of differences between different countries and economies.

The final report is available here.

Report Available! Collaborative Honeynet Threat Sharing Platform

With the continuous rise of cyber security threats, monitoring security potential threats and attacks become essential to plan for cyber defense. Honeypot, a decoy system designed to lure attackers, has been used to track and learn attacker’s behavior. Collecting attacker’s interactions with honeypot at different locations inside different organization’s premises provide useful and more complete picture of the landscape of current cyber security threats. The log of the attacks to the honeypots become an essential cyber security threat information that could be shared to many of the security incident analysts at different organizations to provide relevant and contextual threat intelligence. The goal of this project is to develop and implement a collaborative honeynet threat sharing platform that could collect, store, add contextual information pertaining to the threat and share these threat information to the relevant organization. This project continues on the previous year project with additional type of honeypots are being added to the collection of honeypot sensors. In addition, new type of threat categories, threat purpose and threat phases are added to define more fine-grained secure shell (ssh) attacks seen in our honeypots. With the new public dashboard is now ready for public view, our hope is more organizations in Indonesia as well as organizations in ASEAN countries would be interested to participate in the project in a collaborative effort to share and exchange threat information, which potentially could be used as a cyber defense platform for each of the participating organizations.

The project achieved the following objectives:

  1. Develop a collaborative repository platform for storing honeynet-based threat information. The project allows anyone or organization to participate in a community-based threat information sharing based on the honeynet system.  There are 4 honeypots currently implemented, i.e., cowrie, Dionaea, Elastichoney, and conpot.
  2. Redesign and develop a more robust repository and visualization platform that allows security analysts to add and enrich existing security threat information with the results of the analysis of the security events or objects related to the events. The robust repository platform utilized the cluster database of MongoDB while the visualization platform also uses cluster setup to distribute search tasks over cluster servers, improving overall user experience of using the platform.
  3. An enhanced platform that allows organizations to share and exchange security threat information with other organizations. The platform enables the threat information to be exchanged with the cyber security community through TAXII services in a standardized format or through open-source threat intelligence Malware Information Sharing Platform (MISP).

The project was lead by the Charles Lim, from Swiss German University (SGU) and builds on years of collaboration to support the Honeynet project Indonesia Chapter (IHP), in partnership with the Ministry of Communication and Informatics (KOMINFO) and Badan Siber & Sandi Negara (BSSN). It is also an expansion of a previous ISIF Asia grant allocated in 2019.

The final report is available here.