Presentation on theme: "Network Operations Research Nick Feamster"— Presentation transcript:
Network Operations Research Nick Feamster http://www.cc.gatech.edu/~feamster/
What is Network Operations? Security: spam, denial of service, botnets Troubleshooting: reachability and performance problems, equipment failures, configuration problems, etc. Three problem areas –Detection –Identification: What is causing the problem? –Mitigation: How to fix the problem? Helping network operators run secure, robust, highly available communications networks.
Research Areas Monitoring and Diagnosis –rcc: Router Configuration Checker Network Virtualization Internet Availability and Accessibility –Failure Recovery –Anti-Censorship Network Security –Spam Filtering –Information-Flow Control
4 Problem: Network Configuration Problems cause downtime Problems often not immediately apparent What happens if I tweak this policy…?
5 rcc Solution: rcc Normalized Representation Correctness Specification Constraints Faults Analyzing complex, distributed configuration Defining a correctness specification Mapping specification to constraints Verifying global correctness with local information Components Distributed router configurations (Single AS) Feamster & Balakrishnan, Detecting BGP Configuration Faults with Static Analysis, NSDI 2005 Best Paper, ACM/USENIX Symposium on Networked Systems Design and Implemntation (NSDI), 2005
rcc: Summary of Contributions Correctness specification for Internet routing –Path visibility –Route validity –Safety Static analysis of routing configuration –Global correctness guarantees with only local checks New results on global stability Analysis of 17 real-world networks Practical and research significance –Downloaded by over sixty operators.
Problem: Spam Spam: About 80% of todays email is abusive –Content filtering doesnt work Network monitoring: Todays network devices were designed for yesterdays threats –Circa 2000: Worms, DDoS –Today: Botnets, spam, click fraud, etc.
Idea: Study Network-Level Properties Ramachandran et al. Understanding the Network-Level Behavior of Spammers, Best Paper, ACM SIGCOMM, 2006 Ultimate goal: Construct spam filters based on network- level properties, rather than content Content-based properties are malleable Low cost to evasion: Spammers can alter content High admin cost: Filters must be continually updated Content-based filters are applied at the destination Too little, too late: Wasted network bandwidth, storage, etc.
9 Spam Study: Major Findings Where does spam come from? –Most received from few regions of IP address space Do spammers hijack routes? –A small set of spammers continually advertise short-lived routes How is spam sent? –Most coming from Windows hosts (likely, bots) ~ 10 minutes
SNARE: Network-Based Filtering Filter email based on how it is sent, in addition to simply what is sent. Network-level properties are less malleable –Network/geographic location of sender and receiver –Set of target recipients –Hosting or upstream ISP (AS number) –Membership in a botnet (spammer, hosting infrastructure) Shuang Hao et al., Detecting Spammers with SNARE, USENIX Security Sympoisium, August 2009
Spam Filtering: Summary of Results Spam increasing, spammers becoming agile –Content filters are falling behind –IP-Based blacklists are evadable Up to 30% of spam not listed in common blacklists at receipt. ~20% remains unlisted after a month Complementary approach: behavioral blacklisting based on network-level features –Key idea: Blacklist based on how messages are sent –SNARE: Automated sender reputation ~90% accuracy of existing with lightweight features –SpamTracker: Spectral clustering catches significant amounts faster than existing blacklists –SpamSpotter: Putting it together in an RBL system
Network Virtualization ACM SIGCOMM 2006
13 Today: ISPs Serve Two Roles Infrastructure providers: Maintain routers, links, data centers, other physical infrastructure Service providers: Offer services (e.g., layer 3 VPNs, performance SLAs, etc.) to end users Role 1: Infrastructure ProvidersRole 2: Service Providers No single party has control over an end-to-end path.
14 Instead: Elastic Networks Interesting Questions –Network embedding –System building –Economics and markets Infrastructure providers: maintain physical infrastructure needed to build networks Service providers: lease slices of physical infrastructure from one or more providers
Virtual Networks Need Connectivity Strawman –Default routes –Public IP address Problems –Experiments may need to see all upstream routes –Experiments may need more control over traffic Need BGP –Setting up individual sessions is cumbersome –…particularly for transient experiments ISP 1 ISP 2 BGP Sessions GENI