
ISI-TR-734 Cache Me If You Can: Effects of DNS Time-to-Live (extended)
John Heidemann, Wes Hardaker, Giovane C. M. Moura, Ricardo de O. Schmidt
July 2019, 20 pages
DNS depends on extensive caching for good performance, and every DNS zone owner must set Time-to-Live (TTL) values to control their DNS caching. Today there is relatively little guidance backed by research about how to set TTLs, and operators must balance conflicting demands of caching against agility of configuration. Exactly how TTL value choices affect operational networks is quite challenging to understand for several reasons: DNS is a distributed service, DNS resolution is security-sensitive, and resolvers require multiple types of information as they traverse the DNS hierarchy. These complications mean there are multiple, frequently interacting places TTLs can be specified. This paper provides the first careful evaluation of how these factors affect the effective cache lifetimes of DNS records, and provides recommendations for how to configure DNS TTLs based on our findings. We provide recommendations in TTL choice for different situations, and for where they must be configured. We show that longer TTLs have significant promise, reducing median latency from 183ms to 28.7ms for one country-code TLD.

ISI-TR-733 Improving the Optics of Active Outage Detection Extended
Guillermo Baltra, John Heidemann
May 2019, 7 pages
There is a growing interest in carefully observing the reliability of the Internet’s edge. Outage information can inform our understanding of Internet reliability and planning, and it can help guide operations. Outage detection algorithms using active probing from third parties have been shown to be accurate for most of the Internet, but inaccurate for blocks that are sparsely occupied. Our contributions include a definition of outages, which we use to determine how many independent observers are required to determine global outages.
We propose a new Full Block Scanning (FBS) algorithm that gathers more information for sparse blocks to reduce false outage reports. We also propose ISP Availability Sensing (IAS) to detect maintenance activity using only external information. We study a year of outage data and show that FBS has a True Positive Rate of 86%, and show that IAS detects maintenance events in a large U.S. ISP.

ISI-TR-732 DARPA SAFER Program Concept of Operations
Robert Braden, Stephen Schwab
May 2019, 60 pages
This report is the final version of the Concepts of Operations (CONOPS) document for DARPA’s SAFER Warfighter Communication program. During the course of the program, the CONOPS served as a “living” document, maintained online and updated periodically. This Release 4 of SAFER CONOPS contains significant changes in emphasis, organization, and content, to (1) summarize the current state of development and testing of prototype software by the program participants, and (2) provide basic information that will be required by any subsequent technology transition of the software.

ISI-TR-730 Blacklists Assemble: Aggregating Blacklists for Accuracy
Sivaramakrishnan Ramanthan, Jelena Mirkovic, Minlan Yu
December 2018, 15 pages
IP address blacklists are a useful defense against various cyberattacks. Because they contain IP addresses of known offenders, they can be used to preventively filter unwanted traffic, and reduce the load on more resource intensive defenses. Yet, blacklists today suffer from several drawbacks. First, they are compiled and updated using proprietary methods, and thus it is hard to evaluate accuracy and freshness of their information. Second, blacklists often focus on a single attack type, e.g., spam, while compromised machines are constantly and indiscriminately reused for many attacks. Finally, blacklists contain IP addresses, which lowers their accuracy in networks that use dynamic addressing.
We propose BLAG, a sophisticated approach to select, aggregate and selectively expand only the accurate pieces of information from multiple blacklists. BLAG calculates information about accuracy of each blacklist over regions of address space, and uses recommendation systems to select most reputable and accurate pieces of information to aggregate into its master blacklist. This aggregation increases recall by 3–14%, compared to the best-performing blacklist, while preserving high specificity. After aggregation, BLAG identifies networks that have dynamic addressing or a high degree of mismanagement. IP addresses from such networks are selectively expanded into /24 prefixes. This further increases offender detection by 293–411%, with minimal loss in specificity. Overall, BLAG achieves high specificity 85–89% and high recall 26–61%, which makes it a promising approach for blacklist generation.

ISI-TR-731 Plumb: Efficient Processing of Multi-User Pipelines (Poster)
Abdul Qadeer, John Heidemann
November 2018, 2 pages

ISI-TR-729 Common Outage Data Format, version 1.0
Alberto Dainotti, John Heidemann, Alistair King, Ramakrishna Padmanabhan, Yuri Pradkin
October 2018, 7 pages
This document defines a data format for exchanging information about Internet outages. It specifies the semantics of data about network outages, and two syntaxes that can be used to represent this information. This format is designed to support reports from Internet outage detection systems such as Trinocular, Thunderping, and IODA.

ISI-TR-728 An Architecture for Interconnected Testbed Ecosystems
Ryan Goodfellow, Lincoln Thurlow, Srivatsan Ravi
October 2018, 8 pages
In the cybersecurity research community, there is no one-size-fits-all solution for merging large numbers of heterogeneous resources and experimentation capabilities from disparate specialized testbeds into integrated experiments.
The current landscape for cyber-experimentation is diverse, encompassing many fields including critical infrastructure, enterprise IT, cyber-physical systems, cellular networks, automotive platforms, IoT and industrial control systems. Existing federated testbeds are constricted in design to predefined domains of applicability, lacking the systematic ability to integrate the burgeoning number of heterogeneous devices or tools that enable their effective use for experimentation. We have developed the Merge architecture to dynamically integrate disparate testbeds in a logically centralized way that allows researchers to effectively discover, and use the resources and capabilities provided by the evolving ecosystem of distributed testbeds for the development of rigorous and high-fidelity cybersecurity experiments.

ISI-TR-727 Efficient Processing of Multi-Users Pipelines (Extended)
Abdul Qadeer, John Heidemann
October 2018, 15 pages
Services such as DNS and websites often produce streams of data that are consumed by analytics pipelines operated by multiple teams. Often this data is processed in large chunks (megabytes) to allow analysis of a block of time or to amortize costs. Such pipelines pose two problems: first, duplication of computation and storage may occur when parts of the pipeline are operated by different groups. Second, processing can be lumpy, with structural lumpiness occurring when different stages need different amounts of resources, and data lumpiness occurring when a block of input requires increased resources. Duplication and structural lumpiness both can result in inefficient processing. Data lumpiness can cause pipeline failure or deadlock, for example if differences in DDoS traffic compared to normal can require 6× CPU. We propose Plumb, a framework to abstract file processing for a multi-stage pipeline. Plumb integrates pipelines contributed by multiple users, detecting and eliminating duplication of computation and intermediate storage.
It tracks and adjusts computation of each stage, accommodating both structural and data lumpiness. We exercise Plumb with the processing pipeline for B-Root DNS traffic, where it will replace a hand-tuned system to provide one third the original latency by utilizing 22% fewer CPU and will address limitations that occur as multiple users process data and when DDoS traffic causes huge shifts in performance.

ISI-TR-726 Detecting IoT Devices in the Internet (Extended)
Hang Guo, John Heidemann
July 2018, 16 pages
Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. To understand the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. We have developed these approaches with 10 device models from 7 vendors. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. Our IP-based algorithms see at least 35 IoT devices on a college campus, and 122 IoT devices in customers of a regional IXP. We apply our DNS-based algorithm to traffic from 5 root DNS servers from 2013 to 2018, finding huge growth (about 7×) in ISP-level deployment of 26 device types. DNS also shows similar growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

ISI-TR-725 When the Dike Breaks: Dissecting DNS Defenses During DDoS (extended)
Giovane C. M. Moura, John Heidemann, Moritz Mueller, Ricardo de O.
Schmidt, Marco Davids
May 2018, 10 pages
The Internet's Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks have had very different outcomes: some attacks have disabled major public websites, while the external effects of other attacks have been minimal. While on one hand the DNS protocol is relatively simple, the system has many moving parts, with multiple levels of caching and retries and replicated servers. This paper uses controlled experiments to examine how these mechanisms affect DNS resilience and latency, exploring both the client side's DNS user experience, and server-side traffic. We find that, for about 30% of clients, caching is not effective. However, when caches are full they allow about half of clients to ride out server outages, and caching and retries allow up to half of the clients to tolerate DDoS attacks that result in 90% query loss, and almost all clients to tolerate attacks resulting in 50% packet loss. The cost of such attacks to clients is greater median latency. For servers, retries during DDoS attacks increase normal traffic up to 8×. Our findings about caching and retries can explain why some real-world DDoS cause service outages for users while other large attacks have minimal visible effects.

ISI-TR-724 Back Out: End-to-end Inference of Common Points-of-Failure in the Internet (extended)
John Heidemann, Yuri Pradkin, Aqib Nisar
January 2018, 17 pages
Internet reliability has many potential weaknesses: fiber rights-of-way at the physical layer, exchange-point congestion from DDOS at the network layer, settlement disputes between organizations at the financial layer, and government intervention at the political layer. This paper shows that we can discover common points-of-failure at any of these layers by observing correlated failures. We use end-to-end observations from data-plane-level connectivity of edge hosts in the Internet.
We identify correlations in connectivity: networks that usually fail and recover at the same time suggest a common point-of-failure. We define two new algorithms to meet these goals. First, we define a computationally-efficient algorithm to create a linear ordering of blocks to make correlated failures apparent to a human analyst. Second, we develop an event-based clustering algorithm that directly networks with correlated failures, suggesting common points-of-failure. Our algorithms scale to real-world datasets of millions of networks and observations: linear ordering is O(n log n) time and event-based clustering parallelizes with Map/Reduce. We demonstrate them on three months of outages for 4 million /24 network prefixes, showing high recall (0.83 to 0.98) and precision (0.72 to 1.0) for blocks that respond. We also show that our algorithms generalize to identify correlations in anycast catchments and routing.

ISI-TR-723 An Ontology for the ENIGMA Neuroscience Collaboration
MiHyun Jang
December 2017, 14 pages

ISI-TR-722 LDplayer: DNS Experimentation at Scale
Liang Zhu, John Heidemann
November 2017, 10 pages
DNS has evolved over the last 20 years, improving in security and privacy and broadening the kinds of applications it supports. However, this evolution has been slowed by the large installed base with a wide range of implementations that are slow to change. Changes need to be carefully planned, and their impact is difficult to model due to DNS optimizations, caching, and distributed operation. We suggest that experimentation at scale is needed to evaluate changes and speed DNS evolution. This paper presents LDplayer, a configurable, general-purpose DNS testbed that enables DNS experiments to scale in several dimensions: many zones, multiple levels of DNS hierarchy, high query rates, and diverse query sources.
LDplayer provides high fidelity experiments while meeting these requirements through its distributed DNS query replay system, methods to rebuild the relevant DNS hierarchy from traces, and efficient emulation of this hierarchy on limited hardware. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses as if they were independent. We validate that our system can replay DNS root traffic with tiny error (± 8 ms quartiles in query timing and ± 0.1% difference in query rate). We show that our system can replay queries at 87k queries/s, more than twice the normal DNS Root traffic rate, maxing out one CPU core used by our customized DNS traffic generator. LDplayer’s trace replay has the unique ability to evaluate important design questions with confidence that we capture the interplay of caching, timeouts, and resource constraints. As an example, we can demonstrate the memory requirements of a DNS root server with all traffic running over TCP, and we identified performance discontinuities in latency as a function of client RTT.

ISI-TR-721 LDplayer: DNS Experimentation at Scale (poster abstract)
Liang Zhu, John Heidemann
August 2017, 4 pages
In the last 20 years the core of the Domain Name System (DNS) has improved in security and privacy, and DNS use broadened from name-to-address mapping to critical roles in service discovery and anti-spam. However, protocol evolution and expansion of use has been slow because advances must consider a huge and diverse installed base. We suggest that experimentation at scale can fill this gap. To meet the need for experimentation at scale, this paper presents LDplayer, a configurable, general-purpose DNS testbed. LDplayer enables DNS experiments to scale in several dimensions: many zones, multiple levels of DNS hierarchy, high query rates, and diverse query sources.
To meet these requirements while providing high fidelity experiments, LDplayer includes a distributed DNS query replay system and methods to rebuild the relevant DNS hierarchy from traces. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses as if they were independent. We show the importance of our system to evaluate pressing DNS design questions, using it to evaluate changes in DNSSEC key size.

ISI-TR-720 Recursives in the Wild: Engineering Authoritative DNS Servers
Moritz Muller, Giovane C. M. Moura, Ricardo de O. Schmidt, John Heidemann
June 2017, 10 pages
In the Internet Domain Name System (DNS), services operate authoritative name servers that individuals query through recursive resolvers. Operators strive to provide reliability by operating multiple name servers (NS), each on a separate IP address, and by using IP anycast to allow NSes to provide service from many physical locations. To meet their goals of minimizing latency and balancing load across NSes and anycast, operators need to know how recursive resolvers select an NS, and how that interacts with their NS deployments. Prior work has shown some recursives search for low latency, while others pick an NS at random or round robin, but did not examine how prevalent each choice was. This paper provides the first analysis of how recursives select between name servers in the wild, and from that we provide guidance to name server operators to reach their goals. We conclude that all NSes need to be equally strong and therefore we recommend to deploy IP anycast at every single authoritative.

ISI-TR-719 Verfploeter: Broad and Load-Aware Anycast Mapping
Wouter B. de Vries, Ricardo de O.
Schmidt, Wes Hardaker, John Heidemann, Pieter-Tjerk de Boer, Aiko Pras
May 2017, 0 pages
IP anycast provides DNS operators and CDNs with automatic fail-over and reduced latency by breaking the Internet into *catchments*, each served by a different anycast site. Unfortunately, *understanding* and *predicting* changes to catchments as sites are added or removed has been challenging. Current tools such as RIPE Atlas or commercial equivalents map from thousands of vantage points (VPs), but their coverage can be inconsistent around the globe. This paper proposes *Verfploeter*, a new method that maps anycast catchments using active probing. Verfploeter provides around 3.8M virtual VPs, 430x the 9k physical VPs in RIPE Atlas, providing coverage of the vast majority of networks around the globe. We then add load information from prior service logs to provide calibrated predictions of anycast changes. Verfploeter has been used to evaluate the new anycast for B-Root, and we also report its use of a 9-site anycast testbed. We show that the greater coverage made possible by Verfploeter's active probing is necessary to see routing differences in regions that have sparse coverage from RIPE Atlas, like South America and China.

ISI-TR-717 Detecting ICMP Rate Limiting in the Internet (Extended)
Hang Guo, John Heidemann
February 2017, 10 pages
Active probing with ICMP is the center of many network measurements, with tools like ping, traceroute, and their derivatives used to map topologies and as a precursor for security scanning. However, rate limiting of ICMP traffic has long been a concern, since undetected rate limiting to ICMP could distort measurements, silently creating false conclusions. To settle this concern, we look systematically for ICMP rate limiting in the Internet.
We develop a model for how rate limiting affects probing, validate it through controlled testbed experiments, and create FADER, a new algorithm that can identify rate limiting from user-side traces with minimal requirements for new measurement traffic. We validate the accuracy of FADER with many different network configurations in testbed experiments and show that it almost always detects rate limiting. Accuracy is perfect when measurement probing ranges from 0 to 60× the rate limit, and almost perfect (95%) with up to 20% packet loss. The worst case for detection is when probing is very fast and blocks are very sparse, but even there accuracy remains good (measurements 60× the rate limit of a 10% responsive block is correct 65% of the time). With this confidence, we apply our algorithm to the whole Internet with random sampling showing that rate limiting exists but that for slow probing rates, rate-limiting is very, very rare. For our random sample of 40,493 /24 blocks (about 2% of the responsive space) and probing rates of 0.39 packets/s per block, only 6 blocks (0.02%!) in two ISPs show rate limiting. Finally, we show that it is possible for even very slow probing (0.0001 packet/s) to encounter rate limiting if traffic.

ISI-TR-716 Does Anycast Hang up on You?
Lan Wei, John Heidemann
February 2017, 9 pages
Anycast-based services today are widely used commercially, with several major providers serving thousands of important websites. However, to our knowledge, there has been only limited study of how often anycast fails because routing changes interrupt connections between users and their current anycast site. While the commercial success of anycast CDNs means anycast usually work well, do some users end up shut out of anycast? In this paper we examine data from more than 9000 geographically distributed vantage points (VPs) to 11 anycast services to evaluate this question.
Our contribution is the analysis of this data to provide the first quantification of this problem, and to explore where and why it occurs. We see that about 1% of VPs are anycast unstable, reaching a different anycast site frequently, sometimes every query. Flips back and forth between two sites in 10 seconds are observed in selected experiments for given service and VPs. Moreover, we show that anycast instability is persistent for some VPs: a few VPs never see a stable connection to certain anycast services during a week or even longer. The vast majority of VPs only saw unstable routing towards one or two services instead of instability with all services, suggesting the cause of the instability lies somewhere in the path to the anycast sites. Finally, we point out that for highly unstable VPs, their probability to hit a given site is constant, which means the flipping is happening at a fine granularity, per packet level, suggesting load balancing might be the cause to anycast routing flipping. Our findings confirm the common wisdom that anycast almost always works well, but provide evidence of a small number of locations in the Internet where specific anycast services are never stable.

ISI-TR-715 How Users Choose and Reuse Passwords
Jelena Mirkovic, Ameya Hanamsagar, Christopher Kanich, Simon S. Woo
November 2016, 16 pages
Weak or reused passwords are guilty for many contemporary security breaches. It is critical to study both how users choose and reuse passwords, and the causes that lead users to adopt unsafe practices. Existing literature on these topics is limited as it either studies patterns but not the causes (using leaked or contributed datasets), or it studies artificial patterns and causes that may not align with the real ones (lab interviews and/or fictional servers).
Our research complements the existing works by studying the semantic structure, strength and reuse of real passwords, as well as conscious and unconscious causes of unsafe practices, in a population of 50 participants. The participants took part in a carefully designed, ethical and IRB-approved lab study, where we harvested their existing online credentials, and interviewed them about their password strategies and their risk perceptions. We found that: (1) an average password is weak and used at more than four sites, (2) important-site passwords are only 1-2 characters longer and 10 times stronger than those for non-important sites, (3) main causes of weak passwords are security fatigue and short password length, (4) 98% of users reuse their passwords with no changes and the rest make slight changes, which can be easily brute-forced, (5) 84% of users reuse passwords between important and non-important sites, and (6) main causes for password reuse are misconceptions about risk, and preference for memorability over security.

ISI-TR-714 ReBots: A Drag-and-drop High-Performance Simulator for Modular and Self-Reconfigurable Robots
Thomas Collins, Wei-Min Shen
November 2016, 8 pages
A key challenge in self-reconfigurable robotics is the development and validation of complex distributed behaviors and control algorithms, particularly for large populations of modules. Physics-based, 3D simulators play a vital role in helping researchers overcome this challenge by allowing them to approximate the physical interactions of connected, autonomous robotic systems with one another and with their surrounding environments in a fast, safe, and low-cost manner that can reveal physical details that are critical to successful control. Current state-of-the-art self-reconfigurable robot simulators require users to have extensive programming (and software engineering) knowledge.
Additionally, tasks such as translating specifications of real-world modules into simulated ones, creating complex configurations of modules, and designing complex environments are text-based, time-consuming, and error-prone tasks in these simulators, limiting their usefulness to quickly approximate real-world scenarios. This paper proposes ReBots, a drag-and-drop, high-performance self-reconfigurable robot simulator built on top of the Unreal Engine 4 (UE4) game engine. The mouse-and-keyboard GUI interface of ReBots allows users to rapidly prototype new modules, drag instances of them into environments, move and rotate modules, connect modules to one another, modify module properties, rotate module motors, change module behaviors, create complex and realistic environments, and run/pause/stop simulations. The results show that ReBots demonstrates high-performance and scalability of self-reconfigurable and modular robots with complex, distributed and autonomous behaviors in simulated realistic environments, including simulations of environments with up to 2000 autonomous modules physically interacting with one another.

ISI-TR-713 High-Dimensional Inverse Kinematics and Self-Reconfiguration Kinematic Control
Thomas Collins, Wei-Min Shen
November 2016, 12 pages
This paper addresses two unique challenges for self-reconfigurable robots to perform dexterous locomotion and manipulation in difficult environments: high-dimensional inverse kinematics (HDIK) for > 100 degrees of freedom, and self-reconfiguration kinematic control (SRKC) where the workspace targets at which connectors are to meet for docking are not known a priori. These challenges go beyond the state-of-the-art because traditional manipulation techniques (e.g., Jacobian-based) may not be stable or scalable, and alternative approaches (e.g., genetic algorithms or neural networks) provide no guarantees of optimality or convergence.
This paper proposes a new technique called Provably-convergent Swarm-based Inverse Kinematics (PSIK) that extends Branch and Bound Particle Swarm Optimization with a unique approach for dynamic target adaptation for self-reconfiguration. The PSIK algorithm can find globally optimal solutions for both HDIK and SRKC to any precision requirement (i.e., positive error tolerance) in finite or real-time for tree structures of self-reconfigurable robots. This algorithm is implemented and validated in high-fidelity, physics-based simulation using SuperBot as prototype modules. The results are very encouraging and provide feasible solutions for dextrous locomotion, manipulation, and self-reconfiguration.

ISI-TR-712 Globally Convergent Optimal Dynamic Inverse Kinematics for Distributed Modular and Self-Reconfigurable Robot Trees
Thomas Collins, Wei-Min Shen
November 2016, 7 pages
Kinematic trees of self-reconfigurable, modular robots are difficult to control for at least three primary reasons: (1) they must be controlled in a distributed fashion, (2) they are often kinematically redundant or hyper-redundant, and (3) in many cases, these robots must be designed to safely operate autonomously in dangerous and isolated environments. Much work has been done to design hardware, distributed algorithms, and controllers to handle different aspects of this challenging problem, but the design of generalized and globally optimal inverse kinematics algorithms for such systems is largely an open problem. Jacobian-based methods have well-documented shortcomings, particularly for high-DOF systems, while alternative methods, such as those based on genetic and evolutionary algorithms, provide no guarantees of convergence to a globally optimal solution. Such a guarantee is particularly important in the types of dangerous environments in which these robots are to operate.
This paper proposes a novel distributed inverse kinematics framework based on the recently proposed Branch and Bound Particle Swarm Optimization (BB-PSO) algorithm, which provably converges to a globally optimal solution (and converges in finite time given any positive error tolerance). This framework is demonstrated, through extensive simulations, to offer high-quality solutions in practical amounts of time, even for multi-effector and dynamic problems, such as those encountered in kinematic self-reconfiguration where the effector workspace goal pose is not available as input.

ISI-TR-711 Middlebox Models Compatible with the Internet
Joe Touch
October 2016, 6 pages
A hybrid model for middleboxes is presented that describes constraints on their compatibility with the Internet. The Internet is composed of hosts, routers, and links that exchange messages, and these components have been combined into hybrid models to describe tunnels and virtual routers. This document extends these models to describe the behavior of a variety of types of middleboxes, including network address translators, proxies, and transparent proxies.

ISI-TR-710 Do You See Me Now? Sparsity in Passive Observations of Address Liveness (extended)
Jelena Mirkovic, Genevieve Bartlett, John Heidemann, Hao Shi, Xiyue Deng
July 2016, 15 pages

ISI-TR-709 Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event
Given C. M. Moura, Ricardo de O. Schmidt, John Heidemann, Wouter B. de Vries, Moritz Muller, Lan Wei, Cristian Hesselman
May 2016, 15 pages

ISI-TR-708 Anycast Latency: How Many Sites Are Enough?
Ricardo de O.
Schmidt, John Heidemann, Jan Harm Kuipers
May 2016, 13 pages

ISI-TR-707 Improving Long-term Accuracy of DNS Backscatter for Monitoring of Internet-Wide Malicious Activity - The Poster
Abdul Qadeer, John Heidemann, Kensuke Fukuda
April 2016, 2 pages

ISI-TR-706 T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
March 2016, 3 pages

ISI-TR-705 RESECT: Self-learning Spoofed Traffic Filters
Jelena Mirkovic, Erik Kline, Peter Reiher
November 2015, 15 pages
IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, sheer volume of such traffic requires handling further upstream. Prior research [20] has shown that route-dependent spoofed packet filters, such as hop-count filtering and route-based filtering, would be extremely effective if deployed in the Internet core. Deployment at only 50 chosen autonomous systems (0.25% of all ASes) would eliminate 92–97% of spoofed traffic in the entire Internet! But prior research assumes that filters always have correct filtering information. It is an open research problem how to bootstrap this information and keep it up to date when routes change, or in presence of asymmetric or multi-path routing. Our paper addresses this issue. We propose RESECT - a system that enables route-dependent spoofed packet filters to learn correct filtering information in realistic routing scenarios. A RESECT-enhanced filter probes sources of traffic that have stale or missing filtering information, by dropping a minuscule fraction of their TCP traffic, which invokes retransmission behavior. Retransmitted TCP packets are used to update filtering information about the probed source.
RESECT works with asymmetric and multi-path routing, quickly detects route changes, and requires no cooperation between filters nor any changes to traffic sources. Its operation has minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. RESECT thus completes route-dependent packet filters, making them practical and highly effective solutions for IP spoofing defense. ISI-TR-704 Detecting Malicious Activity with DNS Backscatter (extended) Kensuke Fukuda, John Heidemann October 2015, 18 pages ISI-TR-703 The FailSafe Assertion Language Hans P. Zima, Erik DeBenedictis, Jacqueline N. Chame, Pedro C. Diniz, Robert F. Lucas October 2015, 46 pages ISI-TR-702 Data Science in the News: Advances and Challenges for the Era of Big Data Kate Musen, Alyssa Deng, Taylor Alarcon, Yolanda Gil August 2015, 13 pages ISI-TR-701 Evaluating Externally Visible Outages Abdulla Alwabel, John Healy, John Heidemann, Brian Luu, Yuri Pradkin, Rasoul Safavian August 2015, 8 pages ISI-TR-700 QUASAR: A New Approach to Software Attestation Jeremy Abramson, Stephen Schwab, Quoc Tran, W.
Brad Moore July 2015, 9 pages ISI-TR-699 LegoTG: Composable Traffic Generation with a Custom Blueprint Jelena Mirkovic, Genevieve Bartlett June 2015, 14 pages ISI-TR-698 Poster: Lightweight Content-based Phishing Detection Calvin Ardi, John Heidemann May 2015, 3 pages ISI-TR-697 PASO: An Integrated, Scalable PSO-based Optimization Framework for Hyper-Redundant Manipulator Path Planning and Inverse Kinematics Thomas Collins, Wei-Min Shen April 2015, 7 pages ISI-TR-696 Implementation of the TCP Extended Data Offset Option Harry Trieu, Joe Touch, Ted Faber March 2015, 3 pages ISI-TR-695 Connection-Oriented DNS to Improve Privacy and Security (extended) Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya February 2015, 26 pages ISI-TR-693 T-DNS: Connection-Oriented DNS to Improve Privacy and Security (extended) Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya June 2014, 26 pages ISI-TR-692 Web-scale Content Reuse Detection (extended) Calvin Ardi, John Heidemann June 2014, 16 pages ISI-TR-691 When the Internet Sleeps: Correlating Diurnal Networks With External Factors (extended) Lin Quan, John Heidemann, Yuri Pradkin May 2014, 16 pages ISI-TR-690 The Impact of Errors on Differential Optical Processing J. Touch, A. Mohajerin-Ariaei, M. Chitgarha, M. Ziyadi, S. Khaleghi, Y. Akasaka, J. Y. Yang, M.
Sekiya March 2014, 2 pages ISI-TR-689 The BLEMS Augmented Sensor Device Joe Touch March 2014, 21 pages ISI-TR-688 T-DNS: Connection-Oriented DNS to Improve Privacy and Security Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya February 2014, 17 pages ISI-TR-687 A Holistic Framework for Bridging Physical Threats to User QoE Xue Cai, John Heidemann, Walter Willinger July 2013, 11 pages Submarine cable cuts have become increasingly common, with five incidents breaking more than ten cables in the last three years. Today, around 300 cables carry the majority of international Internet traffic, so a single cable cut can affect millions of users, and repairs to any cut are expensive and time consuming. Prior work has either measured the impact following incidents, or predicted the results of network changes to relatively abstract Internet topological models. In this paper, we develop a new approach to model cable cuts. Our approach differs by following problems drawn from real-world occurrences all the way to their impact on end-users. Because our approach spans many layers, no single organization can provide all the data needed to apply the model. We therefore perform what-if analysis to study a range of possibilities. With this approach we evaluate four incidents in 2012 and 2013; our analysis suggests general rules that assess the degree of a country's vulnerability to a cut.
ISI-TR-686b Reducing False Alarms with Multi-modal Sensing for Pipeline Blockage (Extended) Chengjie Zhang, John Heidemann June 2013, 18 pages ISI-TR-685 A Preliminary Analysis of Network Outages During Hurricane Sandy John Heidemann, Lin Quan, Yuri Pradkin November 2012, 8 pages ISI-TR-684 Montage Topology Manager: Tools for Constructing and Sharing Representative Internet Topologies Alefiya Hussain, Jennifer Chen August 2012, 9 pages ISI-TR-683 Building Apparatus for Multi-resolution Networking Experiments Using Containers DETER Team July 2012, 9 pages ISI-TR-679 An Organization-Level View of the Internet and its Implications (extended) Xue Cai, John Heidemann, Balachander Krishnamurthy, Walter Willinger June 2012, 26 pages ISI-TR-681 Characterizing Anycast in the Domain Name System Xun Fan, John Heidemann, Ramesh Govindan May 2012, 14 pages ISI-TR-680 Towards Geolocation of Millions of IP Addresses Zi Hu, John Heidemann, Yuri Pradkin May 2012, 7 pages ISI-TR-678b Detecting Internet Outages with Precise Active Probing (extended) Lin Quan, John Heidemann, Yuri Pradkin May 2012, 22 pages ISI-TR-677 Multifrontal Sparse Matrix Factorization on Graphics Processing Units Robert F. Lucas, Gene Wagenbreth, John J. Tran, Dan M. Davis January 2012, 19 pages ISI-TR-676 A preliminary empirical study to compare MPI and OpenMP Lorin Hochstein, Victor R.
Basili December 2011, 43 pages ISI-TR-675 Evaluating Signature Matching in a Multi-Sensor Vehicle Classification System (extended) Chengjie Zhang, John Heidemann November 2011, 21 pages ISI-TR-674 Final Report of the 2011 Workshop on Aquatic Ecosystem Sustainability Yolanda Gil, Tom Harmon October 2011, 34 pages ISI-TR-673 Data Muling with Mobile Phones for Sensornets Unkyu Park, John Heidemann July 2011, 16 pages ISI-TR-672 Detecting Internet Outages with Active Probing Lin Quan, John Heidemann May 2011, 15 pages ISI-TR-671 Identifying and Characterizing Anycast in the Domain Name System Xun Fan, John Heidemann, Ramesh Govindan May 2011, 13 pages ISI-TR-670 Steam-Powered Sensing: Extended Design and Evaluation Chengjie Zhang, Affan Syed, Young H. Cho, John Heidemann February 2011, 28 pages ISI-TR-669 Demo Abstract: Energy Transference for Sensornets Affan A. Syed, Young Cho, John Heidemann November 2010, 3 pages ISI-TR-668 Design and Analysis of a Propagation Delay Tolerant ALOHA Protocol for Underwater Networks Joon Ahn, Affan Syed, Bhaskar Krishnamachari, John Heidemann September 2010, 26 pages ISI-TR-667 On the Characteristics and Reasons of Long-lived Internet Flows Lin Quan, John Heidemann July 2010, 9 pages ISI-TR-666 Selecting Representative IP Addresses for Internet Topology Studies Xun Fan, John Heidemann June 2010, 12 pages ISI-TR-665 Understanding Block-level Address Usage in the Visible Internet (extended) Xue Cai, John Heidemann June 2010, 24 pages ISI-TR-660b Low-latency Synchronization of Loosely-coupled Sensornet Republishing Unkyu Park, John Heidemann June 2010, 18 pages ISI-TR-664 DADL: Distributed Application Description Language Jelena Mirkovic, Ted Faber, Paul Hsieh, Ganesan Malaiyandisamy, Rashi Malaviy May 2010, 6 pages