Internet Measurements

2 Web of interconnected networks Grows with no central authority Autonomous Systems optimize local communication efficiency The building blocks are engineered and studied in depth Global entity has not been characterized Most real world complex-networks have non-trivial properties. Global properties can not be inferred from local ones Engineered with large technical diversity Range from local campuses to transcontinental backbone providers Internet

Need for Internet measurements arises due to commercial, social, and technical issues Realistic simulation environment for developed products, Improve network management Robustness with respect to failures/attacks Comprehend spreading of worms/viruses Know social trends in Internet use Scientific discovery Scale-free (power-law), Small-world, Rich-club, Dissasortativity,… Internet Measurements 3

Internet Topology Measurement 4 CAIDA 2006

Internet Topology Measurement 5 CAIDA 2006

Internet Topology Measurement 6

7 CAIDA 2006

IPv4 address space (2010) 8 browse

Direct probing Indirect probing A DBC Internet Topology Measurements Probing IP B TTL=64 IP B IP D TTL=64 IP D Vantage Point A DBC IP B IP D TTL=2IP D TTL=1 IP C 9

Probe packets are carefully constructed to elicit intended response from a probe destination traceroute probes all nodes on a path towards a given destination TTL-scoped probes obtain ICMP error messages from routers on the path ICMP messages includes the IP address of intermediate routers as its source Merging end-to-end path traces yields the network map movie S DABC Destination Internet Topology Measurement Topology Collection (traceroute) TTL=1 IP A TTL=2 IP B TTL=3 IP C TTL=4 IP D Vantage Point 10

Internet Topology Measurement: Background 11 S L U H C N W A s.2 l.1 s.3 u.1 l.3 u.3 h.1 k.3 h.2 h.3 a.3 u.2 k.1 c.4 a.1 a.2 w.3 c.3 w.1 c.2 n.1 n.3 w.2 l.2 K c.1 k.2 d h.4 Trace to Seattle h.4 l.3 s.2 Trace to NY h.4 a.3 w.3 n.3 Internet2 backbone

Internet Topology Measurement: Background 12 S L U C N A s.2 l.1 s.3 u.1 l.3 h.1 k.3 h.2 a.3 u.2 k.1 c.4 a.1 a.2 w.3 c.3 w.1 c.2 n.1 n.3 w.2 l.2 K c.1 k.2 h.3 d h.4 s.1 e f n.2 H W u.3

13 Sampling to discover networks Infer characteristics of the topology Different studies considered Effect of sample size [Barford 01] Sampling bias [Lakhina 03] Path accuracy [Augustin 06] Sampling approach [Gunes 07] Utilized protocol [Gunes 08] ICMP echo request TCP syn UDP port unreachable Topology Sampling Issues

Unresponsive Router Resolution Problem Unresponsive routers do not respond to traceroute probes and appear as a  in path traces Same router may appear as a  in multiple traces. Unknown nodes belonging to the same router should be resolved. Unresponsiveness Types 1. Ignore all ICMP packets 2. ICMP rate-limiting 3. Ignore ICMP when congested 4. Filter ICMP at border 5. Private IP address 14

Unresponsive Router Resolution Problem Internet2 backbone S L U K C H A W N e d Traces d -  - L - S - e d -  - A - W -  - f e - S - L -  - d e - S - U -  - C -  - f f -  - C -  -  - d f -  - C -  - U - S - e 15 f

Unresponsive Router Resolution Problem UKCN LHAW S d e f Sampled network d e f S U L C A W Resulting network 16 Traces d -  - L - S - e d -  - A - W -  - f e - S - L -  - d e - S - U -  - C -  - f f -  - C -  -  - d f -  - C -  - U - S - e

17 Graph Based Induction Common Structures Parallel nodes A x C y2 y1 y3    A x C y2 y1 y3  Star DA wx C y E z  DA wx C y E z    Complete Bipartite A C x y D w F v E z  A C x y D w F v E z       Clique A C x y D w E z  A C x y D w E z      

Each interface of a router has an IP address. A router may respond with different IP addresses to different queries. Alias Resolution is the process of grouping the interface IP addresses of each router into a single node. Inaccuracies in alias resolution may result in a network map that includes artificial links/nodes misses existing links Alias Resolution: Denver 18

19 S L U C N W A s.2 l.1 s.3 u.1 l.3 u.3 h.1 k.3 h.2 a.3 u.2 k.1 c.4 a.1 a.2 w.3 c.3 w.1 c.2 n.1 n.3 w.2 l.2 K c.1 k.2 h.3 d h.4 s.1 e f n.2 H Traces d - h.4 - l.3 - s.2 - e d - h.4 - a.3 - w.3 - n.3 - f e - s.1 - l.1 - h.1 - d e - s.1 - u.1 - k.1 - c.1 - n.1 - f f - n.2 - c.2 - k.2 - h.2 - d f - n.2 - c.2 - k.2 - u.2 - s.3 - e IP Alias Resolution Problem

20 IP Alias Resolution Problem UKCN LHAW S d e f Sampled network Sample map without alias resolution s.3 s.1 s.2 l.3 l.1 u.1 u.2 k.1 c.1n.1 n.2 k.2 c.2 w.3 a.3 h.2 h.4 h.1 e d f n.3 Traces d - h.4 - l.3 - s.2 - e d - h.4 - a.3 - w.3 - n.3 - f e - s.1 - l.1 - h.1 - d e - s.1 - u.1 - k.1 - c.1 - n.1 - f f - n.2 - c.2 - k.2 - h.2 - d f - n.2 - c.2 - k.2 - u.2 - s.3 - e

21 Genuine Subnet Resolution Problem Alias resolution IP addresses that belong to the same router Subnet resolution IP addresses that are connected over the same medium IP2IP3 IP4 IP1 IP6IP5 IP2 IP3 IP1 IP2IP3 IP1

Autonomous System Level Mapping 22 Historical

Internet Topology Discovery 23

Internet Topology Discovery 24

Internet Topology Discovery 25

Autonomous System Level Mapping 26

27

Internet Topology Discovery

Traffic Measurements

Monitoring and measuring network traffic to produce better models of network behavior to diagnose failures and detect anomalies to defend against unwanted traffic Live weather map Internernet2 PlanetLab 30

Traffic flow monitoring 31

Cisco US traffic estimate 32

Cisco Monthly Traffic Volume 33

DNS Workload for the Chilean TLD the number of queries and clients seen by one of the.CL nameservers in Chile its hourly variation along two days of traces on July 3rd 2007 animation 34

Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the Internet were infected with the Code-Red (CRv2) worm in less than 14 hours Spread 35

Sapphire Worm was the fastest computer worm in history doubled in size every 8.5 seconds infected more than 90 percent of vulnerable hosts within 10 minutes. 36

Witty Worm reached its peak activity after approximately 45 minutes at which point the majority of vulnerable hosts had been infected World USA 37

Nyxem Virus Estimate of total number of infected computers is between 470K and 945K At least 45K of the infected computers were also compromised by other forms of spyware or botware Spread 38

Scam Hosting Study dynamics of scam hosting infrastructure 39

Measurement Studies Cheleby map Internet backbone iPlane construct an atlas of the Internet, measuring link attributes Glasnost tests whether BitTorrent is being blocked or throttled BW-meter Measurement tools for the capacity and load of Internet paths NPAD Diagnostics Servers Automatic diagnostic server for troubleshooting end-systems and last-mile network problems Hubble find persistent Internet black holes as they occur 40

Internet Measurements The Internet is man-made, so why do we need to measure it? Because we still don’t really understand it Sometimes things go wrong Malicious users Measurement for network operations Detecting and diagnosing problems What-if analysis of future changes Measurement for scientific discovery Creating accurate models that represent reality Identifying new features and phenomena 41