Presentation is loading. Please wait.

Presentation is loading. Please wait.

WhoWas: A Platform for Measuring Web Deployments on IaaS Clouds Liang Wang *, Antonio Nappa +, Juan Caballero +, Thomas Ristenpart *, Aditya Akella * *

Published byByron Greer Modified over 9 years ago

Similar presentations

Presentation on theme: "WhoWas: A Platform for Measuring Web Deployments on IaaS Clouds Liang Wang *, Antonio Nappa +, Juan Caballero +, Thomas Ristenpart *, Aditya Akella * *"— Presentation transcript:

1 WhoWas: A Platform for Measuring Web Deployments on IaaS Clouds Liang Wang *, Antonio Nappa +, Juan Caballero +, Thomas Ristenpart *, Aditya Akella * * University of Wisconsin-Madison + IMDEA Software Institute 1

2 2 Motivation An increasing number services are using clouds Understanding cloud usage pattern is important What is the usage pattern of a website? How many instances are used by a website? Do tenants leverage elasticity? Is piratebay using EC2? Are there OpenVPN servers in EC2? - Design new services & applications - Design provisioning & scaling algorithm

3 3 Motivation Little research about how tenants use public clouds Deepfield, 2012: 1/3 of daily users, 1% of Internet traffic are associated with AWS He et al., IMC 2013: 4% of the Alexa top million are in EC2/Azure -Answer the question: Who is using public clouds? -Technique: Investage DNS entries for Alexa top websites and network packet capture data. -No insight into changes to deployment pattern over time Bermudez et al, INFOCOM 2013: Exploring the cloud from passive measurements: The Amazon AWS case

4 4 Contributions We develop a new measurement platform, WhoWas, to facilitate measurement studies of public cloud services WhoWas High churn rates of IPs used by services each day Most of web services use a single IP New software adopted slowly. Outdated software popular Quantify growth in usage of EC2 & Azure Quantify growth in usage of EC2 & Azure Small number of malicious websites in clouds

5 The WhoWas Platform Analysis Clustering Engine VPC Map Feature Generator IP ranges TCP SYN Probes At most 3 probes for an IP per day At most two GET requests for an IP per day HTTP GET: http(s)://1.1.1.1/ IP=1.1.1.1 Lightweight probing to associate content to IPs over time 5 WhoWas DB Analysis APIs

6 6 Ethical Measurement Design Lightweight, low-frequency probing Robots.txt checking Note in the User-Agent IP exclusion list Collected data kept private Servers are not designed to be public (many tenants didn’t realize their servers are public) Providers charge tenants based on traffic Privacy issues

7 EC2: 4,702,208 IPs Oct 2013 – Dec 2013 51 rounds Azure: 495,872 IPs Nov 2013 – Dec 2013 46 rounds About 900 GB data in total Data Collection & DataSets No. of clusters 24.4% of all IPs 22.6% of all IPs 24.3% of all IPs Overall growth of No. of IPs responding to probes: 4.9% in EC2 and 7.7% in Azure 7

8 WhoWas Engines--Clustering WhoWas offers a new clustering heuristic … How to find IPs being operated by the same website? … Webpage Clustering 8

9 9 WhoWas Engines--Clustering Feature Extractor Fingerprint (six-item tuple) Title Keywords Template Google Analytics ID Server version Simhash of HTML textual content HTML contents For two fingerprints, check if : title1=title2 & keyword1=keyword2 & template1=template2 & server1=server2 & GID1=GID2? No Different clusters Yes Same top level clusters Clusters Unsupervised clustering + Elbow method Use simhash

10 10 WhoWas Engines--Clustering The No. of clusters increased by : 3.3% in EC2 and 6.2% in Azure EC2: 1,767,072 simhashes 243,164 clusters Azure: 210,418 simhashes 31,728 clusters

11 11 WhoWas Engines--Clustering About 80% use 1 IP, 0.1% use more than 50 IPs Large clusters tend to leverage cloud elasticity Total #IPMean #IP/RoundMin #IPMax #IP 51,21133,14530,62434,509 15,2835,5975,4355,785 3,8692,0291,7242,228 22,2261,1671792,501 8,488617571,837 Top 5 clusters by average number of IP addresses used per round (EC2)

12 12 More Results from WhoWas 1.Feature Adoption 2.Malicious Activity 3.Cloud Availability 4.Software Adoption

13 13 More Results from WhoWas 1.Feature Adoption 2.Malicious Activity 3.Cloud Availability 4.Software Adoption

14 14 Virtual Private Cloud Mapping Host A, Public IP=a Host B, Public IP=b DNS Resolve Host A Resolve Host B Get a Private IP != a Always Get Public IP b VPC networksClassic network Default DNS hostname =region specific string + IP EC2 Data Center

15 15 EC2 VPC usage increase whereas classic decrease Change over time in classic-only, VPC-only, and mixed clusters in EC2 classic-onlyVPC-onlymixed clusters

16 16 More Results from WhoWas 1.Feature Adoption 2.Malicious Activity 3.Cloud Availability 4.Software Adoption

17 Lifetime of malicious IP is long 90+ days! Webpage from an IP URLs in webpage 60% up for 7+ days WhoWas DB Safe Browsing API IP is malicious IP is benign EC2: 1,393 malicious URLs 196 malicious IPs Azure: 14 malicious URLs 13 malicious IPs 17

18 18 File hosting services are used for distributing malicious contents Domain# of URLs flagged as malicious dl.dropboxusercontent.com993 dl.dropbox.com936 download-instantly.com295 tr.im268 www.wishdownload.com223 IP ranges Malicious activity history VirusTotal API EC2: 2,070 malicious IPs 13,752 malicious URLs Azure: No malicious IPs!

19 19 Cloud Measurement Challenge and Future VM 1.1.1.1 VM 1.1.1.1 Backend VM No public IP Backend VM No public IP Frontend VM Public IP = 1.1.1.1 Frontend VM Public IP = 1.1.1.1 VPC VM No default HTTP(S) Port VM No default HTTP(S) Port Firewall VM Default website Other websites VM Website VM Website: deny IP access Only see a portion of web servers Only see a portion of web sites’ pages Lower bound on number of IPs used by web services Able to find Fail to find

20 20 Other results are in the paper! Visit our website: www.cloudwhowas.org www.cloudwhowas.org to get more information!

21 21 Conclusion WhoWas: new measurement platform Lightweight probing to associate content to IPs over time Used WhoWas for several first-of-their-kind measurements: Growth rates of IP usage Identification of malicious websites Software adoption rate in clouds … Questions? www.cloudwhowas.org

22 22 Conclusion WhoWas: new measurement platform Lightweight probing to associate content to IPs over time Used WhoWas for several first-of-their-kind measurements: Growth rates of IP usage Identification of malicious websites Software adoption rate in clouds … Questions? www.cloudwhowas.org

Download ppt "WhoWas: A Platform for Measuring Web Deployments on IaaS Clouds Liang Wang *, Antonio Nappa +, Juan Caballero +, Thomas Ristenpart *, Aditya Akella * *"

Similar presentations

Emerging Platform#6: Cloud Computing B. Ramamurthy 6/20/20141 cse651, B. Ramamurthy.

Emerging Platform#6: Cloud Computing B. Ramamurthy 6/20/20141 cse651, B. Ramamurthy.
Antonio Nappa⇤‡, Zhaoyan Xu†, M

Antonio Nappa⇤‡, Zhaoyan Xu†, M
“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.

“It’s going to take a month to get a proof of concept going.” “I know VMM, but don’t know how it works with SPF and the Portal” “I know Azure, but.
Advanced Java Class Web Applications – Part 0 (Introduction)

Advanced Java Class Web Applications – Part 0 (Introduction)
1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.

1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Nikolay Tomitov Technical Trainer SoftAcad.bg.  What are Amazon Web services (AWS) ?  What’s cool when developing with AWS ?  Architecture of AWS 

Nikolay Tomitov Technical Trainer SoftAcad.bg.  What are Amazon Web services (AWS) ?  What’s cool when developing with AWS ?  Architecture of AWS 
Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.

Prophiler: A fast filter for the large-scale detection of malicious web pages Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2011/03/31 1.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Google AppEngine. Google App Engine enables you to build and host web apps on the same systems that power Google applications. App Engine offers fast.

Google AppEngine. Google App Engine enables you to build and host web apps on the same systems that power Google applications. App Engine offers fast.
11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.

11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.
Additional SugarCRM details for complete, functional, and portable deployment.

Additional SugarCRM details for complete, functional, and portable deployment.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
FALL 2012 DSCI5240 Graduate Presentation By Xxxxxxx.

FALL 2012 DSCI5240 Graduate Presentation By Xxxxxxx.
A User Experience-based Cloud Service Redeployment Mechanism KANG Yu.

A User Experience-based Cloud Service Redeployment Mechanism KANG Yu.
A Brief Overview by Aditya Dutt March 18 th ’ 2014 1Aditya Inc.

A Brief Overview by Aditya Dutt March 18 th ’ Aditya Inc.
PhD course - Milan, March 2010 - 05/09/2015 1 Some additional words about cloud computing Lionel Brunie National Institute of Applied Science (INSA) LIRIS.

PhD course - Milan, March /09/ Some additional words about cloud computing Lionel Brunie National Institute of Applied Science (INSA) LIRIS.
Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.
Session 10 Windows Platform Eng. Dina Alkhoudari.

Session 10 Windows Platform Eng. Dina Alkhoudari.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

Similar presentations

Ads by Google