ISI-TR-730
Blacklists Assemble: Aggregating Blacklists for Accuracy
Sivaramakrishnan Ramanthan, Jelena Mirkovic, Minlan Yu
December 2018, 15 pages
IP address blacklists are a useful defense against various cyberattacks. Because they contain IP addresses of known offenders, they can be used to preventively filter unwanted traffic and reduce the load on more resource-intensive defenses. Yet, blacklists today suffer from several drawbacks. First, they are compiled and updated using proprietary methods, and thus it is hard to evaluate the accuracy and freshness of their information. Second, blacklists often focus on a single attack type, e.g., spam, while compromised machines are constantly and indiscriminately reused for many attacks. Finally, blacklists contain IP addresses, which lowers their accuracy in networks that use dynamic addressing.
We propose BLAG, a sophisticated approach to select, aggregate and selectively expand only the accurate pieces of information from multiple blacklists. BLAG calculates information about the accuracy of each blacklist over regions of address space, and uses recommendation systems to select the most reputable and accurate pieces of information to aggregate into its master blacklist. This aggregation increases recall by 3–14%, compared to the best-performing blacklist, while preserving high specificity. After aggregation, BLAG identifies networks that have dynamic addressing or a high degree of mismanagement. IP addresses from such networks are selectively expanded into /24 prefixes. This further increases offender detection by 293–411%, with minimal loss in specificity. Overall, BLAG achieves high specificity (85–89%) and high recall (26–61%), which makes it a promising approach for blacklist generation.

ISI-TR-731
Plumb: Efficient Processing of Multi-User Pipelines (Poster)
Abdul Qadeer, John Heidemann
November 2018, 2 pages

ISI-TR-729
Common Outage Data Format, version 1.0
Alberto Dainotti, John Heidemann, Alistair King, Ramakrishna Padmanabhan, Yuri Pradkin
October 2018, 7 pages
This document defines a data format for exchanging information about Internet outages. It specifies the semantics of data about network outages, and two syntaxes that can be used to represent this information. This format is designed to support reports from Internet outage detection systems such as Trinocular, Thunderping, and IODA.

ISI-TR-728
An Architecture for Interconnected Testbed Ecosystems
Ryan Goodfellow, Lincoln Thurlow, Srivatsan Ravi
October 2018, 8 pages
In the cybersecurity research community, there is no one-size-fits-all solution for merging large numbers of heterogeneous resources and experimentation capabilities from disparate specialized testbeds into integrated experiments. The current landscape for cyber-experimentation is diverse, encompassing many fields including critical infrastructure, enterprise IT, cyber-physical systems, cellular networks, automotive platforms, IoT and industrial control systems. Existing federated testbeds are constricted in design to predefined domains of applicability, lacking the systematic ability to integrate the burgeoning number of heterogeneous devices or tools that enable their effective use for experimentation. We have developed the Merge architecture to dynamically integrate disparate testbeds in a logically centralized way that allows researchers to effectively discover and use the resources and capabilities provided by the evolving ecosystem of distributed testbeds for the development of rigorous and high-fidelity cybersecurity experiments.

ISI-TR-727
Efficient Processing of Multi-Users Pipelines (Extended)
Abdul Qadeer, John Heidemann
October 2018, 15 pages
Services such as DNS and websites often produce streams of data that are consumed by analytics pipelines operated by multiple teams. Often this data is processed in large chunks (megabytes) to allow analysis of a block of time or to amortize costs. Such pipelines pose two problems: first, duplication of computation and storage may occur when parts of the pipeline are operated by different groups. Second, processing can be lumpy, with structural lumpiness occurring when different stages need different amounts of resources, and data lumpiness occurring when a block of input requires increased resources. Duplication and structural lumpiness can both result in inefficient processing. Data lumpiness can cause pipeline failure or deadlock, for example when DDoS traffic, compared to normal traffic, requires 6× the CPU. We propose Plumb, a framework to abstract file processing for a multi-stage pipeline. Plumb integrates pipelines contributed by multiple users, detecting and eliminating duplication of computation and intermediate storage. It tracks and adjusts computation of each stage, accommodating both structural and data lumpiness. We exercise Plumb with the processing pipeline for B-Root DNS traffic, where it will replace a hand-tuned system to provide one third the original latency while using 22% less CPU, and will address limitations that occur as multiple users process data and when DDoS traffic causes huge shifts in performance.

ISI-TR-726
Detecting IoT Devices in the Internet (Extended)
Hang Guo, John Heidemann
July 2018, 16 pages
Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. Understanding the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. We have developed these approaches with 10 device models from 7 vendors. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. Our IP-based algorithms see at least 35 IoT devices on a college campus, and 122 IoT devices in customers of a regional IXP. We apply our DNS-based algorithm to traffic from 5 root DNS servers from 2013 to 2018, finding huge growth (about 7×) in ISP-level deployment of 26 device types. DNS also shows similar growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

ISI-TR-725
When the Dike Breaks: Dissecting DNS Defenses During DDoS (extended)
Giovane C. M. Moura, John Heidemann, Moritz Mueller, Ricardo de O. Schmidt, Marco Davids
May 2018, 10 pages
The Internet's Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks have had very different outcomes: some attacks have disabled major public websites, while the external effects of other attacks have been minimal. While on one hand the DNS protocol is relatively simple, the system has many moving parts, with multiple levels of caching and retries and replicated servers. This paper uses controlled experiments to examine how these mechanisms affect DNS resilience and latency, exploring both the client side's DNS user experience and server-side traffic. We find that, for about 30% of clients, caching is not effective. However, when caches are full they allow about half of clients to ride out server outages, and caching and retries allow up to half of the clients to tolerate DDoS attacks that result in 90% query loss, and almost all clients to tolerate attacks resulting in 50% packet loss. The cost of such attacks to clients is greater median latency. For servers, retries during DDoS attacks increase normal traffic up to 8×. Our findings about caching and retries can explain why some real-world DDoS attacks cause service outages for users while other large attacks have minimal visible effects.

ISI-TR-724
Back Out: End-to-end Inference of Common Points-of-Failure in the Internet (extended)
John Heidemann, Yuri Pradkin, Aqib Nisar
January 2018, 17 pages
Internet reliability has many potential weaknesses: fiber rights-of-way at the physical layer, exchange-point congestion from DDoS at the network layer, settlement disputes between organizations at the financial layer, and government intervention at the political layer. This paper shows that we can discover common points-of-failure at any of these layers by observing correlated failures. We use end-to-end observations from data-plane-level connectivity of edge hosts in the Internet. We identify correlations in connectivity: networks that usually fail and recover at the same time suggest a common point-of-failure. We define two new algorithms to meet these goals. First, we define a computationally-efficient algorithm to create a linear ordering of blocks to make correlated failures apparent to a human analyst. Second, we develop an event-based clustering algorithm that directly groups networks with correlated failures, suggesting common points-of-failure. Our algorithms scale to real-world datasets of millions of networks and observations: linear ordering is O(n log n) time and event-based clustering parallelizes with Map/Reduce. We demonstrate them on three months of outages for 4 million /24 network prefixes, showing high recall (0.83 to 0.98) and precision (0.72 to 1.0) for blocks that respond. We also show that our algorithms generalize to identify correlations in anycast catchments and routing.

ISI-TR-723
An Ontology for the ENIGMA Neuroscience Collaboration
MiHyun Jang
December 2017, 14 pages

ISI-TR-722
LDplayer: DNS Experimentation at Scale
Liang Zhu, John Heidemann
November 2017, 10 pages
DNS has evolved over the last 20 years, improving in security and privacy and broadening the kinds of applications it supports. However, this evolution has been slowed by the large installed base with a wide range of implementations that are slow to change. Changes need to be carefully planned, and their impact is difficult to model due to DNS optimizations, caching, and distributed operation. We suggest that experimentation at scale is needed to evaluate changes and speed DNS evolution. This paper presents LDplayer, a configurable, general-purpose DNS testbed that enables DNS experiments to scale in several dimensions: many zones, multiple levels of DNS hierarchy, high query rates, and diverse query sources. LDplayer provides high-fidelity experiments while meeting these requirements through its distributed DNS query replay system, methods to rebuild the relevant DNS hierarchy from traces, and efficient emulation of this hierarchy on limited hardware. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses as if they were independent. We validate that our system can replay DNS root traffic with tiny error (±8 ms quartiles in query timing and ±0.1% difference in query rate). We show that our system can replay queries at 87k queries/s, more than twice the normal DNS root traffic rate, maxing out the one CPU core used by our customized DNS traffic generator. LDplayer's trace replay has the unique ability to evaluate important design questions with confidence that we capture the interplay of caching, timeouts, and resource constraints. As an example, we can demonstrate the memory requirements of a DNS root server with all traffic running over TCP, and we identified performance discontinuities in latency as a function of client RTT.

ISI-TR-721
LDplayer: DNS Experimentation at Scale (poster abstract)
Liang Zhu, John Heidemann
August 2017, 4 pages
In the last 20 years the core of the Domain Name System (DNS) has improved in security and privacy, and DNS use has broadened from name-to-address mapping to critical roles in service discovery and anti-spam. However, protocol evolution and expansion of use have been slow because advances must consider a huge and diverse installed base. We suggest that experimentation at scale can fill this gap. To meet the need for experimentation at scale, this paper presents LDplayer, a configurable, general-purpose DNS testbed. LDplayer enables DNS experiments to scale in several dimensions: many zones, multiple levels of DNS hierarchy, high query rates, and diverse query sources. To meet these requirements while providing high-fidelity experiments, LDplayer includes a distributed DNS query replay system and methods to rebuild the relevant DNS hierarchy from traces. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses as if they were independent. We show the importance of our system to evaluate pressing DNS design questions, using it to evaluate changes in DNSSEC key size.

ISI-TR-720
Recursives in the Wild: Engineering Authoritative DNS Servers
Moritz Muller, Giovane C. M. Moura, Ricardo de O. Schmidt, John Heidemann
June 2017, 10 pages
In the Internet Domain Name System (DNS), services operate authoritative name servers that individuals query through recursive resolvers. Operators strive to provide reliability by operating multiple name servers (NS), each on a separate IP address, and by using IP anycast to allow NSes to provide service from many physical locations. To meet their goals of minimizing latency and balancing load across NSes and anycast, operators need to know how recursive resolvers select an NS, and how that interacts with their NS deployments. Prior work has shown that some recursives search for low latency, while others pick an NS at random or round robin, but did not examine how prevalent each choice was. This paper provides the first analysis of how recursives select between name servers in the wild, and from that we provide guidance to name server operators to reach their goals. We conclude that all NSes need to be equally strong, and therefore we recommend deploying IP anycast at every single authoritative name server.

ISI-TR-719
Verfploeter: Broad and Load-Aware Anycast Mapping
Wouter B. de Vries, Ricardo de O. Schmidt, Wes Hardaker, John Heidemann, Pieter-Tjerk de Boer, Aiko Pras
May 2017, 0 pages
IP anycast provides DNS operators and CDNs with automatic fail-over and reduced latency by breaking the Internet into catchments, each served by a different anycast site. Unfortunately, understanding and predicting changes to catchments as sites are added or removed has been challenging. Current tools such as RIPE Atlas or commercial equivalents map from thousands of vantage points (VPs), but their coverage can be inconsistent around the globe. This paper proposes Verfploeter, a new method that maps anycast catchments using active probing. Verfploeter provides around 3.8M virtual VPs, 430× the 9k physical VPs in RIPE Atlas, providing coverage of the vast majority of networks around the globe. We then add load information from prior service logs to provide calibrated predictions of anycast changes. Verfploeter has been used to evaluate the new anycast for B-Root, and we also report its use on a 9-site anycast testbed. We show that the greater coverage made possible by Verfploeter's active probing is necessary to see routing differences in regions that have sparse coverage from RIPE Atlas, like South America and China.

ISI-TR-717
Detecting ICMP Rate Limiting in the Internet (Extended)
Hang Guo, John Heidemann
February 2017, 10 pages
Active probing with ICMP is at the center of many network measurements, with tools like ping, traceroute, and their derivatives used to map topologies and as a precursor for security scanning. However, rate limiting of ICMP traffic has long been a concern, since undetected rate limiting of ICMP could distort measurements, silently creating false conclusions. To settle this concern, we look systematically for ICMP rate limiting in the Internet. We develop a model for how rate limiting affects probing, validate it through controlled testbed experiments, and create FADER, a new algorithm that can identify rate limiting from user-side traces with minimal requirements for new measurement traffic. We validate the accuracy of FADER with many different network configurations in testbed experiments and show that it almost always detects rate limiting. Accuracy is perfect when measurement probing ranges from 0 to 60× the rate limit, and almost perfect (95%) with up to 20% packet loss. The worst case for detection is when probing is very fast and blocks are very sparse, but even there accuracy remains good (measurements at 60× the rate limit of a 10% responsive block are correct 65% of the time). With this confidence, we apply our algorithm to the whole Internet with random sampling, showing that rate limiting exists but that for slow probing rates, rate limiting is very, very rare. For our random sample of 40,493 /24 blocks (about 2% of the responsive space) and probing rates of 0.39 packets/s per block, only 6 blocks (0.02%!) in two ISPs show rate limiting. Finally, we show that it is possible for even very slow probing (0.0001 packet/s) to encounter rate limiting if traffic.

ISI-TR-716
Does Anycast Hang up on You?
Lan Wei, John Heidemann
February 2017, 9 pages
Anycast-based services today are widely used commercially, with several major providers serving thousands of important websites. However, to our knowledge, there has been only limited study of how often anycast fails because routing changes interrupt connections between users and their current anycast site. While the commercial success of anycast CDNs means anycast usually works well, do some users end up shut out of anycast? In this paper we examine data from more than 9000 geographically distributed vantage points (VPs) to 11 anycast services to evaluate this question. Our contribution is the analysis of this data to provide the first quantification of this problem, and to explore where and why it occurs. We see that about 1% of VPs are anycast unstable, reaching a different anycast site frequently, sometimes every query. Flips back and forth between two sites in 10 seconds are observed in selected experiments for given services and VPs. Moreover, we show that anycast instability is persistent for some VPs: a few VPs never see a stable connection to certain anycast services during a week or even longer. The vast majority of VPs only saw unstable routing towards one or two services instead of instability with all services, suggesting the cause of the instability lies somewhere in the path to the anycast sites. Finally, we point out that for highly-unstable VPs, their probability to hit a given site is constant, which means the flipping is happening at a fine granularity, at the per-packet level, suggesting load balancing might be the cause of anycast routing flipping. Our findings confirm the common wisdom that anycast almost always works well, but provide evidence of a small number of locations in the Internet where specific anycast services are never stable.

ISI-TR-715
How Users Choose and Reuse Passwords
Jelena Mirkovic, Ameya Hanamsagar, Christopher Kanich, Simon S. Woo
November 2016, 16 pages
Weak or reused passwords are responsible for many contemporary security breaches. It is critical to study both how users choose and reuse passwords, and the causes that lead users to adopt unsafe practices. Existing literature on these topics is limited as it either studies patterns but not the causes (using leaked or contributed datasets), or it studies artificial patterns and causes that may not align with the real ones (lab interviews and/or fictional servers). Our research complements the existing works by studying the semantic structure, strength and reuse of real passwords, as well as conscious and unconscious causes of unsafe practices, in a population of 50 participants. The participants took part in a carefully designed, ethical and IRB-approved lab study, where we harvested their existing online credentials, and interviewed them about their password strategies and their risk perceptions. We found that: (1) an average password is weak and used at more than four sites, (2) important-site passwords are only 1-2 characters longer and 10 times stronger than those for non-important sites, (3) the main causes of weak passwords are security fatigue and short password length, (4) 98% of users reuse their passwords with no changes and the rest make slight changes, which can be easily brute-forced, (5) 84% of users reuse passwords between important and non-important sites, and (6) the main causes for password reuse are misconceptions about risk, and preference for memorability over security.

ISI-TR-714
ReBots: A Drag-and-drop High-Performance Simulator for Modular and Self-Reconfigurable Robots
Thomas Collins, Wei-Min Shen
November 2016, 8 pages
A key challenge in self-reconfigurable robotics is the development and validation of complex distributed behaviors and control algorithms, particularly for large populations of modules. Physics-based, 3D simulators play a vital role in helping researchers overcome this challenge by allowing them to approximate the physical interactions of connected, autonomous robotic systems with one another and with their surrounding environments in a fast, safe, and low-cost manner that can reveal physical details that are critical to successful control. Current state-of-the-art self-reconfigurable robot simulators require users to have extensive programming (and software engineering) knowledge. Additionally, tasks such as translating specifications of real-world modules into simulated ones, creating complex configurations of modules, and designing complex environments are text-based, time-consuming, and error-prone tasks in these simulators, limiting their usefulness to quickly approximate real-world scenarios. This paper proposes ReBots, a drag-and-drop, high-performance self-reconfigurable robot simulator built on top of the Unreal Engine 4 (UE4) game engine. The mouse-and-keyboard GUI interface of ReBots allows users to rapidly prototype new modules, drag instances of them into environments, move and rotate modules, connect modules to one another, modify module properties, rotate module motors, change module behaviors, create complex and realistic environments, and run/pause/stop simulations. The results show that ReBots demonstrates high performance and scalability for self-reconfigurable and modular robots with complex, distributed and autonomous behaviors in simulated realistic environments, including simulations of environments with up to 2000 autonomous modules physically interacting with one another.

ISI-TR-713
High-Dimensional Inverse Kinematics and Self-Reconfiguration Kinematic Control
Thomas Collins, Wei-Min Shen
November 2016, 12 pages
This paper addresses two unique challenges for self-reconfigurable robots to perform dexterous locomotion and manipulation in difficult environments: high-dimensional inverse kinematics (HDIK) for > 100 degrees of freedom, and self-reconfiguration kinematic control (SRKC) where the workspace targets at which connectors are to meet for docking are not known a priori. These challenges go beyond the state-of-the-art because traditional manipulation techniques (e.g., Jacobian-based) may not be stable or scalable, and alternative approaches (e.g., genetic algorithms or neural networks) provide no guarantees of optimality or convergence. This paper proposes a new technique called Provably-convergent Swarm-based Inverse Kinematics (PSIK) that extends Branch and Bound Particle Swarm Optimization with a unique approach for dynamic target adaptation for self-reconfiguration. The PSIK algorithm can find globally optimal solutions for both HDIK and SRKC to any precision requirement (i.e., positive error tolerance) in finite or real-time for tree structures of self-reconfigurable robots. This algorithm is implemented and validated in high-fidelity, physics-based simulation using SuperBot as prototype modules. The results are very encouraging and provide feasible solutions for dexterous locomotion, manipulation, and self-reconfiguration.

ISI-TR-712
Globally Convergent Optimal Dynamic Inverse Kinematics for Distributed Modular and Self-Reconfigurable Robot Trees
Thomas Collins, Wei-Min Shen
November 2016, 7 pages
Kinematic trees of self-reconfigurable, modular robots are difficult to control for at least three primary reasons: (1) they must be controlled in a distributed fashion, (2) they are often kinematically redundant or hyper-redundant, and (3) in many cases, these robots must be designed to safely operate autonomously in dangerous and isolated environments. Much work has been done to design hardware, distributed algorithms, and controllers to handle different aspects of this challenging problem, but the design of generalized and globally optimal inverse kinematics algorithms for such systems is largely an open problem. Jacobian-based methods have well-documented shortcomings, particularly for high-DOF systems, while alternative methods, such as those based on genetic and evolutionary algorithms, provide no guarantees of convergence to a globally optimal solution. Such a guarantee is particularly important in the types of dangerous environments in which these robots are to operate. This paper proposes a novel distributed inverse kinematics framework based on the recently proposed Branch and Bound Particle Swarm Optimization (BB-PSO) algorithm, which provably converges to a globally optimal solution (and converges in finite time given any positive error tolerance). This framework is demonstrated, through extensive simulations, to offer high-quality solutions in practical amounts of time, even for multi-effector and dynamic problems, such as those encountered in kinematic self-reconfiguration where the effector workspace goal pose is not available as input.

ISI-TR-711
Middlebox Models Compatible with the Internet
Joe Touch
October 2016, 6 pages
A hybrid model for middleboxes is presented that describes constraints on their compatibility with the Internet. The Internet is composed of hosts, routers, and links that exchange messages, and these components have been combined into hybrid models to describe tunnels and virtual routers. This document extends these models to describe the behavior of a variety of types of middleboxes, including network address translators, proxies, and transparent proxies.

ISI-TR-710
Do You See Me Now? Sparsity in Passive Observations of Address Liveness (extended)
Jelena Mirkovic, Genevieve Bartlett, John Heidemann, Hao Shi, Xiyue Deng
July 2016, 15 pages

ISI-TR-709
Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event
Giovane C. M. Moura, Ricardo de O. Schmidt, John Heidemann, Wouter B. de Vries, Moritz Muller, Lan Wei, Cristian Hesselman
May 2016, 15 pages

ISI-TR-708
Anycast Latency: How Many Sites Are Enough?
Ricardo de O. Schmidt, John Heidemann, Jan Harm Kuipers
May 2016, 13 pages

ISI-TR-707
Improving Long-term Accuracy of DNS Backscatter for Monitoring of Internet-Wide Malicious Activity - The Poster
Abdul Qadeer, John Heidemann, Kensuke Fukuda
April 2016, 2 pages

ISI-TR-706
T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
March 2016, 3 pages

ISI-TR-705
RESECT: Self-learning Spoofed Traffic Filters
Jelena Mirkovic, Erik Kline, Peter Reiher
November 2015, 15 pages
IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, the sheer volume of such traffic requires handling further upstream. Prior research [20] has shown that route-dependent spoofed packet filters, such as hop-count filtering and route-based filtering, would be extremely effective if deployed in the Internet core. Deployment at only 50 chosen autonomous systems (0.25% of all ASes) would eliminate 92–97% of spoofed traffic in the entire Internet! But prior research assumes that filters always have correct filtering information. It is an open research problem how to bootstrap this information and keep it up to date when routes change, or in the presence of asymmetric or multi-path routing. Our paper addresses this issue.
We propose RESECT, a system that enables route-dependent spoofed packet filters to learn correct filtering information in realistic routing scenarios. A RESECT-enhanced filter probes sources of traffic that have stale or missing filtering information, by dropping a minuscule fraction of their TCP traffic, which invokes retransmission behavior. Retransmitted TCP packets are used to update filtering information about the probed source. RESECT works with asymmetric and multi-path routing, quickly detects route changes, and requires no cooperation between filters nor any changes to traffic sources. Its operation has minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. RESECT thus completes route-dependent packet filters, making them practical and highly effective solutions for IP spoofing defense.

ISI-TR-704
Detecting Malicious Activity with DNS Backscatter (extended)
Kensuke Fukuda, John Heidemann
October 2015, 18 pages

ISI-TR-703
The FailSafe Assertion Language
Hans P. Zima, Erik DeBenedictis, Jacqueline N. Chame, Pedro C. Diniz, Robert F. Lucas
October 2015, 46 pages

ISI-TR-702
Data Science in the News: Advances and Challenges for the Era of Big Data
Kate Musen, Alyssa Deng, Taylor Alarcon, Yolanda Gil
August 2015, 13 pages

ISI-TR-701
Evaluating Externally Visible Outages
Abdulla Alwabel, John Healy, John Heidemann, Brian Luu, Yuri Pradkin, Rasoul Safavian
August 2015, 8 pages

ISI-TR-700
QUASAR: A New Approach to Software Attestation
Jeremy Abramson, Stephen Schwab, Quoc Tran, W. Brad Moore
July 2015, 9 pages

ISI-TR-699
LegoTG: Composable Traffic Generation with a Custom Blueprint
Jelena Mirkovic, Genevieve Bartlett
June 2015, 14 pages

ISI-TR-698
Poster: Lightweight Content-based Phishing Detection
Calvin Ardi, John Heidemann
May 2015, 3 pages

ISI-TR-697
PASO: An Integrated, Scalable PSO-based Optimization Framework for Hyper-Redundant Manipulator Path Planning and Inverse Kinematics
Thomas Collins, Wei-Min Shen
April 2015, 7 pages

ISI-TR-696
Implementation of the TCP Extended Data Offset Option
Harry Trieu, Joe Touch, Ted Faber
March 2015, 3 pages

ISI-TR-695
Connection-Oriented DNS to Improve Privacy and Security (extended)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
February 2015, 26 pages

ISI-TR-693
T-DNS: Connection-Oriented DNS to Improve Privacy and Security (extended)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
June 2014, 26 pages

ISI-TR-692
Web-scale Content Reuse Detection (extended)
Calvin Ardi, John Heidemann
June 2014, 16 pages

ISI-TR-691
When the Internet Sleeps: Correlating Diurnal Networks With External Factors (extended)
Lin Quan, John Heidemann, Yuri Pradkin
May 2014, 16 pages

ISI-TR-690 
 |
The Impact of Errors on Differential Optical Processing
 |
|
 J. Touch, A. Mohajerin-Ariaei, M. Chitgarha, M. Ziyadi, S. Khaleghi, Y. Akasaka, J. Y. Yang, M. Sekiya |
|
 March 2014, 2 pages |
 abstract |
|
ISI-TR-689 
 |
The BLEMS Augmented Sensor Device
 |
|
 Joe Touch |
|
 March 2014, 21 pages |
 abstract |
|
ISI-TR-688 
 |
T-DNS: Connection-Oriented DNS to Improve Privacy and Security
 |
|
 Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya |
|
 February 2014, 17 pages |
 abstract |
|
ISI-TR-687
 |
A Holistic Framework for Bridging Physical Threats to User QoE
 |
|
 Xue Cai, John Heidemann, Walter Willinger |
|
 July 2013, 11 pages |
 Submarine cable cuts have become increasingly
common, with five incidents breaking more than ten
cables in the last three years. Today, around 300
cables carry the majority of international Internet
traffic, so a single cable cut can affect millions of
users, and repairs to any cut are expensive and time
consuming. Prior work has either measured the impact
following incidents, or predicted the results of network
changes to relatively abstract Internet topological
models. In this paper, we develop a new approach to
model cable cuts. Our approach differs by following
problems drawn from real-world occurrences all the
way to their impact on end-users. Because our
approach spans many layers, no single organization
can provide all the data needed to apply the model.
We therefore perform what-if analysis to study a range
of possibilities. With this approach we evaluate four
incidents in 2012 and 2013; our analysis suggests
general rules that assess the degree of a country's
vulnerability to a cut. |
|
ISI-TR-686b 
 |
Reducing False Alarms with Multi-modal Sensing for Pipeline Blockage (Extended)
 |
|
 Chengjie Zhang, John Heidemann |
|
 June 2013, 18 pages |
 abstract |
|
ISI-TR-685 
 |
A Preliminary Analysis of Network Outages During Hurricane Sandy
 |
|
 John Heidemann, Lin Quan, Yuri Pradkin |
|
 November 2012, 8 pages |
 abstract |
|
ISI-TR-684 
 |
Montage Topology Manager: Tools for Constructing and Sharing Representative Internet Topologies
 |
|
 Alefiya Hussain, Jennifer Chen |
|
 August 2012, 9 pages |
 abstract |
|
ISI-TR-683 
 |
Building Apparatus for Multi-resolution Networking Experiments Using Containers
 |
|
 DETER Team |
|
 July 2012, 9 pages |
 abstract |
|
ISI-TR-679 
 |
An Organization-Level View of the Internet and its Implications (extended)
 |
|
 Xue Cai, John Heidemann, Balachander Krishnamurthy, Walter Willinger |
|
 June 2012, 26 pages |
 abstract |
|
ISI-TR-681 
 |
Characterizing Anycast in the Domain Name System
 |
|
 Xun Fan, John Heidemann, Ramesh Govindan |
|
 May 2012, 14 pages |
 abstract |
|
ISI-TR-680 
 |
Towards Geolocation of Millions of IP Addresses
 |
|
 Zi Hu, John Heidemann, Yuri Pradkin |
|
 May 2012, 7 pages |
 abstract |
|
ISI-TR-678b 
 |
Detecting Internet Outages with Precise Active Probing (extended)
 |
|
 Lin Quan, John Heidemann, Yuri Pradkin |
|
 May 2012, 22 pages |
 abstract |
|
ISI-TR-677 
 |
Multifrontal Sparse Matrix Factorization on Graphics Processing Units
 |
|
 Robert F. Lucas, Gene Wagenbreth, John J. Tran, Dan M. Davis |
|
 January 2012, 19 pages |
 abstract |
|
ISI-TR-676 
 |
A preliminary empirical study to compare MPI and OpenMP
 |
|
 Lorin Hochstein, Victor R. Basili |
|
 December 2011, 43 pages |
 abstract |
|
ISI-TR-675 
 |
Evaluating Signature Matching in a Multi-Sensor Vehicle Classification System (extended)
 |
|
 Chengjie Zhang, John Heidemann |
|
 November 2011, 21 pages |
 abstract |
|
ISI-TR-674 
 |
Final Report of the 2011 Workshop on Aquatic Ecosystem Sustainability
 |
|
 Yolanda Gil, Tom Harmon |
|
 October 2011, 34 pages |
|
ISI-TR-673 
 |
Data Muling with Mobile Phones for Sensornets
 |
|
 Unkyu Park, John Heidemann |
|
 July 2011, 16 pages |
 abstract |
|
ISI-TR-672 
 |
Detecting Internet Outages with Active Probing
 |
|
 Lin Quan, John Heidemann |
|
 May 2011, 15 pages |
 abstract |
|
ISI-TR-671 
 |
Identifying and Characterizing Anycast in the Domain Name System
 |
|
 Xun Fan, John Heidemann, Ramesh Govindan |
|
 May 2011, 13 pages |
 abstract |
|
ISI-TR-670 
 |
Steam-Powered Sensing: Extended Design and Evaluation
 |
|
 Chengjie Zhang, Affan Syed, Young H. Cho, John Heidemann |
|
 February 2011, 28 pages |
 abstract |
|
ISI-TR-669 
 |
Demo Abstract: Energy Transference for Sensornets
 |
|
 Affan A. Syed, Young Cho, John Heidemann |
|
 November 2010, 3 pages |
|
ISI-TR-668 
 |
Design and Analysis of a Propagation Delay Tolerant ALOHA Protocol for Underwater Networks
 |
|
 Joon Ahn, Affan Syed, Bhaskar Krishnamachari, John Heidemann |
|
 September 2010, 26 pages |
 abstract |
|
ISI-TR-667 
 |
On the Characteristics and Reasons of Long-lived Internet Flows
 |
|
 Lin Quan, John Heidemann |
|
 July 2010, 9 pages |
 abstract |
|
ISI-TR-666 
 |
Selecting Representative IP Addresses for Internet Topology Studies
 |
|
 Xun Fan, John Heidemann |
|
 June 2010, 12 pages |
 abstract |
|
ISI-TR-665 
 |
Understanding Block-level Address Usage in the Visible Internet (extended)
 |
|
 Xue Cai, John Heidemann |
|
 June 2010, 24 pages |
 abstract |
|
ISI-TR-660b 
 |
Low-latency Synchronization of Loosely-coupled Sensornet Republishing
 |
|
 Unkyu Park, John Heidemann |
|
 June 2010, 18 pages |
 abstract |
|
ISI-TR-664 
 |
DADL: Distributed Application Description Language
 |
|
 Jelena Mirkovic, Ted Faber, Paul Hsieh, Ganesan Malaiyandisamy, Rashi Malaviy |
|
 May 2010, 6 pages |
 abstract |
|
|