Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS590B/690B Measuring network interference (Fall 2016)

Published byBruce Glenn Modified over 6 years ago

Similar presentations

Presentation on theme: "CS590B/690B Measuring network interference (Fall 2016)"— Presentation transcript:

1 CS590B/690B Measuring network interference (Fall 2016)
Lecture 04 Phillipa Gill, Umass -- AMherst ACKs: Slides based on material from Nick weaver’s presentation at the connaught summer institute 2013 Also from: Kurose + Ross; Computer Networking a Top Down approach featuring the Internet (6th edition)

2 Administrative note Project list posted. Link is on the Piazza forum
Projects are fairly open ended End goal is a 6-8 page research paper First official milestone: Project Idea talk Oct. 20 Optional: 1-2 page write up of project plan in GDoc, send to me via and set up 30 minute meeting slot to discuss. CS590 folks may opt for CS690 grading scheme, but must commit to that. Send include “[CS590B690B]” in the subject line to me about this. Presentation sign up need folks for these two papers: Web trip-wires Here Be Proxies

3 Administrative notes 2 Questions about paper readings:
Should have last weeks and today’s in for today (Papers on the course site are the same as in HotCRP!) Will give til Friday Sept. 23 for folks to catch up Review marks will be based on review + participating in HotCRP discussions Assignment 1 is posted! Due: Sept 27

4 Where we are Last time: TCP Resets for censorship
On path vs. In path censorship Questions?

5 Test your understanding
What is the difference between an in-path and on-path censor? What are the pros of each approach? Cons? What are the two race conditions that can occur with reset injectors? What headers would you look at to ID a reset injector? How would you localize an injector to a specific location in the network? If the TCP reset occurs before the HTTP GET what can you say about the trigger? After?

6 Overview Block IP addresses IP layer Disrupt TCP flows
TCP (transport layer) Many possible triggers Block hostnames DNS (application layer) Disrupt HTTP transfers HTTP (application layer) Today

7 Domain name system (dns)

8 DNS name resolution example
root DNS server 2 host at cis.poly.edu wants IP address for gaia.cs.umass.edu 3 TLD DNS server 4 5 iterated query: contacted server replies with name of server to contact “I don’t know this name, but ask this server” local DNS server dns.poly.edu 7 6 1 8 authoritative DNS server dns.cs.umass.edu requesting host cis.poly.edu gaia.cs.umass.edu Application Layer

9 DNS: a distributed, hierarchical database
Root DNS Servers com DNS servers org DNS servers edu DNS servers poly.edu DNS servers umass.edu yahoo.com amazon.com pbs.org Application Layer

10 DNS: root name servers root name server:
contacted by local name server that can not resolve name root name server: contacts authoritative name server if name mapping not known gets mapping returns mapping to local name server c. Cogent, Herndon, VA (5 other sites) d. U Maryland College Park, MD h. ARL Aberdeen, MD j. Verisign, Dulles VA (69 other sites ) k. RIPE London (17 other sites) i. Netnod, Stockholm (37 other sites) e. NASA Mt View, CA f. Internet Software C. Palo Alto, CA (and 48 other sites) m. WIDE Tokyo (5 other sites) 13 root name “servers” worldwide a. Verisign, Los Angeles CA (5 other sites) b. USC-ISI Marina del Rey, CA l. ICANN Los Angeles, CA (41 other sites) g. US DoD Columbus, OH (5 other sites) Application Layer

11 TLD, authoritative servers
top-level domain (TLD) servers: responsible for com, org, net, edu, aero, jobs, museums, and all top-level country domains, e.g.: uk, fr, ca, jp Network Solutions maintains servers for .com TLD Educause for .edu TLD authoritative DNS servers: organization’s own DNS server(s), providing authoritative hostname to IP mappings for organization’s named hosts can be maintained by organization or service provider Application Layer

12 RR format: (name, value, type, ttl)
DNS records DNS: distributed db storing resource records (RR) RR format: (name, value, type, ttl) type=A name is hostname value is IP address type=CNAME name is alias name for some “canonical” (the real) name is really servereast.backup2.ibm.com value is canonical name type=NS name is domain (e.g., foo.com) value is hostname of authoritative name server for this domain type=MX value is name of mailserver associated with name Application Layer

13 DNS protocol, messages msg header
query and reply messages, both with same message format 2 bytes 2 bytes identification flags # questions questions (variable # of questions) # additional RRs # authority RRs # answer RRs answers (variable # of RRs) authority (variable # of RRs) additional info (variable # of RRs) msg header identification: 16 bit # for query, reply to query uses same # flags: query or reply recursion desired recursion available reply is authoritative Application Layer

14 DNS protocol, messages name, type fields for a query RRs in response
2 bytes 2 bytes identification flags # questions questions (variable # of questions) # additional RRs # authority RRs # answer RRs answers (variable # of RRs) authority (variable # of RRs) additional info (variable # of RRs) name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used Application Layer

15 DNS: caching, updating records
once (any) name server learns mapping, it caches mapping cache entries timeout (disappear) after some time (TTL) TLD servers typically cached in local name servers thus root name servers not often visited cached entries may be out-of-date (best effort name-to-address translation!) if name host changes IP address, may not be known Internet-wide until all TTLs expire update/notify mechanisms proposed IETF standard RFC 2136 Application Layer

16 Ok … so now we know about DNS
… how can we block it! A few things to keep in mind … No cryptographic integrity of DNS messages DNSSEC proposed but not widely implemented Caching of replies means leakage of bad DNS data can persist

17 Blocking dns names

18 Blocking dns names

19 Types of false DNS responses
DNS RESPONSE A DNS RESPONSE A DNS RESPONSE A NXDOMAIN 3rd Party DNS Server ( ) DNS QTYPE A DNS Server ( ) DNS RESPONSE A (correct IP) Block page server ( ) Home connection ( ) This diagram assumes ISP DNS Server is complicit.

20 Blocking DNS names Option A: get ISP resolver on board
(Previous slide) Option B: On-path packet injection similar to TCP Resets Can be mostly countered with DNS-hold-open: Don’t take the first answer but instead wait for up to a second Generally reliable when using an out of country recursive resolve E.g., Can be completely countered by DNS-hold-open + DNSSEC Accept the first DNS reply which validates

21 Reading from Web … Hold-On: Protecting Against On-Path DNS Poisoning
H. Duan, N. Weaver, Z. Zhao, M. Hu, J. Liang, J. Jiang, K. Li, and V. Paxson. Idea: Once you receive a DNS packet, wait for a predefined “hold-on” period before accepting the result. DNSSEC is still vulnerable to these injected packets and does not make hold-on unneccessary Inject a reply with an invalid signature: client will reject Use active measurements to determine the expected TTL and RTT to the server.

22 Chinese DNS censorship
Digging into China’s DNS censorship from the outside Repeating this may be an interesting course project. Another paper you might consider:

23 Next time … Filtering of Web requests at application layer.

24 Additional SLIDES

Download ppt "CS590B/690B Measuring network interference (Fall 2016)"

Similar presentations

DNS – Domain Name system Converting domain names to IP addresses since 1983.

DNS – Domain Name system Converting domain names to IP addresses since 1983.
Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.
1 EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

1 EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
Domain Name System (or Service) (DNS) Computer Networks Computer Networks Spring 2012 Spring 2012.

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Spring 2012 Spring 2012.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
2: Application Layer1 FTP, SMTP and DNS. 2: Application Layer2 FTP: separate control, data connections r FTP client contacts FTP server at port 21, specifying.

2: Application Layer1 FTP, SMTP and DNS. 2: Application Layer2 FTP: separate control, data connections r FTP client contacts FTP server at port 21, specifying.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts, routers: –IP address (32 bit) - used for addressing datagrams –“name”, e.g., gaia.cs.umass.edu.

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts, routers: –IP address (32 bit) - used for addressing datagrams –“name”, e.g., gaia.cs.umass.edu.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach, 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July 2007.

2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach, 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July 2007.
Application Layer12-1 2010 session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.

Application Layer session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.
CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT 745 Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.

CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.
Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.

Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.
Name Resolution and DNS. Domain names and IP addresses r People prefer to use easy-to-remember names instead of IP addresses r Domain names are alphanumeric.

Name Resolution and DNS. Domain names and IP addresses r People prefer to use easy-to-remember names instead of IP addresses r Domain names are alphanumeric.
Chapter 2 Application Layer

Chapter 2 Application Layer
2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.

2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
CS 4396 Computer Networks Lab

CS 4396 Computer Networks Lab

Similar presentations

Ads by Google