Active TLS Stack Fingerprinting: Characterizing TLS Server Deployments at Scale

by   Markus Sosnowski, et al.

Active measurements can be used to collect server characteristics on a large scale. This kind of metadata can help discovering hidden relations and commonalities among server deployments offering new possibilities to cluster and classify them. As an example, identifying a previously-unknown cybercriminal infrastructures can be a valuable source for cyber-threat intelligence. We propose herein an active measurement-based methodology for acquiring Transport Layer Security (TLS) metadata from servers and leverage it for their fingerprinting. Our fingerprints capture the characteristic behavior of the TLS stack primarily caused by the implementation, configuration, and hardware support of the underlying server. Using an empirical optimization strategy that maximizes information gain from every handshake to minimize measurement costs, we generated 10 general-purpose Client Hellos used as scanning probes to create a large database of TLS configurations used for classifying servers. We fingerprinted 28 million servers from the Alexa and Majestic toplists and two Command and Control (C2) blocklists over a period of 30 weeks with weekly snapshots as foundation for two long-term case studies: classification of Content Delivery Network and C2 servers. The proposed methodology shows a precision of more than 99 identification of new servers over time. This study describes a new opportunity for active measurements to provide valuable insights into the Internet that can be used in security-relevant use cases.


Characterizing and Modeling Distributed Training with Transient Cloud GPU Servers

Cloud GPU servers have become the de facto way for deep learning practit...

Client-side Active Measurements Without Application Control

Monitoring performance and availability are critical to operating succes...

Exploration of Enterprise Server Data to Assess Ease of Modeling System Behavior

Enterprise networks are one of the major targets for cyber attacks due t...

MetaSys: A Practical Open-Source Metadata Management System to Implement and Evaluate Cross-Layer Optimizations

This paper introduces the first open-source FPGA-based infrastructure, M...

Measuring I2P Censorship at a Global Scale

The prevalence of Internet censorship has prompted the creation of sever...

Short-Lived Forward-Secure Delegation for TLS

On today's Internet, combining the end-to-end security of TLS with Conte...

TimeWeaver: Opportunistic One Way Delay Measurement via NTP

One-way delay (OWD) between end hosts has important implications for Int...

Please sign up or login with your details

Forgot password? Click here to reset