132 research outputs found

    QuLa: service selection and forwarding table population in service-centric networking using real-life topologies

    The amount of services located in the network has drastically increased over the last decade, which is why more and more datacenters are located at the network edge, closer to the users. In the current Internet, it is up to the client to select a destination using a resolution service (Domain Name System, Content Delivery Networks, ...). In the last few years, research on Information-Centric Networking (ICN) has suggested placing this selection responsibility in the network components: routers find the closest copy of a content object using the content name as input. We extend the principle of ICN to services; service routers forward requests to service instances located in datacenters spread across the network edge. To solve this problem, we first present a service selection algorithm based on both server and network metrics. Next, we describe a method to reduce the state required in service routers while minimizing the performance loss caused by this data reduction. Simulation results based on real-life networks show that we are able to find a near-optimal load distribution with only minimal state required in the service routers.

    Re-designing Dynamic Content Delivery in the Light of a Virtualized Infrastructure

    We explore the opportunities and design options enabled by novel SDN and NFV technologies by re-designing a dynamic Content Delivery Network (CDN) service. Our system, named MOSTO, provides performance levels comparable to that of a regular CDN, but does not require the deployment of a large distributed infrastructure. In the process of designing the system, we identify relevant functions that could be integrated in the future Internet infrastructure. Such functions greatly simplify the design and effectiveness of services such as MOSTO. We demonstrate our system using a mixture of simulation, emulation, testbed experiments and by realizing a proof-of-concept deployment in a planet-wide commercial cloud system. Comment: Extended version of the paper accepted for publication in JSAC special issue on Emerging Technologies in Software-Driven Communication, November 201

    Service oriented networking

    This paper introduces a new paradigm for service oriented networking being developed in the FUSION project (1). Despite recent proposals in the area of information centric networking, a similar treatment of services - where networked software functions, rather than content, are dynamically deployed, replicated and invoked - has received little attention from the network research community to date. Our approach provides the mechanisms required to deploy a replicated service instance in the network and to route client requests to the closest instance in an efficient manner. We address the main issues that such a paradigm raises, including load balancing, resource registration, domain monitoring and inter-domain orchestration. We also present preliminary evaluation results of current work.

    Machine Learning and Big Data Methodologies for Network Traffic Monitoring

    Over the past 20 years, the Internet saw an exponential growth of traffic, users, services and applications. Currently, it is estimated that the Internet is used every day by more than 3.6 billion users, who generate 20 TB of traffic per second. Such a huge amount of data challenges network managers and analysts to understand how the network is performing, how users are accessing resources, how to properly control and manage the infrastructure, and how to detect possible threats. Along with mathematical, statistical, and set theory methodologies, machine learning and big data approaches have emerged to build systems that aim at automatically extracting information from the raw data that the network monitoring infrastructures offer. In this thesis I will address different network monitoring solutions, evaluating several methodologies and scenarios. I will show how, following a common workflow, it is possible to exploit mathematical, statistical, set theory, and machine learning methodologies to extract meaningful information from the raw data. Particular attention will be given to machine learning and big data methodologies such as DBSCAN and the Apache Spark big data framework. The results show that, despite being able to take advantage of mathematical, statistical, and set theory tools to characterize a problem, machine learning methodologies are very useful to discover hidden information about the raw data. Using the DBSCAN clustering algorithm, I will show how to use YouLighter, an unsupervised methodology to group caches serving YouTube traffic into edge-nodes, and later, by using the notion of Pattern Dissimilarity, how to identify changes in their usage over time. By using YouLighter over 10-month long traces, I will pinpoint sudden changes in the YouTube edge-nodes usage, changes that also impair the end users' Quality of Experience.
    I will also apply DBSCAN in the deployment of SeLINA, a self-tuning tool implemented in the Apache Spark big data framework to autonomously extract knowledge from network traffic measurements. By using SeLINA, I will show how to automatically detect the changes of the YouTube CDN previously highlighted by YouLighter. Along with these machine learning studies, I will show how to use mathematical and set theory methodologies to investigate the browsing habits of Internauts. By using a two-week dataset, I will show how, over this period, the Internauts continue discovering new websites. Moreover, I will show that by using only DNS information to build a profile, it is hard to build a reliable profiler. Instead, by exploiting mathematical and statistical tools, I will show how to characterize Anycast-enabled CDNs (A-CDNs). I will show that A-CDNs are widely used for both stateless and stateful services; that A-CDNs are quite popular, as more than 50% of web users contact an A-CDN every day; and that stateful services can benefit from A-CDNs, since their paths are very stable over time, as demonstrated by the presence of only a few anomalies in their Round Trip Time. Finally, I will conclude by showing how I used BGPStream, an open-source software framework for the analysis of both historical and real-time Border Gateway Protocol (BGP) measurement data. By using BGPStream in real-time mode I will show how I detected a Multiple Origin AS (MOAS) event, and how I studied the black-holing community propagation, showing the effect of this community in the network. Then, by using BGPStream in historical mode, and the Apache Spark big data framework over 16 years of data, I will show different results such as the continuous growth of IPv4 prefixes, and the growth of MOAS events over time. All these studies have the aim of showing how monitoring is a fundamental task in different scenarios, in particular highlighting the importance of machine learning and of big data methodologies.

    A TLS Downgrade Attack Using Spatial Differences in Security Configurations

    Thesis (Master's) -- Seoul National University Graduate School: College of Engineering, Department of Computer Science and Engineering, 2021. 2. Taekyoung Kwon.
    To provide secure content delivery, Transport Layer Security (TLS) has become a de facto standard over a couple of decades. However, TLS has a long history of security weaknesses and drawbacks. Thus the security of TLS has been enhanced by addressing security problems through continuous version upgrades. Meanwhile, to provide fast content delivery globally, websites need to administer many machines in globally distributed environments. They often delegate the management of machines to web hosting services or Content Delivery Networks (CDNs), where the security configurations on distributed servers may vary depending on the managing entities or locations. By leveraging these spatial differences in TLS security, we present a new TLS downgrade attack, called a Teleport attack. In our attack model, an adversary collects the information of (web) domains that exhibit different TLS versions and cryptographic options depending on clients' locations. Then the adversary redirects TLS handshake messages to weak TLS servers and downgrades TLS sessions, which both the server and the client may not be aware of. We measure how many domains in the wild are vulnerable to the Teleport attack, and seek to better understand the root causes of the spatial differences in TLS security configurations. We also measure the redirection delay in various locations over the world to demonstrate the feasibility of the Teleport attack.
    Korean abstract (translated): Over the past several decades, TLS (Transport Layer Security) has established itself as the de facto standard for the secure delivery of web content. However, TLS has continuously exposed vulnerabilities over a long period, and as a result the security of TLS has been maintained by resolving security problems through continuous version upgrades. Meanwhile, in order to deliver web content quickly to users around the world, web service providers have needed to maintain many servers in geographically distributed environments. As a result, it has become common to delegate web content to web hosting or CDN (Content Delivery Networks) service providers, and in this case the security settings of the distributed servers are also delegated and may differ depending on the managing entity or the service region. Exploiting these spatial differences in TLS security configurations, we present a new TLS downgrade attack, the so-called Teleport attack. In this attack model, the attacker collects information on domains that offer different TLS versions and cryptographic options depending on the client's geographic location. The attacker then redirects the client's TLS connection messages to a weak server in another region and downgrades the TLS session without either the server or the client noticing. We measured how many domains in the real world are vulnerable to the Teleport attack, and performed an analysis to trace the root causes of the spatial differences in TLS security configurations. We also measured the delay caused by session redirection in several regions to demonstrate the feasibility of the Teleport attack.
    Table of contents:
    Chapter 1. Introduction
    Chapter 2. Background
      2.1 TLS Handshakes and Downgrade Attacks
      2.2 CDN Redirection
    Chapter 3. Teleport Attack
      3.1 Threat Model
      3.2 Populating Target Database
      3.3 TLS Handshake Redirection
      3.4 Downgraded Session Exploitation
      3.5 Summary
    Chapter 4. Effect of the Teleport attack
      4.1 Data Collection
      4.2 Vulnerable Domains
      4.3 Cases of Spatial Differences
      4.4 How Web Servers are Managed
      4.5 Classification Results
    Chapter 5. Feasibility of the Teleport attack
    Chapter 6. Discussions
      6.1 Mitigation
      6.2 Limitations
    Chapter 7. Related Work
    Chapter 8. Conclusion
    Master

    QuLa: queue and latency-aware service selection and routing in service-centric networking

    Due to an explosive growth in services running in different datacenters, there is a need for service selection and routing to deliver user requests to the best service instance. In current solutions, it is generally the client that must first select a datacenter to forward the request to before an internal load-balancer of the selected datacenter can select the optimal instance. An optimal selection requires knowledge of both network and server characteristics, making clients less suitable to make this decision. Information-Centric Networking (ICN) research solved a similar selection problem for static data retrieval by integrating content delivery as a native network feature. We address the selection problem for services by extending the ICN principles to services. In this paper we present Queue and Latency, a network-driven service selection algorithm which maps user demand to service instances, taking into account both network and server metrics. To reduce the size of service router forwarding tables, we present a statistical method to approximate an optimal load distribution with minimized router state required. Simulation results show that our statistical routing approach approximates the average system response time of source-based routing with minimized state in forwarding tables.

    Improving Anycast with Measurements

    Since the first Distributed Denial-of-Service (DDoS) attacks were launched, the strength of such attacks has been steadily increasing, from a few megabits per second to well into the terabit/s range. The damage that these attacks cause, mostly in terms of financial cost, has prompted researchers and operators alike to investigate and implement mitigation strategies. Examples of such strategies include local filtering appliances, Border Gateway Protocol (BGP)-based blackholing and outsourced mitigation in the form of cloud-based DDoS protection providers. Some of these strategies are more suited towards high bandwidth DDoS attacks than others. For example, using a local filtering appliance means that all the attack traffic will still pass through the owner's network. This inherently limits the maximum capacity of such a device to the bandwidth that is available. BGP blackholing does not have such limitations, but can, as a side-effect, cause service disruptions to end-users. A different strategy, that has not attracted much attention in academia, is based on anycast. Anycast is a technique that allows operators to replicate their service across different physical locations, while keeping that service addressable with just a single IP address. It relies on BGP to effectively load balance users. In practice, it is combined with other mitigation strategies to allow those to scale up. Operators can use anycast to scale their mitigation capacity horizontally. Because anycast relies on BGP, and therefore in essence on the Internet itself, it can be difficult for network engineers to fine tune this balancing behavior. In this thesis, we show that this is indeed the case through two different case studies. In the first, we focus on an anycast service during normal operations, namely the Google Public DNS, and show that the routing within this service is far from optimal, for example in terms of distance between the client and the server.
    In the second case study, we observe the root DNS while it is under attack, and show that even though in aggregate the bandwidth available to this service exceeds the attack we observed, clients still experienced service degradation. This degradation was caused by the fact that some sites of the anycast service received a much higher share of traffic than others. In order for operators to improve their anycast networks, and optimize them in terms of resilience against DDoS attacks, a method to assess the actual state of such a network is required. Existing methodologies typically rely on external vantage points, such as those provided by RIPE Atlas, and are therefore limited in scale and inherently biased in terms of distribution. We propose a new measurement methodology, named Verfploeter, to assess the characteristics of anycast networks in terms of client to Point-of-Presence (PoP) mapping, i.e. the anycast catchment. This method does not rely on external vantage points, is free of bias and offers a much higher resolution than any previous method. We validated this methodology by deploying it on a testbed that was locally developed, as well as on the B root DNS. We showed that the increased resolution of this methodology improved our ability to assess the impact of changes in the network configuration, when compared to previous methodologies. As final validation we implement Verfploeter on Cloudflare's global-scale anycast Content Delivery Network (CDN), which has almost 200 global Points-of-Presence and an aggregate bandwidth of 30 Tbit/s. Through three real-world use cases, we demonstrate the benefits of our methodology: Firstly, we show that changes that occur when withdrawing routes from certain PoPs can be accurately mapped, and that in certain cases the effect of taking down a combination of PoPs can be calculated from individual measurements.
    Secondly, we show that Verfploeter largely reinstates the ping to its former glory, showing how it can be used to troubleshoot network connectivity issues in an anycast context. Thirdly, we demonstrate how accurate anycast catchment maps offer operators a new and highly accurate tool to identify and filter spoofed traffic. Where possible, we make datasets collected over the course of the research in this thesis available as open access data. The two best (open) dataset awards that were awarded for these datasets confirm that they are a valued contribution. In summary, we have investigated two large anycast services and have shown that their deployments are not optimal. We developed a novel measurement methodology that is free of bias and is able to obtain highly accurate anycast catchment mappings. By implementing this methodology and deploying it on a global-scale anycast network we show that our method adds significant value to the fast-growing anycast CDN industry and enables new ways of detecting, filtering and mitigating DDoS attacks.