{"title":"Disco: Fast, good, and cheap outage detection","authors":"Anant Shah, Romain Fontugne, E. Aben, C. Pelsser, R. Bush","doi":"10.23919/TMA.2017.8002902","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002902","url":null,"abstract":"Outage detection has been studied from different angles, such as active probing, analysis of background radiations, or control plane information. We approach outage detection from a new perspective. Disco is a detection technique that uses existing long-running TCP connections to identify bursts of disconnections. The benefits are considerable as we can monitor, without adding a single packet to the traffic, Internet-wide swaths of infrastructure that were not monitored previously because they are, for example, not responsive to ICMP probes or behind NATs. With Disco we analyze state changes on connections between RIPE Atlas probes and the RIPE Atlas infrastructure. This data, that is originally logged to monitor probe availability, has a small footprint and is available as a publicly accessible live stream, which makes light-weight near real-time outage detection possible. Probes perform planned traceroute measurements regardless of their connectivity to the RIPE Atlas infrastructure. This gives us a no cost advantage of viewing the outage inside out as the probes experienced it, characterizing the outage after the fact. Thus, we present an outage detection system able to run in near real-time (fast), with a precision of 95% (good), and without generating any new measurement traffic (cheap). We studied historical probe disconnections from 2011 to 2016 and report on the 443 most prominent outages. 
To validate our results we inspected traceroute results from affected probes and compared our detection to that of Trinocular.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126190844","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MONROE-SOPHIA — A software radio platform for mobile network measurement","authors":"P. Sutton, Ismael Gómez Miguelez","doi":"10.23919/TMA.2017.8002915","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002915","url":null,"abstract":"SOPHIA is the software radio extension to the MONROE measurement and experimentation project. Under MONROE, fixed and mobile nodes for network measurement and experimentation have been distributed across 4 European countries. Each node provides a powerful platform for wireless systems analysis, consisting of a flexible PC and a number of mobile broadband modems connected to different operator networks. Through the SOPHIA project extension, MONROE nodes have been enhanced with software radio capabilities, greatly expanding the range of measurements and experiments which can be supported by the platform. This paper presents the SOPHIA project extension, describing the baseband and RF front-end hardware selected to enhance the MONROE nodes and outlining the software tools which can be leveraged by the new, enhanced platform. The capabilities of the SOPHIA-enhanced MONROE platform are illustrated using detailed performance measurements of LTE networks, obtained during Mobile World Congress 2017 in Barcelona, Spain.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"117 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133530521","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Profiling internet scanners: Spatiotemporal structures and measurement ethics","authors":"J. Mazel, Romain Fontugne, K. Fukuda","doi":"10.23919/TMA.2017.8002909","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002909","url":null,"abstract":"Scanning is ubiquitous on the Internet. It assists administrators to troubleshoot their own network, researchers to survey the Internet, and malicious actors to assess the attack surface of targeted networks. As users requirements vary, scans in the wild exhibit very diverse characteristics. For example, the coverage, stealthiness and probing speed are drastically varying from one scanning IP to another. In this paper, we study 15 years of backbone traffic to understand the evolution of mass-scanning tool usage, scanning pattern and the concentration of scanning IPs (also called scanners) in small networks. We also propose a new method to classify scanning IPs' spatial and temporal structure into three profiles that reveal vastly different intent. In particular, we find that 33% of scanners repeatedly target the same set of hosts. If unsolicited, identifying this behavior provides good insights on the malicious intent of scanners. In the case of innocuous scanners, publicly documenting scanning activities and giving right to opt out are common ethical practices. Our study shows that documented scanning IPs behave differently from the vast majority of scanners. 
Furthermore, only 39% of these entities follow online documentation best practices.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"83 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121611648","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Does anycast hang up on you?","authors":"Lan Wei, J. Heidemann","doi":"10.23919/TMA.2017.8002905","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002905","url":null,"abstract":"Anycast-based services today are widely used commercially, with several major providers serving thousands of important websites. However, to our knowledge, there has been only limited study of how often anycast fails because routing changes interrupt connections between users and their current anycast site. While the commercial success of anycast CDNs means anycast usually works well, do some users end up shut out of anycast? In this paper we examine data from more than 9000 geographically distributed vantage points (VPs) to 11 anycast services to evaluate this question. Our contribution is the analysis of this data to provide the first quantification of this problem, and to explore where and why it occurs. We see that about 1% of VPs are anycast unstable, reaching a different anycast site frequently (sometimes every query). Flips back and forth between two sites in 10 seconds are observed in selected experiments for given service and VPs. Moreover, we show that anycast instability is persistent for some VPs — a few VPs never see a stable connections to certain anycast services during a week or even longer. The vast majority of VPs only saw unstable routing towards one or two services instead of instability with all services, suggesting the cause of the instability lies somewhere in the path to the anycast sites. Finally, we point out that for highly-unstable VPs, their probability to hit a given site is constant, which means the flipping are happening at a fine granularity — per packet level, suggesting load balancing might be the cause to anycast routing flipping. 
Our findings confirm the common wisdom that anycast almost always works well, but provide evidence that a small number of locations in the Internet where specific anycast services are never stable.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"74 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123116458","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Towards a renewed alias resolution with space search reduction and IP fingerprinting","authors":"J. Grailet, B. Donnet","doi":"10.23919/TMA.2017.8002907","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002907","url":null,"abstract":"Since the early 2000's, the Internet Topology has been frequently described and modeled from the perspective of routers. To this end, alias resolution mechanisms have been developed in order to aggregate all IP interfaces of a router, collected with traceroute, into a single identifier. So far, many active measurement techniques have been considered, often taking advantage of specific features from network protocols. However, a lot of these methods have seen their efficiency decrease over time due to security reinforcements across the Internet. In this paper, we introduce a generic methodology to conduct efficient and scalable alias resolution. It combines the space search reduction of TreeNET (a tool for efficiently discovering subnets) with a fingerprinting process used to assess the feasibility of several state-of-the-art alias resolution methods, using a small, fixed amount of probes. We validate our method along MIDAR on an academic groundtruth and demonstrate that our methodology can achieve similar accuracy while using less probes and discovering subnets in the process. We further evaluate our method with measurements made on PlanetLab towards several distinct ASes of varying sizes and roles in the Internet. The collected data shows that some properties of our fingerprints correlate with each other, hinting some observed profiles could be linked with equipment vendors. 
Both TreeNET (which implements our methodology) and our dataset are freely available.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"112 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124251157","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Do you see me now? Sparsity in passive observations of address liveness","authors":"J. Mirkovic, G. Bartlett, J. Heidemann, Hao Shi, Xiyue Deng","doi":"10.23919/TMA.2017.8002908","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002908","url":null,"abstract":"Accurate information about address and block usage in the Internet has many applications in planning address allocation, topology studies, and simulations. Prior studies used active probing, sometimes augmented with passive observation, to study macroscopic phenomena, such as the overall usage of the IPv4 address space. This paper instead studies the completeness of passive sources: how well they can observe microscopic phenomena such as address usage within a given network. We define sparsity as the limitation of a given monitor to see a target, and we quantify the effects of interest, temporal, and coverage sparsity. To study sparsity, we introduce inverted analysis, a novel approach that uses complete passive observations of a few end networks (three campus networks in our case) to infer what of these networks would be seen by millions of virtual monitors near their traffic's destinations. Unsurprisingly, we find that monitors near popular content see many more targets and that visibility is strongly influenced by bipartite traffic between clients and servers. We are the first to quantify these effects and show their implications for the study of Internet liveness from passive observations. We find that visibility is heavy-tailed, with only 0.5% monitors seeing more than 10% of our targets' addresses, and is most affected by interest sparsity over temporal and coverage sparsity. Visibility is also strongly bipartite. Monitors of a different class than a target (e.g., a server monitor observing a client target) outperform monitors of the same class as a target in 82–99% of cases in our datasets. 
Finally, we find that adding active probing to passive observations greatly improves visibility of both server and client target addresses, but is not critical for visibility of target blocks. Our findings are valuable to understand limitations of existing measurement studies, and to develop methods to maximize microscopic completeness in future studies.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127897499","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Measurement survey of server-side DNSSEC adoption","authors":"Matthäus Wander","doi":"10.23919/TMA.2017.8002913","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002913","url":null,"abstract":"This paper answers the question how far DNSSEC signing has found adoption in practice. By applying zone enumeration techniques on all top-level domains we gather the number of 6.4 million signed second-level domains. This figure is a complete snapshot of the DNSSEC ecosystem as of January 2017. The adoption concentrates among a small number of top-level domains, some of them having half of their domains signed with DNSSEC, while most top-level domains have adoption ratios of 1%, or less. The majority of top-level domains use NSEC3 hashing to thwart zone enumeration, but GPU-based zone enumeration allows us to recover 79% of cleartext domain names. Most second-level domains use RSA as signing algorithm with a combination of 2048-bit and 1024-bit keys, but 512-bit keys are also common despite being demonstrably insecure. ECDSA adoption has grown to 8% within the last two years. 0.45% of domains are not signed correctly and fail to validate. However, there are fewer domains failing due to DNSSEC errors than due to other misconfigurations or network problems.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130655381","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"FilteredWeb: A framework for the automated search-based discovery of blocked URLs","authors":"Alexander Darer, Oliver Farnan, Joss Wright","doi":"10.23919/TMA.2017.8002914","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002914","url":null,"abstract":"Various methods have been proposed for creating and maintaining lists of potentially filtered URLs to allow for measurement of ongoing internet censorship around the world. Whilst testing a known resource for evidence of filtering can be relatively simple, given appropriate vantage points, discovering previously unknown filtered web resources remains an open challenge. We present a novel framework for automating the process of discovering filtered resources through the use of adaptive queries to well-known search engines. Our system applies information retrieval algorithms to isolate characteristic linguistic patterns in known filtered web pages; these are used as the basis for web search queries. The resulting URLs of these searches are checked for evidence of filtering, and newly discovered blocked resources will be fed back into the system to detect further filtered content. Our implementation of this framework, applied to China as a case study, shows the approach is demonstrably effective at detecting significant numbers of previously unknown filtered web pages, making a significant contribution to the ongoing detection of internet filtering as it develops. When deployed, this system was used to discover 1355 poisoned domains within China as of Feb 2017 — 30 times more than in the most widely-used published filter list of the time. Of these, 759 are outside of the Alexa Top 1000 domains list, demonstrating the capability of this framework to find more obscure filtered content. 
Further, our initial analysis of filtered URLs, and the search terms that were used to discover them, gives further insight into the nature of the content currently being blocked in China.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"6 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2017-04-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115723370","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Large-scale classification of IPv6-IPv4 siblings with variable clock skew","authors":"Quirin Scheitle, Oliver Gasser, Minoo Rouhi, G. Carle","doi":"10.23919/TMA.2017.8002901","DOIUrl":"https://doi.org/10.23919/TMA.2017.8002901","url":null,"abstract":"Linking the growing IPv6 deployment to existing IPv4 addresses is an interesting field of research, be it for network forensics, structural analysis, or reconnaissance. In this work, we focus on classifying pairs of server IPv6 and IPv4 addresses as siblings, i.e., running on the same machine. Our methodology leverages active measurements of TCP timestamps and other network characteristics, which we measure against a diverse ground truth of 682 hosts. We define and extract a set of features, including estimation of variable (opposed to constant) remote clock skew. On these features, we train a manually crafted algorithm as well as a machine-learned decision tree. By conducting several measurement runs and training in cross-validation rounds, we aim to create models that generalize well and do not overfit our training data. We find both models to exceed 99% precision in train and test performance. We validate scalability by classifying 149k siblings in a large-scale measurement of 371k sibling candidates. We argue that this methodology, thoroughly cross-validated and likely to generalize well, can aid comparative studies of IPv6 and IPv4 behavior in the Internet. 
Striving for applicability and replicability, we release ready-to-use source code and raw data from our study.","PeriodicalId":118082,"journal":{"name":"2017 Network Traffic Measurement and Analysis Conference (TMA)","volume":"3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2016-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131866059","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}