SNE Master Research Projects 2016 - 2017

Contact TimeLine Projects LeftOver Projects Presentations-rp1 Presentations-rp2 Objective Process Tips Project Proposal


Cees de Laat, room: C.3.152, and the OS3 staff.
Course Codes:

Research Project 1 MSNRP1-6 53841REP6Y
Networking Research Project 2 MSN2NRP6 53842NRP6Y
Security Research Project 2 MSN2FRP6 53842SRP6Y


RP1 (January):
  • Wednesday Sep 21, 2016, 10h15-13h00: Introduction to the Research Projects.
  • Wednesday Nov 02, 2016, 10h15-13h00: Detailed discussion on chosen subjects for RP1.
  • Monday Jan 9th - Friday Feb 3th 2017: Research Project 1.
  • Friday Jan 13th: (updated) research plan due.
  • Monday Jan 23, 16h00, progress meeting (not mandatory).
  • Monday Feb 6, 2017 13h00-17h00: Presentations RP1 in B1.23 at SP 904.
  • Tuesday Feb 7, 2017 10h00 - 17h00: Presentations RP1 in B1.23 at SP 904.
  • Sunday Feb 12th 24h00: RP1 - reports due
RP2 (June):
  • Wednesday May 10, 2017, 10h15-12h15, B1.23 Detailed discussion on chosen subjects for RP2.
  • Tuesday May 23, 2017, 16h00-17h00, B1.23 Detailed discussion on chosen subjects for RP2.
  • Tuesday Jun 6th - Friday Jun 30, 2017: Research Project 2.
  • Friday Jun 9th: (updated) research plan due.
  • Monday Jun 19, 16h00 progress meeting (not mandatory).
  • Monday Jul 3 2017, 13h00-17h00: presentations in C0.110 @ SP904.
  • Tuesday Jul 4 2017, 13h00-17h00: presentations in C0.110 @ SP904.
  • Sunday July 9th 24h00 2017: RP2 - reports due.


Here is a list of student projects. Find here the left over projects this year: LeftOvers.
In a futile attempt to prevent spam "@" is replaced by "=>" in the table.
Color of cell background:
Project available Presentation received. Confidentiality was requested.
Currently chosen project. Report received. Blocked, not available.
Project plan received. Completed project. Report but no presentation
Outside normal rp timeframe


supervisor contact



Thinking in possibilities for federated Log Out.

SURFnet runs a federated infrastructure for Single Sign On for the higher education and research community, called 0SURFconext. This uses the SAML 2.0 protocol over HTTP to provide access to hundreds of web-based cloudservices using your university account. Currently about 400.000 logins are processed daily.

Single Sign On is very convenient for users, but in contrast Single Sign Off has been a troublesome topic. The SAML standard has a provision called Single Log Out, but this is so complicated that it does not work in practice. Federations seem to have given up on the topic as "impossible", but users understandably want to be able to log out to services they have logged into. We would like to start from a positive approach: what techniques can we think of that *are* possible, and might they solve (at least part of) the problem?

The project aims to identify possible approaches to this problem, create a report with their pros and cons and a recommendation; and potentially implement a proof of concept of the most promising one. Basic knowledge of HTTP is required, prior experience with federated authentication is not necessary.
Thijs Kinkhorst <thijs.kinkhorst=>>
Joost van Dijk <joost.vandijk=>>

Marcel den Reijer <Marcel.denReijer=>>
Fouad Makioui <Fouad.Makioui=>>


Measuring Performance Overhead of Trans-encrypting HTTP Adaptive Streaming.

Common encryption (CE) and digital right management (DRM) are solutions used by the content industry to control the delivery of digital content, in particular streaming video. Whereas DRM focusses on securely getting a CE key to a trusted piece of user equipment, trans-encryption has been suggested as a technical alternative. Transencryption transforms the encryption of content without decrypting it. So encrypted content that can be decrypted with private key A is transformed into encrypted content that can be decrypted with private key B. This solution enables a content provider to outsource the transencryption of a piece of content to an untrusted third party in order to get the content cryptographically targeted to a single specific piece of user equipment.

In this project, you will investigate the technical viability of transencrypting streaming video by building an implementation. Your implementation should answer the following questions for at least the implemented configuration.
· Is it possible to implement transencryption on commercial-of-the-shelff computer equipment?
· Can the implementation handle transencryption of streaming video of 2 Mb/s?

Oskar van Deventer <oskar.vandeventer=>>
Abe Wiersma <Abe.Wiersma=>>


Extending the range of NFC capable devices.

Recently it has been shown that default and widely available Android devices can be used to effectively perform relay attacks on contact less payments (EMV Contact less). However, these attacks are obviously limited by the maximum range an Android device can read a bank card from a wallet or pocket. As of now, there does not seem to be a business case for large scale fraud as the range is typically limited to 5 cm. Improvements in the range, however, drastically change the business case and make relay attack fraud much more profitable. Reports from a laboratory show that a range up to 28 cm is possible. Another paper reports a simulated antenna with a range up to 55 cm. Students can research what the practical limit is, and what resources are needed to extend the range of NFC capable devices.
Jordi van den Breekel <vandenBreekel.Jordi=>>
Jarno van de Moosdijk <vandeMoosdijk.Jarno=>>

Sandino Moeniralam <Sandino.Moeniralam=>>
Bart Hermans <Bart.Hermans=>>


Automatic comparison of photo response non uniformity (PRNU) on Youtube.

In recent years a lot of research has been done in the field of Photo Response Non Uniformity (PRNU). PRNU refers to the non uniformity of pixels in photo sensors of digital cameras. Each sensor has small defects causing certain pixels to be darker or lighter then others. This can be used to determine a unique fingerprint for each digital camera. Re- search has shown that PRNU patters can be used to prove if a photo or video was made with a cer- tain camera. We are now interested in a tool to match the PRNU of larger amounts of YouTube videos against reference material from a suspect camera. This project will focus on automating the PRNU extraction from YouTube videos and com- paring them against a reference video file. The software for PRNU extraction and comparison is available at NFI, however the question is how can large numbers of video files from YouTube be pro- cessed based on this method and the amount of data transferred limited.

Goal :
  • This project would like to compare the different files available on Youtube and compare the PRNU patterns in a fast way.
Approach :
  • The software for PRNU extraction and comparison is available at NFI, however the question is how we can process large numbers of video files from Youtube based on this method and limit the amount of data transferred
Result :
  • Report and demonstrator for this approach
  • code
Zeno Geradts (DT) <zeno=>>

Marcel Brouwers <Marcel.Brouwers=>>
Rahaf Mousa <rahaf.mousa=>>


Building an IPS solution for inline usage during Red Teaming.

Repurposing defensive technologies for offensive Red Team operations.

Abstract: Customize an existing IDS sensor device in a way that can be used as an IDS/IPS during Red Teaming Operations inline between the attackers (red team) and the client's network (defensive team), that will pre-emptively alert and block known attack patterns used by the RTO. Additionally the device should monitor potential scans performed by the defensive team and targeting the attacker (red team) systems, for example to fingerprint the attackers (red team). Signatures that you should think of are ones to detect man-in-the-middle attacks, port scans and commonly used attacks such as PSEXEC/WMIEXEC with(out) pass-the-hash.

Area of expertise: Red Teaming Operations
Ari Davies <ADavies=>>

Arne Zismer <Arne.Zismer=>>
Kristiyan Mladenov <Kristiyan.Mladenov=>>


Security and Performance Analysis of Encrypted NoSQL Databases.

It has been shown that encryption over SQL data gives a performance penalty
of the range 6-26% [1,2,6]. In return, the SQL databases ensures confidentiality/privacy against malicious users such as "curious database admins" by protecting not only data but also the logs [3]. In this thesis, we will look at the same problems from the window of NoSQL databases. NoSQL databases are frequently used in Big Data applications thanks to their scalability in certain types of data (often less structured) [4].
There are many freely available NoSQL databases such as MongoDB[5] and Cassandra[6] that support "encryption at rest". We will try to answer the following questions over the selected databases in this thesis:
  • What are the possible weaknesses and strengths in terms of security?
  • What is the performance of the selected databases over a variety of encryption schemes?
  • What are the possible remedies/optimizations to the first two questions?
[2] Raluca A. Popa, Catherine M. S. Redfield, Nickolai Zeldovich, Hari Balakrishnan: CryptDB: protecting confidentiality with encrypted query processing. SOSP 2011: 85-100
Fatih Turkmen <F.Turkmen=>>

Abe Wiersma <abe.wiersma=>>
Max Grim <max.grim=>>


Formal verification of the implementation of the MQTT protocol in IoT devices.

Internet of Things (IoT) devices were the main building block in recent record breaking Distributed Denial of Service (DDoS) attacks, like the ones performed by the Mirai botnet [1]. Most of the attacks rely either on unchanged default configurations of the devices or outdated software with unpatched vulnerabilities. While the first one is mainly caused by human error and/or ignorance, the security community is proposing regulations in the later as well [9]. Different vendors in the security evaluation and compliance field are also offering testing methodologies specifically focused on IoT devices [3]. The evaluation can be extended to include methods for formally verifying that the protocols implemented in the embedded devices are compliant with the standards they claim support for. This research is aimed at finding and putting into practice methods for formally assessing to which extent a given vendor adheres to the protocol specification.
A standard, whose implementation verification will be studied further, is the Message Queue Telemetry Transport (MQTT) protocol. Although its first version dates back from 1999, its current specification has become an official International Organisation for Standardisation (ISO) standard in 2016. However, it is already widely deployed for different IoT applications, including the backend of The Things Network (TTN) - a global IoT data network utilising the LoRaWAN specification. Therefore, a method to test its implementation could prevent future large-scale compromises.
Rick van Galen <vanGalen.Rick=>>

Kristiyan Mladenov <kristiyan.mladenov=>>


Attacks on Android 7 File Based Encryption.

Some level of disk encryption has been available since Android 3.0. This was realised as encryption of the data partition at a sector level. The most recent Android release (7.0) has brought about a new scheme for disk encryption, file based encryption. This encryption scheme is implemented on a filesystem level rather than a block level. Is this new encryption scheme susceptible to the same attacks as the previous scheme?
Rick van Galen <vanGalen.Rick=>>

Marwin Baumann <marwin.baumann=>>
Ronan Loftus <ronan.loftus=>>


Automated embedding of dynamic libraries into iOS applications from GNU/Linux.

Developers and security researchers often perform dynamic analysis of iOS applications in order deploy debugging mechanisms, monitor the invocation of functions, tracking how data is propagated through the application, and to perform black-box tests. To perform dynamic analysis a jailbroken iOS device is typically needed. Since developers increasingly implement root detection, a new method is often used which does not require a jailbroken device. This is the embedding of dynamic libraries (gadgets) into an existing iOS application, in order to perform the dynamic analysis. Due to the closed nature of Apple's ecosystem, the embedding process can only be executed using a computer running macOS with Xcode installed. Besides the whole process consists of many steps and requirements. With more apps released every day, there is an increase in the need for mobile app security assessments. Implementing the dynamic library embedding process in a free OS, like GNU/Linux would allow more people to perform security assessments. Moreover, GNU/Linux distributions are often chosen by researches as they are open source and provide a comprehensive set of security assessment tools. There are currently no tools available that enable doing the embedding process without the use of macOS. Therefore, the aim of this study is to explore the feasibility of automated dynamic library embedding for reverse engineering of iOS applications on GNU/Linux.
Cedric Van Bockhaven <cvanbockhaven=>>

Marwin Baumann <marwin.baumann=>>
Leandro Velasco <leandro.velasco=>>


Advantages of anomaly detection between a controlling unit and its process devices for Industrial Control Systems.

During security reviews, industrial systems have revealed flaws in their communications that may lead to physical damage. We are interested to find out how SCADA systems can be set-up in a closed control loop.
  • What sensors could be used to detect tampering, and how could they be hacked?
We can provide the materials to build a SCADA set-up for mixing liquids, working with robotic arms, changing traffic lights, or something else.

The git with our source code:
Coen Steenbeek <csteenbeek=>>
Dima van de Wouw <dvandewouw=>>

Rick Lahaye <rick.lahaye=>>
Anouk Boukema <Anouk.Boukema=>>



Dynamic profiles for malware communication.

Malware has communication possibilties to a (de)central c&c. To hide this traffic we use profile, so it looks like legit traffic. However these profiles are static, making it possible to fingerprint them and detect them. Making these profiles dynamic will make it harder to detect the hidden traffic and makes it harder to create signatures for monitoring tools.
Cedric van Bockhaven <CvanBockhaven=>>
Ari Davies <adavies=>>

Joao Carlos de Novais Marques <joao.marques=>>
Mick Cox <mick.cox=>>


Visualizing security boundaries in Docker Swarm overlay networks.

Because infrastructure is increasingly dynamic we want to have an automated scanner which is capable of collecting data from host systems and map out security boundaries between guests and the network itself. Taking into account guest and host firewall settings. Ideally it would run as some agent to collect the data and then compiling a simple network graph which highlights hosts and paths between systems to find points of interests or certain super nodes which may pose a security risk if compromised.

For the project the scope would be limited to identifying services and possible security risks that occur from a network topology point of view. Preferably it would function for both para-virtualised and fully virtualised environments or even jail environments like FreeBSD jails. Although taking into account all possible firewall software stacks and the different configurations possible this would probably stretch the scope. An alternative could be running the tool on all nodes and collecting data by just trying to punch holes and seeing if it works or not. so decentralised network scanning and graphing and adding some measure of evaluating risk impacts.
Esan Wit <esan=>>

Marcel Brouwers <marcel.brouwers=>>


Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2.

The TOR Anonymity network is vulnerable for website fingerpring attacks, which is confirmed by various research papers.

In this project you will investigate the technical possibilities to prevent/hinder an adversary which is interested in identifying TOR users that visit a small, specific set of targeted (fingerprinted) pages.

How can the fingerprint from a (e.g. hidden) website can be changed/randmomised for each load via e.g. TOR-browser plugins (client side) or Webserver Modules (server side) to render fingerprinting attacks "useless".
David Vaartjes <david.vaartjes=>>
Jurgen Kloosterman

Kees Halvemaan <Kees.Halvemaan=>>
Tako Marks <tako.marks=>>


Calculating the Energy Consumption of a Website.

Greenhost is a small idealistic company that focuses on sustainable web hosting and cloud services built around preserving human rights. We host many websites on a hosting cluster with separate machines for MySQL servers, storage and computing power. We want to be able to tell a client how much energy his hosting package (website) is using.

In this project, the available website data (CPU usage, memory usage and disk read/write usage) must be used to calculate an estimation of how much energy is used by only that website. To be able to achieve this, we provide data of the energy consumption of the machines in the data center as well. The rough outline of steps needed to complete this project is as follows:
  • Aggregate usage data of all customers per bare metal machine (in a privacy-friendly manner)
  • Make (or train) a calculation of how usage statistics contribute to the power consumption of the bare metal machines
  • Use this calculation to calculate the amount of power "used" by one website
For more information (data formats, information on the structure of the hosting cluster, etc.) please do not hesitate to contact us. For signing up for the position, please also contact us!

The code used to train and validate the models can be found on the following git repository:
Maarten de Waard <maarten=>>

Anouk Boukema <Anouk.Boukema=>>


Techniques for detecting compromised IoT devices.

DDoS attacks have for a long time been performed using reflection/amplification attacks. The mechanisms for this type of attack are well known. Research has been done on detecting these types of attacks and various projects exist that monitor these types of attacks. The biggest DDoS attacks up until now have been around 400Gbps.

However, recently the infosec blogger Brian Krebs has been hit with a record-setting attack that had a volume of over 660Gbps, a few days later, web hosting company OVH has reportedly been hit with a DDoS of over 1Tbps. These attacks are unprecedented in volume but more interestingly they are not using reflection/amplification but direct attacks instead.

The attacks are leveraged using hacked Internet of Things devices like IP-cameras and DVR boxes and other linux-based internet connected devices. These devices have a telnet daemon with a very simple password. These devices get infected with malware by simple telnet dictionary attacks and are made part of a botnet, after which they are used in DDoS attacks.

The research project:
  • Which detecting techniques are feasible in order to detect the 'spreading' of the infected IoT devices in an early phase.
Once a technique has been chosen, research the following:
  • Is it possible to gain information on attacks such as victims, duration, volume etc.?
  • Is it possible to gain information on which botnets exist? And how they compete?
  • Is it possible to gain information on command and control infrastructure?
  • Is it possible to capture the malware for further analysis?
  • Further information.....?
Possible further study:
  • Which other IoT devices can be misused?
  • Is it possible to use other means like for example hacked wordpress sites in order to create large attacks?
Rogier Spoor <Rogier.Spoor=>>

Ivo van der Elzen <Ivo.vanderElzen=>>
Jeroen van Heugten <Jeroen.vanHeugten=>>


A hybrid system for automatic exchanges of routing information.

The goal of this project is to examine if it is possible to design a decen- tralized system that will automatically exchange routing policies between autonomous systems, in order to mitigate the above concerns. A distributed approach will reduce the load and supply information that is always accu- rate up to that point of time. Security is going to be taken into account as well, focusing on how we can authenticate the originator of a routing policy.

The main research question that arises is:
  • Is it possible to design a decentralized system to automatically exchange routing policies for BGP configurations?
To answer the main research question, the following sub-questions had been formed:
• Which would be the benefits by designing a decentralized approach?
• What is the potential of this decentralized system in terms of scalability and efficiency?
• What security aspects should this decentralized system employ?
Stavros Konstantaras <s.konstantaras=>>
Stamatios Maritsas <stamatios.maritsas=>>


Effective Automated Windows Lab Deployment.

We want students to research the best ways for automating the deployment and configuration of a Windows based (test) lab. Many options exist, like specific Powershell modules, puppet, vagrant and Microsoft native tools like DSC and SCCM. But its unclear what (combination) of techniques results in the fastest and easiest deployment of a 10-20 windows servers. Demands are: relatively fast deployment, multiple domain controllers, AD sites, user accounts, possibility for other core Windows server roles like SMB, IIS, Exchange, etc. Focus should not be on the hardware or virtualisation aspect of the setup.
Marc Smeets <marc=>>

Vincent van Dongen <Vincent.vanDongen=>>
Fons Mijnen <Fons.Mijnen=>>


Reliable Library Identification Using VMI Techniques.

Virtual Machines are widely used to share common physical resources in cloud environments. The isolation of the virtual machine layer is considered good enough to allow VMs from multiple businesses to reside on one machine. From a security perspective, Cloud Providers treat these machines as black boxes they only able to observe its in and output and don't have any idea on whats happening inside. VM introspection such as provided by libvmi[1] allows the cloud provider to get insight in the low level calls that a VM makes. This may be useful to enhance security of the Cloud provider, leading to the following question:
  • Can VM introspection help securing cloud providers against certain attacks?
Think about preventing a rowhammer/flip-feng-shui [2] attack early on, or to enforce that VMS enable security features e.g. SELINUX.
Ralph Koning <R.Koning=>>
Ben de Graaff <C.B.deGraaff=>>

Leandro Velasco <Leandro.Velasco=>>
Nick de Bruijn <nick.debruijn=>>


SURFWireless Energy Consumption.

Wireless Local Area Networks (WLANs) provide flexibility in connectivity for mobile devices. It is a solution for wireless Internet that satisfies most communication requirements in current environments. Similar to Ethernet technologies, WLAN has evolved and protocol improvements provide higher and higher speeds. Protocols like 802.11n, 802.11ac, and the research of 802.11ax makes it a viable alternative for Wired Ethernet.

SURFnet offers a service called SURFWireless, a distributed solution that provides WLANs for institutions. The WLANs are created by deploying dedicated Access Points (APs) in all areas that require coverage for wireless stations (STAs). The APs are monitored and managed from a central location, but do not depend on a controller for traffic flow control.

Currently, it is unknown how much energy the whole wireless infrastructure consumes spread over many locations. The research aims to find solutions that will decrease the energy utilization of all components of SURFWireless e.g. Access Points and management/monitoring. Current research indicates techniques like exploiting Software Defined Networking (SDN) to estimate network bandwidth requirements and turn off idle APs or the concept of Radio-on-Demand (ROD). Insight in the energy usage and hopefully decreasing can be beneficial for the future of existing and new WLANs.

The student is asked to research the following:
  • How much energy do the distributed components of SURFWireless consume and which aspects affect the amount of power consumption. The measurements must take place in a realtime situation during production of the SURFWireless service.
  • Once the consumption is clear, techniques to improve the energy efficiency of SURFWireless will be investigated.
  • Experiments of the effectiveness of the solutions will be done in a test environment and in a work environment with a realtime situation.
Frans Panken <frans.panken=>>
Marijke Kaat <Marijke.Kaat=>>

Jeroen van Leur <jeroen.vanleur=>>


Browser forensics: Adblocker extensions. .

Ad-blocking plugins for web browsers have seen a large increase in use over the past years. They usually work on the basis of white- and/or blacklists to block iframes and other elements that show (intrusive) advertisements on websites. Depending on the plugin that is used, these pieces of add-in software might (temporarily) store relevant information for digital forensics. The goal of this project is to determine what information is stored by such plugins, in which format and how it could be incorporated in forensic investigations of computers.
Johannes de Vries <jdevries=>>

Willem Rens <Willem.Rens=>>


Application aware digital objects access and distribution using Named Data Networking (NDN).

Information Centric Networking (ICN) is a new network paradigm for content delivery. Instead of routing information based on nodes and hosts like in IP networks, ICN routes data content based on unique identifiers assigned to data objects, caching them at selected points in the delivery path from source to destination based on e.g., the frequency of requests. In research data infrastructures, data preservation and the use of Persistent Identifiers (PIDs) to identify specific datasets (and versions of datasets) are important functional requirements for curation prior to and after formal publication, in particular for time series observations. ICN provides a natural architecture for delivering research data products that use PIDs to researchers.

This project focuses on technical challenges in applying ICN in big data infrastructures. The goal of this project is therefore to evaluate the current Cloud-based ICN solutions and to compare their performance for distributing different PID-augmented objects. This will involve:
  1. Constructing a literature review on technologies, requirements and challenges in applying ICN in big data infrastructures.
  2. Setting up a Cloud-based ICN environment for experiments.
  3. Characterizing the performance of sharing digital objects in different contexts using existing caching strategies.
Zhiming Zhao <z.zhao=>>
"D'Acunto, L. (Lucia)" <lucia.dacunto=>>
Paul Martin <p.w.martin=>>

Rahaf.Mousa <Rahaf.Mousa=>>


Collecting, cataloguing and searching performance information of Cloud resources.

Precise information about cloud resource types, service level agreements (SLAs) and provisioning constraints is crucial when developing cloud applications. Automated discovery of relevant cloud resource information from a pool of available providers, including maintaining an up to date cloud information catalogue, may be of great use in a number of applications; however, such a service is currently not available. Relevant cloud information includes:
  1. Static information collected from cloud providers, including information about the CPU, memory, and storage available to different kinds of virtual machine (VM) instance. It will be necessary to do some investigation about how to fetch this information (we have set up an example framework to do this).
  2. Performance information including the provisioning overhead for different VM instances and the network performance in one data centre or across different data centers. This information generally cannot be directly retrieved from cloud providers, but is very important for cloud customers wishing to choose the best cloud provider for their particular application and to organize their virtual resources on the Cloud (we have developed an example benchmark to test resources on Amazon EC2.)
The envisaged information catalogue aims to provide a service that can deliver the most up to date cloud resource information to cloud customers to help them use Cloud better. The goal of this project is therefore to:
  1. Investigate the state of the art for cloud performance information retrieval and cataloguing.
  2. Evaluate different methods for obtaining performance information.
  3. Provide a prototype for a cloud information catalogue. 
Zhiming Zhao <z.zhao=>>
Arie Taal <a.taal=>>

Olaf Elzinga <Olaf.Elzinga=>>


Feasibility of ILA as Network Virtualisation Overlay in multi-tenant, multi-domain Cloud.

ILA [1] [2] is an IPv6 based addressing scheme proposed as an alternative to the general way overlay networks are created nowadays - tunneling i.e. transporting original packets as a payload of another protocol.
A student is expected to evaluate the feasibility of using ILA with Docker ecosystem to create an overlay network.
Furthermore focusing on assessing ILA performance in regard to existing overlay approaches e.g. Docker overlay driver [3], Weave [4], Flannel [5]

Lukasz Makowski <l.s.makowski=>>
Paola Grosso <P.Grosso=>>

Tako Marks <Tako.Marks=>>


Parallelization of BGP for route server functionality; A protocol and implementation study.


To scale peering and make it easier for new customers to immediately exchange traffic over the exchange, AMS-IX operates two instances of a so called route server (RS). A RS can be seen as a route reflector for eBGP. The basic functionality is such that each participant of the RS advertises the prefixes under its control (Network Layer Reachability Information (NLRI)). The route server performs standard BGP path calculations and advertises received prefix reachability to its participants. As the route server does not take part in the actual traffic forwarding, with each route a NEXT HOP is advertised. For further information on RS see the links at the bottom of this document.

Problem Statement: Scaling of RS with number of RS peers

The current implementation of RS at AMS-IX are based on BIRD. For resilience reasons we are currently looking into another implementation based on GoBGP. Both implementations have as a limitation that they are build as single threaded applications, which is more or less inherent to the BGP protocol itself. Because of this, the current implementations reach their usability limits on AMS-IX as the number of adjacencies to the RS keeps growing. Specifically the UPDATE process when for example a large part of the peers need to re-establish a session can take very long and is increasing (> 20 minutes).
In the last couple of years a number of studies has been performed that have looked at parallelisation of the BGP process and sometimes specifically at the UPDATE process. One such study has been references below.

Research project:

AMS-IX would like have researched the possibilities of massive parallelisation of the RS process in order to further scale this service in the future. The research should study existing studies on BGP parallelisation and see if these are applicable to BGP as a RS. If the research concludes that scaling RS functionality this way is feasible the results of the study should also define what need to be done to get to an actual implementation. The actual implementation itself will be a later project.

For information on AMS-IX route server see
Route Server Implementations
Some examples of studies on parallelisation of BGP
Stavros Konstantaras <stavros.konstantaras=>>
Aris Lambrianidis <aristidis.lambrianidis=>>

Jenda Brands <Jenda.Brands=>>
Patrick deNiet <Patrick.deNiet=>>


eBPF based container networking.

Cilium [1] [2] is the project aiming at leveraging Linux kernel EBPF (Extended Berkeley Packet Filtering) mechanism to improve on the container networking complexity and performance. It is expected to provide a higher packet processing rates than the current linux-bridge or iptables based approaches. We are interested in evaluating this technology in the context of performance and multitenancy. In specific, we would like to analyze its ability to express the traffic policies for multitenant environments i.e. assuring the isolation between the flows and preventing the "noisy neighbor" problem.

Lukasz Makowski <l.s.makowski=>>
Paola Grosso <P.Grosso=>>

Nick de Bruijn <Nick.deBruijn=>>


Session based high bandwidth throughput testing.

Most of the bandwidth generation tools, like iPerf or PKTGEN, are capable of generating high bandwidth (40Gb/s or more) traffic streams. In order to reach maximum throughput most of the bandwidth generation tools rely on UDP to generate traffic in high volumes, and even then have innate limitations to exceed moderately high bandwidth thresholds. When it comes to session oriented protocols, it is even harder to generate a high bandwidth.

Some tools, like PKTGEN, are capable of exceeding the 40Gb/s threshold, but to do so they fore-go offering any meaningful insight or statistics, like re-ordering, jitter or integrity. Other tools do offer some of that insight, but only during a time window of the test, not within a (noisy) base-line environment.

Current tools only test the infrastructure towards a destination. On arrival, the NIC discards the traffic. However, iPerf is client - server based, the traffic is still discarded on arrival. No sessions are kept in memory. The result is the same. The infrastructure is tested and the destination doesn’t have to handle the traffic.
So the question is: what is needed to perform high bandwidth session based throughput tests and how to go beyond pure network infrastructure testing.
David Groep <davidg=>>
Tristan Suerink <tsuerink=>>

Bram ter Borch <Bram.terBorch=>>


Freenet Darknet Mapping.

Freenet is an anonymous distributed information storage and retrieval system [1]. Content gets uploaded to nodes which get mirrored over the network. The unique feature of Freenet is that the original uploading node can go offline and users will still be able to access content as it is mirrored on the various research nodes. This decentralised storage makes it difficult for content to be removed from the network. A user will send a request for a file to a node which will then forward it through the network until the file has been found. The nodes do not know if the request has been handed to it by a user or by another node. A node can connect to peers through either the 'opennet' and/or the 'darknet' systems. The former involves a centralised approach where nodes locations are announced to the world, and in the latter decentralised approach a node will only connect to a peer if both sides trust the connection [2]. The darknet should have a higher level op privacy as not all nodes are publicly available.

Both passive (harvesting) and active (DOS) attacks are possible on the network [3] [4]. Conducting measurements in the opennet are feasible despite Freenet's obfuscation techniques [3]. However, no such method has been found for darknet. The research project will focus on finding techniques to map a Freenet darknet network. Possible starting points would be to look at the trusting friends-of-friends setting, protocol analysis and/or source code analysis.
  1. Clarke, I., Sandberg, O., Wiley, B., & Hong, T. W. (2001); Freenet: A distributed anonymous information storage and retrieval system. In Designing Privacy Enhancing Technologies (pp. 46-66). Springer Berlin Heidelberg.
  2. Clarke, I., Sandberg, O., Toseland, M., & Verendel, V. (2010); Private communication through a network of trusted connections: The dark freenet Network.
  3. Roos, S., Schiller, B., Hacker, S., & Strufe, T. (2014, July). Measuring freenet in the wild: Censorship-resilience under observation. In International Symposium on Privacy Enhancing Technologies Symposium (pp. 263-282). Springer International Publishing.
  4. Evans, N. S., GauthierDickey, C., & Grothoff, C. (2007, December). Routing in the dark: Pitch black. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual (pp. 305-314). IEEE.
The code produced in this project can be found here: p86/rp86_src.tar.gz
Yonne de Bruijn <yonne.debruijn=>>
Lennart Haagsma <haagsma=>>

Kees Halvemaan <Kees.Halvemaan=>>


Discriminating reflective (D)DoS attack tools at the reflector.

Fox-IT has access to a system that observes ongoing DDoS attacks. The current system is able to identify the intended target of the attack but is unable to detects its origin nor link multiple attacks to a single attacker.

The goal of the research is to identify ‘features’ / characteristics in the DDoS packets that combined, can be used to link various attacks together as being generated from the same botnet / boot service / attack script. These characteristics can be fed back into the DDoS observer to classify future and historical attacks. For this research Fox-IT will provide snippets of DDoS traffic in from of PCAP data for the researcher to study. The focus will be on reflective amplification attacks, such as: DNS. Chargen, Portmap, SNMP, SSDP etc.
Lennart Haagsma <haagsma=>>

Fons Mijnen <Fons.Mijnen=>>
Max Grim <Max.Grim=>>


Segment routing in container networks.


Segment routing is aimed at simplifying control over forwarding paths, without requiring additional protocols or path signaling. It can be used to implement traffic engineering, network service chaining, and other SDN-like features on MPLS and IPv6 data planes. Vendors such as Cisco and Juniper offer services like VPNs based on segment routing.

Cilium is a Linux native engine for providing transparent and secure connectivity between containers. It offers a single flat layer 3 network which can span multiple clusters. Currently its overlay networks are based on VXLAN/Geneve/GRE.

The aim of this project will be to:

  • Research the applicability of segment routing/SRv6 in the context of container overlay networks
  • Building a proof-of-concept using Cilium/eBPF


NB: RP84 is looking at the current implementation of Cilium. However, I don't think there would be a lot of overlap between our projects. My intention is to simply use it as an experimentation platform.
Marijke Kaat <Marijke.Kaat=>>

Ben de Graaff <ben.degraaff=>>


Unintended metadata leakage at the Dutch Government.

Metadata can contain an abundance of information about an organization (such as detailes about the creation of files, usernames, software, file location, etc.). The goal of this research is to examine what kinds of metadata from Dutch governmental and semi-governmental websites such as those of ministries, municipalities, educational organizations and hospitals can be found online by parsing documents published on their websites. After gathering that information from hundreds of (semi-)governmental websites, it is analyzed and quantified;
  • How much information does the government leak in general?
Eventually, I will interpret the results and come up with recommendations. For example:
  • What could bad attackers do with this information (i.e. can they, for example, use the information to pinpoint weak spots in the Dutch government)?
  • How "good" or "bad" is the current situation?

Previous work, added value of the research.

Although metadata analysis tools do exist and research has been done in how it can be used for bad purposes, no prior research has been done to examine the metadata of the Dutch government. In fact, it is impossible to even find any research analyzing metadata of any foreign government, either. This research can help the Dutch government understand what their current state of affairs is, and, in times of cyber espionage and cyber warfare, help build the digital defense of the Netherlands as a nation. The techniques used, and the analysis and recommendations proposed in this research are made fully open source, so that it is also directly applicable to non-governmental organizations, or foreign governments, who can use this as a starting point for examining their own metadata exposure.
Alex Stavroulakis <stavroulakis.alex=>>
Sukalp Bhople <bhople.sukalp=>>

Auke Zwaan <Auke.Zwaan=>>


Kerberos Credential Thievery (GNU/Linux).

Kerberos provides a mechanism for authentication and single sign on. It doesn't require user passwords to be often sent over the wire. Instead. Encrypted blobs (tickets) are stored locally by clients and exchanged to provide authentication credentials. To obtain an initial ticket, a password must only be put in once at the start of a session. There are multiple ways that these tickets can be stored on a client machine.
  • What are the ways that kerberos credentials can be stored?
  • How can these credentials be extracted from a running system?
  • Can these credentials be used by an adversary to successfully authenticate?
  • How can these attacks be defended against?
Cedric van Bockhaven <CvanBockhaven=>>

Arne Zismer <arne.zismer=>>
Ronan Loftus <ronan.loftus=>>



Program (Printer friendly version: HTML, PDF): The event is stretched over two days: Monday-Tuesday July 3-4, 2017.

Monday July 3, 2017, Auditorium C0.110, FNWI, Sciencepark 904, Amsterdam.
Time #RP Title Name(s) LOC
Welcome, introduction. Cees de Laat

13h00 53 Visualising security boundaries and POIs in virtualised environments. Marcel Brouwers BUNQ 2
13h20 86 Freenet Darknet Mapping. Kees Halvemaan FOX-IT 2
13h40 90 Fingerprinting DDoS attack and determining the threat actor behind the attack. Fons Mijnen, Max Grim FOX-IT 2

14h30 50 Automated embedding of dynamic libraries into iOS applications from GNU/Linux. Marwin Baumann, Leandro Velasco DELOITTE 2
14h55 97 Kerberos Credential Thievery on GNU/Linux. Arne Zismer, Ronan Loftus DELOITTE 2
15h20 93 ICS/SCADA monitoring system. Kenneth van Rijsbergen DELOITTE 2

16h00 96 Unintended information leakage via metadata. Auke Zwaan KPMG 2
16h20 42 Formal verification of the implementation of the MQTT protocol in IoT devices.  Kristiyan Mladenov KPMG 2

Tuesday July 4, 2017, Auditorium C0.110, FNWI, Sciencepark 904, Amsterdam.
Time #RP Title Name(s) LOC
Welcome, introduction. Cees de Laat

13h00 58 Calculating the carbon footprint of individual hosting packages on a hosting cluster. Anouk Boukema GREENHOST 2
13h20 85 High Bandwidth Network Diagnostics. Bram ter Borch NIKHEF 2
13h40 70 Application aware access and distribution of digital objects using Named Data Networking (NDN).  Rahaf Mousa TNO/UvA 2

14h20 12 Measuring Performance Overhead of Trans-encrypting HTTP Adaptive Streaming. Abe Wiersma TNO 2
14h40 82 ILA with Docker to create an overlay network. Tako Marks UvA 2
15h00 84 EBPF based container networking.
Nick de Bruijn UvA 2

15h40 95 Segment routing in container overlay networks. Ben de Graaff SURFnet/UvA 2
16h00 83 A study into the BGP protocol as well as BGP implementations to improve Route Server scalability. Jenda Brands, Patrick deNiet AMS-IX 2


Program (Printer friendly version: HTML, PDF) :

Monday feb 6th in B.1.23 at Science Park 904 NL-1098XH Amsterdam.
Time #RP Title Name(s) LOC
Welcome, introduction. Cees de Laat

13h05 19
Extending the range of NFC capable devices. Sandino Moeniralam, Bart Hermans KPMG 1
13h30 45
Attacks on Android 7 File Based Encryption. Marwin Baumann, Ronan Loftus KPMG 1
13h55 24
Automatic comparison of photo response non uniformity (PRNU) on Youtube. Marcel Brouwers, Rahaf Mousa NFI 1

14h40 63
Automated Windows testlab deployment. Vincent van Dongen, Fons Mijnen Outflank 1
15h05 37
Security and Performance Analysis of (Encrypted) NoSQL Databases. Abe Wiersma, Max Grim SNE 1
15h30 52
Dynamic profiles for malware communication.
Joao Carlos de Novais Marques, Mick Cox Deloitte 1

16h10 55
Defenses against tor website fingerprinting deanonymization attacks. Kees Halvemaan, Tako Marks Securify 1
16h35 59 Techniques for detecting compromised IoT devices. Ivo van der Elzen, Jeroen van Heugten SURFnet 1

Tuesday feb 7th in room B1.23 at Science Park 904 NL-1098XH Amsterdam.
Time #RP Title Name(s) LOC RP
Welcome, introduction. Cees de Laat

11h05 33
Building an IPS solution for inline usage during Red Teaming..
Arne Zismer, Kristiyan Mladenov Deloitte 1
11h30 51
Advantages of anomaly detection between a controlling unit and its process devices for Industrial Control Systems Rick Lahaye, Anouk Boukema Deloitte 1

13h00 58
Using a SIM card to authenticate for eduroam. Alexander Blaauwgeers SURFnet 1
13h20 67
Browser forensics: Adblocker extensions. Willem Rens Fox-IT 1
13h40 64 Reliable Library Identification Using VMI Techniques. Leandro Velasco, Nick de Bruijn SNE 1

14h20 71
Collecting, cataloguing and searching performance information of Cloud resources. Olaf Elzinga SNE 2
14h40 7 Thinking in possibilities for federated Log Out. Marcel den Reijer, Fouad Makioui SURFnet 1

Out of normal schedule presentations:

Date Time Place #RP Title Name(s) LOC RP
2016-11-23 15h00
B1.23 60
A decentralized system for automatic exchange of policies for BGP configurations.
Stamatios Maritsas NLNET
2016-12-22 11h00
B1.23 66
SURFWireless Energy Consumption. Jeroen van Leur

B1.23 65 Real-time Video Stream filtration for Data and Facial Anonymization. Sandino Moeniralam JUNAID 2