Network Operations Research
Nick Feamster
http://www.cc.gatech.edu/~feamster/
What is Network Operations?
• Security: spam, denial of service, botnets
• Troubleshooting: reachability and performance problems, equipment failures, configuration problems, etc.
• Three problem areas
– Detection
– Identification: What is causing the problem?
– Mitigation: How to fix the problem?
Helping network operators run secure, robust, highly available communications networks.
Research Areas
• Monitoring and Diagnosis
– rcc: Router Configuration Checker
• Network Virtualization
• Internet Availability and Accessibility
– Failure Recovery
– Anti-Censorship
• Network Security
– Spam Filtering
– Information-Flow Control
Problem: Network Configuration
• Problems cause downtime
• Problems often not immediately apparent
What happens if I tweak this policy…?
Solution: rcc
[Figure: rcc components. Inputs: distributed router configurations (single AS). Stages labelled: Normalized Representation, Correctness Specification, Constraints, Faults.]
• Analyzing complex, distributed configuration
• Defining a correctness specification
• Mapping specification to constraints
• Verifying global correctness with local information
Feamster & Balakrishnan, “Detecting BGP Configuration Faults with Static Analysis”, NSDI 2005
Best Paper, ACM/USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2005
rcc: Summary of Contributions
• Correctness specification for Internet routing
– Path visibility
– Route validity
– Safety
• Static analysis of routing configuration
– Global correctness guarantees with only local checks
• New results on global stability
• Analysis of 17 real-world networks
• Practical and research significance
– Downloaded by over sixty operators
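The pipeline the rcc slides describe (normalize distributed configurations, derive constraints from a correctness specification, report faults) can be shown in miniature. The block below is an added illustration written for this page, not rcc's own code: it parses Cisco-style BGP configuration text from three assumed routers of one AS, builds a normalized per-router record, and checks two of the named properties. Path visibility is reduced here to "iBGP sessions form a full mesh" (route-reflector hierarchies, which rcc handles, are omitted as an assumption); route validity is reduced to "every route map a session references is defined on that router". Router names, loopback addresses and the configuration snippets are constructed sample input.

```python
"""Added example (not rcc itself): a miniature rcc-style static checker.

Normalizes Cisco-like BGP configuration from several routers of one AS
into a per-router record, then checks two properties from the rcc
correctness specification:
  * path visibility: iBGP sessions form a full mesh (assumption: no
    route reflectors in this example);
  * route validity: every route map a neighbor statement references is
    defined on that router.
Each check needs only the configuration of the routers it names.
"""
import re
from itertools import combinations

# Constructed sample input. Loopback addresses are assumed; on a real
# network they come from the interface configuration.
LOOPBACKS = {"r1": "10.0.0.1", "r2": "10.0.0.2", "r3": "10.0.0.3"}

CONFIGS = {
    "r1": """
router bgp 65001
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.3 remote-as 65001
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 route-map IMPORT-ISP in
route-map IMPORT-ISP permit 10
""",
    "r2": """
router bgp 65001
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.3 remote-as 65001
 neighbor 198.51.100.1 remote-as 64510
 neighbor 198.51.100.1 route-map EXPORT-CUST out
""",
    # r3 is missing its iBGP session to r2: a path visibility fault.
    "r3": """
router bgp 65001
 neighbor 10.0.0.1 remote-as 65001
""",
}

ROUTER_BGP = re.compile(r"^router bgp (\d+)")
NEIGHBOR_AS = re.compile(r"^\s*neighbor (\S+) remote-as (\d+)")
NEIGHBOR_MAP = re.compile(r"^\s*neighbor (\S+) route-map (\S+) (in|out)")
ROUTE_MAP = re.compile(r"^route-map (\S+) ")


def normalize(text):
    """Reduce one router's configuration to the facts the checks need."""
    rec = {"asn": None, "neighbors": {}, "maps_used": {}, "maps_defined": set()}
    for line in text.splitlines():
        if m := ROUTER_BGP.match(line):
            rec["asn"] = int(m.group(1))
        elif m := NEIGHBOR_AS.match(line):
            rec["neighbors"][m.group(1)] = int(m.group(2))
        elif m := NEIGHBOR_MAP.match(line):
            rec["maps_used"][m.group(2)] = (m.group(1), m.group(3))
        elif m := ROUTE_MAP.match(line):
            rec["maps_defined"].add(m.group(1))
    return rec


def normalize_all(configs):
    return {name: normalize(text) for name, text in configs.items()}


def ibgp_peers(rec, addr_to_router):
    """Routers this router has an iBGP (same-AS) session configured to."""
    return {addr_to_router[a] for a, asn in rec["neighbors"].items()
            if asn == rec["asn"] and a in addr_to_router}


def path_visibility_faults(normalized, loopbacks):
    """(a, b) pairs where a has no iBGP session to b; full mesh expected."""
    addr_to_router = {addr: name for name, addr in loopbacks.items()}
    peers = {n: ibgp_peers(rec, addr_to_router) for n, rec in normalized.items()}
    faults = []
    for a, b in combinations(sorted(normalized), 2):
        if b not in peers[a]:
            faults.append((a, b))
        if a not in peers[b]:
            faults.append((b, a))
    return faults


def route_validity_faults(normalized):
    """(router, route_map) pairs where a referenced route map is undefined."""
    return [(name, rm) for name, rec in sorted(normalized.items())
            for rm in sorted(rec["maps_used"]) if rm not in rec["maps_defined"]]


if __name__ == "__main__":
    norm = normalize_all(CONFIGS)
    print("path visibility faults:", path_visibility_faults(norm, LOOPBACKS))
    print("route validity faults:", route_validity_faults(norm))
```

Running it reports that r3 has no session to r2 (so routes learned at r2 are invisible to r3) and that r2 applies a route map, EXPORT-CUST, it never defines; what an undefined route map does to a session is vendor-specific, which is exactly why static analysis should flag it before deployment.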
Problem: Spam
• Spam: about 80% of today’s email is “abusive”
– Content filtering doesn’t work
• Network monitoring: today’s network devices were designed for yesterday’s threats
– Circa 2000: worms, DDoS
– Today: botnets, spam, click fraud, etc.
Idea: Study Network-Level Properties
Ramachandran et al. “Understanding the Network-Level Behavior of Spammers”, Best Paper, ACM SIGCOMM, 2006
• Ultimate goal: Construct spam filters based on network-level properties, rather than content
• Content-based properties are malleable
– Low cost to evasion: spammers can alter content
– High admin cost: filters must be continually updated
• Content-based filters are applied at the destination
– Too little, too late: wasted network bandwidth, storage, etc.
Spam Study: Major Findings
• Where does spam come from?
– Most received from few regions of IP address space
• Do spammers hijack routes?
– A small set of spammers continually advertise short-lived routes
• How is spam sent?
– Most coming from Windows hosts (likely bots)
SNARE: Network-Based Filtering
• Filter email based on how it is sent, in addition to simply what is sent.
• Network-level properties are less malleable– Network/geographic location of sender and receiver
– Set of target recipients
– Hosting or upstream ISP (AS number)
– Membership in a botnet (spammer, hosting infrastructure)
Shuang Hao et al., “Detecting Spammers with SNARE”, USENIX Security Symposium, August 2009
Spam Filtering: Summary of Results
• Spam increasing, spammers becoming agile
– Content filters are falling behind
– IP-based blacklists are evadable
• Up to 30% of spam not listed in common blacklists at receipt; ~20% remains unlisted after a month
• Complementary approach: behavioral blacklisting based on network-level features
– Key idea: blacklist based on how messages are sent
– SNARE: automated sender reputation
  • ~90% of the accuracy of existing blacklists, using lightweight features
– SpamTracker: spectral clustering
  • Catches significant amounts of spam faster than existing blacklists
– SpamSpotter: putting it together in an RBL system
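To make "filter on how a message is sent" concrete, the block below is an added example written for this page; it is not SNARE, SpamTracker or SpamSpotter code and does not reproduce their models. It scores a sender from two of the network-level properties the SNARE slide lists: the sender's upstream AS (looked up in an assumed prefix-to-AS table standing in for a BGP feed) and the sender's sending pattern across target recipient domains, compared by cosine similarity to the pattern of a previously confirmed spammer, which is the intuition behind behavioral blacklisting. The prefix table, AS spam rates, log records, reference pattern, weights and threshold are all constructed assumptions.

```python
"""Added example (not SNARE/SpamTracker code): scoring an email sender
on network-level features instead of message content.

Features used:
  * origin AS of the sender IP and that AS's past spam rate;
  * the sender's distribution of messages over recipient domains,
    compared by cosine similarity to a known spammer's pattern.
All tables and thresholds below are constructed for illustration.
"""
import ipaddress
from collections import Counter
from math import sqrt

# Constructed prefix -> origin AS table (stands in for a BGP routing feed).
PREFIX_TO_AS = {
    "203.0.113.0/24": 64500,    # assumed: AS with many infected hosts
    "198.51.100.0/24": 64510,   # assumed: well-run hosting AS
}
# Constructed per-AS history: fraction of past messages confirmed as spam.
AS_SPAM_RATE = {64500: 0.85, 64510: 0.05}

# Constructed SMTP log: (sender_ip, recipient_domain), one entry per message.
LOG = [
    ("203.0.113.7", "example.com"), ("203.0.113.7", "example.net"),
    ("203.0.113.7", "example.org"), ("203.0.113.7", "example.org"),
    ("198.51.100.9", "example.com"), ("198.51.100.9", "example.com"),
]
DOMAINS = ["example.com", "example.net", "example.org"]
# Sending pattern of a previously confirmed spammer (messages per domain).
KNOWN_SPAM_PATTERN = Counter({"example.com": 10, "example.net": 10, "example.org": 20})


def origin_as(ip):
    """Longest-prefix style lookup is unnecessary here: prefixes don't overlap."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn in PREFIX_TO_AS.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None


def sending_patterns(log):
    """Per-sender message counts over recipient domains."""
    patterns = {}
    for ip, domain in log:
        patterns.setdefault(ip, Counter())[domain] += 1
    return patterns


def cosine(a, b, keys=DOMAINS):
    dot = sum(a[k] * b[k] for k in keys)
    na = sqrt(sum(a[k] ** 2 for k in keys))
    nb = sqrt(sum(b[k] ** 2 for k in keys))
    return dot / (na * nb) if na and nb else 0.0


def score_sender(ip, pattern):
    """Combine the two features with equal (assumed) weights into [0, 1]."""
    asn = origin_as(ip)
    as_feature = AS_SPAM_RATE.get(asn, 0.5)          # unknown AS: neutral prior
    pattern_feature = cosine(pattern, KNOWN_SPAM_PATTERN)
    return {
        "asn": asn,
        "as_spam_rate": as_feature,
        "pattern_similarity": round(pattern_feature, 3),
        "score": round(0.5 * as_feature + 0.5 * pattern_feature, 3),
    }


def classify(log, threshold=0.6):
    """Return per-sender feature dicts with a 'spam' verdict at the threshold."""
    result = {}
    for ip, pattern in sending_patterns(log).items():
        entry = score_sender(ip, pattern)
        entry["spam"] = entry["score"] >= threshold
        result[ip] = entry
    return result


if __name__ == "__main__":
    for ip, verdict in classify(LOG).items():
        print(ip, verdict)
```

The point of the exercise is what the spammer cannot cheaply change: rewriting message bodies leaves the origin AS and the recipient-domain pattern untouched, whereas moving to a cleaner AS or spreading the same volume over a different domain mix costs real infrastructure. Note that the AS-rate feature alone would make the whole AS 64500 look bad; the pattern feature is what separates one sender from its neighbours.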
Network Virtualization
ACM SIGCOMM 2006
Today: ISPs Serve Two Roles
• Infrastructure providers: Maintain routers, links, data centers, other physical infrastructure
• Service providers: Offer services (e.g., layer 3 VPNs, performance SLAs, etc.) to end users
[Figure: Role 1: Infrastructure Providers; Role 2: Service Providers]
No single party has control over an end-to-end path.
Instead: Elastic Networks
• Interesting questions
– Network embedding
– System building
– Economics and markets
• Infrastructure providers: maintain physical infrastructure needed to build networks
• Service providers: lease “slices” of physical infrastructure from one or more providers
Virtual Networks Need Connectivity
• Strawman
– Default routes
– Public IP address
• Problems
– Experiments may need to see all upstream routes
– Experiments may need more control over traffic
• Need “BGP”
– Setting up individual sessions is cumbersome
– …particularly for transient experiments
[Figure: ISP 1 and ISP 2 connected by BGP sessions to GENI]