Projects

Email

DKIM Test

Use this web tool to test the DKIM signing of your MTA by sending a test email.

Domain Name System

NSEC3 Hash Breaker

nsec3breaker breaks the NSEC3 hashes used by DNSSEC-signed zones and was the first public GPU-based NSEC3 hash crawler and hash breaker. Using a GPU is two orders of magnitude faster than a CPU. nsec3breaker was used in 2015 and 2017 in an Internet survey to provide the first complete quantification of DNSSEC-signed second-level domains. Be aware that the tools have not been tailored for user-friendly usage.
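To make clear what the tool above is working against, here is the NSEC3 hash computation itself as defined in RFC 5155 (hash algorithm 1, SHA-1, iterated over the owner name in canonical wire format with the salt appended). This is an added example, not code from nsec3breaker; a zone operator can use it to compute the NSEC3 owner name of a record in their own zone and to see why every extra iteration is only one more SHA-1 call. Names, salt and iteration count in the comments are constructed sample values.

```python
import base64
import hashlib

# NSEC3 encodes hashes in base32 with the "extended hex" alphabet (RFC 4648
# section 7) so that hashed owner names sort in the same order as raw hashes.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX32 = str.maketrans(_B32_STD, _B32_HEX)


def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2):
    lowercase, uncompressed, length-prefixed labels, terminating zero byte."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("invalid label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """NSEC3 hashed owner name per RFC 5155 section 5 with SHA-1:
    IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt)."""
    # In presentation format an empty salt is written as "-".
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # The 20-byte SHA-1 output is exactly 32 base32 characters, no padding.
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX32).lower()


def nsec3_owner_name(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """The owner name under which the NSEC3 record for `name` appears in `zone`."""
    return "%s.%s" % (nsec3_hash(name, salt_hex, iterations), zone.rstrip("."))


if __name__ == "__main__":
    # Constructed sample parameters (not taken from any real zone).
    print(nsec3_owner_name("www.example.com", "example.com", "aabbccdd", 12))
```

The hash is not keyed: the salt and iteration count are published in the zone's NSEC3PARAM record, so anyone who can read the zone's parameters can compute hashes for candidate names at the same cost as the signer. Checking your own zone's parameters with this function, and keeping the iteration count low as the zone software recommends, is the practical use of the calculation.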

DNSSEC Validation

The DNSSEC resolver test is a web-based tool that checks whether your name lookups are protected by DNSSEC. It was created in 2012 to determine the adoption of DNSSEC validation in the web and resulted in the first academic publication on this topic. It is still running and collecting data, which I’m hoping to evaluate in a future longitudinal study.

DNS Censorship

DNS injection is a DNS spoofing method used by Chinese ISPs to block access to foreign websites. Internet measurements performed to analyze the global visibility of DNS injection from outside China also led to the discovery of globally visible DNS injection by Iranian ISPs. As the measurements coincided with the election of President Hassan Rouhani, the data showed some indecisiveness about the blocking of social media in Iran.

Reassemble DNS Messages from PCAP

reassemble_dns is a Python 2.7 tool that extracts DNS messages from .pcap files. It supports IPv4/IPv6, IP fragmentation, TCP and UDP, and writes a binary stream of reassembled DNS messages, which you can process without worrying about TCP/IP reassembly. This is also a useful method to reduce the size of your .pcap files.
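The part of this job that trips up ad-hoc pcap scripts is DNS over TCP: each message is preceded by a 2-byte big-endian length (RFC 1035 section 4.2.2), one message may straddle several segments, and one segment may carry several messages. The following is an added example in current Python 3, not the code of reassemble_dns; it shows a stateful framer that turns an already reassembled TCP byte stream into individual DNS messages, with a constructed sample query. It assumes the same length-prefixed framing for the output stream, which the tool's own output format may not use.

```python
import struct


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal DNS query (flags RD, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes):
    """Return (id, flags, qdcount, ancount, nscount, arcount) of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    return struct.unpack("!HHHHHH", msg[:12])


class DnsTcpFramer:
    """Splits one direction of a reassembled TCP stream into DNS messages.
    State is kept between feed() calls so that a message split across
    segments is returned once its final bytes arrive."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        messages = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack("!H", self._buf[:2])
            if len(self._buf) < 2 + length:
                break  # wait for the rest of this message
            messages.append(self._buf[2:2 + length])
            self._buf = self._buf[2 + length:]
        return messages

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete message."""
        return len(self._buf)


def frame_tcp(messages) -> bytes:
    """Length-prefix messages as they appear on the wire over TCP. The same
    framing is assumed here for the binary output stream (an assumption)."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)


def split_stream(data: bytes) -> list:
    """Split a complete stream; a trailing partial message means the capture
    was truncated, which is worth reporting rather than silently dropping."""
    framer = DnsTcpFramer()
    messages = framer.feed(data)
    if framer.pending():
        raise ValueError("truncated DNS message at end of stream")
    return messages


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    for m in split_stream(frame_tcp([q, q])):
        print(parse_header(m))
```

UDP needs none of this: each datagram carries exactly one message, so its payload can be written to the output stream as-is. Feeding the framer per TCP direction (client to server and server to client separately) is what keeps queries and responses from being interleaved in the buffer.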

Traffic Analysis

I’ve captured Internet traffic from about 90 unused IPv4 addresses for several years. The IP addresses had been in active use before, which led to effects like BitTorrent swarms attempting to connect to them.

A generic TCP honeypot server (universe.py) was used for accepting incoming connections and reading TCP payload. Other than that, the subnet was listening passively while tcpdump was capturing traffic. My students Patrick Schumacher (2013) and Jan-Frederik Zaeske (2017) analyzed the .pcap data.

A use case for this type of measurement is the analysis of botnet activity like the Mirai botnet, which appeared in November 2016. Mirai exploited a remote code execution security flaw in the implementation of TR-069 remote management in broadband routers. With the captured TCP payload, we can retrospectively analyze the commands injected by Mirai. By plotting a timeline of activity (animation), we notice that the security flaw was scanned for from US hosts about one week before Mirai became active. Anyone who detected this early activity would have had a head start and could have taken defensive measures before the botnet hit them.

Anonymize PCAP

anonymize-pcap anonymizes IPv4, IPv6 and MAC addresses in .pcap files. MAC addresses are replaced with zeros. IP addresses from given address prefixes are replaced either with a password-keyed HMAC or with an irreversible first-seen mapping.
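The two substitution methods have different properties, which is why a tool offers both: a keyed HMAC gives the same pseudonym for the same address across files and runs (as long as the key is kept), while a first-seen mapping numbers addresses in the order they appear and is irreversible once the run ends because the table is never written anywhere. This added example (not the code of anonymize-pcap) implements both over the address fields only, leaving the pcap read/write to whatever packet library is in use; the choice of HMAC-SHA256 truncated to the address size and the form of the first-seen substitute (the counter written into an address of the same family) are assumptions, and the prefixes and key in the demo are constructed values.

```python
import hashlib
import hmac
import ipaddress


class IpAnonymizer:
    """Pseudonymize addresses inside the given prefixes; all others pass
    through unchanged so that, e.g., the scanners you are studying keep
    their real addresses while your own netblock is hidden."""

    def __init__(self, prefixes, key=None):
        self._nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
        self._key = key          # None selects the first-seen mode
        self._seen = {}          # in-memory only; never persisted

    def _in_scope(self, ip) -> bool:
        # Membership across families (v4 address in a v6 network) is False.
        return any(ip in net for net in self._nets)

    def anonymize(self, addr: str) -> str:
        ip = ipaddress.ip_address(addr)
        if not self._in_scope(ip):
            return str(ip)
        size = len(ip.packed)    # 4 bytes for IPv4, 16 for IPv6
        if self._key is not None:
            # Keyed mode: HMAC over the packed address, truncated to the
            # address size (assumption). Without the key the mapping cannot be
            # recomputed; truncation to 32 bits for IPv4 can collide rarely.
            digest = hmac.new(self._key, ip.packed, hashlib.sha256).digest()
            return str(ipaddress.ip_address(digest[:size]))
        if ip not in self._seen:
            # First-seen mode: substitute is the counter as an address of the
            # same family (0.0.0.1, 0.0.0.2, ...), an assumed convention that
            # keeps the rewritten capture parseable by ordinary tools.
            self._seen[ip] = len(self._seen) + 1
        return str(ipaddress.ip_address(self._seen[ip].to_bytes(size, "big")))


ZERO_MAC = "00:00:00:00:00:00"


def anonymize_mac(mac: str) -> str:
    """MAC addresses are replaced with zeros, matching the page's description."""
    return ZERO_MAC


if __name__ == "__main__":
    # Constructed demo: a documentation prefix and a constructed key.
    keyed = IpAnonymizer(["192.0.2.0/24", "2001:db8::/32"], key=b"constructed-key")
    for a in ("192.0.2.1", "192.0.2.1", "192.0.2.2", "198.51.100.5", "2001:db8::1"):
        print(a, "->", keyed.anonymize(a))
    first_seen = IpAnonymizer(["192.0.2.0/24"])
    for a in ("192.0.2.9", "192.0.2.7", "192.0.2.9"):
        print(a, "->", first_seen.anonymize(a))
    print(anonymize_mac("00:11:22:33:44:55"))
```

Note that the keyed mode is only as irreversible as the key: with a weak password and a small address space, the pseudonyms can be matched back to addresses by recomputing the HMAC, so the key should be random and handled like any other secret. Rewriting addresses also invalidates IP and transport checksums in the capture, so the packet writer has to recompute them if downstream tools verify checksums.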