Network Operations Nick Feamster


What is Network Operations?
- Security: spam, denial of service, botnets
- Troubleshooting: reachability and performance problems, equipment failures, configuration problems, etc.
- Three problem areas
  - Detection
  - Identification: What is causing the problem?
  - Mitigation: How to fix the problem?
Helping network operators run secure, robust, highly available communications networks.

Two Approaches
- Bandage approach: Tools and systems
  - Proactive: Static configuration analysis
  - Reactive: Analysis of network dynamics, traffic, etc.
- Clean slate approach: Network architecture
  - If we could change the network protocols, router design, etc., what might we do differently?

Problem: Network Configuration
- Problems cause downtime
- Problems often not immediately apparent
- What happens if I tweak this policy…?

Causes Catastrophic Faults

"…a glitch at a small ISP… triggered a major outage in Internet access across the country. The problem started when MAI Network Services...passed bad router information from one of its customers onto Sprint." -- news.com, April 25, 1997

"Microsoft's websites were offline for up to 23 hours...because of a [router] misconfiguration…it took nearly a day to determine what was wrong and undo the changes." -- wired.com, January 25, 2001

"WorldCom Inc…suffered a widespread outage on its Internet backbone that affected roughly 20 percent of its U.S. customer base. The network problems…affected millions of computer users worldwide. A spokeswoman attributed the outage to "a route table issue."" -- cnn.com, October 3, 2002

"A number of Covad customers went out from 5pm today due to, supposedly, a DDOS (distributed denial of service attack) on a key Level3 data center, which later was described as a route leak (misconfiguration)." -- dslreports.com, February 23, 2004

rcc Proactive Detection
[Figure labels: Distributed router configurations (Single AS), Normalized Representation, Correctness Specification, Constraints, Faults, Components]
- Analyzing complex, distributed configuration
- Defining a correctness specification
- Mapping specification to constraints
- Verifying global correctness with local information
Feamster & Balakrishnan, Detecting BGP Configuration Faults with Static Analysis, NSDI 2005 Best Paper, ACM/USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2005

Anomaly Detection and Identification
- What happens when the network doesn't behave as expected?
- Internet routing: lots of noise; what's important?
- Exploit network-wide dependencies of routing streams to detect anomalies
Student: Yiyi Huang

Network-Wide Dependencies

Network-Wide Detection Architecture

Major Findings

Problem: Spam
- Spam: About 80% of today's is abusive
  - Content filtering doesn't work
- Network monitoring: Today's network devices were designed for yesterday's threats
  - Circa 2000: Worms, DDoS
  - Today: Botnets, spam, click fraud, etc.

Idea: Study Network-Level Properties
Best Paper, ACM SIGCOMM, 2006. Student: Anirudh Ramachandran
Ultimate goal: Construct spam filters based on network-level properties, rather than content
- Content-based properties are malleable
  - Low cost to evasion: Spammers can alter content
  - High admin cost: Filters must be continually updated
- Content-based filters are applied at the destination
  - Too little, too late: Wasted network bandwidth, storage, etc.

Spam Study: Major Findings
- Where does spam come from?
  - Most received from few regions of IP address space
- Do spammers hijack routes?
  - A small set of spammers continually advertise short-lived routes
- How is spam sent?
  - Most coming from Windows hosts (bots)
[Figure annotation: ~ 10 minutes]

BGP Spectrum Agility
- Log IP addresses of SMTP relays
- Join with BGP route advertisements seen at network where spam trap is co-located.
- A small club of persistent players appears to be using this technique.
- Common short-lived prefixes and ASes / / / ~ 10 minutes
- Somewhere between 1-10% of all spam (some clearly intentional, others might be flapping)
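
The join described on this slide, sketched as an added example (not code from the presentation or the underlying study): each spam-trap log entry is matched against BGP announcement/withdrawal intervals, and relays covered by a route that was up only briefly are flagged. The record layouts, the 15-minute threshold, and all sample data (documentation prefixes and ASNs) are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Interval = namedtuple("Interval", "prefix origin_as start end")

# Constructed sample data: (seconds, Announce/Withdraw, prefix, origin AS).
BGP_UPDATES = [
    (0,    "A", "198.51.100.0/24", 64500),   # stable route, never withdrawn
    (1000, "A", "203.0.113.0/24",  64501),   # announced ...
    (1540, "W", "203.0.113.0/24",  64501),   # ... withdrawn 9 minutes later
    (5000, "A", "192.0.2.0/24",    64502),
    (9000, "W", "192.0.2.0/24",    64502),   # up for about 67 minutes
]
# Constructed spam-trap log: (seconds, IP address of the SMTP relay).
SPAM_LOG = [
    (1200, "203.0.113.25"),   # sent while the 9-minute route was up
    (1300, "198.51.100.7"),   # covered by the stable route
    (6000, "192.0.2.99"),     # covered by the 67-minute route
    (2000, "203.0.113.40"),   # arrives after the withdrawal: no covering route
]

def announcement_intervals(updates):
    """Pair each announcement with the next withdrawal of the same prefix."""
    open_routes, intervals = {}, []
    for ts, kind, prefix, asn in sorted(updates):
        net = ipaddress.ip_network(prefix)
        if kind == "A":
            open_routes.setdefault(net, (ts, asn))  # keep the earliest start
        elif kind == "W" and net in open_routes:
            start, origin = open_routes.pop(net)
            intervals.append(Interval(net, origin, start, ts))
    # Routes still up when the trace ends have an unknown lifetime (end=None).
    for net, (start, origin) in open_routes.items():
        intervals.append(Interval(net, origin, start, None))
    return intervals

def short_lived_spam_routes(spam_log, updates, max_lifetime=900):
    """Spam events whose relay sat inside a route that lived <= max_lifetime s."""
    hits = []
    for ts, relay in spam_log:
        ip = ipaddress.ip_address(relay)
        for iv in announcement_intervals(updates):
            if iv.end is None or not (iv.start <= ts <= iv.end):
                continue  # censored route, or spam outside the announcement
            lifetime = iv.end - iv.start
            if ip in iv.prefix and lifetime <= max_lifetime:
                hits.append((relay, str(iv.prefix), iv.origin_as, lifetime))
    return hits

if __name__ == "__main__":
    print(short_lived_spam_routes(SPAM_LOG, BGP_UPDATES))
```

Routes that are never withdrawn within the trace are skipped rather than treated as short-lived, since a route announced just before the capture ends would otherwise be a false positive.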

Mitigation: Network Monitoring
- In-network filtering
  - Requires the ability to detect botnets
- Question: Can we detect botnets by observing communication structure among hosts?
  - Example: Migration between command and control hosts
- New type of problem: essentially coupon collection
  - How good are current traffic sampling techniques at exposing these patterns?

Designing for Manageability
- Hosts at the edge have fine-grained views of
  - Unwanted traffic (e.g., spam)
  - Network performance
- Idea: Use that data to help network operators run their networks better

Two Approaches
- Bandage approach: Tools and systems
  - Proactive: Static configuration analysis
  - Reactive: Analysis of network dynamics, traffic, etc.
- Clean slate approach: Network architecture
  - If we could change the network protocols, router design, etc., what might we do differently?

Fixed Physical Topology, Arbitrary Virtual Topologies ACM SIGCOMM 2006

Concurrent Architectures: Better than One
- Interesting Questions
  - Network embedding
  - System building
  - Economics and markets
- Infrastructure providers: maintain physical infrastructure needed to build networks
- Service providers: lease slices of physical infrastructure from one or more providers

VINI Overview
- Runs real routing software
- Exposes realistic network conditions
- Gives control over network events
- Carries traffic on behalf of real users
- Is shared among many experiments
[Figure labels: Simulation, Emulation, Small-scale experiment, Live deployment, VINI]
Bridge the gap between lab experiments and live experiments at scale.

Goal: Control and Realism
- Control
  - Reproduce results
  - Methodically change or relax constraints
- Realism
  - Long-running services attract real users
  - Connectivity to real Internet
  - Forward high traffic volumes (Gb/s)
  - Handle unexpected events

Topology: Actual network | Arbitrary, emulated
Traffic: Real clients, servers | Synthetic or traces
Network Events: Observed in operational network | Inject faults, anomalies

PL-VINI: Prototype on PlanetLab
- First experiment: Internet In A Slice
  - XORP open-source routing protocol suite
  - Click modular router
- Clarify issues that VINI must address
  - Unmodified routing software on a virtual topology
  - Forwarding packets at line speed
  - Illusion of dedicated hardware
  - Injection of faults and other events

Click: Data Plane
- Performance
  - Avoid UML overhead
  - Move to kernel, FPGA
- Interfaces tunnels
  - Click UDP tunnels correspond to UML network interfaces
- Filters
  - Fail a link by blocking packets at tunnel
[Figure labels: XORP (routing protocols), UML, eth0, eth1, eth2, eth3, Control, Data, Click Packet Forward Engine, UmlSwitch element, Tunnel table, Filters]

Today: ISPs Serve Two Roles
- Infrastructure providers: Maintain routers, links, data centers, other physical infrastructure
- Service providers: Offer services (e.g., layer 3 VPNs, performance SLAs, etc.) to end users
[Figure labels: Role 1: Infrastructure Providers; Role 2: Service Providers]
No single party has control over an end-to-end path.

Coupling Causes Problems
- Deployment stalemates: Secure routing, multicast, etc.
  - Focus on incremental deployability cripples us
- Shrinking profits and commoditization: ISPs cannot enhance end-to-end service
  - No single ISP has purview over an entire path

As of 5:30 am EDT, October 5th, [2005], Level(3) terminated peering with Cogent without cause…even though both Cogent and Level(3) remained in full compliance …We are extending a special offering to single homed Level 3 customers. Cogent will offer any Level 3 customer, who is single homed to the Level 3 network on the date of this notice, one year of full Internet transit free of charge at the same bandwidth currently being supplied by Level 3.

… How do you think they're going to get to customers? Through a broadband pipe.. we have spent this capital and we have to have a return … there's going to have to be some mechanism for these people who use these pipes to pay for the portion they're using. –Edward Whitacre

Peering Tiffs: End-to-end connectivity is in the balance