Your search keyword '"Dimitris Kalogeras"' showing total 7 results

1. Enabling Privacy-Aware Zone Exchanges Among Authoritative and Recursive DNS Servers

Author

Nikos Kostopoulos, Dimitris Kalogeras, and Vasilis Maglaris

Subjects

Schema (genetic algorithms), Information sensitivity, business.industry, Computer science, Domain Name System, Server, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Testbed, DNS spoofing, Bloom filter, business, Variety (cybernetics), Computer network

Abstract

We propose a privacy-aware schema that enables Authoritative DNS Servers to distribute their zones to third parties, e.g. Recursive DNS Servers or scrubbing services, without disclosing sensitive information. Therefore, DNS attack mitigation may be effectively accomplished at external vantage points, presumably closer to the attack sources than the Authoritative DNS Server. Our schema leverages on the space, time and privacy-enhancing properties of Cuckoo Filters to map zone names in an efficient manner, while permitting rapid name updates for large zones. The feasibility of our approach is tested via experiments within our laboratory testbed for a variety of DNS zones. Our evaluation intends to assess the privacy-awareness of our schema and its responsiveness to zone name changes. We conclude that our approach enables mapping of large DNS zones, while preserving privacy.

Published

2020

2. Leveraging on the XDP Framework for the Efficient Mitigation of Water Torture Attacks within Authoritative DNS Servers

Author

Vasilis Maglaris, Dimitris Kalogeras, and Nikos Kostopoulos

Subjects

business.industry, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, DNS zone, 020206 networking & telecommunications, Deep packet inspection, Linux kernel, Denial-of-service attack, 02 engineering and technology, Bloom filter, Blacklist, Server, 0202 electrical engineering, electronic engineering, information engineering, User space, 020201 artificial intelligence & image processing, business, Computer network

Abstract

In this paper we utilize XDP for DNS Deep Packet Inspection (DPI) in order to mitigate Water Torture attacks at the NIC driver level of Authoritative DNS Servers. Our approach may benefit DNS Administrators who wish to filter attack traffic within their DNS infrastructure and avoid the latency overhead and additional costs imposed by external cloud scrubbing services. Our schema does not depend on specialized hardware and does not blacklist entire domain name suffices, hence does not block legitimate requests. Packets are intercepted by XDP that identifies messages of DNS requests for further processing. Requested names are extracted from the message payload and categorized based on their validity. Valid names are forwarded to the user space to be resolved, whilst invalid ones are dropped within the Linux kernel at an early stage without downgrading the DNS service. Names are classified using Bloom Filters that map DNS zone contents in a memory efficient manner. These probabilistic data structures are free of false negatives and therefore valid DNS requests are never dropped. We provide a proof of concept setup to test our schema under a DDoS attack scenario and assess how mitigation performance is affected by DPI on DNS requests. Our experiments verify that using XDP significantly increases the throughput of valid DNS responses compared to user space alternatives. In conclusion, XDP emerges as a promising solution for the mitigation of Water Torture attacks against DNS servers.

Published

2020

3. A Privacy-Preserving Schema for the Detection and Collaborative Mitigation of DNS Water Torture Attacks in Cloud Infrastructures

Author

Adam Pavlidis, Marinos Dimolianis, Nikos Kostopoulos, Dimitris Kalogeras, and Vasilis Maglaris

Subjects

Computer science, business.industry, Domain Name System, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Probabilistic logic, Cloud computing, Bloom filter, Computer security, computer.software_genre, Data structure, Proof of concept, Server, Data center, business, computer

Abstract

This paper presents a privacy-preserving schema between Authoritative and Recursive DNS Servers for the efficient detection and collaborative mitigation of DNS Water Torture attacks in cloud environments. Monitoring data are harvested from the victim premises (Authoritative DNS Server and Data Center switches) to detect anomalies with DNS requester IPs classified as legitimate or suspicious. Subsequently, requests are forwarded or redirected for refined inspection to a filtering mechanism. Mitigation may be offered as a service either on-premises or via cloud scrubbing infrastructures. The proposed schema leverages on probabilistic data structures (Bloom Filters, Count-Min Sketches) and related algorithms (SymSpell) to meet time, space and privacy constraints required by cloud services. Notably, Bloom Filters are employed to map Resource Records of large DNS zones in a memory efficient manner; rapid name lookups are possible with zero false negatives and tolerable false positives. Our approach is tested via a proof of concept setup based on traces generated from publicly available DNS traffic datasets.

Published

2019

4. Policy-Based Management for Federation of Virtualized Infrastructures

Author

Maria Grammatikou, Dimitris Kalogeras, Yiannos Kryftis, and Vasilis Maglaris

Subjects

Service (systems architecture), Delegation, Computer Networks and Communications, Computer science, business.industry, Strategy and Management, media_common.quotation_subject, 020206 networking & telecommunications, Context (language use), Provisioning, Access control, 02 engineering and technology, Ontology (information science), Computer security, computer.software_genre, Hardware and Architecture, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, The Internet, business, computer, Policy-based management, Information Systems, media_common

Abstract

This paper presents Policy-based Federation (PBF) architecture for interworked Future Internet Virtualized Infrastructures (VIs). Each VI is an individually managed autonomous domain. Users may request slices of virtual resources across the federation, managed and controlled via inter-domain policies that abide by agreed upon federated SLAs. The key component of our PBF architecture is a Policy Service, which provides support for intra-domain policies (Obligation, Authorization, Role-Based Access Control) and for inter-domain Delegation policies. Delegation policies reserve resources in remote domains, update the number of resources exchanged, set alien domain obligations for cross-domain resource provisioning and define the exchange of internal domain information through the execution of remote semantic queries. Key to the architecture is the PBF Policy Ontology that specifies common federation concepts within the context of a user slice and the PBF services that trigger management actions. A prototype of the proposed architecture was developed and deployed in a European Future Internet federated testbed.

Published

2016

5. NFV-compliant Traffic Monitoring and Anomaly Detection based on Dispersed Vantage Points in Shared Network Infrastructures

Author

Giannis Sotiropoulos, Adam Pavlidis, Dimitris Kalogeras, Vasilis Maglaris, and Kostas Giotis

Subjects

Network Functions Virtualization, Process (engineering), Computer science, Analytics, business.industry, Visibility (geometry), Anomaly detection, Network monitoring, Architecture, business, Computer network

Abstract

In this paper we propose a monitoring architecture based on dispersed vantage points in networking infrastructures. Our framework offers on-demand network monitoring data and related analytics to users and/or organizations, considered as tenants of shared infrastructures. Measurements are collected from monitoring agents scattered in a legacy production network, offering authorized users (tenants and administrators) better visibility of events. Adhering to the NFV principles we implemented, deployed and orchestrated management-plane monitoring and anomaly detection services using Docker containers. Thus, our architecture enables users to process, analyze and visualize customized network monitoring data. The proposed architecture was shown to be well-suited for anomaly detection schemas by considering measurements gathered from centralized and localized vantage points within a network.

Published

2018

6. SaTPEP: A TCP Performance Enhancing Proxy for Satellite Links

Author

Dimitris Kalogeras, B. Maglaris, and Dimitris Velenis

Subjects

TCP acceleration, business.industry, Computer science, Transmission Control Protocol, Goodput, TCP tuning, TCP delayed acknowledgment, H-TCP, TCP global synchronization, TCP Friendly Rate Control, HSTCP, Zeta-TCP, Performance-enhancing proxy, business, Computer network

Abstract

Satellite link characteristics cause reduced performance in TCP data transfers. In this paper we present SaTPEP, a TCP Performance Enhancing Proxy which attempts to improve TCP performance by performing connection splitting. SaTPEP monitors the satellite link utilization, and assigns to connections window values that reflect the available bandwidth. Loss recovery is based on Negative Acknowledgements. The performance of SaTPEP is investigated in terms of goodput and fairness, through a series of simulation experiments. Results obtained in these experiments, show significant performance improvement in presence of available bandwidthand at higherror rates.

Published

2002

7. SaTPEP: A TCP Performance Enhancing Proxy for Satellite Links.

Author

Goos, G., Hartmanis, J., Leeuwen, J., Gregori, Enrico, Conti, Marco, Campbell, Andrew T., Omidyar, Guy, Zukerman, Moshe, Velenis, Dimitris, Kalogeras, Dimitris, and Maglaris, Basil

Abstract

Satellite link characteristics cause reduced performance in TCP data transfers. In this paper we present SaTPEP, a TCP Performance Enhancing Proxy which attempts to improve TCP performance by performing connection splitting. SaTPEP monitors the satellite link utilization, and assigns to connections window values that reflect the available bandwidth. Loss recovery is based on Negative Acknowledgements. The performance of SaTPEP is investigated in terms of goodput and fairness, through a series of simulation experiments. Results obtained in these experiments, show significant performance improvement in presence of available bandwidth and at high error rates. [ABSTRACT FROM AUTHOR]

Published

2006