Networking and Cybersecurity

NETWORK INFRASTRUCTURE SUPPORTING SCIENCE AND OPERATIONS

B-Root DNS Infrastructure

ISI's B-Root DNS critical infrastructure serves as the foundation for a number of efforts to advance the state of the art for the Domain Name System (DNS) in multiple directions. B-Root is one of the 13 root servers at the top of the DNS hierarchy ("above" .com and .edu). The Internet's DNS was created at ISI in the late 1980s, and we have managed and maintained the B-Root DNS root server ever since, with a focus both on a mission of research and on service to the Internet at large.

New Service Locations: B-Root currently operates from two locations (Los Angeles and Miami) to provide disaster recovery, capacity, and to reduce latency. In 2018 B-Root installed its first international Anycast instance in Chile, in cooperation with PitChile. We expect this site to go into production service in early 2019.

In the Internet Community: ISI has also played a critical role in establishing an Internet Governance model for the DNS Root Server system. This multi-year cooperative effort is working to put in place oversight, increasing transparency and accountability, in cooperation with the international Corporation for Assigned Names and Numbers (ICANN).

Supporting Research: B-Root actively supports USC and ISI's mission as a research university. We have worked with researchers in the Global Analysis of Weak Signals for Enterprise Event Detection (GAWSEED) project, part of DARPA's Cyber Hunting at Scale (CHASE) program, the DDoS Defense In Depth for DNS (DDIDD) project under the NSF's CICI (Cybersecurity Innovation for Cyberinfrastructure) program, and shared data through the DHS IMPACT program. Insights from B-Root have informed academic work such as "When the Dike Breaks: Dissecting DNS Defenses During DDoS" by researchers from USC/ISI with SIDN Labs, University of Twente (Netherlands), University of Passo Fundo (Brazil), and published in the ACM Internet Measurements conference 2018.

Intersecting Community and Research: B-Root played a critical role at the intersection of Internet governance and research. DNS Security (DNSSEC) depends on a central cryptographic key managed by the International Corporation for Assigned Names and Numbers (ICANN). ICANN had been planning to change this key for several years, yet was uncertain about the risks surrounding the change and postponed it for a year out of concern.

The rise and fall of trust in cryptographic trust anchors

ISI identified a major source of incorrect use of old cryptographic keys, and addressed the issue through community outreach. The resulting conclusion built confidence and allowed ICANN to successfully carry out the key change in October 2018. A key insight was ISI research identifying one software product that was the source of a majority of errors. The following graph shows errors in the black line. After we contacted the vendor, they rolled out updates and the error reports dropped in half (June and July, 2008), even as reporting increased (green line).

Defeating Distributed Attacks Through ISP Collaboration

Volumetric distributed denial-of-service (DDoS) attacks can bring any network to a halt. Because of their distributed nature and high volume, the victim often cannot handle these attacks alone and needs help from upstream ISPs. Today's Internet has no automated mechanism for victims to petition ISPs for help in handling attacks, and ISPs themselves do not offer such services. Instead, traffic is usually redirected to cloud-based scrubbing centers, and then routed back to the target of the attack. This approach is costly; it introduces delays, jeopardizes user privacy and does not allow the victim to control the mitigation process.

SENSS: A collaborative approach to fight DDoS attacks

ISI's STEEL lab has developed a collaborative approach to fight DDoS attacks. The SENSS project, funded by the Department of Homeland Security, enables the victim of an attack to request attack monitoring and filtering on demand, and to pay only for the services rendered. Requests can be sent to both immediate and remote ISPs in an automated and secure manner, and can be authenticated by these ISPs without having prior trust with the victim. The adjacent figure shows the SENSS architecture and operation.

Simple and generic SENSS APIs enable victims to build custom detection and mitigation approaches against a variety of DDoS attacks. SENSS is deployable with today's infrastructure, and it has strong economic incentives—both for ISPs and for the attack victims.

SENSS is very effective in sparse deployment, offering full protection to direct customers of early adopters, and considerable protection to remote victims when deployed strategically. For example, in 2016 the large DNS provider "Dyn" was hit by a 600 Gbps attack; this disrupted services to more than 1,200 domains. If SENSS had been strategically deployed on only four ISPs close to Dyn, it would have filtered 100% of the attack within seconds.

The SENSS project will be piloted in three academic ISPs across the U.S. in 2019.

AARCLight—A Series of Underseas Fiber Optic Cable Networks in the South Atlantic

A USC/ISI researcher from the Networking and Cybersecurity Division facilitated a US-Africa side meeting for the AARCLight at the 2018 Internet2 Global Summit in San Diego, California. This meeting was aimed at defining consensus on the use of a South Atlantic research and education (R&E) network link to facilitate collaborations between Africa and North and South America. Later that year, ISI represented the project at the Ubuntunet Connect conference in Zanzibar, Tanzania, where we led a quantitative and qualitative survey of network operators in Africa and served as an invited speaker for the NSF-funded AARCLight planning project.

A series of new and existing undersea fiber optic telecommunication networks are connecting continents in the South Atlantic. With the exception of the SABR, Fortaleza (Brazil) is the landing point for all the cables listed here. 

  • The MONET undersea fiber optic cable system, which connects to Boca Raton and further connects to Miami, Florida (USA) and to Fortaleza and Santos (Brazil), has been operational since May 2018. It spans 10,556 km and has an initial design capacity of more than 64Tbps.

  • The 6,165 km undersea fiber optic cable system South Atlantic Cable System (SACS) between Fortaleza (Brazil) and Sangano (Angola) was completed in the third quarter of 2018 and is operational. SACS is owned and managed by Angola Cables, which has entered into an agreement with USC/ISI and Florida International University (FIU) for effectively 100 Gbps provisioned over the spectrum using coherent WDM technology. SACS offers a total design capacity of 40Tbit/s between Fortaleza (Brazil) and Luanda (Angola).

  • Almost at the same time, in September 2018, the completion of the close-to-6000-km undersea fiber optic cable system, from Fortaleza (Brazil) to Sines (Portugal), is currently planned and will be ready for service in 2020.

  • The 17,500 km America Movil (AMX-1) undersea fiber optic cable system, from Fortaleza (Brazil) to Jacksonville and Hollywood (USA), has been operational since 2015. AMX-1 has multiple landing points in Colombia, Brazil, the Dominican Republic, Puerto Rico, Guatemala, Mexico, and the United States.

  • Seaborn Networks' SABR undersea fiber optic cable network is currently being developed to connect Cape Town (South Africa) to Recife (Brazil), and eventually the USA. It will be ready for service in 2029.

The AARCLight project has created several components critical to revolutionizing U.S. collaboration with the African continent. It has developed a critical mass of connectivity by signing agreements with funding for spectrum between the U.S. and Luanda, Angola via Fortaleza, Brazil that could last 35 years. AARCLight has fostered critical research collaborations with the nascent and established African regional network consortiums, the UbuntuNet Alliance and WACREN. It has developed a critical partnership with SA NREN and TENET in South Africa to extend 100GB connectivity from Angola to Cape Town and on to East Africa. AARCLight has further strengthened the partnership with RNP and ANSP, the national R&E networks for Brazil and the State of Sao Paulo, where Brazilian collaboration in the operation and the development of U.S.-Brazil-Africa network connectivity will play a critical role.