
Computer Networks

Computer Networks. Zhenhai Duan Department of Computer Science 9/15/2011. Research Area. Computer networks, in particular, Internet protocols, architectures, and systems Quality of Service ( QoS ) provisioning Internet inter-domain routing Internet systems security





Presentation Transcript


  1. Computer Networks Zhenhai Duan Department of Computer Science 9/15/2011

  2. Research Area • Computer networks, in particular, Internet protocols, architectures, and systems • Quality of Service (QoS) provisioning • Internet inter-domain routing • Internet systems security • Overlay and peer-to-peer systems • Network measurement • Details and publications • http://www.cs.fsu.edu/~duan

  3. A Few Projects that I will Discuss • Packet scheduling algorithms • Improving Internet inter-domain routing performance • Controlling IP spoofing • Detecting compromised machines (botnets)

  4. Can you hear me now? Internet QoS Provisioning on the Internet • Current Internet provides a best-effort service • No service guarantees in terms of bandwidth or end-to-end delay • Many new applications require more stringent service guarantees • VoIP and real-time video streaming • Games • Mission-critical applications • Online financial transactions • Power grid control system

  5. Why can't the current Internet provide QoS guarantees? • A number of factors (routing, architecture, etc.) • A key limitation is the First Come First Served (FCFS) packet scheduling algorithm used by routers

  6. Two Fundamental Approaches to Designing New Packet Scheduling • Round-robin packet scheduling algorithms • Low complexity: O(1) • Bad QoS performance: O(#flow)

  7. Time stamp based fair queueing packet scheduling algorithms • Emulating a single-flow system • Time stamp based packet scheduling • Compute and assign time stamps to each packet • Scheduling based on time stamps • Good performance: O(rate), largely independent of other flows • High complexity: O(#flow)
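The two scheduler families on slides 6 and 7, as an added example (not code from the presentation): one backlogged link served by packet round-robin and by a time-stamp scheduler that emulates a dedicated single-flow link per flow. The flow shares, packet sizes and unit link rate are constructed; the point to watch is that the small VoIP flow's finish times under round-robin grow with the other flows' packets, while under time stamps they depend only on its own rate.

```python
# Added example (not from the slides): one backlogged link, comparing packet
# round-robin with time-stamp (virtual-finish-time) fair queueing. Flow shares,
# packet sizes and the unit link rate are constructed for illustration.
from collections import deque
import heapq

LINK_RATE = 1.0  # constructed: one byte per time unit

# constructed workload: a small-packet VoIP flow entitled to half the link,
# and two bulk flows entitled to a quarter each; all packets queued at t=0
DEMO_FLOWS = {
    "voip": (0.5, [100] * 4),
    "bulk1": (0.25, [1000] * 4),
    "bulk2": (0.25, [1000] * 4),
}

def round_robin(flows):
    """Serve one packet per backlogged flow per round. Returns finish times per flow."""
    queues = {name: deque(sizes) for name, (_, sizes) in flows.items()}
    finish, clock = {name: [] for name in flows}, 0.0
    while any(queues.values()):
        for name, q in queues.items():
            if q:
                clock += q.popleft() / LINK_RATE
                finish[name].append(clock)
    return finish

def timestamp_fq(flows):
    """Assign each packet F = F_prev(flow) + size / (share * LINK_RATE), its finish
    time on a dedicated single-flow link, and always serve the smallest F.
    Virtual time starts at 0 because every flow is backlogged from the start."""
    queues = {name: deque(sizes) for name, (_, sizes) in flows.items()}
    last_f = {name: 0.0 for name in flows}
    heap = []  # (F, flow, size): one head-of-line packet per flow

    def push(name):
        if queues[name]:
            size = queues[name].popleft()
            last_f[name] += size / (flows[name][0] * LINK_RATE)
            heapq.heappush(heap, (last_f[name], name, size))

    for name in flows:
        push(name)
    finish, clock = {name: [] for name in flows}, 0.0
    while heap:
        _, name, size = heapq.heappop(heap)
        clock += size / LINK_RATE
        finish[name].append(clock)
        push(name)  # next packet of the same flow takes its place
    return finish
```

The heap makes the time-stamp scheduler O(log #flow) per packet here; the O(#flow) cost the slide cites comes from tracking the emulated fluid system exactly, which this simplified backlogged case avoids.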

  8. More Scalable Packet Schedulers • Hybrid round-robin and time-stamp based approach • FRR • IEEE INFOCOM 2005 • IEEE ToC 2009 • Core stateless packet schedulers • VTRS, SETF, DETF • ACM SIGCOMM 2000, IEEE ICNP 2001, IEEE ICCCN 2006 • IEEE JSAC 2000, IEEE TPDS 2004, 2005

  9. Internet Inter-Domain Routing • Consists of large number of network domains (ASes) • Each owns one or multiple network prefixes • FSU campus network: 128.186.0.0/16 • Intra-domain and inter-domain routing protocols • Intra-domain: OSPF and IS-IS • Inter-domain: BGP, a path-vector routing protocol • BGP • Used to exchange network prefix reachability information • Network prefix, AS-level path to reach network prefix • Path selection algorithm

  10. BGP: an Example
     [Figure: announcement of 128.186.0.0/16 propagating from its origin AS; the AS paths carried in the updates are [0], [10], [210], [610], [7610], [4210], [3210] and [53210]; the AS at the right learns [3210]*, [4210] and [7610] and selects [3210]]
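The propagation on slide 10, as an added simulation (not the presentation's code): each AS keeps the paths it has accepted, advertises its best one with its own number prepended, and rejects any path that already contains itself. The adjacency is reconstructed from the AS paths on the slide and the lowest-next-hop tie-breaker is a constructed stand-in for BGP's later decision steps; both are assumptions.

```python
# Added example (not from the slides): path-vector propagation of one prefix.
# The adjacency below is reconstructed from the AS paths shown on slide 10 and
# is an assumption; AS numbers are the slide's single-digit labels.
PREFIX = "128.186.0.0/16"
TOPOLOGY = {
    0: [1], 1: [0, 2, 6], 2: [1, 3, 4], 6: [1, 7],
    3: [2, 5], 4: [2, 5], 7: [6, 5], 5: [3, 4, 7],
}

def best_path(paths):
    """Shortest AS path wins; ties go to the lowest next-hop AS (a constructed
    stand-in for BGP's later tie-breakers)."""
    return min(paths, key=lambda p: (len(p), p[:1])) if paths else None

def propagate(topology, origin):
    """Each AS keeps every path it has accepted (its Adj-RIB-In), advertises its
    best path with its own ASN prepended, and a receiver drops any path that
    already contains its ASN (path-vector loop detection). Returns the RIBs."""
    rib = {asn: set() for asn in topology}
    rib[origin].add(())          # the origin's own route has an empty path
    changed = True
    while changed:               # iterate to a fixed point
        changed = False
        for asn, neighbours in topology.items():
            current = best_path(rib[asn])
            if current is None:
                continue
            announced = (asn,) + current   # ASPATH as it appears on the wire
            for nbr in neighbours:
                if nbr in announced or announced in rib[nbr]:
                    continue     # loop, or already learned
                rib[nbr].add(announced)
                changed = True
    return rib

def routes_for(asn, rib):
    """Paths AS `asn` learned for PREFIX, best first, as slide 10 lists them."""
    return sorted(rib[asn], key=lambda p: (len(p), p[:1]))
```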

  11. Performance Issues with BGP • Instability • At any time, a large number of BGP messages are exchanged • Slow convergence • After a network failure event, it takes a long time for the routing system to converge from one stable state to another stable state • They are related, but not the same

  12. Live BGP Updates • Team Cymru • http://www.cymru.com/BGP/bgp_updates.html • BGPlay at RouteView • http://bgplay.routeviews.org/

  13. Network Dynamics • Internet has about 38,600 ASes and 370,000 network prefixes (as of 09/03/2011) • In a system this big, things happen all the time • Fiber cuts, equipment outages, operator errors • Direct consequence on routing system • Events may propagate through the entire Internet • Recomputing/propagating best routes • Large number of BGP updates exchanged between ASes • Effects on user-perceived network performance • Long network delay • Packet loss • Even loss of network connectivity

  14. Causes of BGP instability and long convergence • Protocol artifacts of BGP • Constraints of physical propagation • Internet is a GLOBAL network
     [Figure: the slide 10 topology after a failure; the AS holding [3210]*, [4210] and [7610] sends updates NLRI=128.186.0.0/16 ASPATH=[57610] and ASPATH=[54210] before a withdrawal for 128.186.0.0/16]

  15. Improving BGP stability and convergence • BGP protocol artifacts • EPIC: Carrying event origin in BGP updates • Propagation delays on different paths • Inter-domain failure vs. intra-domain failure • Multi-connectivity between ASes • Scalability and confidentiality • IEEE INFOCOM 2005 • Physical propagation constraints • Transient failures • TIDR: Localize failure events • Build back-up paths • IEEE GLOBECOM 2008

  16. Controlling IP Spoofing • What is IP spoofing? • Act to fake source IP address • Used by many DDoS attacks • Why it remains popular? • Hard to isolate attack traffic from legitimate one • Hard to pinpoint the true attacker • Many attacks rely on IP spoofing
     [Figure: example topology with nodes s, a, b, c, d]

  17. Filtering based on Route • A key observation • Attackers can spoof source address, • But they cannot control route packets take • Requirement • Filters need to compute best path from src to dst • Filters need to know global topology info • Not available in path-vector based Internet routing system
     [Figure: example topology with nodes s, a, b, c, d]

  18. Internet AS Relationship • Consists of large number of network domains • Two common AS relationships • Provider-customer • Peering • AS relationships determine routing policies • A net effect of routing policies limit the number of routes between a pair of source and destination
     [Figure: example chain of ASes: AS 174 Cogent, AS 3356 Level 3, AS 2828 XO Comm, AS 11537 Internet2, AS 11096 FloridaNet, AS 2553 FSU]

  19. Topological Routes vs. Feasible Routes • Topological routes • Loop-free paths between a pair of nodes • Feasible routes • Loop-free paths between a pair of nodes that do not violate routing policies
     [Figure: example topology with nodes s, a, b, c, d]
     Topological routes: s a d, s b d, s a b d, s a c d, s b a d, s b c d, s a b c d, s a c b d, s b a c d, s b c a d
     Feasible routes: s a d, s b d

  20. Inter-Domain Packet Filter • Identifying feasible upstream neighbors • Instead of filtering based on best path, based on feasible routes • Findings based on real AS graphs • IDPFs can effectively limit the spoofing capability of attackers • From 80% of networks attackers cannot spoof source addresses • IDPFs are effective in helping IP traceback • All ASes can localize attackers to at most 28 ASes • IEEE INFOCOM 2006, IEEE TDSC 2008
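Slides 18 to 20 together, as an added example (not the IDPF paper's code): enumerate the loop-free routes of the slide 19 graph, keep only those that respect provider-customer and peering policies (the valley-free export rule), and derive the feasible upstream neighbours a destination would accept a given source from. The AS relationships are an assumption chosen so that the node names and the route lists match slide 19.

```python
# Added example (not from the slides): feasible routes under the valley-free
# export rule and the IDPF check built on them. The relationships below are an
# assumption chosen so the node names and route list match slide 19:
# s is a customer of a and b, a and b are customers of d, c is a customer of
# a, b and d, and a-b is a peering link.
PROVIDERS = {"s": {"a", "b"}, "a": {"d"}, "b": {"d"}, "c": {"a", "b", "d"}, "d": set()}
PEERS = {frozenset({"a", "b"})}

def neighbours(x):
    return {y for y in PROVIDERS if y != x and (y in PROVIDERS[x] or x in PROVIDERS[y]
                                              or frozenset({x, y}) in PEERS)}

def edge_type(u, v):
    if v in PROVIDERS[u]:
        return "up"       # customer -> provider
    if u in PROVIDERS[v]:
        return "down"     # provider -> customer
    return "peer"

def simple_paths(src, dst, path=None):
    """All loop-free paths (the slide's 'topological routes')."""
    path = path or [src]
    if src == dst:
        yield tuple(path)
        return
    for n in sorted(neighbours(src)):
        if n not in path:
            yield from simple_paths(n, dst, path + [n])

def valley_free(path):
    """Gao's rule: some uphill edges, at most one peer edge, then only downhill.
    Anything else would make some AS carry transit traffic it is not paid for."""
    phase = "up"
    for u, v in zip(path, path[1:]):
        t = edge_type(u, v)
        if t != "down" and phase == "down":
            return False
        if t != "up":
            phase = "down"
    return True

def feasible_upstream(src, dst):
    """IDPF core: the neighbours of dst through which a policy-feasible route
    from src can actually arrive."""
    return {p[-2] for p in simple_paths(src, dst) if valley_free(p)}

def idpf_accepts(claimed_src, dst, arriving_from):
    """Does dst accept a packet claiming source `claimed_src` from this neighbour?"""
    return arriving_from in feasible_upstream(claimed_src, dst)
```

With these relationships a packet claiming source s that arrives at d from c is dropped, because no feasible route from s reaches d through c, even though c-d is a physical link.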

  21. Detecting Compromised Computers in Networks • Botnet • Network of compromised machines, with a bot program installed to execute commands from a controller, without the owner's knowledge • July 2009: Cyberattacks on government and commercial websites • in US and South Korea • About 50,000 compromised machines involved

  22. Motivation and Problem • Botnet becoming a major security issue • Spamming, DDoS, identity theft • sheer volume and wide spread

  23. SPOT: Detecting Spam Zombies by Monitoring Outgoing Messages • How to determine if a sending machine is compromised as emails pass through SPOT sequentially • Sequential probability ratio test (SPRT) • IEEE INFOCOM 2009, IEEE TDSC (accepted)
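The sequential test behind SPOT, as an added example (not the SPOT implementation): each outgoing message classified spam or not moves a log-likelihood ratio toward one of two thresholds, and a sender is declared compromised or normal as soon as a threshold is crossed. The hypothesis parameters, error bounds and the message stream are constructed; the slide gives none of them.

```python
# Added example (not from the slides): the SPRT as SPOT applies it, walking
# through a sender's outgoing messages one by one. The hypothesis parameters,
# error bounds and message stream are constructed for illustration.
import math

def sprt_decide(observations, theta0=0.2, theta1=0.9, alpha=0.01, beta=0.01):
    """observations: 1 = message classified spam, 0 = not spam, in sending order.
    H0: normal sender, P(spam)=theta0; H1: spam zombie, P(spam)=theta1.
    alpha/beta: acceptable false-positive / false-negative probabilities.
    Returns (decision, messages_consumed, final log-likelihood ratio)."""
    upper = math.log((1 - beta) / alpha)  # reach it: accept H1 (compromised)
    lower = math.log(beta / (1 - alpha))  # reach it: accept H0 (normal)
    llr = 0.0
    for n, is_spam in enumerate(observations, 1):
        if is_spam:
            llr += math.log(theta1 / theta0)              # spam: evidence for H1
        else:
            llr += math.log((1 - theta1) / (1 - theta0))  # ham: evidence for H0
        if llr >= upper:
            return "compromised", n, llr
        if llr <= lower:
            return "normal", n, llr
    return "undecided", len(observations), llr   # keep watching this sender

def monitor(stream):
    """Run one SPRT per sending IP over a stream of (ip, is_spam) records,
    the way an outgoing-mail monitor would see them in order."""
    per_ip = {}
    for ip, is_spam in stream:
        per_ip.setdefault(ip, []).append(is_spam)
    return {ip: sprt_decide(obs)[0] for ip, obs in per_ip.items()}

# constructed stream: verdicts of an upstream content filter, not real traffic
DEMO_STREAM = [
    ("10.0.0.5", 1), ("10.0.0.9", 0), ("10.0.0.5", 1), ("10.0.0.9", 0),
    ("10.0.0.5", 1), ("10.0.0.9", 0), ("10.0.0.5", 1), ("10.0.0.7", 1),
    ("10.0.0.7", 0),
]
```

With these parameters four consecutive spam verdicts are enough to flag a sender and three clean messages to clear it; the thresholds bound the false-positive and false-negative rates by alpha and beta regardless of how many messages that takes.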

  24. Other Research Projects • BGP Security • ACM ASIACCS 2010 • Spam filtering • CEAS 2010, CEAS 2011 • Detecting phishing emails • CEAS 2010 • Security of anonymous networks • Tor and Freenet

  25. Thank you! • Questions and comments? • Details at my homepage • http://www.cs.fsu.edu/~duan

  26. BGP Security • Security relies on trust relationship among ASes • Who owns which prefixes/how to reach • Accidents (caused by human errors, not attacks) • 24 Feb 2008, AS 17557 took YouTube's 208.65.163.0/24 • 07 May 2005, AS 174 took Google's 64.233.161.0/24 • 24 Dec 2004, Anatomy of a Leak: AS9121 (100K+ routes) • 6 Apr 2001: C&W routing instability (full routing table announced) • Check NANOG mailing list for more accidents • Network prefix hijacking • Origin spoofing, and path spoofing • Existing solutions • PKI-based secure BGP (S-BGP)

  27. RBF: Region-Based BGP Update Filtering • Two region granularities considered • Country-level and RIR-level • ACM ASIACCS 2010
