Computer Networks Zhenhai Duan Department of Computer Science 9/15/2011.

Slides:



Advertisements
Similar presentations
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Advertisements

Routing Basics.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
The need for BGP AfNOG Workshops Philip Smith. “Keeping Local Traffic Local”
Towards More Adaptive Internet Routing Mukund Seshadri Prof. Randy Katz.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
S ufficient C onditions to G uarantee P ath V isibility Akeel ur Rehman Faridee
Interdomain Routing and The Border Gateway Protocol (BGP) Courtesy of Timothy G. Griffin Intel Research, Cambridge UK
MIRED: Managing IP Routing is Extremely Difficult Jennifer Rexford Internet and Networking Systems AT&T Labs - Research; Florham Park, NJ
Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)
Dynamics of Hot-Potato Routing in IP Networks Renata Teixeira (UC San Diego) with Aman Shaikh (AT&T), Tim Griffin(Intel),
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Exterior Gateway Protocols: EGP, BGP-4, CIDR Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.
Routing.
Stable Internet Routing Without Global Coordination Jennifer Rexford AT&T Labs--Research
04/05/20011 ecs298k: Routing in General... lecture #2 Dr. S. Felix Wu Computer Science Department University of California, Davis
Stable Internet Routing Without Global Coordination Jennifer Rexford AT&T Labs--Research
Stable Internet Routing Without Global Coordination Jennifer Rexford AT&T Labs--Research Joint work with Lixin Gao.
Building a Strong Foundation for a Future Internet Jennifer Rexford ’91 Computer Science Department (and Electrical Engineering and the Center for IT Policy)
EQ-BGP: an efficient inter- domain QoS routing protocol Andrzej Bęben Institute of Telecommunications Warsaw University of Technology,
Network Sensitivity to Hot-Potato Disruptions Renata Teixeira (UC San Diego) with Aman Shaikh (AT&T), Tim Griffin(Intel),
Authors Renata Teixeira, Aman Shaikh and Jennifer Rexford(AT&T), Tim Griffin(Intel) Presenter : Farrukh Shahzad.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
1 Computer Communication & Networks Lecture 22 Network Layer: Delivery, Forwarding, Routing (contd.)
Routing Protocols RIP, OSPF, BGP. A Routing Protocol’s Job Is to Find a “Best” Path between Any Pair of Nodes Routers in a network exchange their routing.
Information-Centric Networks04a-1 Week 4 / Paper 1 Open issues in Interdomain Routing: a survey –Marcelo Yannuzzi, Xavier Masip-Bruin, Olivier Bonaventure.
Introduction to BGP.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
Computer Networks Zhenhai Duan Department of Computer Science 09/03/2015.
IDRM: Inter-Domain Routing Protocol for Mobile Ad Hoc Networks C.-K. Chau, J. Crowcroft, K.-W. Lee, S. H.Y. Wong.
Lecture 4: BGP Presentations Lab information H/W update.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
BCNET Conference April 29, 2009 Andree Toonk BGPmon.net Prefix hijacking! Do you know who's routing your network? Andree Toonk
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.
BGP topics to be discussed in the next few weeks: –Excessive route update –Routing instability –BGP policy issues –BGP route slow convergence problem –Interaction.
T. S. Eugene Ngeugeneng at cs.rice.edu Rice University1 COMP/ELEC 429/556 Introduction to Computer Networks Inter-domain routing Some slides used with.
TCOM 509 – Internet Protocols (TCP/IP) Lecture 06_a Routing Protocols: RIP, OSPF, BGP Instructor: Dr. Li-Chuan Chen Date: 10/06/2003 Based in part upon.
Detecting Selective Dropping Attacks in BGP Mooi Chuah Kun Huang November 2006.
Routing protocols. Static Routing Routes to destinations are set up manually Route may be up or down but static routes will remain in the routing tables.
Internet Protocols. ICMP ICMP – Internet Control Message Protocol Each ICMP message is encapsulated in an IP packet – Treated like any other datagram,
CSCI-1680 Network Layer: Inter-domain Routing Based partly on lecture notes by Rob Sherwood, David Mazières, Phil Levis, Rodrigo Fonseca John Jannotti.
An internet is a combination of networks connected by routers. When a datagram goes from a source to a destination, it will probably pass through many.
Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.
1 Agenda for Today’s Lecture The rationale for BGP’s design –What is interdomain routing and why do we need it? –Why does BGP look the way it does? How.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
Spring 2000CS 4611 Routing Outline Algorithms Scalability.
7/11/0666th IETF1 QoS Enhancements to BGP in Support of Multiple Classes of Service Andreas Terzis Computer Science Department Johns Hopkins University.
Routing Protocols COSC 541 Data Commun. System & Networks Yue Dou.
Michael Schapira, Princeton University Fall 2010 (TTh 1:30-2:50 in COS 302) COS 561: Advanced Computer Networks
Inter-domain Routing Outline Border Gateway Protocol.
Traffic-aware Inter-Domain Routing for Improved Internet Routing Stability Zhenhai Duan Florida State University 1.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
IP Spoofing. What Is IP Spoofing Putting a fake IP address in the IP header field for source address (requires root)
ROUTING ON THE INTERNET COSC Jun-16. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.
1 Internet Routing 11/11/2009. Admin. r Assignment 3 2.
COMP 3270 Computer Networks
COS 561: Advanced Computer Networks
Routing.
Computer Networks and Network Security
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COMP/ELEC 429/556 Introduction to Computer Networks
COS 461: Computer Networks
Routing.
Presentation transcript:

Computer Networks Zhenhai Duan Department of Computer Science 9/15/2011

Research Area  Computer networks, in particular, Internet protocols, architectures, and systems Quality of Service (QoS) provisioning Internet inter-domain routing Internet systems security Overlay and peer-to-peer systems Network measurement  Details and publications 2

A Few Projects that I will Discuss  Packet scheduling algorithms  Improving Internet inter-domain routing performance  Controlling IP spoofing  Detecting compromised machines (botnets) 3

QoS Provisioning on the Internet  Current Internet provides a best-effort service No service guarantees in terms of bandwidth or end-to-end delay  Many new applications require more stringent service guarantees VoIP and real-time video streaming Games Mission-critical applications  Online financial transactions  Power grid control system 4 Internet Can you hear me now?

5 Why current Internet cannot provide QoS guarantees?  A number of factors (routing, architecture, etc)  A key limitation is the First Come First Served (FCFS) packet scheduling algorithm used by routers

6 Two Fundamental Approaches to Designing New Packet Scheduling  Round-robin packet scheduling algorithms Low complexity: O(1) Bad QoS performance: O(#flow)

7 Time stamp based fair queueing packet scheduling algorithms  Emulating a single-flow system  Time stamp based packet scheduling Compute and assign time stamps to each packet Scheduling based on time stamps Good performance: O(rate), largely independent of other flows High complexity: O(#flow) r C

More Scalable Packet Schedulers  Hybrid round-robin and time-stamp based approach FRR IEEE INFOCOM 2005 IEEE ToC 2009  Core stateless packet schedulers VTRS, SETF, DETF ACM SIGCOMM 2000, IEEE ICNP 2001, IEEE ICCCN 2006 IEEE JSAC 2000, IEEE TPDS 2004, 2005 C 8

Internet Inter-Domain Routing  Consists of large number of network domains (ASes) Each owns one or multiple network prefixes FSU campus network: /16  Intra-domain and inter-domain routing protocols Intra-domain: OSPF and IS-IS Inter-domain: BGP, a path-vector routing protocol  BGP Used to exchange network prefix reachability information  Network prefix, AS-level path to reach network prefix Path selection algorithm 9

10 BGP: an Example NLRI= /16 ASPATH=[0] /16 NLRI= /16 ASPATH=[10] NLRI= /16 ASPATH=[10] NLRI= /16 ASPATH=[210] NLRI= /16 ASPATH=[610] NLRI= /16 ASPATH=[610] NLRI= /16 ASPATH=[210] NLRI= /16 ASPATH=[7610] NLRI= /16 ASPATH=[4210] NLRI= /16 ASPATH=[3210] [3210]* [4210] [7610] NLRI= /16 ASPATH=[53210]

Performance Issues with BGP  Instability At anytime, large number of BGP messages exchanged  Slow convergence After a network failure event, it takes a long time for routing system to converge from one stable state to another stable state  They are related, but not the same 11

Live BGP Updates  Team Cymru  BGPlay at RouteView 12

13 Network Dynamics  Internet has about 38,600 ASes and 370,000 network prefixes (as of 09/03/2011)  In a system this big, things happen all the time Fiber cuts, equipment outages, operator errors.  Direct consequence on routing system Events may propagated through entire Internet Recomputing/propagating best routes Large number of BGP updates exchanged between ASes  Effects on user-perceived network performance Long network delay Packet loss Even loss of network connectivity

Causes of BGP instability and long convergence  Protocol artifacts of BGP  Constraints of physical propagation Internet is a GLOBAL network [3210]* [4210] [7610] NLRI= /16 ASPATH=[57610] NLRI= /16 ASPATH=[54210] NLRI= /16 Withdrawal /16 14

Improving BGP stability and convergence  BGP protocol artifacts EPIC: Carrying event origin in BGP updates Propagation delays on different paths Inter-domain failure vs. intra-domain failure Multi-connectivity between Ases Scalability and confidentiality  IEEE INFOCOM 2005  Physical propagation constraints Transient failures TIDR: Localize failure events Build back-up paths  IEEE GLOBECOM

Controlling IP Spoofing  What is IP spoofing? Act to fake source IP address Used by many DDoS attacks  Why it remains popular? Hard to isolate attack traffic from legitimate one Hard to pinpoint the true attacker Many attacks rely on IP spoofing cd ba s d c d s d s 16

Filtering based on Route  A key observation Attackers can spoof source address, But they cannot control route packets take  Requirement Filters need to compute best path from src to dst Filters need to know global topology info Not available in path-vector based Internet routing system cd ba s d s d s 17

Internet AS Relationship  Consists of large number of network domains,  Two common AS relationships Provider-customer Peering  AS relationships determine routing policies  A net effect of routing policies limit the number of routes between a pair of source and destination AS 2553 FSU AS FloridaNet AS 174 Cogent AS 3356 Level 3 AS2828 XO Comm AS Internet2 18

Topological Routes vs. Feasible Routes  Topological routes Loop-free paths between a pair of nodes  Feasible routes Loop-free paths between a pair of nodes that not violate routing policies cd ba s Topological routes s a d s b d s a b d s a c d s b a d s b c d s a b c d s a c b d s b a c d s b c a d Feasible routes s a d s b d cd ba s 19

Inter-Domain Packet Filter  Identifying feasible upstream neighbors Instead of filtering based on best path, based on feasible routes  Findings based on real AS graphs IDPFs can effectively limit the spoofing capability of attackers  From 80% networks attackers cannot spoof source addresses IDPFs are effective in helping IP traceback  All ASes can localize attackers to at most 28 Ases  IEEE INFOCOM 2006, IEEE TDSC

Detecting Compromised Computers in Networks  Botnet Network of compromised machines, with a bot program installed to execute cmds from controller, without owners knowledge.  July 2009: Cyberattacks on government and commercial websites in US and South Korea  About 50,000 compromised machines involved 21

Motivation and Problem  Botnet becoming a major security issue Spamming, DDoS, identity theft sheer volume and wide spread 22

SPOT: Detecting Spam Zombies by Monitoring Outgoing Messages  How to determine if a sending machine is compromised as s pass through SPOT sequentially Sequential probability ratio test (SPRT)  IEEE INFOCOM 2009, IEEE TDSC (accepted) AB 23

Other Research Projects  BGP Security ACM ASIACCS 2010  Spam filtering CEAS 2010, CEAS 2011  Detecting phishing s CEAS 2010  Security of anonymous networks Tor and Freenet 24

Thank you!  Questions and comments?  Details at my homepage 25

26 BGP Security  Security relies on trust relationship among Ases Who owns which prefixes/how to reach  Accidents (caused by human errors, not attacks) 24 Feb 2008, AS took Youtube’s /24 07 May 2005, AS 174 took Google’s /24 24 Dec 2004, Anatomy of a Leak: AS9121 ( 100K+ routes) 6 Apr 2001: C&W routing instability (f ull routing table announced) Check NANOG mailing list for more accidents  Network prefix hijacking Origin spoofing, and path spoofing  Existing solutions PKI-based secure BGP (S-BGP)

RBF: Region-Based BGP Update Filtering  Two region granularities considered Country-level and RIR-level  ACM ASIACCS