Lecture 17Internet Measurements

2

Web of interconnected networks• Grows with no central authority

• Autonomous Systems optimize local communication efficiency

• The building blocks are engineered and studied in depth

• Global entity has not been characterized

Most real world complex-networks have non-trivial properties.

Global properties can not be inferred from local ones• Engineered with large technical diversity

• Range from local campuses to transcontinental backbone providers

Internet

Need for Internet measurements arises due to commercial, social, and technical issues

• Realistic simulation environment for developed products,

• Improve network management

• Robustness with respect to failures/attacks

• Comprehend spreading of worms/viruses

• Know social trends in Internet use

• Scientific discovery

• Scale-free (power-law), Small-world, Rich-club, Dissasortativity,…

Internet Measurements

3

Internet Topology Measurement

4CAIDA 2006

Internet Topology Measurement

5CAIDA 2006

Internet Topology Measurement

6

Internet Topology Measurement

7CAIDA 2006

IPv4 address space (2010)

8

browse

Direct probing

Indirect probing

A DB C

Internet Topology MeasurementsProbing

IPB TTL=64

IPB

IPD TTL=64

IPD

Vantage Point

A DB C

Vantage Point

IPB

IPD TTL=2IPD TTL=1

IPC

9

Probe packets are carefully constructed to elicit intended response from a probe destination

traceroute probes all nodes on a path towards a given destination• TTL-scoped probes obtain ICMP error messages from routers on the path

• ICMP messages includes the IP address of intermediate routers as its source

Merging end-to-end path traces yields the network map

movie

S DA B C

Destination

Internet Topology MeasurementTopology Collection (traceroute)

TTL=1

IPA

TTL=2

IPB

TTL=3

IPC

TTL=4

IPD

Vantage Point

10

Internet Topology Measurement:Background

11

S

L

U

H

C

N

W

A

s.2

l.1

s.3

u.1

l.3

u.3

h.1

k.3

h.2

h.3

a.3

u.2k.1 c.4

a.1 a.2

w.3c.3

w.1c.2

n.1 n.3

w.2

l.2

K

c.1

k.2

dh.4

Trace to Seattle

h.4

l.3

s.2

Trace to NY

h.4

a.3

w.3

n.3

Internet2 backbone

Internet Topology Measurement:Background

12

S

L

UC

N

A

s.2

l.1

s.3

u.1

l.3

h.1

k.3

h.2

a.3

u.2k.1 c.4

a.1 a.2

w.3c.3

w.1c.2

n.1 n.3

w.2

l.2

K

c.1

k.2

h.3

dh.4

s.1e f

n.2

H

W

u.3

13

Sampling to discover networks • Infer characteristics of the topology

Different studies considered • Effect of sample size [Barford 01]

• Sampling bias [Lakhina 03]

• Path accuracy [Augustin 06]

• Sampling approach [Gunes 07]

• Utilized protocol [Gunes 08]

• ICMP echo request

• TCP syn

• UDP port unreachable

Topology SamplingIssues

Unresponsive Router Resolution Problem

Unresponsive routers do not respond to traceroute probes and appear as a in path traces• Same router may appear as a in multiple traces.

• Unknown nodes belonging to the same router should be resolved.

Unresponsiveness Types1. Ignore all ICMP packets

2. ICMP rate-limiting

3. Ignore ICMP when congested

4. Filter ICMP at border

5. Private IP address

14

Unresponsive Router Resolution Problem

Internet2 backboneS

L

U

K

C

H

A

W

N

e

d

Traces• d - - L - S - e• d - - A - W - - f• e - S - L - - d• e - S - U - - C - - f• f - - C - - - d• f - - C - - U - S - e

15

f

Unresponsive Router Resolution Problem

U K C N

L H A W

S

d

e

f

Sampled network

d

e

fS U

L

C

AW

Resulting network

16

Traces• d - - L - S - e• d - - A - W - - f• e - S - L - - d• e - S - U - - C - - f• f - - C - - - d• f - - C - - U - S - e

17

Graph Based InductionCommon Structures

Parallel nodes

Ax C y2

y1

y3

Ax C y2

y1

y3

Star

DA wx

C y

E z

DA wx

C y

E z

Complete Bipartite

A

C

x

y

D w

F v

E z

A

C

x

y

D w

F v

E z

Clique

A

C

x

y

D w

E z

A

C

x

y

D w

E z

Each interface of a router

has an IP address. A router may respond with

different IP addresses to

different queries.

Alias Resolution is the process of grouping the interface IP addresses of each router into a single node.

Inaccuracies in alias resolution may result in a network map that• includes artificial links/nodes

• misses existing links

Alias Resolution:

.5.33

.18

.13.7

Denver

18

19

S

L

UC

N

W

A

s.2

l.1

s.3

u.1

l.3

u.3

h.1

k.3

h.2

a.3

u.2k.1 c.4

a.1 a.2

w.3c.3

w.1c.2

n.1n.3

w.2

l.2

K

c.1

k.2

h.3

d

h.4

s.1e f

n.2

HTraces• d - h.4 - l.3 - s.2 - e• d - h.4 - a.3 - w.3 - n.3 - f• e - s.1 - l.1 - h.1 - d• e - s.1 - u.1 - k.1 - c.1 - n.1 - f• f - n.2 - c.2 - k.2 - h.2 - d• f - n.2 - c.2 - k.2 - u.2 - s.3 - e

IP Alias ResolutionProblem

20

IP Alias ResolutionProblem

U K C N

L H A W

S

d

e

fSampled network

Sample map without alias resolution

s.3

s.1

s.2

l.3

l.1

u.1

u.2

k.1 c.1 n.1

n.2k.2 c.2

w.3

a.3

h.2

h.4

h.1

e

d

f

n.3

Traces• d - h.4 - l.3 - s.2 - e• d - h.4 - a.3 - w.3 - n.3 - f• e - s.1 - l.1 - h.1 - d• e - s.1 - u.1 - k.1 - c.1 - n.1 - f• f - n.2 - c.2 - k.2 - h.2 - d• f - n.2 - c.2 - k.2 - u.2 - s.3 - e

21

Genuine Subnet ResolutionProblem

Alias resolution

• IP addresses that belong to the same router

Subnet resolution

• IP addresses that are connected over the same medium

IP2 IP3

IP4IP1

IP6 IP5

IP2 IP3

IP1

IP2 IP3

IP1

Autonomous System Level Mapping

22

Historical

Internet Topology Discovery 23

Internet Topology Discovery 24

Internet Topology Discovery 25

Autonomous System Level Mapping

26

27

Internet Topology Discovery 28

2010

Traffic Measurements Monitoring and measuring network traffic

• to produce better models of network behavior

• to diagnose failures and detect anomalies

• to defend against unwanted traffic

Live weather map• Internernet2

PlanetLab

29

30

Cisco US traffic estimate

31

DNS Workload for the Chilean TLD the number of queries and clients seen by one of

the .CL nameservers in Chile • its hourly variation along two days of traces on July 3rd 2007

animation

32

Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the

Internet were infected with the Code-Red (CRv2) worm in less than 14 hours

Spread

33

Sapphire Worm was the fastest computer worm in history

• doubled in size every 8.5 seconds

• infected more than 90 percent of vulnerable hosts within 10 minutes.

34

Witty Worm reached its peak activity after approximately 45 minutes

• at which point the majority of vulnerable hosts had been infected

World USA

35

Nyxem Email Virus Estimate of total number of infected computers is

between 470K and 945K At least 45K of the infected computers were also

compromised by other forms of spyware or botware

Spread

36

Scam Hosting Study dynamics of scam hosting infrastructure

37

Measurement Studies Glasnost

• tests whether BitTorrent is being blocked or throttled

BW-meter• Measurement tools for the capacity and load of Internet paths

NPAD Diagnostics Servers• Automatic diagnostic server for troubleshooting end-systems

and last-mile network problems

iPlane• construct a router interface-level atlas of the Internet

• measuring link attributes

Hubble• find persistent Internet black holes as they occur

38

Internet Measurements The Internet is man-made, so why do we need to

measure it?

• Because we still don’t really understand it• Sometimes things go wrong

• Malicious users

• Measurement for network operations• Detecting and diagnosing problems

• What-if analysis of future changes

• Measurement for scientific discovery• Creating accurate models that represent reality

• Identifying new features and phenomena

39

Questions ?

Internet Topology Discovery 40