1 / 27

Computer Networks

Computer Networks. Zhenhai Duan Department of Computer Science 9/15/2011. Research Area. Computer networks, in particular, Internet protocols, architectures, and systems Quality of Service ( QoS ) provisioning Internet inter-domain routing Internet systems security

aletha
Download Presentation

Computer Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Networks ZhenhaiDuan Department of Computer Science 9/15/2011

  2. Research Area • Computer networks, in particular, Internet protocols, architectures, and systems • Quality of Service (QoS) provisioning • Internet inter-domain routing • Internet systems security • Overlay and peer-to-peer systems • Network measurement • Details and publications • http://www.cs.fsu.edu/~duan

  3. A Few Projects that I will Discuss • Packet scheduling algorithms • Improving Internet inter-domain routing performance • Controlling IP spoofing • Detecting compromised machines (botnets)

  4. Can you hear me now? Internet QoS Provisioning on the Internet • Current Internet provides a best-effort service • No service guarantees in terms of bandwidth or end-to-end delay • Many new applications require more stringent service guarantees • VoIP and real-time video streaming • Games • Mission-critical applications • Online financial transactions • Power grid control system

  5. Why current Internet cannot provide QoS guarantees? • A number of factors (routing, architecture, etc) • A key limitation is the First Come First Served (FCFS) packet scheduling algorithm used by routers

  6. Two Fundamental Approaches to Designing New Packet Scheduling • Round-robin packet scheduling algorithms • Low complexity: O(1) • Bad QoS performance: O(#flow)

  7. r Time stamp based fair queueing packet scheduling algorithms • Emulating a single-flow system • Time stamp based packet scheduling • Compute and assign time stamps to each packet • Scheduling based on time stamps • Good performance: O(rate), largely independent of other flows • High complexity: O(#flow) C

  8. C More Scalable Packet Schedulers • Hybrid round-robin and time-stamp based approach • FRR • IEEE INFOCOM 2005 • IEEE ToC 2009 • Core stateless packet schedulers • VTRS, SETF, DETF • ACM SIGCOMM 2000, IEEE ICNP 2001, IEEE ICCCN 2006 • IEEE JSAC 2000, IEEE TPDS 2004, 2005

  9. Internet Inter-Domain Routing • Consists of large number of network domains (ASes) • Each owns one or multiple network prefixes • FSU campus network: 128.186.0.0/16 • Intra-domain and inter-domain routing protocols • Intra-domain: OSPF and IS-IS • Inter-domain: BGP, a path-vector routing protocol • BGP • Used to exchange network prefix reachability information • Network prefix, AS-level path to reach network prefix • Path selection algorithm

  10. NLRI=128.186.0.0/16 ASPATH=[0] NLRI=128.186.0.0/16 ASPATH=[10] NLRI=128.186.0.0/16 ASPATH=[10] NLRI=128.186.0.0/16 ASPATH=[210] NLRI=128.186.0.0/16 ASPATH=[610] NLRI=128.186.0.0/16 ASPATH=[610] NLRI=128.186.0.0/16 ASPATH=[210] NLRI=128.186.0.0/16 ASPATH=[7610] NLRI=128.186.0.0/16 ASPATH=[4210] NLRI=128.186.0.0/16 ASPATH=[3210] NLRI=128.186.0.0/16 ASPATH=[53210] BGP: an Example [3210]* [4210] [7610] 128.186.0.0/16

  11. Performance Issues with BGP • Instability • At anytime, large number of BGP messages exchanged • Slow convergence • After a network failure event, it takes a long time for routing system to converge from one stable state to another stable state • They are related, but not the same

  12. Live BGP Updates • Team Cymru • http://www.cymru.com/BGP/bgp_updates.html • BGPlay at RouteView • http://bgplay.routeviews.org/

  13. Network Dynamics • Internet has about 38,600ASes and 370,000 network prefixes (as of 09/03/2011) • In a system this big, things happen all the time • Fiber cuts, equipment outages, operator errors. • Direct consequence on routing system • Events may propagated through entire Internet • Recomputing/propagating best routes • Large number of BGP updates exchanged between ASes • Effects on user-perceived network performance • Long network delay • Packet loss • Even loss of network connectivity

  14. NLRI=128.186.0.0/16 ASPATH=[57610] NLRI=128.186.0.0/16 ASPATH=[54210] NLRI=128.186.0.0/16 Withdrawal Causes of BGP instability and long convergence • Protocol artifacts of BGP • Constraints of physical propagation • Internet is a GLOBAL network [3210]* [4210] [7610] 128.186.0.0/16

  15. Improving BGP stability and convergence • BGP protocol artifacts • EPIC: Carrying event origin in BGP updates • Propagation delays on different paths • Inter-domain failure vs. intra-domain failure • Multi-connectivity between Ases • Scalability and confidentiality • IEEE INFOCOM 2005 • Physical propagation constraints • Transient failures • TIDR: Localize failure events • Build back-up paths • IEEE GLOBECOM 2008

  16. c s s d d d Controlling IP Spoofing • What is IP spoofing? • Act to fake source IP address • Used by many DDoS attacks • Why it remains popular? • Hard to isolate attack traffic from legitimate one • Hard to pinpoint the true attacker • Many attacks rely on IP spoofing c d b a s

  17. s s d d Filtering based on Route • A key observation • Attackers can spoof source address, • But they cannot control route packets take • Requirement • Filters need to compute best path from src to dst • Filters need to know global topology info • Not available in path-vector based Internet routing system c d b a s

  18. Internet AS Relationship • Consists of large number of network domains, • Two common AS relationships • Provider-customer • Peering • AS relationships determine routing policies • A net effect of routing policies limit the number of routes between a pair of source and destination AS 174 Cogent AS 3356 Level 3 AS2828 XO Comm AS 11537 Internet2 AS 11096 FloridaNet AS 2553 FSU

  19. c d b a s Topological Routes vs. Feasible Routes • Topological routes • Loop-free paths between a pair of nodes • Feasible routes • Loop-free paths between a pair of nodes that not violate routing policies Topological routes Feasible routes s a d s b d s a b d s a c d s b a d s b c d s a b c d s a c b d s b a c d s b c a d c d s a d s b d b a s

  20. Inter-Domain Packet Filter • Identifying feasible upstream neighbors • Instead of filtering based on best path, based on feasible routes • Findings based on real AS graphs • IDPFs can effectively limit the spoofing capability of attackers • From 80% networks attackers cannot spoof source addresses • IDPFs are effective in helping IP traceback • All ASes can localize attackers to at most 28 Ases • IEEE INFOCOM 2006, IEEE TDSC 2008

  21. Detecting Compromised Computers in Networks • Botnet • Network of compromised machines, with a bot program installed to execute cmds from controller, without owners knowledge. • July 2009: Cyberattacks on government and commercial websites • in US and South Korea • About 50,000 compromised machines involved

  22. Motivation and Problem • Botnet becoming a major security issue • Spamming, DDoS, identity theft • sheer volume and wide spread

  23. SPOT: Detecting Spam Zombies by Monitoring Outgoing Messages • How to determine if a sending machine is compromised as emails pass through SPOT sequentially • Sequential probability ratio test (SPRT) • IEEE INFOCOM 2009, IEEE TDSC (accepted) A B

  24. Other Research Projects • BGP Security • ACM ASIACCS 2010 • Spam filtering • CEAS 2010, CEAS 2011 • Detecting phishing emails • CEAS 2010 • Security of anonymous networks • Tor and Freenet

  25. Thank you! • Questions and comments? • Details at my homepage • http://www.cs.fsu.edu/~duan

  26. BGP Security • Security relies on trust relationship among Ases • Who owns which prefixes/how to reach • Accidents (caused by human errors, not attacks) • 24 Feb 2008, AS 17557 took Youtube’s 208.65.163.0/24 • 07 May 2005, AS 174 took Google’s 64.233.161.0/24 • 24 Dec 2004, Anatomy of a Leak: AS9121 (100K+ routes) • 6 Apr 2001: C&W routing instability (full routing table announced) • Check NANOG mailing list for more accidents • Network prefix hijacking • Origin spoofing, and path spoofing • Existing solutions • PKI-based secure BGP (S-BGP)

  27. RBF: Region-Based BGP Update Filtering • Two region granularities considered • Country-level and RIR-level • ACM ASIACCS 2010

More Related