Researcher profile

Quirin Scheitle


Published work

4 published items

Preprint, 2020, arXiv

A Retrospective Analysis of User Exposure to (Illicit) Cryptocurrency Mining on the Web

In late 2017, a sudden proliferation of malicious JavaScript was reported on the Web: browser-based mining exploited the CPU time of website visitors to mine the cryptocurrency Monero. Several studies measured the deployment of such code and developed defenses. However, previous work did not establish how many users were really exposed to the identified mining sites and whether there was a real risk given common user browsing behavior. In this paper, we present a retroactive analysis to close this research gap. We pool large-scale, longitudinal data from several vantage points, gathered during the prime time of illicit cryptomining, to measure the impact on web users. We leverage data from passive traffic monitoring of university networks and a large European ISP, with suspected mining sites identified in previous active scans. We corroborate our results with data from a browser extension with a large user base that tracks site visits. We also monitor open HTTP proxies and the Tor network for malicious injection of code. We find that the risk for most Web users was always very low, much lower than what deployment scans suggested. Any exposure period was also very brief. However, we also identify a previously unknown and exploited attack vector on mobile devices.

Preprint, 2016, arXiv

Analyzing Locality of Mobile Messaging Traffic using the MATAdOR Framework

Mobile messaging services have gained a large share in global telecommunications. Unlike conventional services like phone calls, text messages or email, they do not feature a standardized environment enabling a federated and potentially local service architecture. We present an extensive and large-scale analysis of communication patterns for four popular mobile messaging services between 28 countries and analyze the locality of communication and the resulting impact on user privacy. We show that server architectures for mobile messaging services are highly centralized in single countries. This forces messages to drastically deviate from a direct communication path, enabling hosting and transfer countries to potentially intercept and censor traffic. To conduct this work, we developed a measurement framework to analyze traffic of such mobile messaging services. It allows conducting automated experiments with mobile messaging applications, is transparent to those applications and does not require any modifications to the applications.

Preprint, 2016, arXiv

Carrier-Grade Anomaly Detection Using Time-to-Live Header Information

Time-to-Live data in the IP header offers two interesting characteristics: First, different IP stacks pick different start TTL values. Second, each traversed router should decrement the TTL value. The combination of both offers host and route fingerprinting options. We present the first work to investigate Internet-wide TTL behavior at carrier scale and evaluate its fit to detect anomalies, predominantly spoofed source IP addresses. Using purpose-built software, we capture 2 weeks of raw TTL data at a 40 Gbit/s Internet uplink. For further insight, we actively measure observed hosts and conduct large-scale hitlist-based measurements, which yields three complementary data sets for IPv4 and IPv6. A majority (69% IPv4; 81% IPv6) of passively observed multi-packet hosts exhibit one stable TTL value. Active measurements on unstable hosts yield a stable anchor TTL value for more than 85% of responsive hosts. We develop a structure to further classify unstable hosts taking, for example, temporal stability into account. Correlation of TTL values with BGP data is clear, yet unpredictive. The results indicate that carrier-grade TTL anomaly detection can yield significant insights in the following categories: First, the method can flag anomalies based on TTL observations (yet likely at a difficult false positive/false negative trade-off). Second, the method can establish trust that a packet originates from its acclaimed source.

Preprint, 2016, arXiv

Scanning the IPv6 Internet: Towards a Comprehensive Hitlist

Active network measurements constitute an important part in gaining a better understanding of the Internet. Although IPv4-wide scans are now easily possible, random active probing is infeasible in the IPv6 Internet. Therefore, we propose a hybrid approach to generate a hitlist of IPv6 addresses for scanning: First, we extract IPv6 addresses from passive flow data. Second, we leverage publicly available resources such as rDNS data to gather further IPv6 addresses. Third, we conduct traceroute measurements from several vantage points to obtain additional addresses. We perform multiple active measurements on gathered IPv6 addresses and evaluate response rates over time. We extensively compare all IPv6 address sources. In total, we found 150M unique IPv6 addresses over the course of four weeks. Our hitlist covers 72% of announced prefixes and 84% of Autonomous Systems. Finally, we give concrete recommendations to maximize source efficiency for different scan types.