Magnusson, Jonathan
Publications (7 of 7)
Martucci, L., Magnusson, J., Vehkajärvi, T. & Karlsson, J. (2026). The Cyber Range Lite: Lightweight Infrastructure for Training and Education. In: Lynette Drevin, Wai Sze Leung, Suné von Solms (Ed.), Proceedings-Information Security Education. Empowering People Through Information Security Education. Paper presented at 17th IFIP WG 11.8 World Conference, WISE 2025, Maribor, Slovenia, May 21–23, 2025. (pp. 171-185). Springer, 742 IFIPAICT
2026 (English). In: Proceedings-Information Security Education. Empowering People Through Information Security Education / [ed] Lynette Drevin, Wai Sze Leung, Suné von Solms, Springer, 2026, Vol. 742 IFIPAICT, p. 171-185. Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents the requirements, design, development, and evaluation of a container-based cyber range for cybersecurity training and education named Cyber Range Lite (CRL). CRL is a scalable, lightweight platform with well-defined interfaces tailored to educational contexts. Cybersecurity exercises, or challenges, are described using a YAML-based template and deployed via Docker container images, which simulate a networked environment with a large number of hosts orchestrated by Docker Swarm. Students access the system through WireGuard VPN tunnels. We initially tested CRL using jeopardy-style Capture The Flag (CTF) exercises, comprising independent challenges. We then extended it to a virtual network scenario where students must solve challenges in a prescribed sequence. CRL was deployed and evaluated in an advanced-level ethical hacking course, where we compared its functionality, cost, and student feedback against a previous cyber range implementation based on virtual machines hosted on the Google Cloud Platform. Our results indicate that CRL offers a cost-effective and pedagogically flexible alternative for hands-on cybersecurity education. 

Place, publisher, year, edition, pages
Springer, 2026
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X
Keywords
Containers, Curricula, Cybersecurity, E-learning, Education computing, Embedded systems, Ethical aspects, Human engineering, Network security, Personnel training, Students, Teaching, Cyber range, Cyber security, Cybersecurity exercise, Design development, Design evaluation, Educational context, Ethical hacking, Networked environments, Student access, Training and education, Cost effectiveness
National Category
Computer Systems; Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-106649 (URN); 10.1007/978-3-031-94924-1_12 (DOI); 001567411000012 (); 2-s2.0-105012924478 (Scopus ID); 978-3-031-94923-4 (ISBN); 9783031949241 (ISBN)
Conference
17th IFIP WG 11.8 World Conference, WISE 2025, Maribor, Slovenia, May 21–23, 2025.
Available from: 2025-08-26 Created: 2025-08-26 Last updated: 2026-02-12. Bibliographically approved
Magnusson, J. (2025). Cybersecurity Mechanisms in DNS Resolvers: An Internet Measurement Perspective. (Licentiate dissertation). Karlstad: Karlstads universitet
2025 (English). Licentiate thesis, comprehensive summary (Other academic)
Alternative title [sv]
Cybersäkerhetsmekanismer i DNS-resolvrar : Ett perspektiv med internetmätningar
Abstract [en]

Using the Internet today, both end-users and automated systems rely on the Domain Name System (DNS) to translate human-readable domain names to IP addresses for communication between machines. This system from 1985 has only in recent years seen Internet standards addressing security and privacy concerns. In the position as a machine-in-the-middle between the client and the distributed hierarchical system of authoritative name servers, we find the DNS resolver. Due to its purpose of forwarding, looking up, and caching queries and responses, in addition to its location between the clients and the name servers, the DNS resolver becomes a critical point for implementing these security and privacy features. The widespread adoption of these features, their variation in implementation, and impact on both clients and other name servers remain as interesting topics in the research community. The goal of this thesis is to analyze servers in the wild and conduct a comprehensive investigation into the security and privacy mechanisms configured on DNS resolvers. Using an Internet measurement approach, we explore the trends in the adoption and implementation of these features by generating and observing our own queries to and from the resolvers. We also investigate how clients and the DNS ecosystem as a whole are impacted by resolver configurations. We use and improve methods for measuring adoption of various security and privacy related features. Based on these measurements we report the current level of adoption and adoption over time, investigate anomalies, and identify limitations with measurement approaches. We fingerprint the software and version of popular open-source DNS resolvers by classifying query patterns. Comparing the ingress and egress resolvers we analyze forwarding behaviors and their impact on the availability and effectiveness of security and privacy features.
We also cross-analyze features in DNS resolvers to find correlations, which could help us understand obstacles and find solutions to feature adoption.

Abstract [sv]

For machines to communicate on the Internet today, they rely on the Domain Name System (DNS) translating domain names to IP addresses for both users and automated systems. Internet standards addressing security and privacy in this system from 1985 have mainly appeared in recent years. Between clients and the distributed hierarchy of authoritative name servers we find the DNS resolver. Because of its purpose of forwarding and looking up client queries and caching responses, and its position as a box-in-the-middle, it becomes a critical point for security and privacy. How widely these mechanisms are adopted, how their implementations vary, and their impact on both clients and other name servers remain interesting topics in the research community. The goal of this thesis is to analyze DNS resolvers on the Internet in order to carry out a comprehensive evaluation of related security and privacy mechanisms. We explore the trends in the adoption and implementation of these features, and analyze how they affect clients and the ecosystem as a whole by observing traffic from DNS queries. We use and improve methods for measuring adoption of various security- and privacy-related features. Based on these measurements we report the current level of adoption and adoption over time. We also investigate interesting anomalies in the results and identify limitations of the measurement methods used. By classifying traffic patterns, we manage to identify software versions of popular open-source DNS resolvers. When observing the resolvers involved in a lookup, we analyze how they forward and how this affects the availability and effectiveness of various mechanisms. We also examine correlations between different mechanisms, which could lead to a deeper understanding of the challenges and solutions to higher adoption.

Place, publisher, year, edition, pages
Karlstad: Karlstads universitet, 2025. p. 18
Series
Karlstad University Studies, ISSN 1403-8099 ; 2025:1
Keywords
Domain Name System, Resolver, Security, Privacy, Traffic Analysis, Internet Measurements, Domännamnssystemet, Uppslagningstjänst, Säkerhet, Personlig Integritet, Trafikanalys, Internetmätningar
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-102373 (URN); 10.59217/rbhs6890 (DOI); 978-91-7867-518-0 (ISBN); 978-91-7867-519-7 (ISBN)
Presentation
2025-01-21, 1B309 Sjöström, Karlstads Universitet, Karlstad, 13:15 (English)
Opponent
Supervisors
Funder
.SE (The Internet Infrastructure Foundation), 6458
Available from: 2025-01-02 Created: 2024-12-05 Last updated: 2026-02-12. Bibliographically approved
Magnusson, J. (2025). Fingerprinting DNS Resolvers using Query Patterns from QNAME Minimization. In: Leonardo Horn Iwaya, Liina Kamm, Leonardo Martucci, Tobias Pulls (Ed.), Proceedings of 29th Nordic Conference, NordSec 2024. Paper presented at The 29th Nordic Conference, NordSec 2024, Karlstad, Sweden, November 6–7, 2024. (pp. 405-423). Springer
2025 (English). In: Proceedings of 29th Nordic Conference, NordSec 2024 / [ed] Leonardo Horn Iwaya, Liina Kamm, Leonardo Martucci, Tobias Pulls, Springer, 2025, p. 405-423. Conference paper, Published paper (Refereed)
Abstract [en]

The Domain Name System (DNS) plays a pivotal role in the function of the Internet, but if the DNS resolvers are not correctly configured or updated, they could pose security and privacy risks. Fingerprinting resolvers helps the analysis of the DNS ecosystem and can reveal outdated software and misconfigurations. This study aims to evaluate if patterns in queries from DNS resolvers (implementing query name minimization as a privacy enhancing feature) can reveal their characteristics such as their software and versions. We examined the query patterns of minimizing resolvers at the authoritative name server side, and our findings indicate that distinct patterns correlate with specific open-source resolver software versions. Notably, none of the resolvers fully follow the recommended query name minimization algorithm outlined in RFC 9156, suggesting a discrepancy between recommendations and real-world implementations. We also identified high rates of query amplification, possibly caused in part by the combination of minimization and forwarding configurations. Our research contributes to understanding the current state of the DNS ecosystem, highlighting the potential for fingerprinting to enhance Internet security by identifying and addressing resolver-related risks.

Place, publisher, year, edition, pages
Springer, 2025
Series
Lecture Notes in Computer Science ; 15396
Keywords
DNS, QNAME Minimization, Privacy, Fingerprinting, Traffic Analysis
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-102370 (URN); 10.1007/978-3-031-79007-2_21 (DOI); 001446544900021 (); 2-s2.0-85218497224 (Scopus ID); 978-3-031-79006-5 (ISBN); 978-3-031-79007-2 (ISBN)
Conference
The 29th Nordic Conference, NordSec 2024, Karlstad, Sweden, November 6–7, 2024.
Available from: 2024-12-03 Created: 2024-12-03 Last updated: 2026-02-12. Bibliographically approved
Magnusson, J., Müller, M., Brunstrom, A. & Pulls, T. (2023). A Second Look at DNS QNAME Minimization. In: Anna Brunström; Marcel Flores; Marco Fiore (Ed.), Passive and Active Measurement: 24th International Conference, PAM 2023, Virtual Event, March 21–23, 2023, Proceedings. Paper presented at 24th International Conference, PAM 2023, Virtual Event, March 21–23, 2023 (pp. 496-521). Springer
2023 (English). In: Passive and Active Measurement: 24th International Conference, PAM 2023, Virtual Event, March 21–23, 2023, Proceedings / [ed] Anna Brunström; Marcel Flores; Marco Fiore, Springer, 2023, p. 496-521. Conference paper, Published paper (Refereed)
Abstract [en]

The Domain Name System (DNS) is a critical Internet infrastructure that translates human-readable domain names to IP addresses. It was originally designed over 35 years ago and multiple enhancements have since then been made, in particular to make DNS lookups more secure and privacy preserving. Query name minimization (qmin) was initially introduced in 2016 to limit the exposure of queries sent across DNS and thereby enhance privacy. In this paper, we take a look at the adoption of qmin, building upon and extending measurements made by De Vries et al. in 2018. We analyze qmin adoption on the Internet using active measurements both on resolvers used by RIPE Atlas probes and on open resolvers. Aside from adding more vantage points when measuring qmin adoption on open resolvers, we also increase the number of repetitions, which reveals conflicting resolvers – resolvers that support qmin for some queries but not for others. For the passive measurements at root and Top-Level Domain (TLD) name servers, we extend the analysis over a longer period of time, introduce additional sources, and filter out non-valid queries. Furthermore, our controlled experiments measure performance and result quality of newer versions of the qmin-enabled open source resolvers used in the previous study, with the addition of PowerDNS. Our results, using extended methods from previous work, show that the adoption of qmin has significantly increased since 2018. New controlled experiments also show a trend of higher number of packets used by resolvers and lower error rates in the DNS queries. Since qmin is a balance between performance and privacy, we further discuss the depth limit of minimizing labels and propose the use of a public suffix list for setting this limit.

Place, publisher, year, edition, pages
Springer, 2023
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349 ; 13882
Keywords
Internet protocols; Privacy-preserving techniques, Controlled experiment; Domain name system; Domain names; Human-readable; Internet infrastructure; Lookups; Minimisation; Performance; Privacy; QNAME minimization, Quality control
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-94279 (URN); 10.1007/978-3-031-28486-1_21 (DOI); 2-s2.0-85151060508 (Scopus ID)
Conference
24th International Conference, PAM 2023, Virtual Event, March 21–23, 2023
Available from: 2023-04-19 Created: 2023-04-19 Last updated: 2026-02-12. Bibliographically approved
Martucci, L., Magnusson, J. & Akil, M. (2023). On-Campus Hands-On Ethical Hacking Course: Design, Deployment and Lessons Learned. In: Nathan Clarke; Steven Furnell (Ed.), Human Aspects of Information Security and Assurance. Paper presented at IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2023) (pp. 76-90). Springer
2023 (English). In: Human Aspects of Information Security and Assurance / [ed] Nathan Clarke; Steven Furnell, Springer, 2023, p. 76-90. Conference paper, Published paper (Refereed)
Abstract [en]

In this paper, we report on designing and deploying an on-campus, highly practical ethical hacking course using the foundation of Kungl. Tekniska Högskolan's (KTH) existing, well-established, distance-based course. We explain our course organization, structure, and delivery and present the students' formative and summative feedback and their results. Moreover, we justify the choice of our platform, a custom GCP-based cyber range with twelve capture the flag exercises designed for an online ethical hacking course, and how our on-campus course was implemented around it. Our ethical hacking course is organized around ten mandatory lectures, seven flag reports and three lectures on ethics, two demonstrations, and four guest lectures. The student evaluation is continuous and based on the flags captured. Our collected data indicates the amount of effort spent on each exercise, the used hints, and for how long most of the students were actively solving the exercises. The students' feedback indicates they were overwhelmingly satisfied with the course elements and teaching staff. Finally, we propose changes to elements of our ethical hacking course. The course was delivered at Karlstad University over nine weeks between January and March 2023 for 24 students.

Place, publisher, year, edition, pages
Springer, 2023
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 674
Keywords
capture the flag, cybersecurity, education, Ethical hacking, ethics
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-96081 (URN); 10.1007/978-3-031-38530-8_7 (DOI); 2-s2.0-85172696761 (Scopus ID); 978-3-031-38529-2 (ISBN); 978-3-031-38530-8 (ISBN)
Conference
IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2023)
Funder
Karlstad University
Available from: 2023-07-11 Created: 2023-07-11 Last updated: 2026-02-12. Bibliographically approved
Beckerle, M., Magnusson, J. & Pulls, T. (2022). Splitting Hairs and Network Traces: Improved Attacks Against Traffic Splitting as a Website Fingerprinting Defense. In: Yuan Hong; Lingyu Wang (Ed.), WPES 2022: Proceedings of the 21st Workshop on Privacy in the Electronic Society. Paper presented at WPES'22 @ CCS'22: 2022 ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, USA, 7 November 2022 (pp. 15-27). Association for Computing Machinery (ACM)
2022 (English). In: WPES 2022: Proceedings of the 21st Workshop on Privacy in the Electronic Society / [ed] Yuan Hong; Lingyu Wang, Association for Computing Machinery (ACM), 2022, p. 15-27. Conference paper, Published paper (Refereed)
Abstract [en]

The widespread use of encryption and anonymization technologies (e.g., HTTPS, VPNs, Tor, and iCloud Private Relay) makes network attackers likely to resort to traffic analysis to learn of client activity. For web traffic, such analysis of encrypted traffic is referred to as Website Fingerprinting (WF). WF attacks have improved greatly in large parts thanks to advancements in Deep Learning (DL). In 2019, a new category of defenses was proposed: traffic splitting, where traffic from the client is split over two or more network paths with the assumption that some paths are unobservable by the attacker. In this paper, we take a look at three recently proposed defenses based on traffic splitting: HyWF, CoMPS, and TrafficSliver BWR5. We analyze real-world and simulated datasets for all three defenses to better understand their splitting strategies and effectiveness as defenses. Using our improved DL attack Maturesc on real-world datasets, we improve the classification accuracy wrt. state-of-the-art from 49.2% to 66.7% for HyWF, the F1 score from 32.9% to 72.4% for CoMPS, and the accuracy from 8.07% to 53.8% for TrafficSliver BWR5. We find that a majority of wrongly classified traces contain less than a couple hundred of packets/cells: e.g., in every dataset 25% of traces contain less than 155 packets. What cannot be observed cannot be classified. Our results show that the proposed traffic splitting defenses on average provide less protection against WF attacks than simply randomly selecting one path and sending all traffic over that path.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2022
Keywords
deep learning, network splitting, website fingerprinting, Classification (of information), Cryptography, HTTP, Network security, Anonymization, Classifieds, Learn+, Network attackers, Real-world datasets, Traffic analysis, Traffic splitting, Websites
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-92774 (URN); 10.1145/3559613.3563199 (DOI); 2-s2.0-85143255443 (Scopus ID); 978-1-4503-9873-2 (ISBN)
Conference
WPES'22 @ CCS'22: 2022 ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, USA, 7 November 2022
Funder
.SE (The Internet Infrastructure Foundation)
Available from: 2022-12-27 Created: 2022-12-27 Last updated: 2026-02-12. Bibliographically approved
Magnusson, J. SweDNS: Evaluating Privacy and Security of DNS Resolvers used in Sweden.
(English). Manuscript (preprint) (Other academic)
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-102371 (URN)
Available from: 2024-12-03 Created: 2024-12-03 Last updated: 2026-02-12. Bibliographically approved