Network Operations and Internet Security @ UChicago


Srikanth Sundaresan wins ACM Internet Measurement Conference Community Contribution Award

Congratulations to Srikanth Sundaresan, whose paper “Measuring and Mitigating Web Performance Bottlenecks in Broadband Access Networks” was selected for the Community Contribution Award at the ACM SIGCOMM Internet Measurement Conference. The research uses the BISmark home network measurement platform, which he and others have developed and deployed in more than 200 home networks around the world.

The major findings of the work include:

  • When the downstream throughput of the access link exceeds about 16 Mbits/s, latency is the main bottleneck for Web page load time.
  • Placing a cache in the home network and performing active prefetching for DNS records and TCP connections can improve Web page load time by as much as 35%.

The paper was selected for the award based on the importance of the research findings and the value of the software and data to the broader networking community.  Congratulations to Srikanth!



Nick Feamster Lectures on Censorship at ETH Zurich Workshop

Prof. Nick Feamster delivered a lecture on measuring and circumventing Internet censorship at the ETH Zurich Workshop on Securing Future Communication Networks Against Emerging Threats.  His talk covered three topics:

The slides from the talk are available here.

Feamster at ZISC Workshop


Arpit Gupta Speaks about SDX at NANOG 59

Arpit Gupta spoke about a Software-Defined Internet Exchange at NANOG 59 in Phoenix, Arizona.  An abstract for the talk is below. See Arpit’s talk slides here.

Abstract: Deploying software-defined networking (SDN) at Internet Exchange Points (IXPs) offers new hope for solving longstanding problems in interdomain routing. SDN allows direct expression of more flexible policies, and IXPs are central rendezvous points that are in the midst of a rebirth, making them a natural place to start. We present the design of an SDN exchange point (SDX) that enables much more expressive policies than conventional hop-by-hop, destination-based forwarding. ISPs can apply many diverse actions on packets based on multiple header fields, and distant networks can exercise “remote control” over packet handling. This flexibility enables applications such as inbound traffic engineering, redirection of traffic to middleboxes, wide-area server load balancing, and blocking of unwanted traffic. Supporting these applications requires effective ways to combine the policies of multiple ISPs. Our SDX controller provides each ISP the abstraction of its own virtual switch and sequentially composes the policies of different ISPs into a single set of rules in the physical switches. Preliminary experiments on our operational SDX demonstrate the potential for changing interdomain routing from the inside out.


Study Comparing Fixed and Mobile Broadband in South Africa to Appear at ACM DEV

A study led by Marshini Chetty and Srikanth Sundaresan will appear at the Fourth Annual Symposium on Computing for Development (ACM DEV) this coming December. The study presents performance measurements of fixed and mobile broadband from five mobile providers and nine fixed-line providers across all nine provinces in South Africa in 2013.

The study involved the deployment of the BISmark performance measurement software on home routers across the country, as well as a widespread deployment of the MySpeedTest Android cellular performance measurement software.  The paper’s results include the following:

  • Measured performance consistently falls short of advertised rates
  • Mobile broadband consistently achieves higher throughput than fixed broadband
  • (Bad) peering can introduce significant latency and fragility in times of failure (e.g., a fiber cut).  (See Srikanth and Nick’s blog post for more detailed coverage of this phenomenon.)

We are continuing to collect performance data in South Africa and are in the process of replicating and expanding this study in other countries in Africa.  The plot below shows some summary data of download throughput from ISPs across Africa from May 1 through today (September 18, 2013).  You can explore the data for the fixed-line South African deployment more at BISmark’s Network Dashboard (developed by Alfred Roberts).

[Figure: ISP Throughput in South Africa]


Sarthak Grover Presents on Home Network Security at Ubicomp Workshop

Sarthak Grover presented a new system built on BISmark for detecting malware in home networks at Ubicomp.  The current system, called Panoptes, tracks DNS lookups from hosts inside a home and compares the DNS lookups against a blacklist on the router.   The system then notifies the user if the DNS lookups suggest the presence of malware on a device in the home.

The system significantly enhances the capabilities of existing systems for providing security in home networks, building on deployed products such as Comcast’s Constant Guard service.  He and Yogesh Mundada are currently working with Comcast on designing an SDN-based system that builds on this design, called SAZO, as part of a larger field deployment.  More to come on SAZO in the future!
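The DNS-lookup check described above for Panoptes can be sketched as follows. This is an added example, not Panoptes code: the dnsmasq-style log format, the sample lines, the blocklist entries and all function names are assumptions made for illustration. It matches a lookup against the list by exact name or parent domain and groups hits per client so that a notification can name the device.

```python
# Added illustration; not Panoptes code. Log format and names are assumptions.
import re
from collections import defaultdict

# dnsmasq-style query log lines (constructed sample data).
SAMPLE_LOG = """\
Sep 18 10:01:02 dnsmasq[411]: query[A] www.example.org from 192.168.1.10
Sep 18 10:01:03 dnsmasq[411]: query[A] cdn.bad-domain.test from 192.168.1.23
Sep 18 10:01:04 dnsmasq[411]: query[AAAA] BAD-DOMAIN.test. from 192.168.1.23
Sep 18 10:01:05 dnsmasq[411]: query[A] notbad-domain.test from 192.168.1.10
Sep 18 10:01:06 dnsmasq[411]: reply www.example.org is 203.0.113.7
Sep 18 10:01:07 dnsmasq[411]: query[A] tracker.malware.invalid from 192.168.1.42
"""

BLOCKLIST = {"bad-domain.test", "malware.invalid"}  # constructed entries

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")


def normalize(name):
    """Lower-case the name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def matching_entry(name, blocklist):
    """Return the blocklist entry equal to name or a parent domain of it, else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # whole labels only, so no substring hits
        if candidate in blocklist:
            return candidate
    return None


def suspicious_hosts(log_text, blocklist):
    """Map each client address to the sorted blocklist entries it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies and other log lines are ignored
        entry = matching_entry(m.group("name"), blocklist)
        if entry:
            hits[m.group("client")].add(entry)
    return {client: sorted(entries) for client, entries in hits.items()}


if __name__ == "__main__":
    for client, entries in suspicious_hosts(SAMPLE_LOG, BLOCKLIST).items():
        print(f"notify user: {client} looked up blocklisted domain(s) {entries}")
```
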



Software Defined Security: Data Leak Prevention System to Appear at ACSAC

Yogesh Mundada and Anirudh Ramachandran’s SilverLine system was accepted to the 2013 Annual Computer Security Applications Conference (ACSAC).  SilverLine is an SDN-based system that protects against data leaks from multi-tier Web applications. Such applications access sensitive data but are nonetheless vulnerable to attacks, such as SQL injection and insecure direct object reference, that might ultimately leak that data.

[Figure: SilverLine Architecture]

In SilverLine, an application developer who writes a Web application can apply security labels to data in a database.  When a Web application issues a query against the database to retrieve data, the query is rewritten so that the records include security labels.  All network connections associated with that result are also associated with both labels and the intended recipient of the data.  A declassifier (a special SDN controller) inspects the security labels associated with each flow and determines whether to allow the flow based on the recipient of the data and the security labels associated with that flow.
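The label-and-declassify flow in the paragraph above can be modelled in a few lines. This is an added example, not SilverLine code: the `invoices` schema, the `sec_label` column, the regex-based rewrite and the policy (a recipient may receive only public data or data labelled with their own name) are all assumptions, and the decision is made in a function here rather than in an SDN controller on the network path.

```python
# Added illustration; not SilverLine code. Schema, label column and policy are assumptions.
import re
import sqlite3


def make_db():
    """Build a constructed sample table in which each record carries a security label."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER, amount REAL, sec_label TEXT)")
    db.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 120.0, "user:alice"), (2, 75.5, "user:bob"), (3, 9.9, "public")],
    )
    return db


def rewrite(query):
    """Append the label column to the SELECT list so every result row carries its label."""
    rewritten, n = re.subn(
        r"^\s*SELECT\s+(.+?)\s+FROM\s", r"SELECT \1, sec_label FROM ",
        query, count=1, flags=re.IGNORECASE,
    )
    if n != 1:
        raise ValueError("only simple SELECT ... FROM queries are handled")
    return rewritten


def run_labelled(db, query, params=()):
    """Run the rewritten query; return (rows without the label, set of labels seen)."""
    rows = db.execute(rewrite(query), params).fetchall()
    return [r[:-1] for r in rows], {r[-1] for r in rows}


def declassify(flow_labels, recipient):
    """Allow the flow only if every label is public or belongs to the recipient."""
    return flow_labels <= {"public", f"user:{recipient}"}


def respond(db, recipient, query, params=()):
    """Return the rows if the declassifier allows the flow, or None if it is dropped."""
    rows, labels = run_labelled(db, query, params)
    return rows if declassify(labels, recipient) else None
```

Because the decision depends on the labels attached to the returned records rather than on what the application code intended, a response is dropped whenever it contains another user's records, whether they got there through a direct object reference or through an injected predicate.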

SilverLine is one of the first systems to step into the space of Software Defined Security.  Congratulations to Yogesh and Anirudh on this pioneering effort!  An abstract of the work is below.

SilverLine: Preventing Data Leaks from Compromised Web Applications 
Yogesh Mundada, Anirudh Ramachandran, Nick Feamster
Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance and without requiring developers to rewrite applications is challenging. We present SilverLine, which prevents data leaks from compromised Web applications. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks, with only minor application modifications and reasonable performance overhead.


New Measurement/Policy Brief: Mobile and Fixed Broadband in South Africa

How do mobile and fixed broadband stack up in South Africa?

Unlike in more developed nations, where fixed-line broadband connectivity is the predominant form of broadband access, in South Africa, mobile broadband is predominant. Mobile broadband connectivity is also both cheaper and faster than fixed-line connectivity. Unfortunately, our study using a BISmark testbed deployment in South Africa shows that wireless is inherently less stable than fixed broadband technologies such as xDSL and fibre, and the implications of not having ubiquitous, reliable, always-on high-speed connectivity for the economy and global competitiveness are serious.

For a detailed description of the methods applied for measuring broadband performance, download the policy paper draft that we co-authored with Research ICT Africa for comments on investigating broadband performance in South Africa 2013. (Comments welcome!)


Feamster Gives Talk on Coursera SDN MOOC Experience

Professor Feamster gave a talk at the University of Cape Town on his experiences with designing and running the first-ever university-level course on Software Defined Networking, which was also a Coursera Massive Open Online Course (MOOC).

In the talk, Nick offers several insights and thoughts about MOOCs, including why certain aspects of teaching a large MOOC are, in fact, easier than teaching a small classroom course.

Slides from the talk are available here: A ReMOOCable Experience: Teaching Networking to the Masses from Nick Feamster

Update: See the interview with Nick in TechTarget on his experiences preparing the SDN MOOC.


Home Networking and DNS Security Papers Accepted to Internet Measurement Conference

Project BISmark

Our research group has had three long papers accepted at the ACM SIGCOMM Internet Measurement Conference this October in Berlin, Germany.  Two of the papers are on studying the performance and usage of home networks.  A third paper is on the security of the Internet’s domain name system.  The draft abstracts of the papers are below.  We are very well represented (seven students, and one alum, Nazanin, who is now at Cisco).

There were only 25 long papers accepted at IMC, so we are very well-represented in the program.

Congrats to Sarthak, Srikanth, Shuang, Mi Seon, Sam, Joon, Bharath, and Nazanin!

Peeking Behind the NAT: An Empirical Study of Home Networks
Sarthak Grover (Georgia Institute of Technology)
Mi Seon Park (Georgia Institute of Technology)
Srikanth Sundaresan (Georgia Institute of Technology)
Sam Burnett (Georgia Institute of Technology)
Hyojoon Kim (Georgia Institute of Technology)
Bharath Ravi (Georgia Institute of Technology)
Nick Feamster (Georgia Institute of Technology)

We present the first empirical study of home network availability, infrastructure, and usage, using data collected from home networks around the world. In each home, we deploy a router with custom firmware to collect information about the availability of home broadband network connectivity, the home network infrastructure (including the wireless connectivity in each home network and the number of devices connected to the network), and how people in each home network use the network. Outages are more frequent and longer in developing countries—sometimes due to the network, and in other cases because they simply turn their home router off. We also find that some portions of the wireless spectrum are extremely crowded, that diurnal patterns are more pronounced during the week, and that most traffic in home networks is exchanged over a few connections to a small number of domains. Our study is both a preliminary view into many home networks and an illustration of how measurements from a home router can yield significant information about home networks.

Measuring and Mitigating Web Performance Bottlenecks in Broadband Access Networks
Srikanth Sundaresan (Georgia Institute of Technology)
Nick Feamster (Georgia Institute of Technology)
Renata Teixeira (CNRS/UPMC Sorbonne Universites)
Nazanin Magharei (Cisco Systems)

We measure Web performance bottlenecks in home broadband access networks and evaluate ways to mitigate these bottlenecks with caching in home networks. We first measure Web performance bottlenecks to nine popular Web sites from more than 5,000 broadband access networks and demonstrate that when the downstream throughput of the access link exceeds about 16 Mbits/s, latency is the main bottleneck for Web page load time. Next, we use a router-based Web measurement tool, Mirage, to deconstruct Web page load time into its constituent components (DNS lookup, TCP connection setup, object download) and show that simple latency optimizations can yield significant improvements in overall page load times. We then present a case for placing a cache in the home network and deploy three common optimizations: DNS caching, TCP connection caching, and content caching. We show that just caching DNS and TCP connections can yield significant improvements in page load time, even when the user’s browser is already performing similar independent optimizations. Finally, we use traces from real homes to demonstrate how popularity-based prefetching of DNS and TCP connections in a home-router cache can achieve faster page load times in home networks.

Understanding the Domain Registration Behavior of Spammers
Shuang Hao (Georgia Institute of Technology)
Matthew Thomas (Verisign, Inc.)
Vern Paxson (ICSI & UC Berkeley)
Nick Feamster (Georgia Institute of Technology)
Christian Kreibich (ICSI)
Chris Grier (ICSI)
Scott Hollenbeck (Verisign, Inc.)

Spammers register a tremendous number of domains to evade blacklisting and takedown efforts. Current techniques to detect such domains rely on crawling spam URLs or monitoring lookup traffic. Such detection triggers after the spammers have already launched their campaigns, and thus these countermeasures may only come into play after the spammer has already reaped significant benefits from the dissemination of large volumes of spam. In this paper we examine the registration process of such domains, with a particular eye towards features that might indicate directly at registration time that a given domain likely has a malicious purpose. Our assessment includes exploring the characteristics of registrars, domain life cycles, registration bursts, and naming patterns. By investigating zone changes from the .com TLD over a 5-month period, we discover that spammers employ bulk registration, often re-use domains previously registered by others, and tend to register and host their domains over a small set of registrars. Our findings suggest a number of steps that registries and/or registrars could employ to crimp the ease with which miscreants acquire domains in bulk, thus potentially increasing their costs and reducing their agility for large-scale attacks.