University of Southern California
Cache Me If You Can: Effects of DNS Time-to-Live (extended)
John Heidemann, Wes Hardaker, Giovane C. M. Moura, Ricardo de O. Schmidt
July 2019,  20 pages

DNS depends on extensive caching for good performance, and every DNS zone owner must set Time-to-Live (TTL) values to control their DNS caching. Today there is relatively little guidance backed by research about how to set TTLs, and operators must balance conflicting demands of caching against agility of configuration. Exactly how TTL value choices affect operational networks is quite challenging to understand for several reasons: DNS is a distributed service, DNS resolution is security-sensitive, and resolvers require multiple types of information as they traverse the DNS hierarchy. These complications mean there are multiple, frequently interacting places where TTLs can be specified. This paper provides the first careful evaluation of how these factors affect the effective cache lifetimes of DNS records, and provides recommendations for how to configure DNS TTLs based on our findings. We provide recommendations in TTL choice for different situations, and for where they must be configured. We show that longer TTLs have significant promise, reducing median latency from 183ms to 28.7ms for one country-code TLD.

Improving the Optics of Active Outage Detection Extended
Guillermo Baltra, John Heidemann
May 2019,  7 pages

There is a growing interest in carefully observing the reliability of the Internet's edge. Outage information can inform our understanding of Internet reliability and planning, and it can help guide operations. Outage detection algorithms using active probing from third parties have been shown to be accurate for most of the Internet, but inaccurate for blocks that are sparsely occupied. Our contributions include a definition of outages, which we use to determine how many independent observers are required to determine global outages. We propose a new Full Block Scanning (FBS) algorithm that gathers more information for sparse blocks to reduce false outage reports. We also propose ISP Availability Sensing (IAS) to detect maintenance activity using only external information. We study a year of outage data and show that FBS has a True Positive Rate of 86%, and show that IAS detects maintenance events in a large U.S. ISP.

DARPA SAFER Program Concept of Operations
Robert Braden, Stephen Schwab
May 2019,  60 pages

This report is the final version of the Concepts of Operations (CONOPS) document for DARPA’s SAFER Warfighter Communication program. During the course of the program, the CONOPS served as a “living” document, maintained online and updated periodically. This Release 4 of SAFER CONOPS contains significant changes in emphasis, organization, and content, to (1) summarize the current state of development and testing of prototype software by the program participants, and (2) provide basic information that will be required by any subsequent technology transition of the software.

Blacklists Assemble: Aggregating Blacklists for Accuracy
Sivaramakrishnan Ramanthan, Jelena Mirkovic, Minlan Yu
December 2018,  15 pages

IP address blacklists are a useful defense against various cyberattacks. Because they contain IP addresses of known offenders, they can be used to preventively filter unwanted traffic, and reduce the load on more resource-intensive defenses. Yet, blacklists today suffer from several drawbacks. First, they are compiled and updated using proprietary methods, and thus it is hard to evaluate the accuracy and freshness of their information. Second, blacklists often focus on a single attack type, e.g., spam, while compromised machines are constantly and indiscriminately reused for many attacks. Finally, blacklists contain IP addresses, which lowers their accuracy in networks that use dynamic addressing. We propose BLAG, a sophisticated approach to select, aggregate and selectively expand only the accurate pieces of information from multiple blacklists. BLAG calculates information about the accuracy of each blacklist over regions of address space, and uses recommendation systems to select the most reputable and accurate pieces of information to aggregate into its master blacklist. This aggregation increases recall by 3–14%, compared to the best-performing blacklist, while preserving high specificity. After aggregation, BLAG identifies networks that have dynamic addressing or a high degree of mismanagement. IP addresses from such networks are selectively expanded into /24 prefixes. This further increases offender detection by 293–411%, with minimal loss in specificity. Overall, BLAG achieves high specificity (85–89%) and high recall (26–61%), which makes it a promising approach for blacklist generation.

Plumb: Efficient Processing of Multi-User Pipelines (Poster)
Abdul Qadeer, John Heidemann
November 2018,  2 pages

Common Outage Data Format, version 1.0
Alberto Dainotti, John Heidemann, Alistair King, Ramakrishna Padmanabhan, Yuri Pradkin
October 2018,  7 pages

This document defines a data format for exchanging information about Internet outages. It specifies the semantics of data about network outages, and two syntaxes that can be used to represent this information. This format is designed to support reports from Internet outage detection systems such as Trinocular, Thunderping, and IODA.

An Architecture for Interconnected Testbed Ecosystems
Ryan Goodfellow, Lincoln Thurlow, Srivatsan Ravi
October 2018,  8 pages

In the cybersecurity research community, there is no one-size-fits-all solution for merging large numbers of heterogeneous resources and experimentation capabilities from disparate specialized testbeds into integrated experiments. The current landscape for cyber-experimentation is diverse, encompassing many fields including critical infrastructure, enterprise IT, cyber-physical systems, cellular networks, automotive platforms, IoT and industrial control systems. Existing federated testbeds are constricted in design to predefined domains of applicability, lacking the systematic ability to integrate the burgeoning number of heterogeneous devices or tools that enable their effective use for experimentation. We have developed the Merge architecture to dynamically integrate disparate testbeds in a logically centralized way that allows researchers to effectively discover and use the resources and capabilities provided by the evolving ecosystem of distributed testbeds for the development of rigorous and high-fidelity cybersecurity experiments.

Efficient Processing of Multi-Users Pipelines (Extended)
Abdul Qadeer, John Heidemann
October 2018,  15 pages

Services such as DNS and websites often produce streams of data that are consumed by analytics pipelines operated by multiple teams. Often this data is processed in large chunks (megabytes) to allow analysis of a block of time or to amortize costs. Such pipelines pose two problems: first, duplication of computation and storage may occur when parts of the pipeline are operated by different groups. Second, processing can be lumpy, with structural lumpiness occurring when different stages need different amounts of resources, and data lumpiness occurring when a block of input requires increased resources. Duplication and structural lumpiness can both result in inefficient processing. Data lumpiness can cause pipeline failure or deadlock; for example, DDoS traffic can require 6× the CPU of normal traffic. We propose Plumb, a framework to abstract file processing for a multi-stage pipeline. Plumb integrates pipelines contributed by multiple users, detecting and eliminating duplication of computation and intermediate storage. It tracks and adjusts computation of each stage, accommodating both structural and data lumpiness. We exercise Plumb with the processing pipeline for B-Root DNS traffic, where it will replace a hand-tuned system to provide one third the original latency while utilizing 22% fewer CPU, and will address limitations that occur as multiple users process data and when DDoS traffic causes huge shifts in performance.

Detecting IoT Devices in the Internet (Extended)
Hang Guo, John Heidemann
July 2018,  16 pages

Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices have shown how vulnerable the Internet is to large-scale DDoS attacks. Understanding the risks of these attacks requires learning about these IoT devices: where are they? how many are there? how are they changing? This paper describes three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates. Our primary methods (IP addresses and DNS names) use knowledge of servers run by the manufacturers of these devices. We have developed these approaches with 10 device models from 7 vendors. Our third method uses TLS certificates obtained by active scanning. We have applied our algorithms to a number of observations. Our IP-based algorithms see at least 35 IoT devices on a college campus, and 122 IoT devices in customers of a regional IXP. We apply our DNS-based algorithm to traffic from 5 root DNS servers from 2013 to 2018, finding huge growth (about 7×) in ISP-level deployment of 26 device types. DNS also shows similar growth in IoT deployment in residential households from 2013 to 2017. Our certificate-based algorithm finds 254k IP cameras and network video recorders from 199 countries around the world.

When the Dike Breaks: Dissecting DNS Defenses During DDoS (extended)
Giovane C. M. Moura, John Heidemann, Moritz Mueller, Ricardo de O. Schmidt, Marco Davids
May 2018,  10 pages

The Internet's Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks have had very different outcomes: some attacks have disabled major public websites, while the external effects of other attacks have been minimal. While on one hand the DNS protocol is relatively simple, the system has many moving parts, with multiple levels of caching and retries and replicated servers. This paper uses controlled experiments to examine how these mechanisms affect DNS resilience and latency, exploring both the client side's DNS user experience, and server-side traffic. We find that, for about 30% of clients, caching is not effective. However, when caches are full they allow about half of clients to ride out server outages, and caching and retries allow up to half of the clients to tolerate DDoS attacks that result in 90% query loss, and almost all clients to tolerate attacks resulting in 50% packet loss. The cost of such attacks to clients is greater median latency. For servers, retries during DDoS attacks increase normal traffic up to 8×. Our findings about caching and retries can explain why some real-world DDoS attacks cause service outages for users while other large attacks have minimal visible effects.

Back Out: End-to-end Inference of Common Points-of-Failure in the Internet (extended)
John Heidemann, Yuri Pradkin, Aqib Nisar
January 2018,  17 pages

Internet reliability has many potential weaknesses: fiber rights-of-way at the physical layer, exchange-point congestion from DDoS at the network layer, settlement disputes between organizations at the financial layer, and government intervention at the political layer. This paper shows that we can discover common points-of-failure at any of these layers by observing correlated failures. We use end-to-end observations from data-plane-level connectivity of edge hosts in the Internet. We identify correlations in connectivity: networks that usually fail and recover at the same time suggest a common point-of-failure. We define two new algorithms to meet these goals. First, we define a computationally-efficient algorithm to create a linear ordering of blocks to make correlated failures apparent to a human analyst. Second, we develop an event-based clustering algorithm that directly identifies networks with correlated failures, suggesting common points-of-failure. Our algorithms scale to real-world datasets of millions of networks and observations: linear ordering is O(n log n) time and event-based clustering parallelizes with Map/Reduce. We demonstrate them on three months of outages for 4 million /24 network prefixes, showing high recall (0.83 to 0.98) and precision (0.72 to 1.0) for blocks that respond. We also show that our algorithms generalize to identify correlations in anycast catchments and routing.

An Ontology for the ENIGMA Neuroscience Collaboration
MiHyun Jang
December 2017,  14 pages

LDplayer: DNS Experimentation at Scale
Liang Zhu, John Heidemann
November 2017,  10 pages

DNS has evolved over the last 20 years, improving in security and privacy and broadening the kinds of applications it supports. However, this evolution has been slowed by the large installed base with a wide range of implementations that are slow to change. Changes need to be carefully planned, and their impact is difficult to model due to DNS optimizations, caching, and distributed operation. We suggest that experimentation at scale is needed to evaluate changes and speed DNS evolution. This paper presents LDplayer, a configurable, general-purpose DNS testbed that enables DNS experiments to scale in several dimensions: many zones, multiple levels of DNS hierarchy, high query rates, and diverse query sources. LDplayer provides high fidelity experiments while meeting these requirements through its distributed DNS query replay system, methods to rebuild the relevant DNS hierarchy from traces, and efficient emulation of this hierarchy on limited hardware. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses as if they were independent. We validate that our system can replay DNS root traffic with tiny error (± 8 ms quartiles in query timing and ± 0.1% difference in query rate). We show that our system can replay queries at 87k queries/s, more than twice the normal DNS Root traffic rate, maxing out one CPU core used by our customized DNS traffic generator. LDplayer's trace replay has the unique ability to evaluate important design questions with confidence that we capture the interplay of caching, timeouts, and resource constraints. As an example, we can demonstrate the memory requirements of a DNS root server with all traffic running over TCP, and we identified performance discontinuities in latency as a function of client RTT.

LDplayer: DNS Experimentation at Scale (poster abstract)
Liang Zhu, John Heidemann
August 2017,  4 pages

In the last 20 years the core of the Domain Name System (DNS) has improved in security and privacy, and DNS use has broadened from name-to-address mapping to critical roles in service discovery and anti-spam. However, protocol evolution and expansion of use have been slow because advances must consider a huge and diverse installed base. We suggest that experimentation at scale can fill this gap. To meet the need for experimentation at scale, this paper presents LDplayer, a configurable, general-purpose DNS testbed. LDplayer enables DNS experiments to scale in several dimensions: many zones, multiple levels of DNS hierarchy, high query rates, and diverse query sources. To meet these requirements while providing high fidelity experiments, LDplayer includes a distributed DNS query replay system and methods to rebuild the relevant DNS hierarchy from traces. We show that a single DNS server can correctly emulate multiple independent levels of the DNS hierarchy while providing correct responses as if they were independent. We show the importance of our system to evaluate pressing DNS design questions, using it to evaluate changes in DNSSEC key size.

Recursives in the Wild: Engineering Authoritative DNS Servers
Moritz Muller, Giovane C. M. Moura, Ricardo de O. Schmidt, John Heidemann
June 2017,  10 pages

In the Internet's Domain Name System (DNS), services operate authoritative name servers that individuals query through recursive resolvers. Operators strive to provide reliability by operating multiple name servers (NS), each on a separate IP address, and by using IP anycast to allow NSes to provide service from many physical locations. To meet their goals of minimizing latency and balancing load across NSes and anycast, operators need to know how recursive resolvers select an NS, and how that interacts with their NS deployments. Prior work has shown some recursives search for low latency, while others pick an NS at random or round robin, but did not examine how prevalent each choice was. This paper provides the first analysis of how recursives select between name servers in the wild, and from that we provide guidance to name server operators to reach their goals. We conclude that all NSes need to be equally strong, and therefore we recommend deploying IP anycast at every single authoritative server.

Verfploeter: Broad and Load-Aware Anycast Mapping
Wouter B. de Vries, Ricardo de O. Schmidt, Wes Hardaker, John Heidemann, Pieter-Tjerk de Boer, Aiko Pras
May 2017,  0 pages

IP anycast provides DNS operators and CDNs with automatic fail-over and reduced latency by breaking the Internet into catchments, each served by a different anycast site. Unfortunately, understanding and predicting changes to catchments as sites are added or removed has been challenging. Current tools such as RIPE Atlas or commercial equivalents map from thousands of vantage points (VPs), but their coverage can be inconsistent around the globe. This paper proposes Verfploeter, a new method that maps anycast catchments using active probing. Verfploeter provides around 3.8M virtual VPs, 430x the 9k physical VPs in RIPE Atlas, providing coverage of the vast majority of networks around the globe. We then add load information from prior service logs to provide calibrated predictions of anycast changes. Verfploeter has been used to evaluate the new anycast for B-Root, and we also report its use on a 9-site anycast testbed. We show that the greater coverage made possible by Verfploeter's active probing is necessary to see routing differences in regions that have sparse coverage from RIPE Atlas, like South America and China.

Detecting ICMP Rate Limiting in the Internet (Extended)
Hang Guo, John Heidemann
February 2017,  10 pages

Active probing with ICMP is the center of many network measurements, with tools like ping, traceroute, and their derivatives used to map topologies and as a precursor for security scanning. However, rate limiting of ICMP traffic has long been a concern, since undetected rate limiting of ICMP could distort measurements, silently creating false conclusions. To settle this concern, we look systematically for ICMP rate limiting in the Internet. We develop a model for how rate limiting affects probing, validate it through controlled testbed experiments, and create FADER, a new algorithm that can identify rate limiting from user-side traces with minimal requirements for new measurement traffic. We validate the accuracy of FADER with many different network configurations in testbed experiments and show that it almost always detects rate limiting. Accuracy is perfect when measurement probing ranges from 0 to 60× the rate limit, and almost perfect (95%) with up to 20% packet loss. The worst case for detection is when probing is very fast and blocks are very sparse, but even there accuracy remains good (measurements at 60× the rate limit of a 10% responsive block are correct 65% of the time). With this confidence, we apply our algorithm to the whole Internet with random sampling, showing that rate limiting exists but that for slow probing rates, rate-limiting is very, very rare. For our random sample of 40,493 /24 blocks (about 2% of the responsive space) and probing rates of 0.39 packets/s per block, only 6 blocks (0.02%!) in two ISPs show rate limiting. Finally, we show that it is possible for even very slow probing (0.0001 packet/s) to encounter rate limiting if traffic.

Does Anycast Hang up on You?
Lan Wei, John Heidemann
February 2017,  9 pages

Anycast-based services today are widely used commercially, with several major providers serving thousands of important websites. However, to our knowledge, there has been only limited study of how often anycast fails because routing changes interrupt connections between users and their current anycast site. While the commercial success of anycast CDNs means anycast usually works well, do some users end up shut out of anycast? In this paper we examine data from more than 9000 geographically distributed vantage points (VPs) to 11 anycast services to evaluate this question. Our contribution is the analysis of this data to provide the first quantification of this problem, and to explore where and why it occurs. We see that about 1% of VPs are anycast unstable, reaching a different anycast site frequently, sometimes on every query. Flips back and forth between two sites in 10 seconds are observed in selected experiments for a given service and VP. Moreover, we show that anycast instability is persistent for some VPs: a few VPs never see a stable connection to certain anycast services during a week or even longer. The vast majority of VPs only saw unstable routing towards one or two services instead of instability with all services, suggesting the cause of the instability lies somewhere in the path to the anycast sites. Finally, we point out that for highly unstable VPs, their probability to hit a given site is constant, which means the flipping is happening at a fine granularity (per-packet level), suggesting load balancing might be the cause of anycast routing flipping. Our findings confirm the common wisdom that anycast almost always works well, but provide evidence that there are a small number of locations in the Internet where specific anycast services are never stable.

How Users Choose and Reuse Passwords
Jelena Mirkovic, Ameya Hanamsagar, Christopher Kanich, Simon S. Woo
November 2016,  16 pages

Weak or reused passwords are responsible for many contemporary security breaches. It is critical to study both how users choose and reuse passwords, and the causes that lead users to adopt unsafe practices. Existing literature on these topics is limited as it either studies patterns but not the causes (using leaked or contributed datasets), or it studies artificial patterns and causes that may not align with the real ones (lab interviews and/or fictional servers). Our research complements the existing works by studying the semantic structure, strength and reuse of real passwords, as well as conscious and unconscious causes of unsafe practices, in a population of 50 participants. The participants took part in a carefully designed, ethical and IRB-approved lab study, where we harvested their existing online credentials, and interviewed them about their password strategies and their risk perceptions. We found that: (1) an average password is weak and used at more than four sites, (2) important-site passwords are only 1-2 characters longer and 10 times stronger than those for non-important sites, (3) the main causes of weak passwords are security fatigue and short password length, (4) 98% of users reuse their passwords with no changes and the rest make slight changes, which can be easily brute-forced, (5) 84% of users reuse passwords between important and non-important sites, and (6) the main causes for password reuse are misconceptions about risk, and preference for memorability over security.

ReBots: A Drag-and-drop High-Performance Simulator for Modular and Self-Reconfigurable Robots
Thomas Collins, Wei-Min Shen
November 2016,  8 pages

A key challenge in self-reconfigurable robotics is the development and validation of complex distributed behaviors and control algorithms, particularly for large populations of modules. Physics-based, 3D simulators play a vital role in helping researchers overcome this challenge by allowing them to approximate the physical interactions of connected, autonomous robotic systems with one another and with their surrounding environments in a fast, safe, and low-cost manner that can reveal physical details that are critical to successful control. Current state-of-the-art self-reconfigurable robot simulators require users to have extensive programming (and software engineering) knowledge. Additionally, tasks such as translating specifications of real-world modules into simulated ones, creating complex configurations of modules, and designing complex environments are text-based, time-consuming, and error-prone tasks in these simulators, limiting their usefulness to quickly approximate real-world scenarios. This paper proposes ReBots, a drag-and-drop, high-performance self-reconfigurable robot simulator built on top of the Unreal Engine 4 (UE4) game engine. The mouse-and-keyboard GUI interface of ReBots allows users to rapidly prototype new modules, drag instances of them into environments, move and rotate modules, connect modules to one another, modify module properties, rotate module motors, change module behaviors, create complex and realistic environments, and run/pause/stop simulations. The results show that ReBots demonstrates high performance and scalability of self-reconfigurable and modular robots with complex, distributed and autonomous behaviors in simulated realistic environments, including simulations of environments with up to 2000 autonomous modules physically interacting with one another.

High-Dimensional Inverse Kinematics and Self-Reconfiguration Kinematic Control
Thomas Collins, Wei-Min Shen
November 2016,  12 pages

This paper addresses two unique challenges for self-reconfigurable robots to perform dexterous locomotion and manipulation in difficult environments: high-dimensional inverse kinematics (HDIK) for > 100 degrees of freedom, and self-reconfiguration kinematic control (SRKC) where the workspace targets at which connectors are to meet for docking are not known a priori. These challenges go beyond the state-of-the-art because traditional manipulation techniques (e.g., Jacobian-based) may not be stable or scalable, and alternative approaches (e.g., genetic algorithms or neural networks) provide no guarantees of optimality or convergence. This paper proposes a new technique called Provably-convergent Swarm-based Inverse Kinematics (PSIK) that extends Branch and Bound Particle Swarm Optimization with a unique approach for dynamic target adaptation for self-reconfiguration. The PSIK algorithm can find globally optimal solutions for both HDIK and SRKC to any precision requirement (i.e., positive error tolerance) in finite or real-time for tree structures of self-reconfigurable robots. This algorithm is implemented and validated in high-fidelity, physics-based simulation using SuperBot as prototype modules. The results are very encouraging and provide feasible solutions for dexterous locomotion, manipulation, and self-reconfiguration.

Globally Convergent Optimal Dynamic Inverse Kinematics for Distributed Modular and Self-Reconfigurable Robot Trees
Thomas Collins, Wei-Min Shen
November 2016,  7 pages

Kinematic trees of self-reconfigurable, modular robots are difficult to control for at least three primary reasons: (1) they must be controlled in a distributed fashion, (2) they are often kinematically redundant or hyper-redundant, and (3) in many cases, these robots must be designed to safely operate autonomously in dangerous and isolated environments. Much work has been done to design hardware, distributed algorithms, and controllers to handle different aspects of this challenging problem, but the design of generalized and globally optimal inverse kinematics algorithms for such systems is largely an open problem. Jacobian-based methods have well-documented shortcomings, particularly for high-DOF systems, while alternative methods, such as those based on genetic and evolutionary algorithms, provide no guarantees of convergence to a globally optimal solution. Such a guarantee is particularly important in the types of dangerous environments in which these robots are to operate. This paper proposes a novel distributed inverse kinematics framework based on the recently proposed Branch and Bound Particle Swarm Optimization (BB-PSO) algorithm, which provably converges to a globally optimal solution (and converges in finite time given any positive error tolerance). This framework is demonstrated, through extensive simulations, to offer high-quality solutions in practical amounts of time, even for multi-effector and dynamic problems, such as those encountered in kinematic self-reconfiguration where the effector workspace goal pose is not available as input.

Middlebox Models Compatible with the Internet
Joe Touch
October 2016,  6 pages

A hybrid model for middleboxes is presented that describes constraints on their compatibility with the Internet. The Internet is composed of hosts, routers, and links that exchange messages, and these components have been combined into hybrid models to describe tunnels and virtual routers. This document extends these models to describe the behavior of a variety of types of middleboxes, including network address translators, proxies, and transparent proxies.

Do You See Me Now? Sparsity in Passive Observations of Address Liveness (extended)
Jelena Mirkovic, Genevieve Bartlett, John Heidemann, Hao Shi, Xiyue Deng
July 2016,  15 pages


Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event
Giovane C. M. Moura, Ricardo de O. Schmidt, John Heidemann, Wouter B. de Vries, Moritz Muller, Lan Wei, Cristian Hesselman
May 2016,  15 pages


Anycast Latency: How Many Sites Are Enough?
Ricardo de O. Schmidt, John Heidemann, Jan Harm Kuipers
May 2016,  13 pages


Improving Long-term Accuracy of DNS Backscatter for Monitoring of Internet-Wide Malicious Activity - The Poster
Abdul Qadeer, John Heidemann, Kensuke Fukuda
April 2016,  2 pages


T-DNS: Connection-Oriented DNS to Improve Privacy and Security (poster abstract)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
March 2016,  3 pages


RESECT: Self-learning Spoofed Traffic Filters
Jelena Mirkovic, Erik Kline, Peter Reiher
November 2015,  15 pages

IP spoofing has been a persistent Internet security threat for decades. While research solutions exist that can help an edge network detect spoofed and reflected traffic, the sheer volume of such traffic requires handling further upstream. Prior research [20] has shown that route-dependent spoofed packet filters, such as hop-count filtering and route-based filtering, would be extremely effective if deployed in the Internet core. Deployment at only 50 chosen autonomous systems (0.25% of all ASes) would eliminate 92–97% of spoofed traffic in the entire Internet! But prior research assumes that filters always have correct filtering information. It is an open research problem how to bootstrap this information and keep it up to date when routes change, or in the presence of asymmetric or multi-path routing. Our paper addresses this issue. We propose RESECT, a system that enables route-dependent spoofed packet filters to learn correct filtering information in realistic routing scenarios. A RESECT-enhanced filter probes sources of traffic that have stale or missing filtering information, by dropping a minuscule fraction of their TCP traffic, which invokes retransmission behavior. Retransmitted TCP packets are used to update filtering information about the probed source. RESECT works with asymmetric and multi-path routing, quickly detects route changes, and requires no cooperation between filters nor any changes to traffic sources. Its operation has minimal effect on legitimate traffic, while it quickly detects and drops spoofed packets. RESECT thus completes route-dependent packet filters, making them practical and highly effective solutions for IP spoofing defense.

Detecting Malicious Activity with DNS Backscatter (extended)
Kensuke Fukuda, John Heidemann
October 2015,  18 pages

The FailSafe Assertion Language
Hans P. Zima, Erik DeBenedictis, Jacqueline N. Chame, Pedro C. Diniz, Robert F. Lucas
October 2015,  46 pages

Data Science in the News: Advances and Challenges for the Era of Big Data
Kate Musen, Alyssa Deng, Taylor Alarcon, Yolanda Gil
August 2015,  13 pages


Evaluating Externally Visible Outages
Abdulla Alwabel, John Healy, John Heidemann, Brian Luu, Yuri Pradkin, Rasoul Safavian
August 2015,  8 pages


QUASAR: A New Approach to Software Attestation
Jeremy Abramson, Stephen Schwab, Quoc Tran, W. Brad Moore
July 2015,  9 pages


LegoTG: Composable Traffic Generation with a Custom Blueprint
Jelena Mirkovic, Genevieve Bartlett
June 2015,  14 pages


Poster: Lightweight Content-based Phishing Detection
Calvin Ardi, John Heidemann
May 2015,  3 pages


PASO: An Integrated, Scalable PSO-based Optimization Framework for Hyper-Redundant Manipulator Path Planning and Inverse Kinematics
Thomas Collins, Wei-Min Shen
April 2015,  7 pages

Implementation of the TCP Extended Data Offset Option
Harry Trieu, Joe Touch, Ted Faber
March 2015,  3 pages


Connection-Oriented DNS to Improve Privacy and Security (extended)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
February 2015,  26 pages


T-DNS: Connection-Oriented DNS to Improve Privacy and Security (extended)
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
June 2014,  26 pages


Web-scale Content Reuse Detection (extended)
Calvin Ardi, John Heidemann
June 2014,  16 pages


When the Internet Sleeps: Correlating Diurnal Networks With External Factors (extended)
Lin Quan, John Heidemann, Yuri Pradkin
May 2014,  16 pages


The Impact of Errors on Differential Optical Processing
J. Touch, A. Mohajerin-Ariaei, M. Chitgarha, M. Ziyadi, S. Khaleghi, Y. Akasaka, J. Y. Yang, M. Sekiya
March 2014,  2 pages


The BLEMS Augmented Sensor Device
Joe Touch
March 2014,  21 pages


T-DNS: Connection-Oriented DNS to Improve Privacy and Security
Liang Zhu, Zi Hu, John Heidemann, Duane Wessels, Allison Mankin, Nikita Somaiya
February 2014,  17 pages


A Holistic Framework for Bridging Physical Threats to User QoE
Xue Cai, John Heidemann, Walter Willinger
July 2013,  11 pages

Submarine cable cuts have become increasingly common, with five incidents breaking more than ten cables in the last three years. Today, around 300 cables carry the majority of international Internet traffic, so a single cable cut can affect millions of users, and repairs to any cut are expensive and time consuming. Prior work has either measured the impact following incidents, or predicted the results of network changes to relatively abstract Internet topological models. In this paper, we develop a new approach to model cable cuts. Our approach differs by following problems drawn from real-world occurrences all the way to their impact on end-users. Because our approach spans many layers, no single organization can provide all the data needed to apply the model. We therefore perform what-if analysis to study a range of possibilities. With this approach we evaluate four incidents in 2012 and 2013; our analysis suggests general rules that assess the degree of a country's vulnerability to a cut.

Reducing False Alarms with Multi-modal Sensing for Pipeline Blockage (Extended)
Chengjie Zhang, John Heidemann
June 2013,  18 pages


A Preliminary Analysis of Network Outages During Hurricane Sandy
John Heidemann, Lin Quan, Yuri Pradkin
November 2012,  8 pages


Montage Topology Manager: Tools for Constructing and Sharing Representative Internet Topologies
Alefiya Hussain, Jennifer Chen
August 2012,  9 pages


Building Apparatus for Multi-resolution Networking Experiments Using Containers
July 2012,  9 pages


An Organization-Level View of the Internet and its Implications (extended)
Xue Cai, John Heidemann, Balachander Krishnamurthy, Walter Willinger
June 2012,  26 pages


Characterizing Anycast in the Domain Name System
Xun Fan, John Heidemann, Ramesh Govindan
May 2012,  14 pages


Towards Geolocation of Millions of IP Addresses
Zi Hu, John Heidemann, Yuri Pradkin
May 2012,  7 pages


Detecting Internet Outages with Precise Active Probing (extended)
Lin Quan, John Heidemann, Yuri Pradkin
May 2012,  22 pages


Multifrontal Sparse Matrix Factorization on Graphics Processing Units
Robert F. Lucas, Gene Wagenbreth, John J. Tran, Dan M. Davis
January 2012,  19 pages


A preliminary empirical study to compare MPI and OpenMP
Lorin Hochstein, Victor R. Basili
December 2011,  43 pages


Evaluating Signature Matching in a Multi-Sensor Vehicle Classification System (extended)
Chengjie Zhang, John Heidemann
November 2011,  21 pages


Final Report of the 2011 Workshop on Aquatic Ecosystem Sustainability
Yolanda Gil, Tom Harmon
October 2011,  34 pages

Data Muling with Mobile Phones for Sensornets
Unkyu Park, John Heidemann
July 2011,  16 pages


Detecting Internet Outages with Active Probing
Lin Quan, John Heidemann
May 2011,  15 pages


Identifying and Characterizing Anycast in the Domain Name System
Xun Fan, John Heidemann, Ramesh Govindan
May 2011,  13 pages


Steam-Powered Sensing: Extended Design and Evaluation
Chengjie Zhang, Affan Syed, Young H. Cho, John Heidemann
February 2011,  28 pages


Demo Abstract: Energy Transference for Sensornets
Affan A. Syed, Young Cho, John Heidemann
November 2010,  3 pages

Design and Analysis of a Propagation Delay Tolerant ALOHA Protocol for Underwater Networks
Joon Ahn, Affan Syed, Bhaskar Krishnamachari, John Heidemann
September 2010,  26 pages


On the Characteristics and Reasons of Long-lived Internet Flows
Lin Quan, John Heidemann
July 2010,  9 pages


Selecting Representative IP Addresses for Internet Topology Studies
Xun Fan, John Heidemann
June 2010,  12 pages


Understanding Block-level Address Usage in the Visible Internet (extended)
Xue Cai, John Heidemann
June 2010,  24 pages


Low-latency Synchronization of Loosely-coupled Sensornet Republishing
Unkyu Park, John Heidemann
June 2010,  18 pages


DADL: Distributed Application Description Language
Jelena Mirkovic, Ted Faber, Paul Hsieh, Ganesan Malaiyandisamy, Rashi Malaviy
May 2010,  6 pages

