Bootstrapping Real-world Deployment of Future Internet Architectures
The past decade has seen many proposals for future Internet architectures. Most of these proposals require substantial changes to the current networking infrastructure and end-user devices, resulting in a failure to move from theory to real-world deployment. This paper describes one possible strategy for bootstrapping the initial deployment of future Internet architectures by focusing on providing high availability as an incentive for early adopters. Through large-scale simulation and real-world implementation, we show that with only a small number of adopting ISPs, customers can obtain high availability guarantees. We discuss design, implementation, and evaluation of an availability device that allows customers to bridge into the future Internet architecture without modifications to their existing infrastructure.
IBTrack: An ICMP Black holes Tracker
ICMP is a fundamental part of the Internet as it handles control and error messages. ICMP's treatment by the network, and in particular by the different routers it may cross, is therefore a key aspect driving troubleshooting and diagnosis processes. In this paper we present IBTrack, a tool that aims at characterizing how the network actually treats different ICMP messages from a user's point of view. Specifically, we detail a classification algorithm to categorize router behaviors and we introduce its associated refining method, which exploits multiple probing protocols. We illustrate the average Internet router behavior and path composition through results gathered from PlanetLab nodes using a large CAIDA snapshot of routed /24 prefixes. We further show that our refining method improves the router behavior characterization by up to 10% for more than 1% of the total number of observed routers.
A middlebox-cooperative TCP for a non end-to-end Internet
Understanding, measuring, and debugging IP networks, particularly across administrative domains, is challenging. One particularly daunting aspect of the challenge is the presence of transparent middleboxes, which are now common in today's Internet. In-path middleboxes that modify packet headers are typically transparent to a TCP, yet can impact end-to-end performance or cause blackholes. We develop TCP HICCUPS to reveal packet header manipulation to both endpoints of a TCP connection. HICCUPS permits endpoints to cooperate with currently opaque middleboxes without prior knowledge of their behavior. For example, with visibility into end-to-end behavior, a TCP can selectively enable or disable performance-enhancing options. This cooperation enables protocol innovation by allowing new IP or TCP functionality (e.g., ECN, SACK, Multipath TCP, Tcpcrypt) to be deployed without fear of such functionality being misconstrued, modified, or blocked along a path. HICCUPS is incrementally deployable and introduces no new options. We implement and deploy TCP HICCUPS across thousands of disparate Internet paths, highlighting the breadth and scope of subtle and hard-to-detect middlebox behaviors encountered. We then show how the path diagnostic capabilities provided by HICCUPS can benefit applications and the network.
Blocking DDoS attacks at the network level
Distributed denial of service (DDoS) is a persistent and continuously growing problem. These attacks are based on methods that flood the victim with messages that it did not request, effectively exhausting its computational or bandwidth resources. The variety of attack approaches is overwhelming and the current defense mechanisms are not completely effective. In today's Internet, a multitude of DDoS attacks occur every day, some even degrading the availability of critical or governmental services.
In this dissertation, we propose a new network-level DDoS mitigation protocol that iterates on previous attempts and uses proven mechanisms such as cryptographic challenges and packet tagging.
Our analysis of the previous attempts to solve this problem led to a ground-up design of the protocol with adaptability in mind, trying to minimize deployment and adoption barriers.
With this work we concluded that, with software changes only on the communication endpoints, it is possible to mitigate the most used DDoS attacks with results up to 25 times more favourable than standard resource rate limiting (RRL) methods.
Measuring Path MTU discovery behaviour
Path MTU Discovery (PMTUD) is widely believed to be unreliable because of firewalls that discard ICMP “Packet Too Big” messages. This paper measures PMTUD behaviour for 50,000 popular websites and finds that the failure rate in IPv4 is much lower than reported in previous studies. We measure the overall failure rate at between 5% and 18%, depending on the MTU of the constraining link. We explore methods webserver operators are using to reduce their dependence on PMTUD, and find that 11% limit themselves to sending packets no larger than 1380 bytes. We identify a number of common behaviours that seem to be software bugs rather than filtering by firewalls. If these were corrected, PMTUD failures could be reduced by 63%. We further find that the IPv6 failure rate is lower than the IPv4 rate, even though there is more scope for failure in IPv6.