430 research outputs found

    On The Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications

    As one of the most critical components of the Internet, the Domain Name System (DNS) provides naming services for Internet users, who rely on DNS to perform the translation between the domain names and network entities before establishing an Internet connection. In this dissertation, we present our studies on different aspects of the naming infrastructure in today’s Internet, including DNS itself and the network services based on the naming infrastructure such as Content Delivery Networks (CDNs). We first characterize the evolution and features of the DNS resolution in web services under the emergence of third-party hosting services and cloud platforms. At the bottom level of the DNS hierarchy, the authoritative DNS servers (ADNSes) maintain the actual mapping records and answer the DNS queries. The increasing use of upstream ADNS services (i.e., third-party ADNS-hosting services) and Infrastructure-as-a-Service (IaaS) clouds facilitates the deployment of web services, and has been fostering the evolution of the deployment of ADNS servers. To shed light on this trend, we conduct a large-scale measurement to investigate the ADNS deployment patterns of modern web services and examine the characteristics of different deployment styles, such as performance, life-cycle of servers, and availability. Furthermore, we specifically focus on the DNS deployment for subdomains hosted in IaaS clouds. Then, we examine a pervasive misuse of DNS names and explore a straightforward solution to mitigate the performance penalty in DNS cache. DNS cache plays a critical role in domain name resolution, providing (1) high scalability at Root and Top-level-domain nameservers with reduced workloads and (2) low response latency to clients when the resource records of the queried domains are cached.
However, the pervasive misuses of domain names, e.g., the domain names of “one-time-use” pattern, have negative impact on the effectiveness of DNS caching as the cache has been filled with those entries that are highly unlikely to be retrieved. By leveraging the domain name based features that are explicitly available from a domain name itself, we propose simple policies for improving DNS cache performance and validate their efficacy using real traces. Finally, we investigate the security implications of a fundamental vulnerability in DNS-based CDNs. The success of CDNs relies on the mapping system that leverages the dynamically generated DNS records to distribute a client’s request to a proximal server for achieving optimal content delivery. However, the mapping system is vulnerable to malicious hijacks, as it is very difficult to provide pre-computed DNSSEC signatures for dynamically generated records in CDNs. We illustrate that an adversary can deliberately tamper with the resolvers to hijack CDN’s redirection by injecting crafted but legitimate mappings between end-users and edge servers, while remaining undetectable by existing security practices, which can cause serious threats that nullify the benefits offered by CDNs, such as proximal access, load balancing, and DoS protection. We further demonstrate that DNSSEC is ineffective to address this problem, even with the newly adopted ECDSA that is capable of achieving live signing for dynamically generated DNS records. We then discuss countermeasures against this redirection hijacking

    Automated Discovery of Internet Censorship by Web Crawling

    Censorship of the Internet is widespread around the world. As access to the web becomes increasingly ubiquitous, filtering of this resource becomes more pervasive. Transparency about specific content that citizens are denied access to is atypical. To counter this, numerous techniques for maintaining URL filter lists have been proposed by various individuals and organisations that aim to empirical data on censorship for benefit of the public and wider censorship research community. We present a new approach for discovering filtered domains in different countries. This method is fully automated and requires no human interaction. The system uses web crawling techniques to traverse between filtered sites and implements a robust method for determining if a domain is filtered. We demonstrate the effectiveness of the approach by running experiments to search for filtered content in four different censorship regimes. Our results show that we perform better than the current state of the art and have built domain filter lists an order of magnitude larger than the most widely available public lists as of Jan 2018. Further, we build a dataset mapping the interlinking nature of blocked content between domains and exhibit the tightly networked nature of censored web resources

    Information Centric Networking in the IoT: Experiments with NDN in the Wild

    This paper explores the feasibility, advantages, and challenges of an ICN-based approach in the Internet of Things. We report on the first NDN experiments in a life-size IoT deployment, spread over tens of rooms on several floors of a building. Based on the insights gained with these experiments, the paper analyses the shortcomings of CCN applied to IoT. Several interoperable CCN enhancements are then proposed and evaluated. We significantly decreased control traffic (i.e., interest messages) and leverage data path and caching to match IoT requirements in terms of energy and bandwidth constraints. Our optimizations increase content availability in case of IoT nodes with intermittent activity. This paper also provides the first experimental comparison of CCN with the common IoT standards 6LoWPAN/RPL/UDP. Comment: 10 pages, 10 figures and tables, ACM ICN-2014 conferenc

    Spartan Web Application Firewall

    Computer security is an ongoing issue and attacks are growing more sophisticated. One category of attack utilizes cross-site scripting (XSS) to extract confidential data such as a user’s login credentials without the knowledge of either the user or the web server by utilizing vulnerabilities on web pages and internet browsers. Many people develop their own web applications without learning about or having good coding practices or security in mind. Web application firewalls are able to help but can be enhanced to be more effective than they currently are at detecting reflected XSS attacks by analyzing the request and response data sent between the web application and a user’s browser to more quickly determine if a reflected XSS attack is being attempted. Spartan Web Application Firewall is designed to do this efficiently without being limited to requiring users to be using a specific web browser or web browser plug-in

    Machine Learning for Next-generation Content Delivery Networks: Deployment, Content Placement, and Performance Management

    With the explosive demands for data and the growth in mobile users, content delivery networks (CDNs) are facing ever-increasing challenges to meet end-users quality-of-experience requirements, ensure scalability and remain cost-effective. These challenges encourage CDN providers to seek a solution by considering the new technologies available in today’s computer network domain. Network Function Virtualization (NFV) is a relatively new network service deployment technology used in computer networks. It can reduce capital and operational costs while yielding flexibility and scalability for network operators. Thanks to the NFV, the network functions that previously could be offered only by specific hardware appliances can now run as Virtualized Network Functions (VNF) on commodity servers or switches. Moreover, a network service can be flexibly deployed by a chain of VNFs, a structure known as the VNF Forwarding Graph or VNF-FG. Considering these advantages, the next-generation CDN will be deployed using NFV infrastructure. However, using NFV for service deployment is challenging as resource allocation in a shared infrastructure is not easy. Moreover, the integration of other paradigms (e.g., edge computing and vehicular network) into CDN will compound the complexity of content placement and performance management for the next-generation CDNs. In this regard, due to their impacts on final service and end-user perceived quality, the challenges in service deployment, content placement, and performance management should be addressed carefully. In this thesis, advanced machine learning methods are utilized to provide algorithmic solutions for the abovementioned challenges of the next generation CDNs. Regarding the challenges in the deployment of the next-generation CDNs, we propose two deep reinforcement learning-based methods addressing the joint problems of VNF-FG’s composition and embedding, as well as function scaling and topology adaptation. 
As for content placement challenges, a deep reinforcement learning-based approach for content migration in an edge-based CDN with vehicular nodes is proposed. The proposed approach takes advantage of the available caching resources in the proximity of the full local caches and efficiently migrates contents at the edge of the network. Moreover, for managing the performance quality of an operating CDN, an unsupervised machine learning anomaly detection method is provided. The proposed method uses clustering to enable easier performance analysis for next-generation CDNs. Each proposed method in this thesis is evaluated by comparison to the state-of-the-art approaches. Moreover, when applicable, the optimality gaps of the proposed methods are investigated as well