Internet Measurements. 2 Web of interconnected networks Grows with no central authority Autonomous Systems…

Internet Measurements

2

Web of interconnected networks• Grows with no central authority• Autonomous Systems optimize local communication efficiency• The building blocks are engineered and studied in depth• Global entity has not been characterized

Most real world complex-networks have non-trivial properties.

Global properties can not be inferred from local ones• Engineered with large technical diversity• Range from local campuses to transcontinental backbone

providers

Internet

Need for Internet measurements arises due to commercial, social, and technical issues

• Realistic simulation environment for developed products,

• Improve network management

• Robustness with respect to failures/attacks

• Comprehend spreading of worms/viruses

• Know social trends in Internet use

• Scientific discovery

• Scale-free (power-law), Small-world, Rich-club, Dissasortativity,…

Internet Measurements

3

Internet Topology Measurement

4CAIDA 2006


5CAIDA 2006


6Dandelion 2001


7

8Walrus


9CAIDA 2006

Direct probing

Indirect probing

A DB C

Internet Topology MeasurementsProbing

IPB TTL=64

IPB

IPD TTL=64

IPD

Vantage Point

A DB C

Vantage Point

IPB

IPD TTL=2IPD TTL=1

IPC

10

Autonomous System Level Mapping

11

Historical

Internet Topology Discovery 12


Autonomous System Level Mapping

14

15

Traffic Measurements Monitoring and measuring network traffic

• to produce better models of network behavior• to diagnose failures and detect anomalies• to defend against unwanted traffic

Live weather map• Internernet2

PlanetLab

16

Code-Red Worm On July 19, 2001, more than 359,000 computers connected to the

Internet were infected with the Code-Red (CRv2) worm in less than 14 hours

Spread

17

Sapphire Worm was the fastest computer worm in history

• doubled in size every 8.5 seconds• infected more than 90 percent of vulnerable hosts within 10

minutes.

18

Witty Worm reached its peak activity after approximately 45 minutes

• at which point the majority of vulnerable hosts had been infected World USA

19

Nyxem Email Virus Estimate of total number of infected computers is

between 470K and 945K At least 45K of the infected computers were also

compromised by other forms of spyware or botware

Spread

20

Scam Hosting Study dynamics of scam hosting infrastructure

21

Measurement Studies Glasnost

• tests whether BitTorrent is being blocked or throttled BW-meter

• Measurement tools for the capacity and load of Internet paths NPAD Diagnostics Servers

• Automatic diagnostic server for troubleshooting end-systems and last-mile network problems

iPlane• construct a router interface-level atlas of the Internet• measuring link attributes

Hubble• find persistent Internet black holes as they occur

22

Internet Measurements The Internet is man-made, so why do we need to

measure it?

• Because we still don’t really understand it• Sometimes things go wrong• Malicious users

• Measurement for network operations• Detecting and diagnosing problems• What-if analysis of future changes

• Measurement for scientific discovery• Creating accurate models that represent reality• Identifying new features and phenomena

23

Questions ?


Probe packets are carefully constructed to elicit intended response from a probe destination

traceroute probes all nodes on a path towards a given destination• TTL-scoped probes obtain ICMP error messages from routers on the path• ICMP messages includes the IP address of intermediate routers as its source

Merging end-to-end path traces yields the network map

S DA B C

Destination

Internet Topology MeasurementTopology Collection (traceroute)

TTL=1

IPA

TTL=2

IPB

TTL=3

IPC

TTL=4

IPD

Vantage Point

25

Internet Topology Measurement:Background

26

S

L

U

H

C

N

W

A

s.2

l.1

s.3

u.1

l.3

u.3

h.1

k.3

h.2

h.3

a.3

u.2k.1 c.4

a.1 a.2

w.3c.3w.1

c.2

n.1 n.3

w.2

l.2

K

c.1

k.2

dh.4

Trace to Seattle

h.4

l.3

s.2

Trace to NY

h.4

a.3

w.3

n.3

Internet2 backbone

Internet Topology Measurement:Background

27

S

L

UC

N

A

s.2

l.1

s.3

u.1

l.3

h.1

k.3

h.2

a.3

u.2k.1 c.4

a.1 a.2

w.3c.3w.1

c.2

n.1 n.3

w.2

l.2

K

c.1

k.2

h.3

dh.4

s.1e f

n.2

H

W

u.3

28

Sampling to discover networks • Infer characteristics of the topology

Different studies considered • Effect of sample size [Barford 01]• Sampling bias [Lakhina 03]• Path accuracy [Augustin 06] • Sampling approach [Gunes 07]• Utilized protocol [Gunes 08]

• ICMP echo request• TCP syn • UDP port unreachable

Topology SamplingIssues

Anonymous Router Resolution Problem

Anonymous routers do not respond to traceroute probes and appear as a in path traces• Same router may appear as a in multiple traces.• Anonymous nodes belonging to the same router should be resolved.

Anonymity Types1. Ignore all ICMP packets2. ICMP rate-limiting3. Ignore ICMP when congested4. Filter ICMP at border5. Private IP address

29


Internet2 backboneS

L

U

K

C

H

A

W

Ne

d

Traces• d - - L - S - e• d - - A - W - - f• e - S - L - - d• e - S - U - - C - - f• f - - C - - - d• f - - C - - U - S - e

30

f


U K C N

L H A W

S

d

e

f

Sampled network

d

e

fS U

L

C

AW

Resulting network

31

Traces• d - - L - S - e• d - - A - W - - f• e - S - L - - d• e - S - U - - C - - f• f - - C - - - d• f - - C - - U - S - e

32

Graph Based InductionCommon Structures

Parallel nodes

Ax C y2y1

y3

Ax C y2y1

y3

Star

DA wx

C y

E z

DA wx

C y

E z

Complete Bipartite

A

C

x

y

D w

F v

E z

A

C

x

y

D w

F v

E z

Clique

A

C

x

y

D w

E z

A

C

x

y

D w

E z

Each interface of a router has an IP address.

A router may respond withdifferent IP addresses to different queries.

Alias Resolution is the process of grouping the interface IP addresses of each router into a single node.

Inaccuracies in alias resolution may result in a network map that• includes artificial links/nodes • misses existing links

Alias Resolution:

.5.33

.18

.13.7

Denver

33

34

S

L

UC

N

W

A

s.2

l.1

s.3

u.1

l.3

u.3

h.1

k.3

h.2

a.3

u.2k.1 c.4

a.1 a.2

w.3c.3

w.1c.2

n.1n.3

w.2

l.2

K

c.1

k.2

h.3

dh.4

s.1e f

n.2

HTraces• d - h.4 - l.3 - s.2 - e• d - h.4 - a.3 - w.3 - n.3 - f• e - s.1 - l.1 - h.1 - d• e - s.1 - u.1 - k.1 - c.1 - n.1 - f• f - n.2 - c.2 - k.2 - h.2 - d• f - n.2 - c.2 - k.2 - u.2 - s.3 - e

IP Alias ResolutionProblem

35

IP Alias ResolutionProblem

U K C N

L H A W

S

d

e

fSampled network

Sample map without alias resolution

s.3

s.1

s.2

l.3

l.1

u.1

u.2

k.1 c.1 n.1

n.2k.2 c.2

w.3a.3

h.2

h.4

h.1

e

d

f

n.3

Traces• d - h.4 - l.3 - s.2 - e• d - h.4 - a.3 - w.3 - n.3 - f• e - s.1 - l.1 - h.1 - d• e - s.1 - u.1 - k.1 - c.1 - n.1 - f• f - n.2 - c.2 - k.2 - h.2 - d• f - n.2 - c.2 - k.2 - u.2 - s.3 - e

36

Genuine Subnet ResolutionProblem

Alias resolution• IP addresses that belong to the same router

Subnet resolution• IP addresses that are connected over the same medium

IP2 IP3

IP4IP1

IP6 IP5

IP2 IP3

IP1

IP2 IP3

IP1

Documents

Internet Measurements. 2 Web of interconnected networks Grows with no central authority Autonomous Systems…