Computer Networks
Zhenhai Duan
Department of Computer Science
9/15/2011

Page 2
Research Area
  Computer networks, in particular, Internet protocols, architectures, and systems
    Quality of Service (QoS) provisioning
    Internet inter-domain routing
    Internet systems security
    Overlay and peer-to-peer systems
    Network measurement
  Details and publications: http://www.cs.fsu.edu/~duan

Page 3
A Few Projects that I will Discuss
  Packet scheduling algorithms
  Improving Internet inter-domain routing performance
  Controlling IP spoofing
  Detecting compromised machines (botnets)

Page 4
QoS Provisioning on the Internet
  The current Internet provides a best-effort service
    No service guarantees in terms of bandwidth or end-to-end delay
  Many new applications require more stringent service guarantees
    VoIP and real-time video streaming
    Games
    Mission-critical applications
      Online financial transactions
      Power grid control system
  (Figure: two hosts talking across an Internet cloud; caption "Can you hear me now?")

Page 5
Why can't the current Internet provide QoS guarantees?
  A number of factors (routing, architecture, etc.)
  A key limitation is the First Come First Served (FCFS) packet scheduling algorithm used by routers

Page 6
Two Fundamental Approaches to Designing New Packet Scheduling Algorithms
  Round-robin packet scheduling algorithms
    Low complexity: O(1)
    Bad QoS performance: O(#flow)

Page 7
  Time stamp based fair queueing packet scheduling algorithms
    Emulating a single-flow system
    Time stamp based packet scheduling
      Compute and assign time stamps to each packet
      Scheduling based on time stamps
    Good performance: O(rate), largely independent of other flows
    High complexity: O(#flow)
  (Figure: a flow with reserved rate r sharing a link of capacity C)
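The two approaches on pages 6 and 7 side by side, as an added example that is not from the slides or the author's work: a round-robin scheduler and a time stamp based fair queueing scheduler run over the same backlog. The finish tag rule F = F_prev + L / r_i (each flow is tagged as if it alone received its reserved rate r_i, the "single-flow system" the slide mentions), the flow names, the packet sizes and the reserved rates 4 and 1 are all constructed for illustration. The point it makes concrete is the slide's complexity/performance trade-off: round robin touches one queue per packet and ignores the rates, whereas the tag-based scheduler must keep the flows ordered by tag but gives each flow service proportional to r_i.

```python
from heapq import heappush, heappop
from itertools import count

# Constructed input: two flows backlogged at t=0 with equal-size packets (100 bytes).
# Flow A has reserved rate 4, flow B reserved rate 1 (bytes per time unit; assumed values).
FLOWS = {"A": {"rate": 4.0, "packets": [100] * 8},
         "B": {"rate": 1.0, "packets": [100] * 4}}


def round_robin(flows):
    """Round-robin: visit the flows cyclically and send one packet from each non-empty queue.
    O(1) work per packet, but service is independent of the reserved rates."""
    queues = {name: list(f["packets"]) for name, f in flows.items()}
    order = []
    while any(queues.values()):
        for name in flows:
            if queues[name]:
                order.append((name, queues[name].pop(0)))
    return order


def timestamp_fair_queueing(flows):
    """Time stamp based fair queueing: emulate a single-flow system per flow by giving each
    packet a finish tag F = F_prev + L / r_i (its finish time if the flow alone received rate
    r_i), then always transmit the packet with the smallest tag. Keeping the flows ordered by
    tag costs O(log #flow) per packet with a heap; service tracks the reserved rates."""
    queues = {name: list(f["packets"]) for name, f in flows.items()}
    finish_tag = {name: 0.0 for name in flows}
    heap, tie = [], count()        # entries: (tag, insertion order, flow); order breaks ties

    def tag_head(name):
        if queues[name]:
            finish_tag[name] += queues[name][0] / flows[name]["rate"]
            heappush(heap, (finish_tag[name], next(tie), name))

    for name in flows:
        tag_head(name)
    order = []
    while heap:
        _, _, name = heappop(heap)
        order.append((name, queues[name].pop(0)))
        tag_head(name)               # tag the next packet of the flow just served
    return order


def share(order, name, first_n):
    """Fraction of the first `first_n` transmissions that went to flow `name`."""
    return sum(1 for flow, _ in order[:first_n] if flow == name) / first_n


if __name__ == "__main__":
    rr = round_robin(FLOWS)
    ts = timestamp_fair_queueing(FLOWS)
    print("round robin   :", " ".join(f for f, _ in rr))
    print("time stamp FQ :", " ".join(f for f, _ in ts))
    print("share of A in first 8 slots: RR %.3f, FQ %.3f" % (share(rr, "A", 8), share(ts, "A", 8)))
```

With rates 4:1 the tag-based scheduler gives flow A seven of the first eight transmission slots, while round robin gives it four; that is the O(rate) versus O(#flow) difference in delay the slides describe, paid for with the per-packet ordering work.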

Page 8
More Scalable Packet Schedulers
  Hybrid round-robin and time-stamp based approach
    FRR
    IEEE INFOCOM 2005, IEEE ToC 2009
  Core stateless packet schedulers
    VTRS, SETF, DETF
    ACM SIGCOMM 2000, IEEE ICNP 2001, IEEE ICCCN 2006
    IEEE JSAC 2000, IEEE TPDS 2004, 2005

Page 9
Internet Inter-Domain Routing
  Consists of a large number of network domains (ASes)
    Each owns one or multiple network prefixes
      FSU campus network: 128.186.0.0/16
  Intra-domain and inter-domain routing protocols
    Intra-domain: OSPF and IS-IS
    Inter-domain: BGP, a path-vector routing protocol
  BGP
    Used to exchange network prefix reachability information
      Network prefix, AS-level path to reach the network prefix
    Path selection algorithm

Page 10
BGP: an Example
  (Figure: AS 0 originates 128.186.0.0/16 and announces NLRI=128.186.0.0/16, ASPATH=[0]. Each AS prepends its own number before passing the route on: AS 1 announces ASPATH=[1 0]; AS 2 and AS 6 announce [2 1 0] and [6 1 0]; AS 7 announces [7 6 1 0]; AS 3 and AS 4 announce [3 2 1 0] and [4 2 1 0]. AS 5 receives [3 2 1 0]*, [4 2 1 0] and [7 6 1 0], selects [3 2 1 0] (marked *) and announces NLRI=128.186.0.0/16, ASPATH=[5 3 2 1 0].)
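The propagation in the figure, as an added example that is not the author's code: a small path-vector simulation over the topology reconstructed from the slide (the link list is an assumption read off the figure), where each AS prepends itself, rejects any path that already contains its own number (loop detection), and runs a simplified decision process (shortest AS_PATH, lowest next-hop AS on a tie; the real BGP decision process has more steps). It reproduces the three candidates at AS 5 and the selected [5 3 2 1 0].

```python
from collections import defaultdict

# Constructed topology reconstructed from the slide's figure: single-digit AS numbers,
# AS 0 originates the prefix. Links are undirected BGP sessions (assumed).
LINKS = [(0, 1), (1, 2), (1, 6), (6, 7), (2, 3), (2, 4), (3, 5), (4, 5), (5, 7)]
PREFIX = "128.186.0.0/16"


def adjacency(links):
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def select_best(candidates):
    """Simplified BGP decision process: shortest AS_PATH, ties broken by lowest next-hop AS.
    `candidates` maps neighbor AS -> AS_PATH received from that neighbor."""
    return min(candidates.values(), key=lambda path: (len(path), path[0]))


def propagate(links, origin):
    """Path-vector propagation in synchronous rounds. Returns (adj_rib_in, best) where
    adj_rib_in[asn] holds every path AS `asn` accepted from each neighbor and best[asn] is the
    path it selected and announced (its own number prepended)."""
    adj = adjacency(links)
    adj_rib_in = {asn: {} for asn in adj}
    best = {origin: [origin]}
    changed = True
    while changed:
        changed = False
        # Every AS announces its current best path to all neighbors.
        for asn, path in list(best.items()):
            for nb in adj[asn]:
                if nb in path:           # loop detection: a path already containing the receiver is rejected
                    continue
                adj_rib_in[nb][asn] = path
        # Every non-origin AS reruns path selection over what it has received.
        for asn in adj:
            if asn == origin or not adj_rib_in[asn]:
                continue
            chosen = [asn] + select_best(adj_rib_in[asn])
            if best.get(asn) != chosen:
                best[asn] = chosen
                changed = True
    return adj_rib_in, best


if __name__ == "__main__":
    rib_in, best = propagate(LINKS, origin=0)
    for asn in sorted(best):
        print(f"AS {asn}: NLRI={PREFIX} ASPATH={best[asn]}")
    print("AS 5 candidates:", sorted(rib_in[5].items()))
```

Run it and AS 5 ends with candidates from AS 3, AS 4 and AS 7 and selects [5 3 2 1 0]; AS 3 in turn refuses AS 5's announcement because it already contains 3, which is the loop-detection rule that keeps a path-vector protocol loop-free without global topology knowledge.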

Page 11
Performance Issues with BGP
  Instability
    At any time, a large number of BGP messages are being exchanged
  Slow convergence
    After a network failure event, it takes a long time for the routing system to converge from one stable state to another stable state
  They are related, but not the same

Page 12
Live BGP Updates
  Team Cymru: http://www.cymru.com/BGP/bgp_updates.html
  BGPlay at RouteViews: http://bgplay.routeviews.org/

Page 13
Network Dynamics
  The Internet has about 38,600 ASes and 370,000 network prefixes (as of 09/03/2011)
  In a system this big, things happen all the time
    Fiber cuts, equipment outages, operator errors
  Direct consequence on the routing system
    Events may propagate through the entire Internet
    Recomputing/propagating best routes
    Large number of BGP updates exchanged between ASes
  Effects on user-perceived network performance
    Long network delay
    Packet loss
    Even loss of network connectivity

Page 14
Causes of BGP instability and long convergence
  Protocol artifacts of BGP
  Constraints of physical propagation: the Internet is a GLOBAL network
  (Figure: the example topology from page 10. AS 5 holds [3 2 1 0]*, [4 2 1 0] and [7 6 1 0]. When 128.186.0.0/16 goes away, a withdrawal for NLRI=128.186.0.0/16 propagates from the origin; meanwhile AS 5 announces NLRI=128.186.0.0/16, ASPATH=[5 4 2 1 0] and then ASPATH=[5 7 6 1 0] as it falls back to its remaining alternatives before they too are withdrawn.)

Page 15
Improving BGP stability and convergence
  BGP protocol artifacts
    EPIC: Carrying event origin in BGP updates
      Propagation delays on different paths
      Inter-domain failure vs. intra-domain failure
      Multi-connectivity between ASes
      Scalability and confidentiality
    IEEE INFOCOM 2005
  Physical propagation constraints
    Transient failures
    TIDR: Localize failure events; build back-up paths
    IEEE GLOBECOM 2008

Page 16
Controlling IP Spoofing
  What is IP spoofing?
    The act of faking the source IP address
    Used by many DDoS attacks
  Why does it remain popular?
    Hard to isolate attack traffic from legitimate traffic
    Hard to pinpoint the true attacker
    Many attacks rely on IP spoofing
  (Figure: nodes s, a, b, c, d; packets arriving at d carry forged source addresses, so d cannot tell which of them really came from s.)

Page 17
Filtering based on Route
  A key observation
    Attackers can spoof the source address, but they cannot control the route packets take
  Requirement
    Filters need to compute the best path from src to dst
    Filters need to know global topology info
      Not available in the path-vector based Internet routing system
  (Figure: nodes s, a, b, c, d; a packet with source s is only credible at d if it arrives along the route s actually uses to reach d.)

Page 18
Internet AS Relationship
  The Internet consists of a large number of network domains
  Two common AS relationships
    Provider-customer
    Peering
  AS relationships determine routing policies
  A net effect of routing policies: they limit the number of routes between a pair of source and destination
  (Figure: AS 2553 FSU, AS 11096 FloridaNet, AS 174 Cogent, AS 3356 Level 3, AS 2828 XO Comm, AS 11537 Internet2)

Page 19
Topological Routes vs. Feasible Routes
  Topological routes: loop-free paths between a pair of nodes
  Feasible routes: loop-free paths between a pair of nodes that do not violate routing policies
  (Figure: nodes s, a, b, c, d)
  Topological routes from s to d: s-a-d, s-b-d, s-a-b-d, s-a-c-d, s-b-a-d, s-b-c-d, s-a-b-c-d, s-a-c-b-d, s-b-a-c-d, s-b-c-a-d
  Feasible routes from s to d: s-a-d, s-b-d

Page 20
Inter-Domain Packet Filter
  Identifying feasible upstream neighbors
    Instead of filtering based on the best path, filter based on feasible routes
  Findings based on real AS graphs
    IDPFs can effectively limit the spoofing capability of attackers
      From 80% of networks, attackers cannot spoof source addresses
    IDPFs are effective in helping IP traceback
      All ASes can localize attackers to at most 28 ASes
  IEEE INFOCOM 2006, IEEE TDSC 2008
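Pages 19 and 20 together, as an added example that is not the author's code or the IDPF paper's algorithm: the five-node graph is reconstructed from the figure, and since the slide does not label the AS relationships, a set of provider-customer and peering relationships is assumed that yields exactly the two feasible routes shown. The policy check is the valley-free rule (customer-to-provider hops, at most one peering hop, then provider-to-customer hops); the filter at d then accepts packets claiming source s only from neighbors that lie on some feasible route, which needs no best-path computation and no global topology.

```python
# Constructed AS-level topology reconstructed from the slide's figure (nodes s, a, b, c, d).
LINKS = [("s", "a"), ("s", "b"), ("a", "b"), ("a", "c"), ("b", "c"),
         ("a", "d"), ("b", "d"), ("c", "d")]

# Assumed AS relationships (the slide does not label them), chosen so that exactly the slide's
# two feasible routes survive: s buys transit from a and b; a and b buy transit from d and peer
# with each other; c is a customer of a, b and d.
CUSTOMERS = {"a": {"s", "c"}, "b": {"s", "c"}, "d": {"a", "b", "c"}}   # provider -> customers
PEERS = {frozenset({"a", "b"})}


def hop_type(u, v):
    """Classify the hop u -> v as 'up' (customer to provider), 'down' (provider to customer) or 'peer'."""
    if u in CUSTOMERS.get(v, ()):
        return "up"
    if v in CUSTOMERS.get(u, ()):
        return "down"
    if frozenset({u, v}) in PEERS:
        return "peer"
    raise ValueError(f"no relationship defined for {u}-{v}")


def valley_free(path):
    """Routing-policy check (the usual export rules): a route may climb customer-to-provider
    hops, cross at most one peering hop, then only descend provider-to-customer hops."""
    phase = "up"
    for u, v in zip(path, path[1:]):
        t = hop_type(u, v)
        if t == "up":
            if phase != "up":
                return False
        elif t == "peer":
            if phase != "up":
                return False
            phase = "peer"
        else:
            phase = "down"
    return True


def topological_routes(links, src, dst):
    """All loop-free paths from src to dst, ignoring policy (depth-first enumeration)."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    routes = []

    def walk(path):
        if path[-1] == dst:
            routes.append(tuple(path))
            return
        for nxt in sorted(adj[path[-1]]):
            if nxt not in path:
                walk(path + [nxt])

    walk([src])
    return routes


def feasible_routes(links, src, dst):
    """Topological routes that do not violate the routing policies."""
    return [r for r in topological_routes(links, src, dst) if valley_free(r)]


def idpf_upstream_neighbors(links, src, dst):
    """Inter-Domain Packet Filter at `dst` for source `src`: the neighbors that lie on some
    feasible route from src. A packet claiming source `src` that arrives from any other
    neighbor cannot be legitimate and is dropped."""
    return {route[-2] for route in feasible_routes(links, src, dst)}


if __name__ == "__main__":
    print("topological:", ["-".join(r) for r in topological_routes(LINKS, "s", "d")])
    print("feasible   :", ["-".join(r) for r in feasible_routes(LINKS, "s", "d")])
    print("IDPF at d accepts source s only from:", sorted(idpf_upstream_neighbors(LINKS, "s", "d")))
```

Under these assumptions the ten topological routes collapse to s-a-d and s-b-d, so the filter at d accepts source s from a and b and drops it from c; a spoofed packet with source s injected at c is caught without d ever knowing which of a or b is s's actual best path.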

Page 21
Detecting Compromised Computers in Networks
  Botnet: a network of compromised machines, each with a bot program installed to execute commands from the controller, without the owner's knowledge
  July 2009: Cyberattacks on government and commercial websites in the US and South Korea
    About 50,000 compromised machines involved

Page 22
Motivation and Problem
  Botnets are becoming a major security issue
    Spamming, DDoS, identity theft
    Sheer volume and wide spread

Page 23
SPOT: Detecting Spam Zombies by Monitoring Outgoing Messages
  How to determine if a sending machine is compromised as its emails pass through SPOT sequentially
    Sequential probability ratio test (SPRT)
  IEEE INFOCOM 2009, IEEE TDSC (accepted)
  (Figure: outgoing messages from two senders, A and B, passing through SPOT)
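The SPRT decision on page 23, as an added example that is not the SPOT system's code: Wald's sequential probability ratio test applied to the spam/non-spam verdicts on one sender's outgoing messages, with the two hypotheses (compromised: spam probability theta1; normal: theta0) and the error bounds alpha and beta all assumed values. The running log-likelihood ratio is updated one message at a time and the sender is classified as soon as it crosses either bound, which is what makes the test "sequential": decisions come after a handful of messages rather than after a fixed batch.

```python
import math

# Assumed SPRT parameters: a compromised (spam zombie) machine is modelled as sending spam with
# probability theta1, a normal machine with probability theta0; alpha/beta are the maximum false
# positive / false negative rates the operator accepts. Values are illustrative.
THETA1, THETA0 = 0.9, 0.2
ALPHA, BETA = 0.01, 0.01


def sprt_bounds(alpha=ALPHA, beta=BETA):
    """Wald's decision boundaries on the log-likelihood ratio: reach the upper bound -> accept H1
    (compromised); reach the lower bound -> accept H0 (normal); otherwise keep observing."""
    return math.log((1 - beta) / alpha), math.log(beta / (1 - alpha))


def spot_monitor(verdicts, theta1=THETA1, theta0=THETA0, alpha=ALPHA, beta=BETA):
    """Run the SPRT over a sender's outgoing messages in arrival order.
    `verdicts` is the content filter's verdict per message: 1 = spam, 0 = non-spam.
    Returns (decision, messages_examined); decision is 'compromised', 'normal', or
    'undecided' if the stream ends before either bound is reached."""
    upper, lower = sprt_bounds(alpha, beta)
    llr = 0.0
    for n, is_spam in enumerate(verdicts, start=1):
        # Each message adds log P(x | H1) / P(x | H0) to the running ratio.
        if is_spam:
            llr += math.log(theta1 / theta0)
        else:
            llr += math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "compromised", n
        if llr <= lower:
            return "normal", n
    return "undecided", len(verdicts)


if __name__ == "__main__":
    # Constructed verdict streams for three senders.
    streams = {"zombie": [1, 1, 1, 1, 1, 1, 1, 1],
               "clean":  [0, 0, 0, 0, 0],
               "mixed":  [1, 0, 1, 0]}
    for sender, verdicts in streams.items():
        print(sender, spot_monitor(verdicts))
```

With these parameters an all-spam sender is flagged after four messages and an all-clean sender is cleared after three, while an alternating stream stays undecided; alpha and beta set the bounds, and widening them trades decision speed against the false positive and false negative rates.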

Page 24
Other Research Projects
  BGP Security: ACM ASIACCS 2010
  Spam filtering: CEAS 2010, CEAS 2011
  Detecting phishing emails: CEAS 2010
  Security of anonymous networks: Tor and Freenet

Page 25
Thank you! Questions and comments?
  Details at my homepage: http://www.cs.fsu.edu/~duan

Page 26
BGP Security
  Security relies on the trust relationship among ASes
    Who owns which prefixes / how to reach them
  Accidents (caused by human errors, not attacks)
    24 Feb 2008, AS 17557 took YouTube's 208.65.163.0/24
    07 May 2005, AS 174 took Google's 64.233.161.0/24
    24 Dec 2004, Anatomy of a Leak: AS9121 (100K+ routes)
    6 Apr 2001: C&W routing instability (full routing table announced)
    Check the NANOG mailing list for more accidents
  Network prefix hijacking
    Origin spoofing, and path spoofing
  Existing solutions
    PKI-based secure BGP (S-BGP)

Page 27
RBF: Region-Based BGP Update Filtering
  Two region granularities considered
    Country-level and RIR-level
  ACM ASIACCS 2010
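The origin-spoofing check on page 26 and the two region granularities on page 27, as an added example that is not the RBF paper's algorithm or the author's code: a receiver-side check of a BGP update against an assumed registry that records, per prefix, the registered origin AS and the prefix's country and RIR, plus an assumed AS-to-region map. The prefixes are documentation ranges and the AS numbers are private-use placeholders, not real allocations. It flags an update whose origin AS is not the registered one (origin spoofing) and, separately, an update whose origin AS sits in a different region from the prefix at the chosen granularity; the more-specific case shows why the finer country level catches a same-RIR mismatch that RIR level alone cannot.

```python
import ipaddress

# Constructed registry data with documentation prefixes and private-use AS numbers
# (placeholders, not real allocations): the registered origin AS of each prefix and the
# country / RIR region of each prefix and each AS.
PREFIX_REGISTRY = {
    "203.0.113.0/24": {"origin": 64500, "country": "US", "rir": "ARIN"},
    "198.51.100.0/24": {"origin": 64501, "country": "CA", "rir": "ARIN"},
}
AS_REGION = {
    64500: {"country": "US", "rir": "ARIN"},
    64501: {"country": "CA", "rir": "ARIN"},
    64502: {"country": "PK", "rir": "APNIC"},
}


def registered_entry(prefix):
    """Longest-match lookup, so a more-specific announcement (a /25 carved out of a registered
    /24) is checked against the registry entry that covers it."""
    net = ipaddress.ip_network(prefix)
    best = None
    for reg_prefix, entry in PREFIX_REGISTRY.items():
        reg = ipaddress.ip_network(reg_prefix)
        if net.version == reg.version and net.subnet_of(reg):
            if best is None or reg.prefixlen > best[0].prefixlen:
                best = (reg, entry)
    return best[1] if best else None


def check_update(prefix, as_path, granularity="country"):
    """Return the findings for one received update (AS_PATH with the origin AS last).
    Two checks: origin validation against the registered origin AS, and region consistency
    (at 'country' or 'rir' granularity) between the prefix and the announcing origin AS.
    An empty list means the update passed both."""
    entry = registered_entry(prefix)
    if entry is None:
        return ["no registry entry covers " + prefix]
    origin = as_path[-1]
    findings = []
    if origin != entry["origin"]:
        findings.append(f"origin AS {origin} is not the registered origin AS {entry['origin']}")
    origin_region = AS_REGION.get(origin, {}).get(granularity)
    if origin_region != entry[granularity]:
        findings.append(f"origin AS {origin} is in {origin_region} but the prefix is registered "
                        f"in {entry[granularity]} ({granularity}-level)")
    return findings


if __name__ == "__main__":
    updates = [("203.0.113.0/24", [64510, 64500]),     # legitimate announcement via a transit AS
               ("203.0.113.0/24", [64502]),            # origin in another country and another RIR
               ("203.0.113.128/25", [64501])]          # more-specific from a different AS in the same RIR
    for prefix, path in updates:
        for granularity in ("country", "rir"):
            print(prefix, path, granularity, check_update(prefix, path, granularity))
```

Neither check covers path spoofing, where the origin AS is correct but the AS_PATH leading to it is forged; that is the case the slide's PKI-based S-BGP addresses by signing the path itself, and a region filter is a lightweight complement rather than a replacement.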