
Post on 27-Mar-2015


Network Operations Research

Nick Feamster

http://www.cc.gatech.edu/~feamster/


What is Network Operations?

• Security: spam, denial of service, botnets

• Troubleshooting: reachability and performance problems, equipment failures, configuration problems, etc.

• Three problem areas

– Detection

– Identification: What is causing the problem?

– Mitigation: How to fix the problem?

Helping network operators run secure, robust, highly available communications networks.


Research Areas

• Monitoring and Diagnosis

– rcc: Router Configuration Checker

• Network Virtualization

• Internet Availability and Accessibility

– Failure Recovery

– Anti-Censorship

• Network Security

– Spam Filtering

– Information-Flow Control


Problem: Network Configuration

• Problems cause downtime

• Problems often not immediately apparent

What happens if I tweak this policy…?


Solution: rcc

[Figure: rcc diagram. Labels: Distributed router configurations (Single AS), “rcc”, Normalized Representation, Correctness Specification, Constraints, Faults, Components]

• Analyzing complex, distributed configuration

• Defining a correctness specification

• Mapping specification to constraints

• Verifying global correctness with local information

Feamster & Balakrishnan, “Detecting BGP Configuration Faults with Static Analysis”, NSDI 2005

Best Paper, ACM/USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2005


rcc: Summary of Contributions

• Correctness specification for Internet routing

– Path visibility

– Route validity

– Safety

• Static analysis of routing configuration

– Global correctness guarantees with only local checks

• New results on global stability

• Analysis of 17 real-world networks

• Practical and research significance

– Downloaded by over sixty operators.


Problem: Spam

• Spam: About 80% of today’s email is “abusive”

– Content filtering doesn’t work

• Network monitoring: Today’s network devices were designed for yesterday’s threats

– Circa 2000: Worms, DDoS

– Today: Botnets, spam, click fraud, etc.


Idea: Study Network-Level Properties

Ramachandran et al. “Understanding the Network-Level Behavior of Spammers”, Best Paper, ACM SIGCOMM, 2006

• Ultimate goal: Construct spam filters based on network-level properties, rather than content

• Content-based properties are malleable

– Low cost to evasion: Spammers can alter content

– High admin cost: Filters must be continually updated

• Content-based filters are applied at the destination

– Too little, too late: Wasted network bandwidth, storage, etc.


Spam Study: Major Findings

• Where does spam come from?

– Most received from few regions of IP address space

• Do spammers hijack routes?

– A small set of spammers continually advertise short-lived routes

• How is spam sent?

– Most coming from Windows hosts (likely, bots)

[Figure annotation: ~ 10 minutes]


SNARE: Network-Based Filtering

• Filter email based on how it is sent, in addition to simply what is sent.

• Network-level properties are less malleable

– Network/geographic location of sender and receiver

– Set of target recipients

– Hosting or upstream ISP (AS number)

– Membership in a botnet (spammer, hosting infrastructure)

Shuang Hao et al., “Detecting Spammers with SNARE”, USENIX Security Symposium, August 2009


Spam Filtering: Summary of Results

• Spam increasing, spammers becoming agile

– Content filters are falling behind

– IP-based blacklists are evadable

  • Up to 30% of spam not listed in common blacklists at receipt. ~20% remains unlisted after a month

• Complementary approach: behavioral blacklisting based on network-level features

– Key idea: Blacklist based on how messages are sent

– SNARE: Automated sender reputation

  • ~90% accuracy of existing with lightweight features

– SpamTracker: Spectral clustering

  • catches significant amounts faster than existing blacklists

– SpamSpotter: Putting it together in an RBL system


Network Virtualization

ACM SIGCOMM 2006


Today: ISPs Serve Two Roles

• Infrastructure providers: Maintain routers, links, data centers, other physical infrastructure

• Service providers: Offer services (e.g., layer 3 VPNs, performance SLAs, etc.) to end users

[Figure labels: Role 1: Infrastructure Providers; Role 2: Service Providers]

No single party has control over an end-to-end path.


Instead: Elastic Networks

• Interesting Questions

– Network embedding

– System building

– Economics and markets

• Infrastructure providers: maintain physical infrastructure needed to build networks

• Service providers: lease “slices” of physical infrastructure from one or more providers


Virtual Networks Need Connectivity

• Strawman

– Default routes

– Public IP address

• Problems

– Experiments may need to see all upstream routes

– Experiments may need more control over traffic

• Need “BGP”

– Setting up individual sessions is cumbersome

– …particularly for transient experiments

[Figure labels: ISP 1, ISP 2, BGP Sessions, GENI]