Network Operations and Internet Security @ Princeton


Papers on IXP Connectivity in Africa, Filter Bubbles Accepted to PAM

Congratulations to Arpit Gupta and Xinyu Xing, who recently had papers accepted at the 2014 Passive and Active Measurements Conference!  Arpit’s paper studies connectivity and peering and what ISOC has been calling “tromboning” (paths on the continent that detour through LINX in London or AMS-IX in Amsterdam). Xinyu’s paper studies inconsistent Web search results using a tool we built called Bobble.

The abstracts of the accepted papers are below.  The final versions of the papers will be posted here shortly, and the papers will be presented in March 2014 in Los Angeles.

Peering at the Internet’s Frontier: A First Look at ISP Interconnectivity in Africa
Arpit Gupta (Georgia Institute of Technology), Matt Calder (University of Southern California), Nick Feamster (Georgia Institute of Technology), Marshini Chetty (University of Maryland, College Park), Enrico Calandro (Research ICT Africa), Ethan Katz-Bassett (University of Southern California)

Abstract. In developing regions, the performance to commonly visited destinations is dominated by the network latency to these destinations, which is in turn affected by the connectivity from ISPs in these regions to the locations that host popular sites and content. We take a first look at ISP interconnectivity between various regions in Africa and discover that many Internet paths that should remain local often detour circuitously through Europe. We investigate the causes of circuitous Internet paths and evaluate the benefits of increased peering and better cache proxy placement for reducing latency to popular Internet sites.

Exposing Inconsistent Web Search Results with Bobble
Xinyu Xing (Georgia Institute of Technology), Wei Meng (Georgia Institute of Technology), Dan Doozan (Georgia Institute of Technology), Nick Feamster (Georgia Institute of Technology), Wenke Lee (Georgia Institute of Technology), Alex Snoeren (UC San Diego)

Abstract. Personalized Web search can potentially provide users with search results that are tailored to their geography, the device from which they are searching, and a variety of other preferences and predispositions. Although most major search engines employ some type of personalization, the algorithms used to implement this personalization remain a “black box” to users, who are not aware of the effects of these personalization algorithms on the results that they ultimately see. Indeed, many users may be unaware that such personalization is taking place at all. This paper takes a first look at the nature of inconsistent search results that result from location-based personalization and search history. We present the design and implementation of Bobble, a tool that executes a single user query from a variety of different vantage points and under a range of different conditions and compares the consistency of the results that are returned from each query. Using more than 75,000 search queries from about 175 users over a nine-month period, we explore the nature of inconsistencies that arise in different search terms and regions and find that 98% of all Google search queries from Bobble users resulted in some inconsistency, and that geography is more important than search history in influencing the nature of the inconsistency. Different from a recent study, our measurement also indicates that the influence of search history on search inconsistency is medium but not moderate. To demonstrate the potential negative impact of search personalization, we also use Bobble to investigate more than 4,000 locally disreputable businesses. We find more than 40 of these businesses for which negative search results are hidden from the local Google search result set but not from the Google search result sets obtained from other regions.
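The comparison step that the abstract describes (the same query issued from several vantage points, result lists compared for consistency, and results that appear elsewhere but are missing locally flagged) can be made concrete with a small amount of code. The block below is an added example, not the Bobble tool's own code; the vantage-point names and result URLs are constructed, and the choice of Jaccard overlap and exact-order comparison as the consistency measures is an assumption of this example.

```python
"""Added example (not the Bobble code): compare one query's result lists across
vantage points and flag results hidden from a particular vantage point.
Vantage-point names, URLs and the consistency measures are constructed here."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed top-5 results for one query, as returned from three vantage points.
# region2 and region3 return the same URLs in a different order; "local" is
# missing one URL that both other vantage points return.
RESULTS: Dict[str, List[str]] = {
    "local": ["shop.example", "maps.example/shop", "shop.example/about",
              "news.example/shop-opens", "wiki.example/shop"],
    "region2": ["shop.example", "reviews.example/shop-complaints", "maps.example/shop",
                "news.example/shop-opens", "wiki.example/shop"],
    "region3": ["shop.example", "reviews.example/shop-complaints", "news.example/shop-opens",
                "maps.example/shop", "wiki.example/shop"],
}


def jaccard(a: List[str], b: List[str]) -> float:
    """Set overlap between two result lists (1.0 = identical sets)."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0


def is_consistent(results: Dict[str, List[str]]) -> bool:
    """True only if every vantage point returned the same URLs in the same order."""
    lists = list(results.values())
    return all(lst == lists[0] for lst in lists[1:])


def pairwise(results: Dict[str, List[str]]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """For each pair of vantage points: set overlap, and whether set and order agree."""
    out: Dict[Tuple[str, str], Dict[str, object]] = {}
    for (va, la), (vb, lb) in combinations(sorted(results.items()), 2):
        out[(va, vb)] = {
            "jaccard": jaccard(la, lb),
            "same_set": set(la) == set(lb),
            "same_order": la == lb,
        }
    return out


def hidden_from(results: Dict[str, List[str]], vantage: str) -> Set[str]:
    """URLs that every other vantage point returned but this one did not."""
    others = [set(urls) for v, urls in results.items() if v != vantage]
    if not others:
        return set()
    common = set.intersection(*others)
    return common - set(results[vantage])


if __name__ == "__main__":
    print("fully consistent:", is_consistent(RESULTS))
    for pair, stats in pairwise(RESULTS).items():
        print(pair, stats)
    for v in RESULTS:
        print(f"hidden from {v}:", hidden_from(RESULTS, v))
```

Separating set-level from order-level agreement matters for interpreting a result like "98% of queries showed some inconsistency": two vantage points can return the same pages in a different order, which is a much weaker inconsistency than one vantage point omitting a page that all the others return.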



Srikanth Sundaresan wins ACM Internet Measurement Conference Community Contribution Award

Congratulations to Srikanth Sundaresan, whose paper “Measuring and Mitigating Web Performance Bottlenecks in Broadband Access Networks”, was selected for the Community Contribution Award at ACM SIGCOMM Internet Measurement Conference.  The research uses the BISmark home network measurement platform which he and others have developed and deployed in more than 200 home networks around the world.

The major findings of the work include:

  • When the downstream throughput of the access link exceeds about 16 Mbits/s, latency is the main bottleneck for Web page load time.
  • Placing a cache in the home network and performing active prefetching for DNS records and TCP connections can improve Web page load time by as much as 35%.

The paper was selected for the award based on the importance of the research findings and the value of the software and data to the broader networking community.  Congratulations to Srikanth!



Nick Feamster Lectures on Censorship at ETH Zurich Workshop

Prof. Nick Feamster delivered a lecture on measuring and circumventing Internet censorship at the ETH Zurich Workshop on Securing Future Communication Networks Against Emerging Threats.  His talk covered three topics:

The slides from the talk are available here.

Feamster at ZISC Workshop


Arpit Gupta Speaks about SDX at NANOG 59

Arpit Gupta spoke about a Software-Defined Internet Exchange at NANOG 59 in Phoenix, Arizona.  An abstract for the talk is below. See Arpit’s talk slides here.

Abstract: Deploying software-defined networking (SDN) at Internet Exchange Points (IXPs) offers new hope for solving longstanding problems in interdomain routing. SDN allows direct expression of more flexible policies, and IXPs are central rendezvous points that are in the midst of a rebirth, making them a natural place to start. We present the design of an SDN exchange point (SDX) that enables much more expressive policies than conventional hop-by-hop, destination-based forwarding. ISPs can apply many diverse actions on packets based on multiple header fields, and distant networks can exercise “remote control” over packet handling. This flexibility enables applications such as inbound traffic engineering, redirection of traffic to middleboxes, wide-area server load balancing, and blocking of unwanted traffic. Supporting these applications requires effective ways to combine the policies of multiple ISPs. Our SDX controller provides each ISP the abstraction of its own virtual switch and sequentially composes the policies of different ISPs into a single set of rules in the physical switches. Preliminary experiments on our operational SDX demonstrate the potential for changing interdomain routing from the inside out.


Study Comparing Fixed and Mobile Broadband in South Africa to Appear at ACM DEV

A study led by Marshini Chetty and Srikanth Sundaresan will appear at the Fourth Annual Symposium on Computing for Development (ACM DEV) this coming December.  The study presents performance measurements of fixed and mobile broadband from five mobile providers and nine fixed-line providers across all nine provinces in South Africa in 2013.

The study involved the deployment of the BISmark performance measurement software on home routers across the country, as well as a widespread deployment of the MySpeedTest Android cellular performance measurement software.  The paper’s results include the following:

  • Achieved performance consistently falls short of advertised rates
  • Mobile broadband consistently achieves higher throughput than fixed broadband
  • (Bad) peering can introduce significant latency and fragility in times of failure (e.g., a fiber cut).  (See Srikanth and Nick’s blog post for more detailed coverage of this phenomenon.)

We are continuing to collect performance data in South Africa and are in the process of replicating and expanding this study in other countries in Africa.  The plot below shows some summary data of download throughput from ISPs across Africa from May 1 through today (September 18, 2013).  You can explore the data for the fixed-line South African deployment more at BISmark’s Network Dashboard (developed by Alfred Roberts).

ISP Throughput in South Africa


Sarthak Grover Presents on Home Network Security at Ubicomp Workshop

Sarthak Grover presented a new system built on BISmark for detecting malware in home networks at Ubicomp.  The current system, called Panoptes, tracks DNS lookups from hosts inside a home and compares the DNS lookups against a blacklist on the router.  The system then notifies the user if the DNS lookups suggest the presence of malware on a device in the home.
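The detection step described above (DNS lookups from hosts inside the home matched against a blacklist held on the router, then a per-device notification) is shown below as an added example; it is not the Panoptes or BISmark code. The log lines follow the dnsmasq query-log format that OpenWrt-based routers produce, but the entries, client addresses and blacklist contents are constructed for illustration, and matching a name against its parent domains is a design choice of this example.

```python
"""Added example (not Panoptes/BISmark code): match a router's DNS query log
against a blacklist and group hits by client device. Log lines, client
addresses and blacklist entries are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed router log in dnsmasq's "query[TYPE] name from client" style.
SAMPLE_LOG = """\
Sep 18 10:01:02 dnsmasq[512]: query[A] www.example.org from 192.168.1.10
Sep 18 10:01:05 dnsmasq[512]: query[A] cdn.bad-example.test from 192.168.1.23
Sep 18 10:01:09 dnsmasq[512]: query[AAAA] mail.example.org from 192.168.1.10
Sep 18 10:01:11 dnsmasq[512]: query[A] Evil-Example.TEST. from 192.168.1.23
Sep 18 10:01:15 dnsmasq[512]: cached www.example.org is 93.184.216.34
Sep 18 10:01:20 dnsmasq[512]: query[A] tracker.bad-example.test from 192.168.1.10
"""

# Constructed blacklist. An entry covers the name itself and every subdomain.
BLACKLIST: Set[str] = {"bad-example.test", "evil-example.test"}

QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so FQDN and case variants match."""
    return name.lower().rstrip(".")


def blocked_parent(name: str, blacklist: Set[str]) -> Optional[str]:
    """Return the blacklist entry covering name (exact or parent domain), else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blacklist:
            return candidate
    return None


def parse_queries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (client, queried name, query type) for each query line; skip others."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("name"), m.group("type")


def find_suspicious_hosts(log_text: str, blacklist: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map client address -> list of (normalized queried name, matching blacklist entry)."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for client, name, _qtype in parse_queries(log_text):
        entry = blocked_parent(name, blacklist)
        if entry:
            hits[client].append((normalize(name), entry))
    return dict(hits)


def notifications(hits: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """One user-facing message per device that looked up blacklisted names."""
    return [
        f"Device {client} looked up {len(names)} blacklisted name(s): "
        + ", ".join(n for n, _ in names)
        for client, names in sorted(hits.items())
    ]


if __name__ == "__main__":
    for msg in notifications(find_suspicious_hosts(SAMPLE_LOG, BLACKLIST)):
        print(msg)
```

Keying the alert on the client address (rather than on the domain alone) is what lets the notification point at a specific device in the home; in practice the router would map the address to a MAC or hostname from its DHCP leases before showing it to the user.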

The system significantly enhances the capabilities of existing systems for providing security in home networks, building on deployed products such as Comcast’s Constant Guard service.  He and Yogesh Mundada are currently working with Comcast on designing an SDN-based system that builds on this design, called SAZO, as part of a larger field deployment.  More to come on SAZO in the future!



Software Defined Security: Data Leak Prevention System to Appear at ACSAC

Yogesh Mundada and Anirudh Ramachandran’s SilverLine system was accepted to the 2013 Annual Computer Security Applications Conference (ACSAC).  SilverLine is an SDN-based system that protects against data leaks from multi-tier Web applications that access sensitive data but are nonetheless vulnerable to various attacks such as SQL injection and insecure direct object reference that might ultimately leak sensitive data.

SilverLine Architecture

In SilverLine, an application developer who writes a Web application can apply security labels to data in a database.  When a Web application issues a query against the database to retrieve data, the query is rewritten so that the records include security labels.  All network connections associated with that result are also associated with both labels and the intended recipient of the data.  A declassifier (a special SDN controller) inspects the security labels associated with each flow and determines whether to allow the flow based on the recipient of the data and the security labels associated with that flow.
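The four steps in that paragraph (labels on database records, query rewriting so results carry their labels, a label set attached to the connection delivering the result, and a declassifier that allows or denies the flow based on recipient and labels) are easy to lose in prose, so here is an added example that walks through them in one process. It is not SilverLine's code: the table schema, the `user:<name>` label scheme, the session table, and the rule that a flow is allowed only when every label on the data is readable by the session's principal are all constructed assumptions, and the SDN controller is replaced by a plain Python class.

```python
"""Added example (not SilverLine's code): label-carrying query results and a
declassifier that gates each flow on the recipient. The schema, the label
scheme, the session table and the allow rule are constructed assumptions."""
import re
import sqlite3
from typing import Dict, List, Set, Tuple

# Constructed schema: each sensitive record carries a security label naming its owner.
SCHEMA = """
CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, label TEXT);
INSERT INTO patients VALUES (1, 'Alice', '000-00-0001', 'user:alice');
INSERT INTO patients VALUES (2, 'Bob',   '000-00-0002', 'user:bob');
"""

# Constructed session table: login binds each Web session to a principal.
SESSIONS: Dict[str, str] = {"sess-A": "user:alice", "sess-B": "user:bob"}

_SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s", re.IGNORECASE | re.DOTALL)


def rewrite_query(sql: str) -> str:
    """Step 2: rewrite a SELECT so every returned record also carries its label."""
    m = _SELECT_RE.match(sql)
    if not m:
        raise ValueError("only SELECT statements are rewritten in this example")
    cols = m.group(1)
    if cols.strip() == "*" or re.search(r"\blabel\b", cols):
        return sql  # label column already present
    return sql[:m.start(1)] + cols + ", label" + sql[m.end(1):]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def labeled_query(conn: sqlite3.Connection, sql: str, params=()) -> Tuple[List[tuple], Set[str]]:
    """Run the rewritten query; return the data rows and the union of their labels."""
    rows = conn.execute(rewrite_query(sql), params).fetchall()
    data = [row[:-1] for row in rows]        # strip the trailing label column
    labels = {row[-1] for row in rows}       # step 3: the label set that travels with the flow
    return data, labels


class Declassifier:
    """Step 4: stands in for the SDN controller. A flow is allowed only if every
    label on the data is readable by the flow's recipient (constructed rule)."""

    def __init__(self, readable_by: Dict[str, Set[str]]):
        self.readable_by = readable_by

    def allow_flow(self, labels: Set[str], recipient: str) -> bool:
        return labels <= self.readable_by.get(recipient, set())


def serve(conn, declassifier: Declassifier, session_id: str, sql: str, params=()):
    """Simulate the application answering a request on a session -> (allowed, rows)."""
    recipient = SESSIONS[session_id]
    rows, labels = labeled_query(conn, sql, params)
    if not declassifier.allow_flow(labels, recipient):
        return False, []                      # flow dropped before it reaches the client
    return True, rows


POLICY = Declassifier({"user:alice": {"user:alice"}, "user:bob": {"user:bob"}})


def demo():
    """Alice's session: her own record flows; a query that pulls Bob's record,
    whether from an application bug or an injected condition, is blocked."""
    conn = open_db()
    own = serve(conn, POLICY, "sess-A", "SELECT name, ssn FROM patients WHERE id = ?", (1,))
    other = serve(conn, POLICY, "sess-A", "SELECT name, ssn FROM patients WHERE id = ?", (2,))
    everything = serve(conn, POLICY, "sess-A", "SELECT name, ssn FROM patients")
    return own, other, everything


if __name__ == "__main__":
    for allowed, rows in demo():
        print("allowed" if allowed else "blocked", rows)
```

The point the example makes is where the enforcement sits: the application code and its queries are unchanged, and the decision is taken on the flow carrying the result, so a query that retrieves more records than the session's user may see is stopped even though the application itself did nothing to stop it.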

SilverLine is one of the first systems to step into the space of Software Defined Security.  Congratulations to Yogesh and Anirudh on this pioneering effort!  An abstract of the work is below.

SilverLine: Preventing Data Leaks from Compromised Web Applications
Yogesh Mundada, Anirudh Ramachandran, Nick Feamster
Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance and without requiring developers to rewrite applications is challenging. We present SilverLine, which prevents data leaks from compromised Web applications. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks, with only minor application modifications and reasonable performance overhead.