All times are in Universal Time Coordinated (UTC).
Full Program
Monday, 11 March, 2024 (all times are UTC)
- 13:00 - 13:30 - Introduction - Session Chair: Philipp Richter, Vaibhav Bajpai and Esteban Carisimo
- 13:30 - 14:30 - Keynote - Session Chair: Philipp Richter (Akamai Technologies)
- 14:35 - 15:25 - Measurement tools - Session Chair: Giovane Moura
- Crawling to the Top: An Empirical Evaluation of Top List Use
  Authors: Qinge Xie (Georgia Institute of Technology), Frank Li (Georgia Institute of Technology)
  Abstract: Domain top lists, such as Alexa, Umbrella, and Majestic, are key datasets widely used by the networking and security research communities. Industry and attackers have also been documented as using top lists for various purposes. However, beyond these scattered documented cases, who actually uses these top lists and how are they used? Currently, the Internet measurement community lacks a deep understanding of real-world top list use and the dependencies on these datasets (especially in light of Alexa's retirement). In this study, we seek to fill in this gap by conducting controlled experiments with test domains in different ranking ranges of popular top lists, monitoring how network traffic differs for test domains in the top lists compared to baseline control domains. By analyzing the DNS resolutions made to domain authoritative name servers, HTTP requests to websites hosted on the domains, and messages sent to email addresses associated with the websites, we evaluate how domain traffic changes once placed in top lists, the characteristics of those visiting the domain, and the behavioral patterns of these visitors. Ultimately, our analysis sheds light on how these top lists are used in practice and their value to the networking and security community.
- Towards Improving Outage Detection with Multiple Probing Protocols
  Authors: Manasvini Sethuraman (Georgia Institute of Technology), Zachary Bischof (Georgia Institute of Technology), Alberto Dainotti (Georgia Institute of Technology)
  Abstract: Multiple systems actively monitor the IPv4 address space for outages, often through ICMP probing. In this work, we explore the potential benefits (in terms of increased coverage) of leveraging additional protocols for probing by analyzing Internet-wide scans conducted using transport layer (TCP/UDP) probes. Using several existing Internet-wide scan snapshots, we show that between 531k and 606k additional /24 blocks, which were originally too sparse to be monitored via ICMP probing alone, now have the potential to be monitored for outages. We also find that it is possible to improve the probing efficiency for 850k-970k blocks, of which 106k-125k blocks were not observed in the previous two years of ICMP-based scans. We observe that the average percent of /24 blocks per AS that could potentially be reliably monitored for outages increases from 65% to 83%, spanning 28k ASes.
- Designing a Lightweight Network Observability Agent for Cloud Applications
  Authors: Pravein Govindan Kannan (IBM Research), Shachee Mishra Gupta (IBM Research), Dushyant Behl (IBM Research), Eran Raichstein (IBM Research), Joel Takvorian (Red Hat Inc.)
  Abstract: Applications are increasingly being deployed on the cloud as microservices using orchestrators like Kubernetes. With microservices-type deployment, performance and observability are critical requirements, especially given the SLAs and strict business guarantee requirements (latency, throughput, etc.) of requests. Network observability is an imperative feature that every orchestrator needs to incorporate to provide the operators visibility into the network communication between the services deployed and the ability to provide necessary metrics to diagnose problems. In this paper, we propose a lightweight network observability agent, ebpf-agent, built using eBPF, that can be deployed in various environments (K8s, bare metal, etc.) and runs independent of the underlying network datapath / Container Network Interfaces (CNIs) deployed by the orchestrator. ebpf-agent monitors the network traffic on each host node's interfaces running in the cluster and summarizes the necessary information of the traffic workloads with very minimal overhead. We articulate the design decisions of ebpf-agent using measurements which maximize the performance of the datapath. Our evaluations show that ebpf-agent offers significant performance benefits against the existing systems, while keeping the CPU and memory overheads lower by a magnitude. ebpf-agent is available in open source and is officially released as part of an Enterprise Orchestrator.
- 15:25 - 15:55 - Break
- 15:55 - 16:50 - Securing and Protecting - Session Chair: John Heidemann
- SunBlock: Cloudless Protection for IoT Systems
  Authors: Vadim Safronov (Imperial College London), Anna Maria Mandalari (University College London), Daniel J. Dubois (Northeastern University), David Choffnes (Northeastern University), Hamed Haddadi (Imperial College London)
  Abstract: With an increasing number of Internet of Things (IoT) devices present in homes, there is a rise in the number of potential information leakage channels and their associated security threats and privacy risks. Despite a long history of attacks on IoT devices in unprotected home networks, the problem of accurate, rapid detection and prevention of such attacks remains open. Many existing IoT protection solutions are cloud-based, sometimes ineffective, and might share consumer data with unknown third parties. This paper investigates the potential for effective IoT threat detection locally, on a home router, using AI tools combined with classic rule-based traffic-filtering algorithms. Our results show that with a slight rise of router hardware resources caused by machine learning and traffic filtering logic, a typical home router instrumented with our solution is able to effectively detect risks and protect a typical home IoT network, equaling or outperforming existing popular solutions, without any effects on benign IoT functionality, and without relying on cloud services and third parties.
- Spoofed Emails: An Analysis of the Issues Hindering a Better Use and Larger Deployment of DMARC
  Authors: Olivier Hureau (Université Grenoble Alpes, CNRS, Grenoble INP, LIG), Jan Bayer (Université Grenoble Alpes, CNRS, Grenoble INP, LIG), Andrzej Duda (Université Grenoble Alpes, CNRS, Grenoble INP, LIG), Maciej Korczyński (Université Grenoble Alpes, CNRS, Grenoble INP, LIG)
  Abstract: In 2015, the IETF released an informational specification for the DMARC protocol, not establishing it as an Internet standard. DMARC is designed to fight against email spoofing, on top of SPF and DKIM. Given that these anti-spoofing measures could lead to the loss of legitimate emails, DMARC embedded a reporting system enabling domain owners to monitor rejected messages and enhance their configurations. Research communities have extensively examined various aspects of DMARC, including adoption rates, misuse, and integration into early spam detection systems, while overlooking other vital aspects, potentially impeding its broader use and adoption. This paper sheds light on a widespread lack of comprehension of the standard and unexpected behavior regarding DMARC among various groups, including professionals, open-source libraries, and domain owners. We propose measurement and analysis approaches that include a DMARC record parser, a methodology for dataset collection, and an analysis of the domain name landscape. We provide insights for fostering a deeper understanding of the DMARC ecosystem. We also identify email addresses in DMARC records belonging to 9,121 unregistered domain names, which unintended users could register, leading to potential data leakage from the email systems of domain owners.
- Trust Issue(r)s: Certificate Revocation and Replacement Practices in the Wild
  Authors: David Cerenius (Linköping University), Martin Kaller (Linköping University), Carl Magnus Bruhner (Linköping University), Martin Arlitt (University of Calgary), Niklas Carlsson (Linköping University)
  Abstract: Every time we use the web, we place our trust in X.509 certificates binding public keys to domain identities. However, for these certificates to be trustworthy, proper issuance, management, and timely revocations (in cases of compromise or misuse) are required. While great efforts have been placed on ensuring trustworthiness in the issuance of new certificates, there has been a scarcity of empirical studies on revocation management. This study offers the first comprehensive analysis of certificate replacements (CRs) of revoked certificates. It provides a head-to-head comparison of the CRs where the replaced certificate was revoked versus not revoked. Leveraging two existing datasets with overlapping timelines, we create a combined dataset containing 1.5 million CRs that we use to unveil valuable insights into the effect of revocations on certificate management. Two key questions guide our research: (1) the influence of revocations on certificate replacement behavior and (2) the effectiveness of revocations in fulfilling their intended purpose. Our statistical analysis reveals significant variations in revocation rates, retention rates, and post-revocation usage, shedding light on differences in Certificate Authorities' (CAs) practices and subscribers' decisions. Notably, a substantial percentage of revoked certificates were either observed or estimated to be used after revocation, raising concerns about key-compromise instances. Finally, our findings highlight shortcomings in existing revocation protocols and practices, emphasizing the need for improvements. We discuss ongoing efforts and potential solutions to address these issues, offering valuable guidance for enhancing the security and integrity of web communications.
- 16:50 - 17:30 - Satellites - Session Chair: Zachary Bischof
- Watching Stars in Pixels: The Interplay of Traffic Shaping and YouTube Streaming QoE over GEO Satellite Networks
  Authors: Jiamo Liu (University of California Santa Barbara), David Lerner (Viasat), Jae Chung (Viasat), Udit Paul (University of California Santa Barbara), Arpit Gupta (University of California Santa Barbara), Elizabeth M. Belding (University of California Santa Barbara)
  Abstract: Geosynchronous satellite (GEO) networks are an important Internet access option for users beyond terrestrial connectivity. However, unlike terrestrial networks, GEO networks exhibit high latency and deploy TCP proxies and traffic shapers. The deployment of proxies effectively mitigates the impact of high network latency in GEO networks, while traffic shapers help realize customer-controlled data-saver options that optimize data usage. However, it is unclear how the interplay between GEO networks' high latency, TCP proxies, and traffic-shaping policies affects the quality of experience (QoE) for commonly used video applications. To address this gap, we analyze the quality of over 2k YouTube video sessions streamed across a production GEO network with a 900 Kbps shaping rate. Given the average bit rates for the selected videos, we expected streaming to be seamless at resolutions of 360p, and nearly seamless at resolutions approaching 480p. However, our analysis reveals that this is not the case: 30% of both TCP sessions and gQUIC sessions experience rebuffering, while the median average resolution is only 404p for TCP and 360p for gQUIC. Our analysis identifies two key factors contributing to sub-optimal performance: (i) unlike TCP, gQUIC only utilizes 70% of the network capacity; and (ii) YouTube's chunk request pipelining neglects network latency, resulting in idle periods that disproportionately harm the throughput of smaller chunks. As a result of our study, the partner GEO ISP discontinued support for the low-bandwidth data-saving option in U.S. business and residential markets to avoid potential degradation of video quality, highlighting the practical significance of our findings.
- Can LEO Satellites Enhance the Resilience of Internet to Multi-Hazard Risks?
  Authors: Aleksandr Stevens (University of Oregon), Blaise Iradukunda (University of Oregon), Brad Bailey (University of Oregon), Ram Durairajan (University of Oregon)
  Abstract: Climate change-induced and naturally-occurring multi-hazard risks (e.g., Cascadia megathrust earthquake followed by tsunamis in the U.S. Pacific Northwest or PNW) threaten humanity and society, in general, and critical Internet infrastructures, in particular. While mitigating the impacts of these hazards, in isolation, on terrestrial infrastructures has been the focus of prior efforts, we lack an in-depth understanding of infrastructure hardening efforts using non-terrestrial deployments such as low earth orbit or LEO satellites in the face of multi-hazard risks. The main goal of this work is to evaluate whether LEO satellites can bolster the resilience of Internet infrastructure in the Pacific Northwest (PNW) against multi-hazard risks. To this end, we have developed a first-of-its-kind simulator called MAZE to understand the impacts that multi-hazard risks, each of which combined or in isolation, pose to wired and wireless infrastructures in the PNW. Using MAZE, we address two key challenges faced by first responders today: (1) navigating the cost vs. performance trade-offs in the hybrid routing of traffic between terrestrial and non-terrestrial networks during disasters, and (2) comparing the efficacy of using LEO satellites against a terrestrial risk-aware routing strategy (ShakeNet) and a global satellite network (BGAN) for emergency communication during multi-hazard risks. Our assessments show that LEO satellites offer two orders of magnitude latency improvement and 100s of thousands of dollars in savings, all while maintaining network connectivity in the face of multi-hazard risks. To demonstrate the practicality and versatility of MAZE, we perform two case studies including testing a traffic prioritization scheme for LEO satellites and assessing the impacts of cascading risk on network infrastructures along the U.S. west coast.
Tuesday, 12 March, 2024 (all times are UTC)
- 13:00 - 13:55 - Maliciousness and Blocking - Session Chair: Esteban Carisimo
- Out in the Open: On the Implementation of Mobile App Filtering in India
  Authors: Devashish Gosain (BITS Pilani Goa Campus), Kartikey Singh (IIIT Delhi), Rishi Sharma (IIIT Delhi), Jithin S (IIIT Delhi), Sambuddho (IIIT Delhi)
  Abstract: In this paper, we present the first comprehensive study highlighting the evolving mobile app filtering within India. We study the recent mobile app blocking in India and describe in detail the mechanics involved. We analyzed 220 Chinese apps that were blocked due to official government orders. Our research reveals a novel three-tiered app censorship scheme, with each tier increasing the sophistication of censorship. After thoroughly analyzing the app censorship mechanisms, we present effective circumvention techniques to bypass the tiered app censorship. We were able to access all the blocked apps with the said techniques. We believe our analysis and findings from the case study of India will aid future research on mobile app filtering.
- Dom-BERT: Detecting Malicious Domains with Pre-training Model
  Authors: Yu Tian (Institute of Computing Technology & University of Chinese Academy of Sciences, China), Zhenyu Li (Institute of Computing Technology, Chinese Academy of Sciences, China)
  Abstract: The Domain Name System (DNS) is widely abused by attackers, which thus makes malicious domain detection a crucial routine task for operators to combat cyber crimes. Existing classification-based models often struggle to achieve high accuracy in practical settings due to the persistent issue of class imbalance. Moreover, inference-based models, which hinge upon the resolution similarity between domains, often fail to harness the full potential of linguistic associations among domains. This paper first conducts a detailed analysis of the characteristics of malicious domains and contrasts them with those of benign ones, using a real-life passive DNS dataset obtained from several major ISPs (Internet Service Providers). With this basis, we then propose an efficient solution for the detection of malicious domains, called Dom-BERT. To adeptly capture the resolution associations among domains, Dom-BERT constructs a heterogeneous graph and incorporates a pruning module, facilitating the modeling of relationships among domains, clients, and hosting servers. Building upon this graph, we employ techniques such as random walks with restart and a domain association prediction downstream task to compute similarity scores for domains. These scores are then used to fine-tune the pre-trained BERT model. The performance of Dom-BERT is evaluated using our passive DNS logs. The results notably illustrate that Dom-BERT surpasses the state-of-the-art solutions, achieving higher F1 scores and demonstrating resilience to class imbalance.
- On the Dark Side of the Coin: Characterizing Bitcoin Use for Illicit Activities
  Authors: Hampus Rosenquist (Linköping University), David Hasselquist (Linköping University), Martin Arlitt (University of Calgary), Niklas Carlsson (Linköping University)
  Abstract: Bitcoin's decentralized nature enables reasonably anonymous exchange of money outside of the authorities' control. This has led to Bitcoin being popular for various illegal activities, including scams, ransomware attacks, money laundering, black markets, etc. In this paper, we characterize this landscape, providing insights into similarities and differences in the use of Bitcoin for such activities. Our analysis and the derived insights contribute to the understanding of Bitcoin transactions associated with illegal activities through three main aspects. First, our study offers a comprehensive characterization of money flows to and from Bitcoin addresses linked to different abuse categories, revealing variations in flow patterns and success rates. Second, our temporal analysis captures long-term trends and weekly patterns across categories. Finally, our analysis of outflow from reported addresses uncovers differences in graph properties and flow patterns among illicit addresses and between abuse categories. These findings provide valuable insights into the distribution, temporal dynamics, and interconnections within various categories of Bitcoin transactions related to illicit activities. The increased understanding of the diverse landscape of Bitcoin transactions related to illegal activities and the insights gained from this study offer important empirical guidance for informed decision-making and policy development in the ongoing effort to address the challenges presented by illicit activities within the cryptocurrency space.
- 13:55 - 14:05 - Break
- 14:05 - 15:00 - Traffic - Session Chair: Robin Marx
- Promises and Potential of BBRv3 (Best Paper Award)
  Authors: Danesh Zeynali (Max Planck Institute for Informatics), Emilia Weyulu (Max Planck Institute for Informatics), Seifeddine Fathalli (Max Planck Institute for Informatics), Balakrishnan Chandrasekaran (VU University Amsterdam), Anja Feldmann (Max Planck Institute for Informatics)
  Abstract: The Bottleneck-Bandwidth and Round-trip (BBR) congestion control algorithm was introduced by Google in 2016. Unlike prior congestion-control algorithms (CCAs), BBR does not rely on signals that are weakly correlated with congestion (e.g., packet loss and transient queue delay). Instead, it characterizes a path using two parameters, bottleneck bandwidth and round-trip propagation time, and is designed to converge with a high probability to Leonard Kleinrock's optimal operating point. Essentially, in stable state, BBR maximizes throughput while minimizing delay and loss. Google has used BBR for a significant fraction of its network traffic both within its datacenters and on its WAN since 2016. Unsurprisingly, BBR's interaction dynamics with Cubic, the widely used CCA in the Internet, has received intense scrutiny: some studies observed BBR to be unfair to Cubic, or generally loss-based CCAs. Google, to its credit, has diligently revised BBR's design to address the criticisms. This paper focuses on characterizing the promises and potential of the third, and most recent, revision of BBR, introduced to the public in July 2023. We empirically evaluate BBRv3's performance across a range of network scenarios, e.g., considering different buffer sizes, round-trip times, packet losses, and flow-size distributions. Our evaluations highlight whether BBRv3 holds its promises, and, if not, where there is potential for further improvement. We show, for instance, that despite the improvements and optimizations introduced in BBRv3, it struggles to achieve an equitable sharing of bandwidth when competing with Cubic, the widely used CCA in the Internet, in a wide range of network conditions.
- QUIC Hunter: Finding QUIC Deployments and Identifying Server Libraries Across the Internet
  Authors: Johannes Zirngibl (Technical University of Munich), Florian Gebauer (Technical University of Munich), Patrick Sattler (Technical University of Munich), Markus Sosnowski (Technical University of Munich), Georg Carle (Technical University of Munich)
  Abstract: The diversity of QUIC implementations poses challenges for Internet measurements and the analysis of the QUIC ecosystem. While all implementations follow the same specification and there is general interoperability, differences in performance, functionality, but also security (e.g., due to bugs) can be expected. Therefore, knowledge about the implementation of an endpoint on the Internet can help researchers, operators and users to better analyze connections, performance and security. In this work, we improved the detection rate of QUIC scans to find more deployments and provide an approach to effectively identify QUIC server libraries based on CONNECTION_CLOSE frames and transport parameter orders. We performed Internet-wide scans and identified at least one deployment for 18 QUIC libraries. In total, we can identify the libraries with 8.8 M IPv4 and 2.5 M IPv6 addresses. Our approach provides a comprehensive view of the landscape of competing QUIC libraries.
- Data Augmentation for Traffic Classification
  Authors: Chao Wang (Eurecom and Huawei Technologies France SASU), Alessandro Finamore (Huawei Technologies France SASU), Pietro Michiardi (Eurecom), Massimo Gallo (Huawei Technologies France SASU), Dario Rossi (Huawei Technologies France SASU)
  Abstract: Data Augmentation (DA), enriching training data by adding synthetic samples, is a technique widely adopted in Computer Vision (CV) and Natural Language Processing (NLP) tasks to improve model performance. Yet, DA has struggled to gain traction in networking contexts, particularly in Traffic Classification (TC) tasks. In this work, we fill this gap by benchmarking 18 augmentation functions applied to 3 TC datasets using packet time series as input representation and considering a variety of training conditions. Our results show that (i) DA can reap benefits previously unexplored, (ii) augmentations acting on time series sequence order and masking are better suited for TC than amplitude augmentations, and (iii) basic models' latent space analysis can help in understanding the positive/negative effects of augmentations on classification performance.
- 15:00 - 15:30 - Break
- 15:30 - 16:30 - Routing - Session Chair: Shuai Hao
- WHOIS Right? An Analysis of WHOIS and RDAP Consistency (Community Contribution Award)
  Authors: Simon Fernandez (Univ. Grenoble Alpes, Grenoble INP, LIG), Olivier Hureau (Univ. Grenoble Alpes, Grenoble INP, LIG), Andrzej Duda (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG), Maciej Korczynski (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG)
  Abstract: Public registration information on domain names, such as the accredited registrar, the domain name expiration date, or the abuse contact is crucial for many security tasks, from automated abuse notifications to botnet or phishing detection and classification systems. Various domain registration data is usually accessible through the WHOIS or RDAP protocols; a priori they provide the same data but use distinct formats and communication protocols. While WHOIS aims to provide human-readable data, RDAP uses a machine-readable format. Therefore, deciding which protocol to use is generally considered a straightforward technical choice, depending on the use case and the required automation and security level. In this paper, we examine the core assumption that WHOIS and RDAP offer the same data and that users can query them interchangeably. By collecting, processing, and comparing 164 million entries for a sample of 55 million domain names, we reveal that while the data obtained through WHOIS and RDAP is generally consistent, 7.6% of the observed domains still present inconsistent data on critical fields like nameservers, IANA ID, or creation date. Such inconsistency should be carefully considered by the security actors that rely on the accuracy of these fields.
- Insights into SAV Implementations in the Internet
  Authors: Haya Shulman (Goethe-University Frankfurt, ATHENE), Shujie Zhao (Fraunhofer SIT, ATHENE)
  Abstract: Source Address Validation (SAV) is designed to block packets with spoofed IP addresses. Obtaining insights into the deployment and implementation of SAV is essential for understanding the potential impact of attacks that exploit spoofed IP addresses and also poses an interesting research question. No current approaches for identifying networks deploying SAV enable inferring information on the specific SAV techniques employed by the network operators. To address this gap, we present the first study of the SAV implementation techniques: Access Control Lists (ACLs) and unicast Reverse Path Forwarding (uRPF). While uRPF is more effective than ACLs, our large-scale Internet measurement reveals that network operators underutilize uRPF, possibly due to concerns for accidental traffic loss and the complexity of implementations. Our study highlights the need for addressing these concerns to incentivize uRPF adoption and achieve broader network security benefits.
- A Tale of Two Synergies: Uncovering RPKI Practices for RTBH at IXPs
  Authors: Ioana Livadariu (Simula Metropolitan), Romain Fontugne (IIJ Research Laboratory), Amreesh Phokeer (Internet Society), Massimo Candela (NTT), Massimiliano Stucchi (AS58280)
  Abstract: Denial of Service (DoS) attacks and route hijacking have become the most predominant network attacks. To address these threats, network operators currently rely on mitigation services like Remotely Triggered Black Hole (RTBH) and Resource Public Key Infrastructure (RPKI). In this paper, we seek to understand how operators leverage both of these mechanisms. Using data collected at multiple IXPs we infer network operators that use RTBH services. We collect RPKI data for the same set of organizations and determine which of those rely on both RTBH and RPKI. One-third of the selected operators do not use any of these services, while most of the ASes that trigger blackholes also deploy RPKI. Some of these operators employ poor RPKI practices that make their prefixes vulnerable to attacks. However, most operators rely on an RTBH-agnostic approach, indicating the need to devise an approach that effectively combines these two mechanisms.
- Anycast Polarization in the Wild
  Authors: ASM Rizvi (University of Southern California / Information Sciences Institute / Akamai Technologies), Tingshan Huang (Akamai Technologies), Rasit Esrefoglu (Akamai Technologies), John Heidemann (University of Southern California / Information Sciences Institute)
  Abstract: IP anycast is a commonly used method to associate users with services provided across multiple sites, and if properly used, it can provide efficient access with low latency. However, prior work has shown that polarization can occur in global anycast services, where some users of that service are routed to an anycast site on another continent, adding 100 ms or more latency compared to a nearby site. This paper describes the causes of polarization in real-world anycast and shows how to observe polarization in third-party anycast services. We use these methods to look for polarization and its causes in 7986 known anycast services. We find that polarization occurs in more than a quarter of services, and identify incomplete connectivity to Tier-1 transit providers and route leakage by regional ISPs as common problems. Finally, working with a commercial CDN, we show how small routing changes can often address polarization, improving latency for 40% of clients, by up to 54%.
Wednesday, 13 March, 2024 (all times are UTC)
- 13:00 - 13:40 - Gaming - Session Chair: Kyle Schomp
- Inside the Engine Room: Investigating Steam's Content Delivery Platform Infrastructure in the Era of 100GB Games
  Authors: Christoff Visser (IIJ Research Laboratory), Romain Fontugne (IIJ Research Laboratory)
  Abstract: As the size of video games continues to get bigger, new games and updates are becoming more visible in network operations. This research, coinciding with the 20th anniversary of the Steam store, provides an insightful exploration of a large-scale video game distribution platform. We place the operations of Steam under the lens and break down the details of its content delivery infrastructure. As part of this, we undertake a deep analysis of its data centres and cache locations. Recognising the trends in game development, this investigation acknowledges the dawn of the 100GB game era and the increasing pressure on distribution systems as a result. Our research showcases the significant impact of major video game releases and provides an extensive investigation into the capacity of Steam cache servers, illuminating the strategies deployed when demand overshadows capacity. Players downloaded a monumental 44.7 exabytes from Steam in 2022 alone. With no signs of slowing down in 2023, Steam served an average of 15 Tbps of traffic between February and October, with peaks up to 146 Tbps. This study lays bare the intricacies and operational challenges inherent to the digital game distribution landscape.
- Network Anatomy and Real-Time Measurement of Nvidia GeForce NOW Cloud Gaming
  Authors: Minzhao Lyu (University of New South Wales), Sharat Chandra Madanapalli (Canopus Networks), Arun Vishwanath (Canopus Networks), Vijay Sivaraman (University of New South Wales)
  Abstract: Cloud gaming, wherein game graphics are rendered in the cloud and streamed back to the user as real-time video, expands the gaming market to billions of users who do not have gaming consoles or high-power graphics PCs. Companies like Nvidia, Amazon, Sony and Microsoft are investing in building cloud gaming platforms to tap this large unserved market. However, cloud gaming requires the user to have high-bandwidth and stable network connectivity: whereas a typical console game needs about 100-200 kbps, a cloud game demands a minimum of 10-20 Mbps. This makes the Internet Service Provider (ISP) a key player in ensuring the end-user's good gaming experience. In this paper we develop a method for ISPs to detect Nvidia's GeForce NOW cloud gaming sessions over their network infrastructure and measure the associated user experience. In particular, we envision ISPs taking advantage of our method to provision network capacity at the right time and in the right place to support growth in cloud gaming at the right experience level, as well as to identify the role of contextual factors such as user setup (browser vs app) and connectivity type (wired vs wireless) in performance degradation. We first present a detailed anatomy of flow establishment and volumetric profiles of cloud gaming sessions over multiple platforms, followed by a method to detect gameplay and measure key experience aspects such as latency, frame rate and resolution via real-time analysis of network traffic. The insights and methods are also validated in the lab for the Xbox Cloud Gaming platform. We then implement and deploy our method in a campus network to capture gameplay behaviors and experience measures across various user setups and connectivity types, which we believe are valuable for network operators.
- 13:40 - 14:30 - Breaking new ground - Session Chair: George Smaragdakis
-
Exploring the Discovery Process of Fresh IPv6 Prefixes: An Analysis of Scanning Behavior in Darknet and Honeynet
Liang Zhao (Sokendai), Satoru Kobayashi (Okayama University), Kensuke Fukuda (NII/Sokendai)
Abstract: Internet-wide scanners can efficiently scan the expansive IPv6 network by targeting the active prefixes and responsive addresses on the hitlists. However, it is not clear enough how scanners discover fresh prefixes, which include newly assigned or deployed prefixes, as well as previously unused ones. This paper studies the whole discovery process of fresh prefixes by scanners. We implement four DNS-based address-exposing methods, analyze the arrival sequence of scans from distinct ASes, and examine the temporal and spatial scan patterns, with darknet and honeynet. Over six months, our custom-made darknet and probabilistic responsive honeynet collected 33M packets (1.8M sessions) of scans from 116 distinct ASes and 18.8K unique source IP addresses. We investigate the whole process of fresh prefix discovery, including address-exposing, initial probing, hitlist registration, and large-scale scan campaigns. Furthermore, we analyze the difference in scanning behavior by ASes, and categorize the scanners into three types, honeynet-exclusive, honeynet-predominant and balanced, based on the respective ratio of scans to darknet and honeynet. Besides, we analyze the intentions of scanners, such as network reconnaissance or scanning responsive targets, and the methods they used to obtain potential targets, such as by sending DNS queries or using a public hitlist. These findings bring insights into the process of fresh prefixes attracting scanners and highlight the vital role of a responsive honeynet in analyzing scanner behaviors.
-
Following the Data Trail: An Analysis of IXP Dependencies
Malte Tashiro (Sokendai / IIJ), Romain Fontugne (IIJ), Kensuke Fukuda (NII / Sokendai)
Abstract: Internet exchange points (IXPs) play a vital role in the modern Internet. Envisioned as a means to connect physically close networks, they have grown into large hubs connecting networks from all over the world, either directly or via remote peering. It is therefore important to understand the real footprint of an IXP to quantify the extent to which problems (e.g., outages) at an IXP can impact the surrounding Internet topology. An IXP footprint computed only from its list of members as given by PeeringDB, or the IXP’s website, usually depicts an incomplete view of the IXP, as it misses downstream networks whose traffic may transit via an IXP although they are not directly peering there. In this paper we propose a robust approach that uncovers this dependency using traceroute data from two large measurement platforms. Our approach converts traceroutes to paths that include both autonomous systems (ASes) and IXPs and computes AS Hegemony to infer their inter-dependencies. This technique discovers thousands of dependent networks not directly connected to IXPs and emphasizes the role of IXPs in the Internet topology. We also look at the geolocation of members and dependents and find that only 3% of IXPs with dependents are entirely local: all members and dependents are in the same country as the IXP. Another 52% connect international members, but only have domestic dependents.
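The abstract above describes two steps: converting traceroutes into paths of AS and IXP nodes, and computing AS Hegemony over those paths to find networks that depend on an IXP without peering there. The block below is an added example, not the paper's code. It follows the published AS Hegemony definition (for a destination d, the share of a viewpoint's paths to d that traverse node j, averaged across viewpoints after discarding the top and bottom 10%); treating each source AS as one viewpoint, the `IX:` naming scheme for IXP nodes, the `IP2AS`/`IXP_LANS` lookup tables, the 0.1 dependency threshold and all sample paths are assumptions constructed for this example.

```python
"""AS Hegemony over traceroute-derived AS/IXP paths (added example, not the paper's code)."""
import ipaddress
from collections import defaultdict

# Constructed lookup tables using documentation address and AS ranges, not real data.
IP2AS = {"192.0.2.1": "AS64496", "198.51.100.5": "AS64509", "198.51.100.9": "AS64510"}
IXP_LANS = [(ipaddress.ip_network("203.0.113.0/24"), "IX:EXAMPLE-IX")]


def to_as_path(hops, ip2as=IP2AS, ixp_lans=IXP_LANS):
    """Map traceroute hop IPs to AS or IXP nodes, skip unresolved hops, collapse repeats."""
    path = []
    for hop in hops:
        if hop == "*":                      # non-responding hop
            continue
        addr = ipaddress.ip_address(hop)
        node = next((name for lan, name in ixp_lans if addr in lan), None)  # IXP peering LAN?
        if node is None:
            node = ip2as.get(hop)           # otherwise the origin AS of the hop address
        if node is None:
            continue                        # unmapped address: drop the hop
        if not path or path[-1] != node:
            path.append(node)               # consecutive hops in one network count once
    return path


def trimmed_mean(values, alpha=0.1):
    """Mean after discarding the alpha fraction of largest and smallest values."""
    vs = sorted(values)
    k = int(len(vs) * alpha)
    core = vs[k:len(vs) - k] or vs
    return sum(core) / len(core)


def hegemony(paths, dest, alpha=0.1):
    """paths: iterable of (viewpoint, node_list); only paths ending at dest are used.
    Returns {node: H_dest(node)} for every node seen on those paths."""
    by_view = defaultdict(list)
    for view, p in paths:
        if p and p[-1] == dest:
            by_view[view].append(p)
    nodes = {n for ps in by_view.values() for p in ps for n in p}
    scores = {}
    for n in nodes:
        # per-viewpoint share of paths that traverse n, then the trimmed mean across viewpoints
        shares = [sum(n in p for p in ps) / len(ps) for ps in by_view.values()]
        scores[n] = trimmed_mean(shares, alpha)
    return scores


def dependencies(paths, dest, threshold=0.1):
    """Nodes (ASes and IXPs) dest depends on: hegemony at or above the assumed threshold."""
    return {n: h for n, h in hegemony(paths, dest).items() if n != dest and h >= threshold}


# Constructed sample: AS64510 sits behind transit AS64509, which peers at the IXP.
# Eight viewpoints reach it across the IXP, two bypass the IXP via AS64508.
DEST = "AS64510"
SAMPLE_PATHS = [(f"AS{i}", [f"AS{i}", "IX:EXAMPLE-IX", "AS64509", DEST]) for i in range(64496, 64504)]
SAMPLE_PATHS.append(("AS64496", ["AS64496", "IX:EXAMPLE-IX", "AS64509", DEST]))  # second path, same viewpoint
SAMPLE_PATHS += [(f"AS{i}", [f"AS{i}", "AS64508", "AS64509", DEST]) for i in (64504, 64505)]

if __name__ == "__main__":
    print(to_as_path(["192.0.2.1", "203.0.113.7", "*", "198.51.100.5", "198.51.100.9"]))
    for node, h in sorted(dependencies(SAMPLE_PATHS, DEST).items(), key=lambda kv: -kv[1]):
        print(f"{DEST} depends on {node}: hegemony {h:.3f}")
```

With the sample paths, AS64510 never appears on the IXP's member list, yet the IXP scores 0.875 and AS64509 scores 1.0, which is exactly the kind of indirect dependent the abstract describes; each source AS scores 0.0 because the trimmed mean discards the one viewpoint (its own) from which it is on every path.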
-
From Power to Water: Dissecting SCADA Networks Across Different Critical Infrastructures
Neil Ortiz (University of California Santa Cruz), Martin Rosso (Eindhoven University of Technology), Emmanuele Zambon-Mazzocato (Eindhoven University of Technology), Jerry den Hartog (Eindhoven University of Technology), Alvaro Cardenas (University of California Santa Cruz)
Abstract: In recent years, there has been an increasing need to understand the SCADA networks that oversee our essential infrastructures, networks that encompass sectors from power to water. While previous studies have focused on some isolated network characteristics in a single sector, few have taken a comparative approach across multiple critical infrastructures. In this paper, we dissect the SCADA networks of three essential services: power grids, gas distribution, and water treatment systems, using real-world data. Our analysis reveals some distinct and shared behaviors of these networks, shedding light on their operation and network configuration. It also uncovers considerable variations: a non-standard configuration and periodic traffic patterns in the gas distribution network, a high packet transmission rate in the water treatment network, and a wide variety of message types in the power grid. Through these observations, our study helps to develop a more realistic conception of these networks by dispelling previous misconceptions and establishing the fact that even within the realm of 'essential services,' SCADA networks manifest substantial diversity. Our findings challenge some of the previous perceptions of SCADA networks and emphasize the need for specialized approaches tailored to each critical infrastructure. With this research, we pave the way for better network characterization for cybersecurity measures and more robust designs in intrusion detection systems. To the best of our knowledge, our study is the first to tackle the analysis of SCADA networks at this level across multiple industrial networks of essential services.
- 14:30 - 15:00 - Break
- 15:00 - 16:00 - Understanding Networks - Session Chair: Rob Beverly
-
A First Look At NAT64 Deployment In-The-Wild
Amanda Hsu (Georgia Institute of Technology), Frank Li (Georgia Institute of Technology), Paul Pearce (Georgia Institute of Technology), Oliver Gasser (Max Planck Institute for Informatics)
Abstract: IPv6 is a fundamentally different Internet Protocol than IPv4, and IPv6-only networks cannot, by default, communicate with the IPv4 Internet. This lack of interoperability necessitates complex mechanisms for incremental deployment and bridging networks so that non-dual-stack systems can interact with the whole Internet. NAT64 is one such bridging mechanism by which a network allows IPv6-only clients to connect to the entire Internet, leveraging DNS to identify IPv4-only networks, inject IPv6 response addresses pointing to an internal gateway, and seamlessly translate connections. To date, our understanding of NAT64 deployments is limited; what little information exists is largely qualitative, taken from mailing lists and informal discussions. In this work, we present a first look at the active measurement of NAT64 deployment on the Internet focused on deployment prevalence, configuration, and security. We seek to measure NAT64 via two distinct large-scale measurements: 1) open resolvers on the Internet, and 2) client measurements from RIPE Atlas. For both datasets, we broadly find that despite substantial anecdotal reports of NAT64 deployment, measurable deployments are exceedingly sparse. While our measurements do not preclude the large-scale deployment of NAT64, they do point to substantial challenges in measuring deployments with our existing best-known methods. Finally, we also identify problems in NAT64 deployments, with gateways not following the RFC specification and also posing potential security risks.
-
Ebb and Flow: Implications of ISP Address Dynamics
Guillermo Baltra (University of Southern California), Xiao Song (University of Southern California), John Heidemann (University of Southern California / ISI)
Abstract: Address dynamics are changes in IP address occupation as users come and go, or as ISPs renumber them for privacy or for routing maintenance. Address dynamics affect address reputation services, IP geolocation, network measurement, and outage detection, with implications for Internet governance, e-commerce, and science. While prior work has identified diurnal trends in address use, we show the effectiveness of LOESS decomposition to identify both daily and weekly trends. We use ISP-wide dynamics to develop IAS, a new algorithm that is the first to automatically detect ISP maintenance events that move users in the address space. We show that 20% of such events result in /24 IPv4 address blocks that become unused for days or more, and we correct nearly 50k false outages per quarter. Our analysis provides a new understanding about ISP address use: while only about 2.8% of ASes (1,730) are diurnal, some diurnal ASes show more than 20% changes each day. It also shows greater fragmentation in IPv4 address use compared to IPv6.
-
Swamp of Reflectors: Investigating the Ecosystem of Open DNS Resolvers
Ramin Yazdani (University of Twente), Mattijs Jonker (University of Twente), Anna Sperotto (University of Twente)
Abstract: DNS reflection-based DDoS attacks rely on open DNS resolvers to reflect and amplify attack traffic towards victims. While the majority of these resolvers are considered to be open because of misconfiguration, there remains a lot to be learned about the open resolver ecosystem. In this paper, we investigate and characterize open DNS resolvers from multiple angles. First, we look at indicators that likely suggest an intention behind the existence of open resolvers. To this end, we cross-reference open resolver IP addresses with reverse DNS measurement data and show that a relatively small group of open resolvers unmistakably indicates their service in hostnames (i.e., PTR records). Second, we investigate the extent to which the anycast technique is used among open resolvers and show that this is mainly driven by hypergiants. Additionally, we take a look at the exposure of authoritative nameservers as open recursive resolvers and show that a non-negligible number of authoritative nameservers also serve as open recursors. Finally, we look at the persistence of open resolvers over time. We study open resolvers longitudinally over a three-year period and show that 1% of open resolvers persistently appear in more than 95% of the measurement snapshots.
-
You can Find me Here: A Study of the Early Adoption of Geofeeds
Rahel A. Fainchtein (Georgetown University, Johns Hopkins University Applied Physics Laboratory), Micah Sherr (Georgetown University)
Abstract: IP-geolocation is a popular mechanism for determining the physical locations of Internet-connected devices. However, despite its widespread use, IP-geolocation is known to be inaccurate, especially for devices in less industrialized nations. In 2020, geofeeds were standardized by the IETF, providing a mechanism for owners of IP addresses (e.g., autonomous systems) to self-report the physical locations of IP blocks under their control. Assuming IP address owners accurately report these locations, geofeeds conceptually have the potential to enable “groundtruth” location data. This short paper takes a first look at the roll-out of geofeeds. We examine the adoption, or opt-in rates, of geofeeds by autonomous systems, and infer the use of geofeed data by two major IP geolocation providers. Over the course of our 14-month data collection efforts (August 2022–October 2023), the number of IP addresses covered by geofeeds has increased tenfold; however, the adoption rate is still low: less than 1% of the IPv4 address space is covered by geofeeds. We find that the rollout is also uneven, with more industrialized nations opting into geofeeds at rates higher than those of less industrialized ones. Moreover, our comparison of geofeed data to locations reported by commercial IP-geolocation services suggests that these commercial services are beginning to incorporate geofeed data into their resolutions. We discuss the implications of our findings, including the potential that uneven adoption rates may further disenfranchise Internet users in less industrialized nations.
- 16:00 - 16:05 - Closing - Session Chair: Philipp Richter, Vaibhav Bajpai and Esteban Carisimo