Spam/Phishing/Botnet Maps
=========================
A technique known as DNS cache snooping allows one to query any DNS server on the internet to determine whether a given hostname is in its cache (e.g. queried recently by a client). Using this information, it is possible to determine how widespread spam, phishing, and botnet infections are across the internet. Combined with Geo-IP data, very interesting maps can be generated showing affected areas of the world.

Appid Integration
=================
Current software such as ethereal/wireshark performs dissection of packet payloads based on UDP/TCP port numbers. This is obviously less than optimal, as software often utilizes non-standard ports. Arbor Networks is releasing Appid, a deep packet inspection (DPI) framework, which can identify application payloads based on signatures. Appid can be integrated into software such as wireshark to provide hints as to which protocol dissector to invoke.

Network Distance Using BGP
==========================
Simple distance metrics between network prefixes can be determined by analyzing BGP information available from public repositories such as Routeviews. Software libraries such as libbgpdump and pybgpdump can assist with the parsing of these BGP dumps.

AS Relationships Using BGP
==========================
Similarly, peering relationships between autonomous systems can be inferred using BGP data. Implementing the algorithms described in "On Inferring Autonomous System Relationships" can provide insight into current internet peering.

Aimject Protocol Additions
==========================
Aimject is a program that facilitates man-in-the-middle (MITM) attacks against AOL's Instant Messenger OSCAR protocol. This program can be easily extended to perform attacks on similar IM protocols such as Yahoo and MSN.
(More information at http://jon.oberheide.org/projects/aimject/)

Bayesian Passive TCP Fingerprinting
===================================
Current passive TCP fingerprinting (p0f) depends on strict rules-based matching. Due to manual tweaking of network stack parameters, tools such as p0f may fail to match a specific fingerprint and return no information. Utilizing Bayesian networks, a trained tool can adapt to such tweaks and provide a probabilistic answer.

ARP Spoofing Analysis
=====================
Operating systems respond to ARP spoofing attacks in different ways. Analyzing the behavior of numerous open/closed-source operating systems can be very beneficial when protecting a network from ARP spoofing attacks and developing new tools.

P2P Poisoning
=============
Widespread poisoning and forged search results are prevalent on P2P networks such as Limewire. Investigating the Limewire protocol and the malicious hosts responsible for these forged responses may lead to insightful results.

Network Fingerprinting
======================
Abnormalities in network characteristics may indicate improperly deployed honeypots and other network sensors. Developing reconnaissance tools to map networks and potential sensor deployments can lead to better techniques to resist attack fingerprinting.

Vulnerable Server Exploitation
==============================
Intentionally introduce security vulnerabilities into a network service and develop proof-of-concept exploits to subvert, crash, and gain code execution privileges. Practical experience in vulnerability discovery and exploitation techniques is a very important skill in order to write secure software.
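The DNS cache snooping property described under "Spam/Phishing/Botnet Maps" rests on a resolver answering queries that have the Recursion Desired (RD) bit cleared. The following is an added example, not code from the original page: a stdlib-only Python check that builds such a query and classifies the reply, so an operator can tell whether a resolver they run honours RD=0 and thereby exposes its cache state. The reply categories and the transaction id are assumptions chosen for the example.

```python
import socket
import struct

def build_snoop_query(hostname, txid=0x1234):
    """Build a DNS A query with the Recursion Desired (RD) bit cleared.
    A normal client query sets flags 0x0100; with RD=0 a resolver that
    honours the bit answers only from its cache, which is the property
    cache snooping relies on."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_snoop_response(resp, txid=0x1234):
    """Classify a resolver's reply to the RD=0 query (assumed categories):
    'refused'    - RCODE=5: the resolver rejects non-recursive queries,
                   so its cache contents cannot be probed this way;
    'cached'     - answer records returned without recursion, i.e. the
                   name was already in cache (cache state is exposed);
    'not-cached' - no answer records: the name was not in cache."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not (flags & 0x8000):  # wrong id or QR bit not set
        return "malformed"
    if (flags & 0x000F) == 5:
        return "refused"
    return "cached" if an > 0 else "not-cached"

def snoop(server, hostname, timeout=2.0):
    """Send the query over UDP/53 and classify the reply. Needs network
    access; intended for auditing whether a resolver you administer
    honours RD=0 and therefore exposes its cache state."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_snoop_query(hostname), (server, 53))
        resp, _ = s.recvfrom(512)
    return classify_snoop_response(resp)
```

A resolver that returns "refused" for RD=0 queries, or that is restricted to its own clients, does not leak cache contents in this way; "cached" results are what the mapping technique above aggregates.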