Institute of Distributed Systems
Our institute works on topics such as scalability, reliability, security and privacy, self-organization, and the manageability of complexity in distributed systems across a wide range of application scenarios, such as cloud computing or vehicle-to-vehicle communication.
In teaching, we cover the entire spectrum from computer networks, through distributed systems, to security and privacy protection.
Older news can be found in the archive.
Our Latest Publications
An SDN-based Approach For Defending Against Reflective DDoS Attacks
Proceedings of the 43rd IEEE Conference on Local Computer Networks
Abstract: Distributed Reflective Denial of Service (DRDoS) attacks are an imminent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent to the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.
Mitigation of Flooding and Slow DDoS Attacks in a Software-Defined Network
Proceedings of the 43rd IEEE Conference on Local Computer Networks (Demo Track)
Abstract: Distributed denial of service (DDoS) attacks are a constant threat to services in the Internet. This year, the record for the largest DDoS attack ever observed was set at 1.7 Tbps. Meanwhile, detection and mitigation mechanisms are still lagging behind. Many mitigation systems require the assistance of the victim, or the victim's administrator themselves has to become active to mitigate attacks. We introduced a system that can detect attacks, identify attackers, and mitigate the attacks purely within the network infrastructure. With the improved flexibility of software-defined networks, new possibilities to mitigate such attacks can be implemented. In addition to our short paper on the mitigation of reflective DDoS attacks at LCN 2018, we would also like to demonstrate our work on mitigating flooding attacks presented at LCN 2017 and our mitigation of slow DDoS attacks. In our demo, we show how these systems can be combined and how they work when faced with such different attacks.
An Evaluation of Pseudonym Changes for Vehicular Networks in Large-Scale, Realistic Traffic Scenarios
IEEE Transactions on Intelligent Transportation Systems, 19(10):3400--3405
Resource-Efficient State-Machine Replication with Multithreading and Vertical Scaling
Proc. of the 14th Eur. Dep. Comp. Conf. (EDCC)
Abstract: State-machine replication (SMR) enables transparent and delayless masking of node faults. It can tolerate crash faults and malicious misbehavior, but usually comes with high resource costs, not only by requiring multiple active replicas, but also by providing the replicas with enough resources for the expected peak load. This paper presents a vertical resource-scaling solution for SMR systems in virtualized environments, which can dynamically adapt the number of available cores to the current load. In similar approaches, the benefits of CPU core scaling are usually small due to the inherently sequential execution of SMR systems, which is required to achieve determinism. In our approach, we utilize sophisticated deterministic multithreading to avoid this bottleneck and experimentally demonstrate that core scaling then allows SMR systems to effectively tailor resources to service load, dramatically reducing service provider costs.
NEMESYS: Network Message Syntax Reverse Engineering by Analysis of the Intrinsic Structure of Individual Messages
12th USENIX Workshop on Offensive Technologies, WOOT 18, Baltimore, MD, USA, August 13-14, 2018
Publisher: USENIX Association
Abstract: Protocol reverse engineering based on traffic traces allows analyzing observable network messages. Thereby, message formats of unknown protocols can be inferred. We present a novel method to infer structure from network messages of binary protocols. The method derives field boundaries from the distribution of value changes throughout individual messages. None of the many previous approaches exploits features of structure which are contained within each single message. Our method exploits this intrinsic structure instead of comparing multiple messages with each other. We implement our approach in the tool NEMESYS: NEtwork Message SYntax analysiS. Additionally, we introduce the Format Match Score: the first quantitative measure of the quality of a message format inference. We apply the Format Match Score to NEMESYS and a previous approach and compare the results to mutually validate our new format inference method and the measure of its quality.