112 research outputs found
The BGP Visibility Toolkit: detecting anomalous internet routing behavior
In this paper, we propose the BGP Visibility Toolkit, a system for detecting and analyzing anomalous behavior in the Internet. We show that interdomain prefix visibility can be used to single out cases of erroneous demeanors resulting from misconfiguration or bogus routing policies. The implementation of routing policies with BGP is a complicated process, involving fine-tuning operations and interactions with the policies of the other active ASes. Network operators might end up with faulty configurations or unintended routing policies that prevent the success of their strategies and impact their revenues. As part of the Visibility Toolkit, we propose the BGP Visibility Scanner, a tool which identifies limited visibility prefixes in the Internet. The tool enables operators to provide feedback on the expected visibility status of prefixes. We build a unique set of ground-truth prefixes qualified by their ASes as intended or unintended to have limited visibility. Using a machine learning algorithm, we train on this unique dataset an alarm system that separates with 95% accuracy the prefixes with unintended limited visibility. Hence, we find that visibility features are generally powerful to detect prefixes which are suffering from inadvertent effects of routing policies. Limited visibility could render a whole prefix globally unreachable. This points towards a serious problem, as limited reachability of a non-negligible set of prefixes undermines the global connectivity of the Internet. We thus verify the correlation between global visibility and global connectivity of prefixes.
This work was supported in part by the European Community's Seventh Framework Programme (FP7/2007-2013) under Grant 317647 (Leone).
An Internet Heartbeat
Obtaining sound inferences over remote networks via active or passive
measurements is difficult. Active measurement campaigns face challenges of
load, coverage, and visibility. Passive measurements require a privileged
vantage point. Even networks under our own control too often remain poorly
understood and hard to diagnose. As a step toward the democratization of
Internet measurement, we consider the inferential power possible were the
network to include a constant and predictable stream of dedicated lightweight
measurement traffic. We posit an Internet "heartbeat," which nodes periodically
send to random destinations, and show how aggregating heartbeats facilitates
introspection into parts of the network that are today generally obtuse. We
explore the design space of an Internet heartbeat, potential use cases,
incentives, and paths to deployment.
A system for the detection of limited visibility in BGP
International Mention in the doctoral degree.
The performance of the global routing system is vital to thousands of entities operating
the Autonomous Systems (ASes) which make up the Internet. The Border Gateway
Protocol (BGP) is currently responsible for the exchange of reachability information and
the selection of paths according to their specified routing policies. BGP thus enables
traffic to flow from any point to another connected to the Internet. The manner in which traffic
flows is often influenced by entities in the Internet according to their preferences. The
latter are implemented in the form of routing policies by tweaking BGP configurations.
Routing policies are usually complex and aim to achieve a myriad of goals, including technical,
economic and political purposes. Additionally, individual network managers need to
permanently adapt to the interdomain routing changes and, by engineering the Internet
traffic, optimize the use of their network.
Despite the flexibility offered, the implementation of routing policies is a complicated
process in itself, involving fine-tuning operations. Thus, it is an error-prone task and
operators might end up with faulty configurations that impact the efficacy of their strategies
or, more importantly, their revenues. Withal, even when correctly defining legitimate
routing policies, unforeseen interactions between ASes have been observed to cause important
disruptions that affect the global routing system. The main reason behind this
resides in the fact that the actual inter-domain routing is the result of the interplay of
many routing policies from ASes across the Internet, possibly bringing about a different
outcome than the one expected.
In this thesis, we perform an extensive analysis of the intricacies emerging from the
complex netting of routing policies at the interdomain level, in the context of the current
operational status of the Internet. Abundant implications on the way traffic flows in
the Internet arise from the convolution of routing policies at a global scale, at times
resulting in ASes using suboptimal ill-favored paths or in the undetected propagation of configuration errors in the routing system. We argue here that monitoring prefix visibility
at the interdomain level can be used to detect cases of faulty configurations or backfired
routing policies, which disrupt the functionality of the routing system. We show that the
lack of global prefix visibility can offer early warning signs for anomalous events which,
despite their impact, often remain hidden from state of the art tools. Additionally, we show that such unintended Internet behavior not only degrades the efficacy of the routing
policies implemented by operators, causing their traffic to follow ill-favored paths, but
can also point out problems in the global connectivity of prefixes.
We further observe that the majority of prefixes suffering from limited visibility at the
interdomain level is a set of more-specific prefixes, often used by network operators to
fulfill binding traffic engineering needs. One important task achieved through the use
of routing policies for traffic engineering is the control and optimization of the routing
function in order to allow the ASes to engineer the incoming traffic. The advertisement
of more-specific prefixes, also known as prefix deaggregation, provides network operators
with a fine-grained method to control the interdomain ingress traffic, given that the
longest-prefix match rule over-rides any other routing policy applied to the covering less-specific
prefixes.
Nevertheless, however efficient, this traffic engineering tool comes with a cost, which
is usually externalized to the entire Internet community. Prefix deaggregation is a known
reason for the artificial inflation of the BGP routing table, which can further affect the
scalability of the global routing system. Looking past the main motivation for deploying
deaggregation in the first place, we identify and analyze here the economic impact of
this type of strategy. We propose a general Internet model to analyze the effect that
advertising more-specific prefixes has on the incoming transit traffic burstiness. We show
that deaggregation combined with selective advertisements (further defined as strategic
deaggregation) has a traffic stabilization side-effect, which translates into a decrease of the
transit traffic bill. Next, we develop a methodology for Internet Service Providers (ISPs)
to monitor general occurrences of deaggregation within their customer base. Furthermore,
the ISPs can detect selective advertisements of deaggregated prefixes, and thus identify customers which may impact the business of their providers. We apply the proposed
methodology on a complete set of data including routing, traffic, topological and billing
information provided by an operational ISP and we discuss the obtained results.
Official Doctoral Programme in Telematic Engineering. Chair: Arturo Azcorra Saloña. Secretary: Stefano Vissicchio. Member: Kc. Claff
A Brave New World: Studies on the Deployment and Security of the Emerging IPv6 Internet.
Recent IPv4 address exhaustion events are ushering in a new era of
rapid transition to the next generation Internet protocol---IPv6. Via
Internet-scale experiments and data analysis, this dissertation
characterizes the adoption and security of the emerging IPv6 network.
The work includes three studies, each the largest of its kind,
examining various facets of the new network protocol's deployment,
routing maturity, and security.
The first study provides an analysis of ten years of IPv6 deployment
data, including quantifying twelve metrics across ten global-scale
datasets, and affording a holistic understanding of the state and
recent progress of the IPv6 transition. Based on cross-dataset
analysis of relative global adoption rates and across features of the
protocol, we find evidence of a marked shift in the pace and nature
of adoption in recent years and observe that higher-level metrics of
adoption lag lower-level metrics.
Next, a network telescope study covering the IPv6 address space of the
majority of allocated networks provides insight into the early state
of IPv6 routing. Our analyses suggest that routing of average IPv6
prefixes is less stable than that of IPv4. This instability is
responsible for the majority of the captured misdirected IPv6 traffic.
Observed dark (unallocated destination) IPv6 traffic shows substantial
differences from the unwanted traffic seen in IPv4---in both character
and scale.
Finally, a third study examines the state of IPv6 network security
policy. We tested a sample of 25 thousand routers and 520 thousand
servers against sets of TCP and UDP ports commonly targeted by
attackers. We found systemic discrepancies between intended
security policy---as codified in IPv4---and deployed IPv6 policy.
Such lapses in ensuring that the IPv6 network is properly managed and
secured are leaving thousands of important devices more vulnerable to
attack than before IPv6 was enabled.
Taken together, findings from our three studies suggest that IPv6 has
reached a level and pace of adoption, and shows patterns of use, that
indicates serious production employment of the protocol on a broad
scale. However, weaker IPv6 routing and security are evident, and
these are leaving early dual-stack networks less robust than the IPv4
networks they augment.
PhD, Computer Science and Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/120689/1/jczyz_1.pd
Improving the Accuracy of the Internet Cartography
As the global Internet expands to satisfy the demands of the ever-increasing connected population, profound changes are occurring in its interconnection structure. The pervasive growth of IXPs and CDNs, two initially independent but synergistic infrastructure sectors, has contributed to the gradual flattening of the Internet’s inter-domain hierarchy, with primary routing paths shifting from backbone networks to peripheral peering links. At the same time, IPv6 deployment has taken off due to the depletion of unallocated IPv4 addresses. These fundamental changes in Internet dynamics have obvious implications for network engineering and operations, which can benefit from accurate topology maps to understand the properties of this critical infrastructure. This thesis presents a set of new measurement techniques and inference algorithms to construct a new type of semantically rich Internet map, and improve the state of the art in Internet cartography. The author first develops a methodology to extract large-scale validation data from the Communities BGP attribute, which encodes rich routing meta-data on BGP messages. Based on this better-informed dataset the author proceeds to analyse popular assumptions about inter-domain routing policies and devise a more accurate model to describe inter-AS business relationships. Accordingly, the thesis proposes a new relationship inference algorithm to accurately capture both simple and complex AS relationships across two dimensions: prefix type, and geographic location. Validation against three sources of ground-truth data reveals that the proposed algorithm achieves a near-perfect accuracy. However, any inference approach is constrained by the inability of the existing topology data sources to provide a complete view of the inter-domain topology.
To limit the topology incompleteness problem the author augments traditional BGP data with routing policy data obtained directly from IXPs to discover massive peering meshes which have thus far been largely invisible.
Kirin: Hitting the Internet with Millions of Distributed IPv6 Announcements
The Internet is a critical resource in the day-to-day life of billions of users. To support the growing number of users and their increasing demands, operators have to continuously scale their network footprint -- e.g., by joining Internet Exchange Points -- and adopt relevant technologies -- such as IPv6. IPv6, however, has a vastly larger address space compared to its predecessor, which allows for new kinds of attacks on the Internet routing infrastructure. In this paper, we present Kirin: a BGP attack that sources millions of IPv6 routes and distributes them via thousands of sessions across various IXPs to overflow the memory of border routers within thousands of remote ASes. Kirin's highly distributed nature allows it to bypass traditional route-flooding defense mechanisms, such as per-session prefix limits or route flap damping. We analyze the theoretical feasibility of the attack by formulating it as an Integer Linear Programming problem, test for practical hurdles by deploying the infrastructure required to perform a small-scale Kirin attack using 4 IXPs, and validate our assumptions via BGP data analysis, real-world measurements, and router testbed experiments. Despite its low deployment cost, we find Kirin capable of injecting lethal amounts of IPv6 routes in the routers of thousands of ASes.
Bias in Internet Measurement Platforms
Network operators and researchers frequently use Internet measurement
platforms (IMPs), such as RIPE Atlas, RIPE RIS, or RouteViews for, e.g.,
monitoring network performance, detecting routing events, topology discovery,
or route optimization. To interpret the results of their measurements and avoid
pitfalls or wrong generalizations, users must understand a platform's
limitations. To this end, this paper studies an important limitation of IMPs,
the bias, which exists due to the non-uniform deployment of the
vantage points. Specifically, we introduce a generic framework to
systematically and comprehensively quantify the multi-dimensional (e.g., across
location, topology, network types, etc.) biases of IMPs. Using the framework
and open datasets, we perform a detailed analysis of biases in IMPs that
confirms well-known (to the domain experts) biases and sheds light on
less-known or unexplored biases. To help IMP users become aware of
and explore bias in their measurements, and to support further research and
analyses (e.g., methods for mitigating bias), we publicly share our code and
data, and provide online tools (API, Web app, etc.) that calculate and
visualize the bias in measurement setups.
Systems for characterizing Internet routing
Spring 2018. Includes bibliographical references.
Today the Internet plays a critical role in our lives; we rely on it for communication, business, and more recently, smart home operations. Users expect high performance and availability of the Internet. To meet such high demands, all Internet components including routing must operate at peak efficiency. However, events that hamper the routing system over the Internet are very common, causing millions of dollars of financial loss, traffic exposed to attacks, or even loss of national connectivity. Moreover, there is sparse real-time detection and reporting of such events for the public. A key challenge in addressing such issues is the lack of a methodology to study, evaluate and characterize Internet connectivity. While many networks operating autonomously have made the Internet robust, the complexity in understanding how users interconnect, interact and retrieve content has also increased. Characterizing how data is routed, measuring dependency on external networks, and fast outage detection have become necessary using public measurement infrastructures and data sources. From a regulatory standpoint, there is an immediate need for systems to detect and report routing events where a content provider's routing policies may run afoul of state policies. In this dissertation, we design, build and evaluate systems that leverage existing infrastructure and report routing events in near-real time. In particular, we focus on geographic routing anomalies, i.e., detours, routing failures, i.e., outages, and measuring structural changes in routing policies.
Improving the accuracy of spoofed traffic inference in inter-domain traffic
Ascertaining that a network will forward spoofed traffic usually requires an active probing vantage point in that network, effectively preventing a comprehensive view of this global Internet vulnerability. We argue that broader visibility into the spoofing problem may lie in the capability to infer lack of Source Address Validation (SAV) compliance from large, heavily aggregated Internet traffic data, such as traffic observable at Internet Exchange Points (IXPs). The key idea is to use IXPs as observatories to detect spoofed packets, by leveraging Autonomous System (AS) topology knowledge extracted from Border Gateway Protocol (BGP) data to infer which source addresses should legitimately appear across parts of the IXP switch fabric. In this thesis, we demonstrate that the existing literature does not capture several fundamental challenges to this approach, including noise in BGP data sources, heuristic AS relationship inference, and idiosyncrasies in IXP interconnectivity fabrics. We propose Spoofer-IX, a novel methodology to navigate these challenges, leveraging Customer Cone semantics of AS relationships to guide precise classification of inter-domain traffic as In-cone, Out-of-cone (spoofed), Unverifiable, Bogon, and Unassigned. We apply our methodology on extensive data analysis using real traffic data from two distinct IXPs in Brazil, a mid-size and a large-size infrastructure. In the mid-size IXP with more than 200 members, we find an upper bound volume of Out-of-cone traffic to be more than an order of magnitude less than the previous method inferred on the same data, revealing the practical importance of Customer Cone semantics in such analysis. We also found no significant improvement in deployment of SAV in networks using the mid-size IXP between 2017 and 2019.
In hopes that our methods and tools generalize to use by other IXPs who want to avoid use of their infrastructure for launching spoofed-source DoS attacks, we explore the feasibility of scaling the system to larger and more diverse IXP infrastructures. To promote this goal, and broad replicability of our results, we make the source code of Spoofer-IX publicly available. This thesis illustrates the subtleties of scientific assessments of operational Internet infrastructure, and the need for a community focus on reproducing and repeating previous methods.
Inferring BGP blackholing activity in the Internet
The Border Gateway Protocol (BGP) has been used for decades as the de facto protocol to exchange reachability information among networks in the Internet. However, little is known about how this protocol is used to restrict reachability to selected destinations, e.g., that are under attack. While such a feature, BGP blackholing, has been available for some time, we lack a systematic study of its Internet-wide adoption, practices, and network efficacy, as well as the profile of blackholed destinations. In this paper, we develop and evaluate a methodology to automatically detect BGP blackholing activity in the wild. We apply our method to both public and private BGP datasets. We find that hundreds of networks, including large transit providers, as well as about 50 Internet exchange points (IXPs) offer blackholing service to their customers, peers, and members. Between 2014 and 2017, the number of blackholed prefixes increased by a factor of 6, peaking at 5K concurrently blackholed prefixes by up to 400 Autonomous Systems. We assess the effect of blackholing on the data plane using both targeted active measurements as well as passive datasets, finding that blackholing is indeed highly effective in dropping traffic before it reaches its destination, though it also discards legitimate traffic. We augment our findings with an analysis of the target IP addresses of blackholing. Our tools and insights are relevant for operators considering offering or using BGP blackholing services as well as for researchers studying DDoS mitigation in the Internet.