Post on 17-Jan-2016
Internet Measurements
2
Web of interconnected networks• Grows with no central authority
• Autonomous Systems optimize local communication efficiency
• The building blocks are engineered and studied in depth
• Global entity has not been characterized
Most real world complex-networks have non-trivial properties.
Global properties can not be inferred from local ones• Engineered with large technical diversity
• Range from local campuses to transcontinental backbone providers
Internet
Need for Internet measurements arises due to commercial, social, and technical issues
• Realistic simulation environment for developed products,
• Improve network management
• Robustness with respect to failures/attacks
• Comprehend spreading of worms/viruses
• Know social trends in Internet use
• Scientific discovery
• Scale-free (power-law), Small-world, Rich-club, Dissasortativity,…
Internet Measurements
3
Internet Topology Measurement
4CAIDA 2006
Internet Topology Measurement
5CAIDA 2006
Internet Topology Measurement
6
Internet Topology Measurement
7CAIDA 2006
IPv4 address space (2010)
8
browse
Direct probing
Indirect probing
A DB C
Internet Topology MeasurementsProbing
IPB TTL=64
IPB
IPD TTL=64
IPD
Vantage Point
A DB C
Vantage Point
IPB
IPD TTL=2IPD TTL=1
IPC
9
Probe packets are carefully constructed to elicit intended response from a probe destination
traceroute probes all nodes on a path towards a given destination• TTL-scoped probes obtain ICMP error messages from routers on the path
• ICMP messages includes the IP address of intermediate routers as its source
Merging end-to-end path traces yields the network map
movie
S DA B C
Destination
Internet Topology MeasurementTopology Collection (traceroute)
TTL=1
IPA
TTL=2
IPB
TTL=3
IPC
TTL=4
IPD
Vantage Point
10
Internet Topology Measurement:Background
11
S
L
U
H
C
N
W
A
s.2
l.1
s.3
u.1
l.3
u.3
h.1
k.3
h.2
h.3
a.3
u.2k.1 c.4
a.1 a.2
w.3c.3
w.1c.2
n.1 n.3
w.2
l.2
K
c.1
k.2
dh.4
Trace to Seattle
h.4
l.3
s.2
Trace to NY
h.4
a.3
w.3
n.3
Internet2 backbone
Internet Topology Measurement:Background
12
S
L
U
C
N
A
s.2
l.1
s.3
u.1
l.3
h.1
k.3
h.2
a.3
u.2k.1 c.4
a.1 a.2
w.3c.3
w.1c.2
n.1 n.3
w.2
l.2
K
c.1
k.2
h.3
dh.4
s.1e f
n.2
H
W
u.3
13
Sampling to discover networks • Infer characteristics of the topology
Different studies considered • Effect of sample size [Barford 01]
• Sampling bias [Lakhina 03]
• Path accuracy [Augustin 06]
• Sampling approach [Gunes 07]
• Utilized protocol [Gunes 08]
• ICMP echo request
• TCP syn
• UDP port unreachable
Topology SamplingIssues
Unresponsive Router Resolution Problem
Unresponsive routers do not respond to traceroute probes and appear as a in path traces• Same router may appear as a in multiple traces.
• Unknown nodes belonging to the same router should be resolved.
Unresponsiveness Types1. Ignore all ICMP packets
2. ICMP rate-limiting
3. Ignore ICMP when congested
4. Filter ICMP at border
5. Private IP address
14
Unresponsive Router Resolution Problem
Internet2 backboneS
L
U
K
C
H
A
W
N
e
d
Traces• d - - L - S - e• d - - A - W - - f• e - S - L - - d• e - S - U - - C - - f• f - - C - - - d• f - - C - - U - S - e
15
f
Unresponsive Router Resolution Problem
U K C N
L H A W
S
d
e
f
Sampled network
d
e
fS U
L
C
AW
Resulting network
16
Traces• d - - L - S - e• d - - A - W - - f• e - S - L - - d• e - S - U - - C - - f• f - - C - - - d• f - - C - - U - S - e
17
Graph Based InductionCommon Structures
Parallel nodes
Ax C y2
y1
y3
Ax C y2
y1
y3
Star
DA wx
C y
E z
DA wx
C y
E z
Complete Bipartite
A
C
x
y
D w
F v
E z
A
C
x
y
D w
F v
E z
Clique
A
C
x
y
D w
E z
A
C
x
y
D w
E z
Each interface of a router
has an IP address. A router may respond with
different IP addresses to
different queries.
Alias Resolution is the process of grouping the interface IP addresses of each router into a single node.
Inaccuracies in alias resolution may result in a network map that• includes artificial links/nodes
• misses existing links
Alias Resolution:
.5.33
.18
.13.7
Denver
18
19
S
L
U
C
N
W
A
s.2
l.1
s.3
u.1
l.3
u.3
h.1
k.3
h.2
a.3
u.2k.1 c.4
a.1 a.2
w.3c.3
w.1c.2
n.1n.3
w.2
l.2
K
c.1
k.2
h.3
d
h.4
s.1e f
n.2
HTraces• d - h.4 - l.3 - s.2 - e• d - h.4 - a.3 - w.3 - n.3 - f• e - s.1 - l.1 - h.1 - d• e - s.1 - u.1 - k.1 - c.1 - n.1 - f• f - n.2 - c.2 - k.2 - h.2 - d• f - n.2 - c.2 - k.2 - u.2 - s.3 - e
IP Alias ResolutionProblem
20
IP Alias ResolutionProblem
U K C N
L H A W
S
d
e
fSampled network
Sample map without alias resolution
s.3
s.1
s.2
l.3
l.1
u.1
u.2
k.1 c.1 n.1
n.2k.2 c.2
w.3
a.3
h.2
h.4
h.1
e
d
f
n.3
Traces• d - h.4 - l.3 - s.2 - e• d - h.4 - a.3 - w.3 - n.3 - f• e - s.1 - l.1 - h.1 - d• e - s.1 - u.1 - k.1 - c.1 - n.1 - f• f - n.2 - c.2 - k.2 - h.2 - d• f - n.2 - c.2 - k.2 - u.2 - s.3 - e
21
Genuine Subnet ResolutionProblem
Alias resolution
• IP addresses that belong to the same router
Subnet resolution
• IP addresses that are connected over the same medium
IP2 IP3
IP4IP1
IP6 IP5
IP2 IP3
IP1
IP2 IP3
IP1
Autonomous System Level Mapping
22
Historical
Internet Topology Discovery 23
Internet Topology Discovery 24
Internet Topology Discovery 25
Autonomous System Level Mapping
26
27
Internet Topology Discovery 28
2010
Traffic Measurements
Traffic Measurements Monitoring and measuring network traffic
• to produce better models of network behavior
• to diagnose failures and detect anomalies
• to defend against unwanted traffic
Live weather map• Internernet2
PlanetLab
30
Traffic flow monitoring
31
Cisco US traffic estimate
32
Cisco Monthly Traffic Volume
33
DNS Workload for the Chilean TLD the number of queries and clients seen by one of
the .CL nameservers in Chile • its hourly variation along two days of traces on July 3rd 2007
animation
34
Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the
Internet were infected with the Code-Red (CRv2) worm in less than 14 hours
Spread
35
Sapphire Worm was the fastest computer worm in history
• doubled in size every 8.5 seconds
• infected more than 90 percent of vulnerable hosts within 10 minutes.
36
Witty Worm reached its peak activity after approximately 45 minutes
• at which point the majority of vulnerable hosts had been infected
World USA
37
Nyxem Email Virus Estimate of total number of infected computers is
between 470K and 945K
At least 45K of the infected computers were also compromised by other forms of spyware or botware
Spread
38
Scam Hosting Study dynamics of scam hosting infrastructure
39
Measurement Studies Cheleby
• map Internet backbone
iPlane• construct an atlas of the Internet, measuring link attributes
Glasnost• tests whether BitTorrent is being blocked or throttled
BW-meter• Measurement tools for the capacity and load of Internet paths
NPAD Diagnostics Servers• Automatic diagnostic server for troubleshooting end-systems and
last-mile network problems
Hubble• find persistent Internet black holes as they occur
40
Internet Measurements The Internet is man-made, so why do we need to
measure it?
• Because we still don’t really understand it• Sometimes things go wrong
• Malicious users
• Measurement for network operations• Detecting and diagnosing problems
• What-if analysis of future changes
• Measurement for scientific discovery• Creating accurate models that represent reality
• Identifying new features and phenomena
41