Computer Networks
Zhenhai Duan
Department of Computer Science
9/15/2011
Research Area
  Computer networks, in particular, Internet protocols, architectures, and systems
    Quality of Service (QoS) provisioning
    Internet inter-domain routing
    Internet systems security
    Overlay and peer-to-peer systems
    Network measurement
  Details and publications: http://www.cs.fsu.edu/~duan
A Few Projects that I will Discuss
  Packet scheduling algorithms
  Improving Internet inter-domain routing performance
  Controlling IP spoofing
  Detecting compromised machines (botnets)
QoS Provisioning on the Internet
  The current Internet provides a best-effort service
    No service guarantees in terms of bandwidth or end-to-end delay
  Many new applications require more stringent service guarantees
    VoIP and real-time video streaming
    Games
    Mission-critical applications: online financial transactions, power grid control systems
[Figure: a call across the Internet; "Can you hear me now?"]
Why can the current Internet not provide QoS guarantees?
  A number of factors (routing, architecture, etc.)
  A key limitation is the First Come First Served (FCFS) packet scheduling algorithm used by routers
Two Fundamental Approaches to Designing New Packet Scheduling Algorithms
  Round-robin packet scheduling
    Low complexity: O(1)
    Bad QoS performance: O(#flow)
  Time stamp based fair queueing packet scheduling algorithms
    Emulating a single-flow system
    Time stamp based packet scheduling: compute and assign a time stamp to each packet, then schedule based on the time stamps
    Good performance: O(rate), largely independent of other flows
    High complexity: O(#flow)
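As an added illustration of the time-stamp approach (example code, not from the talk), here is a small self-clocked fair queue: each packet receives a virtual finish tag of max(flow's last tag, virtual time) + length/rate, and the scheduler always sends the smallest tag. The flow names, rates and packet sizes are constructed.

```python
from collections import deque

class FairQueue:
    """Time-stamp based fair queueing (self-clocked flavour): each packet gets a finish
    tag in virtual time and the scheduler always sends the smallest tag. The scan over
    all flows in dequeue() is the O(#flow) cost the slide refers to."""

    def __init__(self, rates):
        self.rates = rates                          # flow -> reserved rate (fraction of C)
        self.last_tag = {f: 0.0 for f in rates}     # finish tag of the flow's newest packet
        self.queues = {f: deque() for f in rates}   # flow -> FIFO of (tag, length)
        self.vtime = 0.0                            # virtual time: tag of packet in service

    def enqueue(self, flow, length):
        # A flow that was idle restarts from the current virtual time rather than its
        # old tag, so it cannot bank credit while idle and then burst ahead of others.
        tag = max(self.last_tag[flow], self.vtime) + length / self.rates[flow]
        self.last_tag[flow] = tag
        self.queues[flow].append((tag, length))
        return tag

    def dequeue(self):
        """Transmit the head packet with the smallest tag; return its flow (None if idle)."""
        best_flow, best_tag = None, None
        for flow, q in self.queues.items():         # O(#flow) comparison per packet
            if q and (best_tag is None or q[0][0] < best_tag):
                best_flow, best_tag = flow, q[0][0]
        if best_flow is None:
            return None
        self.queues[best_flow].popleft()
        self.vtime = best_tag
        return best_flow

def demo():
    """Constructed scenario: 'voip' reserves twice the rate of 'bulk'; a third flow,
    'late', sends its first packet only after three packets have already been served."""
    fq = FairQueue({"voip": 2.0, "bulk": 1.0, "late": 1.0})
    for _ in range(3):
        fq.enqueue("voip", 1.0)
        fq.enqueue("bulk", 1.0)
    order = [fq.dequeue() for _ in range(3)]    # voip, voip, bulk: the 2:1 share
    late_tag = fq.enqueue("late", 1.0)          # 2.0 = vtime 1.0 + 1/1, no banked credit
    order += [fq.dequeue() for _ in range(4)]   # voip, bulk, late, bulk
    return order, late_tag
```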
More Scalable Packet Schedulers
  Hybrid round-robin and time-stamp based approach: FRR
    IEEE INFOCOM 2005, IEEE ToC 2009
  Core stateless packet schedulers: VTRS, SETF, DETF
    ACM SIGCOMM 2000, IEEE ICNP 2001, IEEE ICCCN 2006
    IEEE JSAC 2000, IEEE TPDS 2004, 2005
Internet Inter-Domain Routing
  The Internet consists of a large number of network domains (ASes)
    Each owns one or multiple network prefixes, e.g. the FSU campus network: 128.186.0.0/16
  Intra-domain and inter-domain routing protocols
    Intra-domain: OSPF and IS-IS
    Inter-domain: BGP, a path-vector routing protocol
  BGP
    Used to exchange network prefix reachability information: the network prefix and the AS-level path to reach it
    Path selection algorithm
BGP: an Example
[Figure: propagation of 128.186.0.0/16. The originating AS (labelled 0) announces the prefix, and each AS prepends its own number to the AS path before passing the update on; the updates shown are:]
  NLRI=128.186.0.0/16 ASPATH=[0]
  NLRI=128.186.0.0/16 ASPATH=[1 0]
  NLRI=128.186.0.0/16 ASPATH=[1 0]
  NLRI=128.186.0.0/16 ASPATH=[2 1 0]
  NLRI=128.186.0.0/16 ASPATH=[6 1 0]
  NLRI=128.186.0.0/16 ASPATH=[6 1 0]
  NLRI=128.186.0.0/16 ASPATH=[2 1 0]
  NLRI=128.186.0.0/16 ASPATH=[7 6 1 0]
  NLRI=128.186.0.0/16 ASPATH=[4 2 1 0]
  NLRI=128.186.0.0/16 ASPATH=[3 2 1 0]
  AS 5 holds [3 2 1 0]* [4 2 1 0] [7 6 1 0] (* marks the selected path) and announces NLRI=128.186.0.0/16 ASPATH=[5 3 2 1 0]
Performance Issues with BGP
  Instability: at any time, a large number of BGP messages are being exchanged
  Slow convergence: after a network failure event, it takes a long time for the routing system to converge from one stable state to another stable state
  They are related, but not the same
Live BGP Updates
  Team Cymru: http://www.cymru.com/BGP/bgp_updates.html
  BGPlay at RouteViews: http://bgplay.routeviews.org/
Network Dynamics
  The Internet has about 38,600 ASes and 370,000 network prefixes (as of 09/03/2011)
  In a system this big, things happen all the time: fiber cuts, equipment outages, operator errors
  Direct consequences for the routing system
    Events may propagate through the entire Internet
    Recomputing/propagating best routes
    A large number of BGP updates exchanged between ASes
  Effects on user-perceived network performance
    Long network delay
    Packet loss
    Even loss of network connectivity
Causes of BGP instability and long convergence
  Protocol artifacts of BGP
  Constraints of physical propagation: the Internet is a GLOBAL network
[Figure: 128.186.0.0/16 is withdrawn. AS 5 held [3 2 1 0]* [4 2 1 0] [7 6 1 0]; the updates shown are NLRI=128.186.0.0/16 ASPATH=[5 7 6 1 0], NLRI=128.186.0.0/16 ASPATH=[5 4 2 1 0], and finally NLRI=128.186.0.0/16 Withdrawal.]
Improving BGP stability and convergence
  BGP protocol artifacts
    EPIC: carrying event origin in BGP updates
      Propagation delays on different paths
      Inter-domain failure vs. intra-domain failure
      Multi-connectivity between ASes
      Scalability and confidentiality
    IEEE INFOCOM 2005
  Physical propagation constraints
    Transient failures
    TIDR: localize failure events, build back-up paths
    IEEE GLOBECOM 2008
Controlling IP Spoofing
  What is IP spoofing? The act of faking the source IP address; used by many DDoS attacks
  Why does it remain popular?
    Hard to isolate attack traffic from legitimate traffic
    Hard to pinpoint the true attacker
    Many attacks rely on IP spoofing
Filtering based on Route
  A key observation: attackers can spoof the source address, but they cannot control the route packets take
  Requirement
    Filters need to compute the best path from src to dst
    Filters need to know global topology info
    Not available in a path-vector based Internet routing system
Internet AS Relationship
  The Internet consists of a large number of network domains; two common AS relationships: provider-customer and peering
  AS relationships determine routing policies
  A net effect of routing policies: they limit the number of routes between a pair of source and destination
[Figure: example ASes and their relationships: AS 2553 FSU, AS 11096 FloridaNet, AS 174 Cogent, AS 3356 Level 3, AS 2828 XO Comm, AS 11537 Internet2]
Topological Routes vs. Feasible Routes
  Topological routes: loop-free paths between a pair of nodes
  Feasible routes: loop-free paths between a pair of nodes that do not violate routing policies
  Example graph with nodes s, a, b, c, d
    Topological routes from s to d: s a d, s b d, s a b d, s a c d, s b a d, s b c d, s a b c d, s a c b d, s b a c d, s b c a d
    Feasible routes from s to d: s a d, s b d
Inter-Domain Packet Filter (IDPF)
  Identifying feasible upstream neighbors: instead of filtering based on the best path, filter based on feasible routes
  Findings based on real AS graphs
    IDPFs can effectively limit the spoofing capability of attackers: from 80% of networks, attackers cannot spoof source addresses
    IDPFs are effective in helping IP traceback: all ASes can localize attackers to at most 28 ASes
  IEEE INFOCOM 2006, IEEE TDSC 2008
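An added Python example (not from the talk) covering the three slides above: it enumerates the topological routes of the slide's graph, keeps the valley-free ones as feasible routes, and derives from them the IDPF table of feasible upstream neighbors. The AS relationships are an assumption chosen to reproduce the slide's feasible routes s a d and s b d.

```python
# The slide's graph (nodes s, a, b, c, d). The AS relationships are an assumption,
# chosen so the feasible routes come out as the slide lists them: s is a customer of
# a and b, a and b are customers of d, and every other link is a peering link.
CUSTOMER_OF = {("s", "a"), ("s", "b"), ("a", "d"), ("b", "d")}   # (customer, provider)
PEERS = {("a", "b"), ("a", "c"), ("b", "c"), ("c", "d")}
NODES = ["s", "a", "b", "c", "d"]
HOP = {}   # (u, v) -> "up" (to a provider), "down" (to a customer) or "peer"
for cust, prov in CUSTOMER_OF:
    HOP[(cust, prov)], HOP[(prov, cust)] = "up", "down"
for x, y in PEERS:
    HOP[(x, y)] = HOP[(y, x)] = "peer"

def topological_routes(src, dst, path=None):
    """All loop-free paths from src to dst, ignoring routing policy."""
    path = path or [src]
    if path[-1] == dst:
        yield path
        return
    for v in NODES:
        if v not in path and (path[-1], v) in HOP:
            yield from topological_routes(src, dst, path + [v])

def valley_free(path):
    """Export policy: climb via providers, cross at most one peering link, then only descend."""
    descending = False
    for u, v in zip(path, path[1:]):
        step = HOP[(u, v)]
        if descending and step != "down":
            return False    # an up or peer hop after the top of the path is a valley
        if step != "up":
            descending = True
    return True

def feasible_routes(src, dst):
    return [p for p in topological_routes(src, dst) if valley_free(p)]

def feasible_upstreams(src):
    """IDPF table: for each AS v, the neighbors u with (u, v) on some feasible route from src."""
    allowed = {v: set() for v in NODES}
    for dst in NODES:
        if dst != src:
            for p in feasible_routes(src, dst):
                for u, v in zip(p, p[1:]):
                    allowed[v].add(u)
    return allowed

def idpf_accepts(at_node, from_neighbor, claimed_src):
    """Filter decision at `at_node` for a packet arriving from `from_neighbor`."""
    return from_neighbor in feasible_upstreams(claimed_src)[at_node]
```

At d, a packet claiming source s is accepted from a or b but dropped when it arrives from c, since no feasible route from s crosses the c-d link.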
Detecting Compromised Computers in Networks
  Botnet: a network of compromised machines, each with a bot program installed to execute commands from a controller, without the owner's knowledge
  July 2009: cyberattacks on government and commercial websites in the US and South Korea; about 50,000 compromised machines involved
Motivation and Problem
  Botnets are becoming a major security issue: spamming, DDoS, identity theft; sheer volume and wide spread
SPOT: Detecting Spam Zombies by Monitoring Outgoing Messages
  How to determine whether a sending machine is compromised as its emails pass through SPOT one after another: the sequential probability ratio test (SPRT)
  IEEE INFOCOM 2009, IEEE TDSC (accepted)
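An added sketch (not SPOT's code) of the SPRT the slide names: per sending host, a running log-likelihood ratio over the spam/non-spam labels of its outgoing messages, compared against Wald's thresholds derived from the chosen error rates. The hypothesis probabilities, error bounds and log lines are constructed.

```python
import math

class SpotDetector:
    """SPRT over the outgoing mail of one host. H1: the host is a spam zombie (each
    message is spam with probability theta1); H0: it is a normal host (theta0).
    alpha/beta bound the false-positive and false-negative rates (Wald's thresholds)."""

    def __init__(self, theta1=0.9, theta0=0.2, alpha=0.01, beta=0.01):
        self.step_spam = math.log(theta1 / theta0)               # LLR gain per spam message
        self.step_ham = math.log((1 - theta1) / (1 - theta0))    # LLR loss per normal message
        self.upper = math.log((1 - beta) / alpha)   # crossing it: declare compromised
        self.lower = math.log(beta / (1 - alpha))   # crossing it: declare normal
        self.llr = {}    # host -> running log-likelihood ratio
        self.seen = {}   # host -> messages observed in the current test

    def observe(self, host, is_spam):
        """Feed one labelled outgoing message; return (host, n, verdict) or None."""
        self.llr[host] = self.llr.get(host, 0.0) + (self.step_spam if is_spam else self.step_ham)
        self.seen[host] = self.seen.get(host, 0) + 1
        if self.llr[host] >= self.upper:
            verdict = "compromised"
        elif self.llr[host] <= self.lower:
            verdict = "normal"
        else:
            return None                      # not enough evidence yet, keep watching
        n, self.llr[host], self.seen[host] = self.seen[host], 0.0, 0   # restart the test
        return (host, n, verdict)

# Constructed sample, one outgoing message per line: "<sending host> <spam|ham>", as a
# content filter in front of SPOT might label them. Not real traffic.
SAMPLE_LOG = """\
10.0.0.7 spam
10.0.0.8 ham
10.0.0.7 spam
10.0.0.8 ham
10.0.0.7 spam
10.0.0.8 spam
10.0.0.7 spam
10.0.0.8 ham
"""

def run_sample(log=SAMPLE_LOG):
    """Verdicts reached while replaying the log, with the number of messages each took."""
    det = SpotDetector()
    verdicts = []
    for line in log.splitlines():
        host, label = line.split()
        result = det.observe(host, label == "spam")
        if result:
            verdicts.append(result)
    return verdicts
```

With these parameters both hosts are classified after only four messages each, which is the point of a sequential test: it stops as soon as the evidence crosses a threshold instead of waiting for a fixed sample size.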
Other Research Projects
  BGP security: ACM ASIACCS 2010
  Spam filtering: CEAS 2010, CEAS 2011
  Detecting phishing emails: CEAS 2010
  Security of anonymous networks: Tor and Freenet
Thank you! Questions and comments?
Details at my homepage http://www.cs.fsu.edu/~duan
BGP Security
  Security relies on trust relationships among ASes: who owns which prefixes, and how to reach them
  Accidents (caused by human errors, not attacks)
    24 Feb 2008, AS 17557 took YouTube's 208.65.163.0/24
    07 May 2005, AS 174 took Google's 64.233.161.0/24
    24 Dec 2004, Anatomy of a Leak: AS9121 (100K+ routes)
    6 Apr 2001: C&W routing instability (full routing table announced)
    Check the NANOG mailing list for more accidents
  Network prefix hijacking: origin spoofing and path spoofing
  Existing solutions: PKI-based secure BGP (S-BGP)
RBF: Region-Based BGP Update Filtering
  Two region granularities considered: country-level and RIR-level
  ACM ASIACCS 2010