Final Exam
What spurred the development of Software Defined Networking (SDN)?
> SDN arose to make CN more programmable > Networks are complex to manage due to diversity of equipment on the network > Made CN highly complex, slow to innovate, and drove up costs of running a network SDN divides network into 2 planes (separation of tasks): 1. Control plane 2. Data plane
SDN layer perspective: Network OS
> SDN eases network management and solves networking problems by using a logically centralized controller - the network (NOS) > Provides abstractions, essential services and common APIs to developers > Such systems propel more innovation by reducing inherent complexity of creating new network protocols and applications
what are 3 classes of features used to determine the likelihood of a security breach within an organization?
1. Mismanagement symptoms 2. Malicious Activities 3. Security Incident Reports
describe the 3 perspectives of the SDN landscape
1. A plane oriented view > management plane, control plane, data plane 2. The SDN layers > network apps, PL, language-based virtualization, northbound interface, network OS, network hypervisor, southbound interface, and network infrastructure 3. A system design > network apps, network OS and network hypervisors, and hardware
how are the metrics for cluster selection obtained?
1. Active measurements: > the LDNS could probe multiple clusters, such as by sending a ping request to multiple clusters for monitoring the RTT and then use the "closest" server 2. Passive measurements: > Another strategy could be that the CDN's name server system uses passive measurements to keep track of the network conditions
What are the 3 phases in the history of SDN?
1. Active networks 2. Control and data plane separation 3. OpenFlow API and network operating systems
what are the applications of SDX in the domain of wide-area traffic delivery?
1. Application specific peering: configures custom rules for flows matching a certain criteria at the SDX 2. Inbound traffic engineering: enables an AS to control how traffic enters its network 3. Wide-area server load balancing: SDX supports modification of packet headers, therefore destination IP addresses of packets can be modified at exchange points to the desired backend server based on the request load 4. Redirection through middle boxes: SDN identifies and redirects desired traffic through a sequence of middleboxes to avoid unnecessary traffic
what is the structure of the DNS hierarchy? why does DNS use a hierarchical scheme?
1. Client requests IP for amazon.com 2. Client first contacts root server, which returns IP of a top level domain server 3. Then, client contacts top level domain server to receive a referral to the authoritative server for amazon.com 4. Finally, client will make a query to that authoritative server to receive the domain-to-IP mapping and to finally reach amazon.com DNS uses hierarchical scheme to solve the scalability problem
what are the 3 layers of SDN controllers?
1. Communication layer: communicating between the controller and network elements (routers, switches, etc.) 2. Network-wide state-management layer: stores info of network-state (state of hosts, switches, routers, etc.) 3. Interface to the network-control application layer: communicates between controller and applications
What are the properties of secure communication?
1. Confidentiality: ensure that message from sender to receiver is only available to the 2 parties 2. Integrity: ensure message is not modified in transit 3. Authentication: ensure the 2 parties are who they say they are 4. Availability: ensure that multiple aspects of communication channel are functioning appropriately
what are the 2 main operations of P4 forwarding model?
1. Configure: set of operations used to program the parser. They specify the header fields to be processed 2. Populate: decides the policies to be applied to the packets
what are the 3 steps involved in DNS injection?
1. DNS probe is sent to the open DNS resolvers. 2. The probe is checked against the blocklist of domains and keywords. 3. For domain level blocking, a fake DNS A record response is sent back. There are two levels of blocking domains: the first one is by directly blocking the domain, and the second one is by blocking it based on keywords present in the domain
what steps does a simple rate-based adaptation algorithm perform?
1. Estimation: estimating the future bandwidth. This is done by considering the throughput of the last few downloaded chunks 2. Quantization: the continuous throughput is mapped to discrete bitrate. Basically, we select the maximum bitrate that is less than the estimate of the throughput, including a factor in this selection.
what are 3 information sources provided by the OpenFlow protocol?
1. Event-based messages sent by forwarding devices to controller given a link/port change 2. Flow statistics generated by forwarding devices and collected by controller 3. Packet messages are sent by forwarding devices to controller when they do not know what to do with a new incoming flow
compare the 3 major methods for dealing with packet loss in VoIP protocols
1. FEC (Forward Error Concealment): > works by transmitting redundant data alongside the main transmission, which allows the receiver to replace lost data with the redundant data. > This redundant data could be a copy of the original data, by breaking the audio into chunks and cleverly using exclusive OR (XOR) with n previous chunks. This redundant data could also be a lower-quality audio stream transmitted alongside the original stream - similar to how a spare tire in a car may be of lower quality than the normal tires, but enough to get by in the case of a flat tire. > tradeoff: the more redundant data transmitted, the more bandwidth is consumed. 2. Interleaving: > does not transmit ANY redundant data, so it doesn't add extra bandwidth requirements > works by mixing chunks of audio together so that if one set of chunks is lost, the lost chunks aren't consecutive. The idea is that many smaller audio gaps are preferable to one large audio gap > tradeoff: the receiving side has to wait longer to receive consecutive chunks of audio, and that increases latency 3. Error Concealment: > "guessing" what the lost audio packet might be > with really small audio snippets, there's some similarity between one audio snippet and the next audio snippet > computationally cheap, and works pretty well in a lot of cases
what are the 4 defining features of an SDN architecture?
1. Flow-based forwarding 2. Separation of data plane/control plane 3. Network control functions 4. A programmable network
what are the causes/motivations behind BGP attacks?
1. Human Error: accidental routing misconfiguration due to manual errors 2. Targeted Attack: hijacking AS intercepts network traffic while operating in stealth mode to remain under the radar on the control plane 3. High Impact Attack: attacker is obvious in their intent to cause widespread disruption of services
WHY separate the control plane from the data plane?
1. Independent evolution and development > routers only focus on forwarding > improvement in routing algorithms can take place without affecting any existing routers > by limiting the interplay between these 2 functions, we can develop them more easily 2. Control from high-level software program > in SDN, we use software to compute the forwarding tables. > therefore, we can easily use higher-order programs to control the routers' behavior > the decoupling of functions makes debugging and checking the behavior of the network easier
what are the services offered by DNS, apart from hostname resolution?
1. Mail server/Host aliasing: > Email servers have to have simple and mnemonic names. Eg @hotmail.com. > However, the canonical hostname can be difficult to remember eg relay2.west-coast.hotmail.com. > DNS is used to get the canonical hostname (and IP address) for an alias hostname. > Also, a host can have one or more names. If there are two hostnames then this usually is a combination of canonical and mnemonic hostnames. > DNS can be used to find the canonical hostname for a given host and also obtain an IP for that host. 2.Load distribution: > Busy websites may be replicated over multiple servers. > When a client makes a DNS query, the DNS server responds with the entire set of addresses but rotates the address ordering with each reply. > This helps in distributing the traffic across servers.
what are the 2 main steps in CDN server selection
1. Mapping the client to a cluster 2. Server selected from the cluster
what are the different signals that can serve as an input to a bitrate adaptation algorithm?
1. Network Throughput: Ideally, you would want to select a bitrate that is equal or lesser than the available throughput. Bitrate adaptation using this signal are known as rate-based adaptation. 2. Video Buffer: The amount of video in the buffer can also enable to decide the video bitrate of the next chunk. For instance, if the video buffer is full, then the player can possibly afford to download high-quality chunks. Similarly, if the video buffer is low, the player can download low-quality chunks so as to quickly fill-up the buffer and avoid any re-buffering. Bitrate adaptation based on the video buffer is known as buffer-based adaptation.
List 5 DNS censorship techniques and briefly describe their working principles
1. Packet Dropping > All network traffic going to a set of specific IP addresses is discarded. 2. DNS Poisoning > When a DNS receives a query for resolving hostname to IP address- if there is no answer returned or an incorrect answer is sent to redirect/mislead the request, this scenario is called DNS Poisoning. 3A. Proxy-based content inspection > Allows for all network traffic to pass through a proxy where the traffic is examined for content, and the proxy rejects requests that serve objectionable content. 3B. Intrusion detection system (IDS) based content inspection\ > An alternative approach is to use parts of an IDS to inspect network traffic. An IDS is easier and more cost effective to implement than a proxy based system as it is more responsive than reactive in nature, in that it informs the firewall rules for future censorship. 4. Blocking with Resets > The GFW employs this technique where it sends a TCP reset (RST) to block individual connections that contain requests with objectionable content. We can see this by packet capturing of requests that are normal and requests that contain potentially flaggable keywords. 5. Immediate Reset of Connections > Censorship systems like GFW have blocking rules in addition to inspecting content, to suspend traffic coming from a source immediately, for a short period of time. After sending a request with flaggable keywords (above), we see a series of packet trace, like this: > The reset packet received by the client is from the firewall. It does not matter that the client sends out legitimate GET requests following one "questionable" request. It will continue to receive resets from the firewall for a particular duration.
what are the 6 major challenges that Internet applications face?
1. Peering point congestion 2. Inefficient routing protocols: BGP was never designed for modern demands 3. Unreliable networks 4. Inefficient communication protocols: TCP was not designed for demands of modern internet 5. Scalability 6. Application limitations and slow rate of change adoption
What are the steps involved in the global measurement process using DNS resolvers?
1. Performing global DNS queries 2. Annotating DNS responses with auxiliary information 3. Additional PTR and TLS scanning
what are the 2 automated techniques used by ARTEMIS to protect against BGP hijacking?
1. Prefix deaggregation: the affected network can either contact other networks or it can deaggregate the prefixes that were targeted by announcing more specific prefixes of a certain prefix 2. Mitigation with Multiple Origin AS (MOAS): have 3rd party organizations and service providers do BGP announcements for a given network > network traffic from across the world is attracted to 3rd party organization, which then tunnels it to the legit AS
what are the primary goals of P4?
1. Reconfigurability: the way parsing and processing of packets tacking place in the switches should be modifiable by the controller 2. Protocol independence: to enable switches to be independent of protocols, the controller defines a packet parser and a set of tables mapping matches and their actions 3. Target independence: the packet processing programs should be programmed independent of the underlying target devices
what are the main components of an SDN network and their responsibilities?
1. SDN-controlled network elements (switches/routers) > forwards network traffic based on rules computed by the SDN control plane 2. SDN controller > logically centralized entity; acts as interface between network elements and network-control applications 3. Network-control applications > programs that manage underlying network by collecting info on elements w/ help of controller
what are the main steps that a host takes to use DNS?
1. The user host runs the client side of the DNS application 2. The browser extracts the hostname www.someschool.edu (Links to an external site.) and passes it to client side of the DNS application. 3. DNS Client sends a query containing the hostname of DNS 4. DNS Client eventually receives a reply which included IP address for the hostname 5. As soon as the host receives the IP addresses, it can initiate a TCP connection to the HTTP server located at that port at that IP
provide a high-level overview of adaptive video streaming
1. The video content is first created 2. It is then compressed using an encoding algorithm 3. Typically content providers have their own data centers such as Google or use third-party Content delivery networks to replicate the content over multiple geographically distributed servers. This makes sure that the content can be delivered in a scalable manner. 4. The end-users download the video content over the Internet. 5. The downloaded video is decoded and rendered on the user's screen.
what are the applications of SDN? provide examples of each application
1. Traffic Engineering: optimizing traffic flow to minimize power consumption, judiciously use network resources, etc. > ElasticTree identifies and shuts down specific links and devices depending on traffic load 2. Mobility and Wireless: various wireless networks made easier w/ SDN > OpenRadio enables decoupling of the wireless protocols from the underlying hardware by providing an abstraction layer 3. Measurement and Monitoring: aims to add features to other networking services and improve existing features of SDNs > OpenSample and PayLess 4. Security and Dependability: enhance security by imposing policies on the entry point to the network > Monitoring the cloud infrastructures (CloudWatcher) 5. Data Center Networking: aims to offer services such as live migration of networks, troubleshooting, real-time monitoring of networks > FlowDIff is an app which detects abnormalities
what are the defenses against DDoS attacks?
1. Traffic Scrubbing Services: diverts the incoming traffic to a specialized server, where the traffic is "scrubbed" into either clean or unwanted traffic 2. ACL filters: deployed by ISPs or IXPs at their AS border routes to filter out unwanted traffic 3. BGP Flowspec: supports the deployment and propagation of fine-grained filters across AS domain borders
The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. Describe 2 phases of this system.
1. Training phase > The system learns control-plane behavior typical of both types of ASes > The system is given a list of known malicious and legitimate ASes > It then tracks the behavior of these ASes over time to track their business relationships with other ASes and their BGP updates/withdrawals patterns > ASwatch then computes statistical features of each AS > The system then uses supervised learning to capture the known behaviors and patterns with a trained model. 2. Operational phase > Given an unknown AS, it calculates the features for this AS > It uses the model to then assign a reputation score to the AS. > If the system assigns the AS a low reputation score for several days in a row (indicating consistent suspicious behavior), it flags it as malicious.
what are the strategies for server selection? what are the limitations of these strategies?
1. Use least-loaded server > another server could already have the requested content, but not selected b/c the client was loaded to a less-loaded server. thus, a client unnecessarily had to see higher delay 2. map requests based on content > cluster environment is quite dynamic and is characterized by frequent machine failures and load changes
what are the functions that signaling protocols are responsible for?
1. User location - the caller locating where the callee is 2. Session establishment - handling the callee accepting, rejecting, or redirecting a call 3. Session negotiation - the endpoints synchronizing with each other on a set of properties for the session 4. Call participation management - handling endpoints joining or leaving an existing session.
what is the drawback to using the traditional approach of having a single, publicly accessible web server?
1. With the modern Internet, users are located all over the globe. No matter where a single, massive data center is placed, there's potentially vast geographic distance between the users and the data center. 2. what happens when a video goes viral? Think of popular movie trailers, or important breaking news clips. Popular videos result not only in a spike in demand, but many, many requests for the exact same video clip, and thus, the exact same data. It's wasteful for a single massive data center to repeatedly be sending the exact same data over the same communication link over and over again 3. single point of failure. If there is a natural disaster or a massive power outage in the area, the entire data center could be taken temporarily or permanently offline. Likewise, if the data center's links to the Internet are disrupted, it will not be able to distribute video content.
what are 3 QoS VoIP metrics?
1. end-to-end delay 2. jitter 3. packet loss
what are the 3 major categories of VoIP encoding schemes?
1. narrowband 2. broadband 3. multimode (which can operate on either) For VoIP, the important thing is that we want to still be able to understand the speech and the words that are being said, while at the same time still using as little bandwidth as possible.
what are 2 findings from ARTEMIS?
1. outsource the task of BGP announcement to 3rd parties 2. Filtering is less optimal when compared against BGP announcements
what are the major shifts that have impacted the evolution of the Internet ecosystem?
1. the Internet wasn't designed for large scale content delivery, but that's what it has evolved into. There is an increased demand for online content, especially videos. 2. "topological flattening" - the traditional topology (hierarchical) has transitioned to more flat
what kind of delays are included in "end-to-end delay"?
1. the time it takes to encode the audio 2. the time it takes to put it in packets 3. all the normal sources of network delay that network traffic encounters such as queueing delays 4. "playback delay," which comes from the receiver's playback buffer 5. decoding delay, which is the time it takes to reconstruct the signal > VoIP apps typically have a "delay threshold", which discards packets with a delay greater than the threshold
what are the goals of bitrate adaptation?
> A bitrate adaptation algorithm essentially tries to optimize the user's viewing quality of experience. > A good quality of experience (QoE) is usually characterized by the following: 1. Low or zero re-buffering: users typically tend to close the video session if the video stalls a lot 2. High video quality: Better the video quality, better the user QoE. A higher video quality is usually characterized by high bitrate video chunk. 3. Low video quality variations: A lot of video quality variations are also known to reduce the user QoE. 4. Low startup latency: Startup latency is the time it takes to start playing the video since the user first requested to play the video
explain the distributed system that uses a 2-layer system. What are the challenges of this system?
> A coarse-grained global layer operates at larger time scales (timescale of a few tens of seconds (or minutes)). > This layer has a global view of client quality measurements. > It builds a data-driven prediction model of video quality. > A fine-grained per-client decision layer that operates at the millisecond timescale. It makes actual decisions upon a client request. > This is based on the latest (but possibly stale) pre-computed global model and up-to-date per-client state.
explain provider-based blackholing
> A network that offers blackholing service is known as a blackholing provider. > Network or customer providers act as blackholing providers at the network edge. > ISPs or IXPs act as blackholing providers at the Internet core. > If the blackholing provider is a peer or an upstream provider, the AS must announce its associated blackhole community along with the blackhole prefix.
how is it possible to achieve connectivity disruption using the routing disruption approach?
> A routing mechanism decides which part of the network can be reachable. > Routers use BGP to communicate updates to other routers in the network. > The routers share which destinations it can reach and continuously update its forwarding tables to select the best path for an incoming packet. > If this communication is disrupted or disabled on critical routers, it could result in unreachability of the large parts of a network. > Using this approach can be easily detectable, as previously advertised prefixes must be withdrawn or re-advertising them with different properties and therefore modifying the global routing state of the network, which is the control plane.
SDN layer perspective: Southbound interfaces
> Responsible for communication between SDN controller and the controlled devices > Sit between control and data plane, so play a crucial role in separating plane functionality
describe the SDX architecture
> AS 'A' has a virtual switch connecting to the virtual switches of ASes 'B' and 'C' > each AS can define forwarding policies as if its the only participant at the SDX, w/o influencing how other participants forward packets > each AS can have its own SDN applications for dropping/modifying/forwarding traffic. > policies can also be different based on direction of traffic > an inbound policy is applied on traffic coming from other SDX participants on virtual switch > an outbound policy is applied to traffic from participants virtual switch port towards other participants > the SDX is responsible to combine the policies from multiple participants into a single one for the physical switch
SDN layer perspective: Network programming languages
> Achieved using low-level or high-level programming languages. > Using low-level languages, it is difficult to write modular code, reuse it and it generally leads to more error-prone development. > HL programming languages in SDNs provide abstractions, make development more modular, code more reusable in the control plane, do away with device specific and low-level configurations, and generally allow faster development
how does the encoding of analog audio work?
> Analog audio is represented as a continuous wave > audio is encoded by taking many samples per second, then rounding each sample's value to a discrete number within a particular range
explain IXP blackholing
> At IXPs, if the AS is a member of an IXP infrastructure and it is under attack, it sends the blackholing messages to the IXP route server when a member connects to the route server. > The route server then announces the message to all the connected IXP member ASes, which then drops the traffic towards the blackholed prefix. > The null interface to which the traffic should be sent is specified by the IXP. > The blackholing message sent to the IXP should contain the IXP blackhole community.
How does DNS-based content delivery work?
> CDNs distribute the load among multiple servers at a single location, but also distributes servers across the world > when accessing the name of the service using DNS, the CDN computes the 'nearest edge server' and returns its IP to the DNS client > it uses sophisticated techniques based on network topology and current link characteristics to determine the nearest server. > this results in the content being moved 'closer' to the DNS client which increases responsiveness and availability
SDN layer perspective: Infrastructure
> Consists of networking equipment (routers, switches, etc.) > this physical networking equipment are merely forwarding elements that do a simple forwarding task, and any logic to operate them is directed from the centralized control system
Our understanding of censorship around the world is relatively limited. Why? What are the challenges?
> Diverse measurements: Such understanding would need a diverse set of measurements spanning different geographic regions, ISPs, countries, and regions within a single country > Need for scale: There is a need for methods and tools that are independent of human intervention and participation. > Identifying the intent to restrict content access: Identifying DNS manipulation requires that we detect the intent to block access to content. It poses its own challenges. So we need to rely on identifying multiple indications to infer DNS manipulation > Ethics and minimizing risks: Obviously, there are risks associated with involving citizens in censorship measurement studies, based on how different countries may be penalizing access to censored material. Therefore it is safer to stay away from using DNS resolvers or DNS forwarders in home networks of individual users. Instead, rely on open DNS resolvers that are hosted in Internet infrastructure, for example within Internet service providers or cloud hosting providers).
what is spoofing, and how is it related to a DDoS attack?
> IP spoofing is the act of setting a false IP address in the source field of a packet with the purpose of impersonating a legitimate server > In DDoS attacks, the source IP address is spoofed, resulting in the response of the server sent to some other client instead of the attacker's machine. > this results in wastage of network resources and the client resources while also causing denial of service to legitimate users > also, the attacker sets the same IP address in both the src/dst IP fields > this results in the server sending replies to itself, causing it to crash
SDN layer perspective: Network applications
> Implement the control plane logic and translate to commands in the data plane. > SDNs can be deployed on traditional networks, and can find itself in home area networks, data centers, IXPs etc. > Due to this, there is a wide variety of network applications such as routing, load balancing, security enforcement, end-to-end QoS enforcement, power consumption reduction, network virtualization, mobility management, etc.
SDN layer perspective: Language-based virtualization
> Important characteristic of virtualization is the ability to express modularity and allowing different levels of abstraction > For example, using virtualization we can view a single physical device in different way > Takes the complexity away from app devs without compromising on security which is inherently guaranteed.
what are the properties of GFW (Great Firewall of China)?
> Locality of GFW nodes > Centralized management > Load balancing
SDN layer perspective: Network virtualization
> Network infrastructure needs to provide support for arbitrary network topologies and addressing schemes > Existing virtualization constructs can provide full network virtualization, however they're connected by a box-by-box basis config and there is no unifying abstraction that can be leveraged to configure them globally, making network provisioning tasks as long as months/years.
how does ONOS achieve fault tolerance?
> ONOS redistributes the work of a failed instance to other remaining instances > each switch in the network connects to multiple ONOS instances w/ only one instance acting as master > upon failure of an ONOS instance, an election is held to choose a master for each of the switches that were controlled by the failed instance > for each switch, a master is selected among the remaining instances with which the switch had established connection
how is it possible to achieve connectivity disruption using the packet filtering approach?
> Packet filtering can be used to block packets matching a certain criteria disrupting the normal forwarding action. > This approach can be harder to detect and might require active probing of the forwarding path or monitoring traffic of the impacted network.
what are the characteristics of streaming live audio and video?
> Since these applications are live and broadcast-like, there are generally many simultaneous users, sometimes in very different geographic locations. > delay-sensitive, but not as much as conversational voice and video applications are - generally, a ten second delay is ok
what is a DNS resource record?
> The DNS servers store the mappings between hostnames and IP addresses as resource records (RRs). > These resource records are contained inside the DNS reply messages. > A DNS resource record has four fields: (name, value, Type, TTL). > The TTL specifies the time (in sec) a record should remain in the cache. > The name and the value depend on the type of the resource record.
explain buffer-filling rate and buffer-depletion rate calculation
> The buffer-filling rate is essentially the network bandwidth divided by the chunk bitrate. > For example, assume the available bandwidth is 10 Mbps, and the bitrate of the chunk is 1 Mbps. Then, in 1 second we can download 10s of video. Thus the buffer-filling rate is 10. > Now, the buffer-depletion rate or the output rate is simply 1. This is because 1s of video content gets played in 1s.
what are the characteristics of conversational voice and video over IP? (VoIP)
> These kinds of calls or video conferences often involve three or more participants. > highly delay-sensitive, since these calls and conferences are real-time and involve human users interacting > loss-tolerant: there are techniques that can conceal occasional glitches, and even if a word in the conversation gets garbled, human listeners are generally able to ask the other side to just repeat themselves.
what is ONOS?
> a distributed SDN control platform > several ONOS instances running in a cluster > these clusters/instances maintain a global network view > this view is built by using the topology and state info discovered by each instance > each ONOS instance serves as the master OpenFlow controller for a group of switches
what is P4?
> a language that was developed to offer programmability on the data plane > used to configure the switch programmatically and acts as a general interface between switches and the controller w/ its aim of allowing the controller to define how the switches operate
how to handle network and user device diversity?
> a single-bitrade encoded video is not optimal given diverse streaming context (the bitrate to watch on a phone will not be sufficient to watch on a large TV) > use bitrate adaptation to fix this
How does the bitrate adaptation work in DASH?
> a video in DASH is divided into chunks and each chunk is encoded into multiple bitrates > Each time the video player needs to download a video chunk, it calls the bitrate adaptation function, say f. > The function f that takes in some input and outputs the bitrate of the chunk to be downloaded: The bitrate adaptation algorithm at the client adapts the video bitrate or essentially the quality of video chunks to download based on its estimation of the network conditions.
Phase 1 of SDN: Active networks
> aim to open up network control > consisted mainly of creating a programming interface that exposed resource/network nodes and supported customization of functionalities for subsets of packets passing through the network > made 3 major contributions: 1. Programmable functions in the network to lower the barrier to innovation 2. Network virtualization, and the ability to demultiplex to software programs based on packet headers 3. The vision of a unified architecture for middlebox orchestration
explain the structure of a DDoS attack
> an attempt to compromise a server/network resources with a flood of traffic > the attacker deploys flooding servers (slaves) and then orders them to send a high volume of traffic to the victim > this results in the victim host becoming unreachable or in exhaustion of its bandwidth
what is DNS abuse?
> attackers have developed techniques abusing the DNS protocol to extend the uptimes of domains used for malicious purposes > goal: remain undetectable for longer
Phase 3 of SDN: OpenFlow API and network operating systems
> built on existing hardware and enabled more functions than earlier route controllers > each switch contains a table of packet-handling rules. each rule has a pattern, list of actions, set of counters and a priority. > when an OpenFlow switch receives a packet, it determines the highest priority matching rule, performs the associated action and increments the counter. > key effects: 1. generalized network devices and functions 2. vision of a network operating system 3. distributed state management techniques
what are the differences between centralized and distributed architectures of SDN controllers
> centralized controllers can't scale, while distributed controllers can > centralized controllers have a single POF (point of failure) while distributed do not (they have fault tolerance)
what is the purpose of SDX?
> in a traditional IXP, the participant ASes connect BGP-speaking border routers to a shared layer-2 network and a BGP route server > in SDX architecture, each AS has the illusion of its own virtual SDN switch that connects its border router to every other participant AS > each AS can define forwarding policies as if it is the only participant at the SDX, as well as having its own SDN applications for dropping/modifying/forwarding traffic
what are the mitigation techniques for delay jitter?
> maintaining a buffer, called the "jitter buffer" or the "play-out buffer." > helps to smooth out and hide the variation in delay between different received packets, by buffering them and playing them out for decoding at a steady rate. There's a tradeoff here, though. > A longer jitter buffer reduces the number of packets that are discarded because they were received too late, but that adds to the end-to-end delay. > A shorter jitter buffer will not add to the end-to-end delay as much, but that can lead to more dropped packets, which reduces the speech quality.
How does Round Robin DNS (RRDNS) work?
> mechanism used by large websites to distribute the load of incoming requests to several servers at a single physical location > Responds to a DNS request with a list of DNS A records, which it then cycles through in a round robin manner > the DNS client can then choose a record using different strategies (choose first record each time, use closest record in terms of network proximity, etc.) > each "A" record also has a TTL for this mapping which specifies the # of seconds the response is valid > if the lookup is repeated while the mapping is still active, the client will receive the same set of records
Phase 2 of SDN: Control and data plane separation
> network operators looking for better network-management functions such as control over paths to deliver traffic > identified challenge in network management depended on the way existing routers/switches tightly integrated the control/data planes > efforts to separate the 2 began > results: 1. logically centralized control using an open interface to the data plane 2. distributed state management
what metrics could be considered when using measurements to select a cluster?
> network-layer metrics such as delay, available bandwidth or both. > application-layer metrics, such as re-buffering ratio and average bitrate can be used in cluster selection > for web-browsing, application-layer performance indicators such as page load time can be used.
what was the original vision of the application-level protocol for video content delivery, and why was HTTP chosen eventually?
> original vision was to have specialized video servers that remembered the state of the clients. > These servers would control the sending rate to the client. In the case, client paused the video, it would send a signal to the server and the server would stop sending video. > Thus, all the intelligence would be stored at a centralized point and the clients, which can be quite diverse, would have to do minimal amount of work. > However, all this required content providers to buy specialized hardware. > Another option was to use the already existing HTTP protocol. > In this case, the server is essentially stateless and the intelligence to download the video will be stored at the client. > A major advantage of this is that content providers could use the already existing CDN infrastructure. > Moreover, it also made bypassing middleboxes and firewalls easier as they already understood HTTP. > Because of the above advantages, the original vision was abandoned and content providers ended up using HTTP for video delivery.
what is HTTP Redirection?
> protocol works at the HTTP-layer in the network stack. > when a client sends a GET request to a server, say A, it can redirect the client to another server, say B, by sending an HTTP response with a code 3xx and the name of the new server > this is useful if an HTTP server is getting overwhelmed w/ requests, it can redirect some requests to other less-loaded servers
which BGP limitations can be addressed by using SDN?
> routing only on destination IP prefix > networks have little control over e2e paths > SDN can perform multiple actions on the traffic by matching over various header fields
SDN layer perspective: Northbound interfaces
> separates the management plane and control plane > used by controller and network-control applications to interact w/ eachother
Network control functions (SDN)
> the SDN control plane consists of 2 components: the controller and the network applications controller: > maintains up-to-date network state info about the network devices and elements (switches, routers, links) and provides it to the network-control applications > this information is used by the applications to monitor and control the network devices
Separation of data/control plane (SDN)
> the SDN-controlled switches operate on the data plane and they only execute the rules in the flow tables > those rules are computed, installed, and managed by software that runs on separate servers
what developments lead to the popularity of consuming media content over the internet?
> the bandwidth for both the core network and last-mile access links have increased tremendously over the years > the video compression technologies have become more efficient. This enables to stream high-quality video without using a lot of bandwidth > the development of Digital Rights Management culture has encouraged content providers to put their content on the Internet.
A programmable network (SDN)
> the network-control applications act as the "brain" of the SDN control plane by managing the network
Flow-based forwarding (SDN)
> the rules for forwarding packets in the SDN-controlled switches can be computed based on any # of header field values in various layers > this differs from the traditional approach where only the destination IP address determines the forwarding of a packet
what are the characteristics of streaming stored video?
> the video starts playing within a few seconds of receiving data, instead of waiting for the entire file to download first. > interactive, which means that the user can pause, fast forward, skip ahead or move back in the video, and then see the response within a few seconds. > continuous playout, which means that it should play out the same way it was recorded without freezing up in the middle
core functions of an SDN controller?
> topology, statistics, notifications, device management, shortest path forwarding, security mechanisms
Why did the SDN lead to opportunities in various areas such as data centers, routing, enterprise networks, and research networks?
>Data centers: SDN makes management of large data centers easier > Routing: SDN provides more control over path selection > Enterprise networks: Using SDN, it is easier to protect a network from volumetric attacks such as DDOS if we drop the attack traffic at strategic locations on the network > Research networks: SDN allows research networks to coexist with production networks
why would a centralized design with a single DNS server not work?
A simple design for DNS would have been based on a centralized model where we have a single DNS server that contains all the hostnames-to-IP mappings, and clients simply direct all their queries to this single DNS server, and this server responds directly to the querying clients. Why it doesn't work: 1. Introduces a single point of failure. If that single server collapses then the entire Internet would not be able to work either! 2. it would be very difficult for a single server to handle all the volume of the querying traffic. A single DNS server would have to process a very large number of DNS queries. 3. this model is based on a centralized database which cannot be close to all querying clients. This model would cause significant delays and slow performance for the clients which are geographically distant and thus they might have to communicate over slow or congested links. 4. maintaining this centralized database would be a big problem as we would have to update a huge database with updates for every single host in the Internet.
(BGP hijacking) What is the classification by AS-Path announcement?
An illegitimate AS announces the AS-path for a prefix it does not own a. Type-0 hijacking: an AS announcing a prefix not owned by itself b. Type-N hijacking: the counterfeit AS announces an illegitimate path for a prefix that it does not own to create a fake path between different ASes c. Type-U hijacking: the hijacking AS does not modify the AS-PATH but may change the prefix
explain the scenario of hijacking a path
Attacker manipulates received updates before propagating them to neighbors. > AS1 advertises the prefix 10.10.0.0/16. > AS2 and AS3 receive and propagate legitimately the path for the prefix. > At AS4, attacker compromises update for the path by changing it to 4, 1 and propagates it to the neighbors AS3, AS2, and AS5. Therefore it claims that it has a direct link to AS1 so that others believe the new false path. > AS5 receives the false path (4,1) "believes" the new false path and it adopts it. But the rest of the ASes don't adopt the new path because they either have a shorter path already or an equally long path to AS1 for the same prefix.The attacker does not need not to announce a new prefix, but rather it manipulates an ad before propagating it.
explain the scenario of prefix hijacking
Attacker uses a router at AS4 to send false announcements and hijack the prefix 10.10.0.0/16 that belongs to AS1. > The attacker uses a router to announce the prefix 10.10.0.0/16 that belongs to AS1, with a new origin AS4, pretending that the prefix belongs to AS4. > This new announcement causes a conflict of origin for the ASes that receive it. > As a result of the new announcement, AS2, AS3 and AS5 receive the false ads and compare it with the previous entries in their RIB. > AS2 will not select the route as the best route as it has the same path length with an existing entry. > AS3 and AS5 believe the new ad, and they will update their entries (10.10.0.0/16 with path 4,2,1) to (10.10.0.0/16 with path 4). Therefore AS5 and AS3 will send all traffic for prefix 10.10.0.0/16 to AS4 instead of AS1.
What metrics does Iris use to identify DNS manipulation once data annotation is complete? Describe the metrics. Under what condition, do we declare the response as being manipulated?
Consistency Metrics > Domain access should have some consistency, in terms of network properties, infrastructure or content, even when accessed from different global vantage points. Some consistency metrics used are IP address, Autonomous System, etc Independent Verifiability Metrics > Use metrics that can be externally verified using external data sources. Some of the independent verifiability metrics used are: HTTPS certificate. Neither metric is satisfied, response = manipulated.
what is consistent hashing? how does it work?
Consistent hashing tends to balance load by assigning roughly the same number of content IDs, and requires relatively little movement of these content IDs when nodes join and leave the system. main idea: servers and the content objects are mapped to the same ID space
Compare the "enter deep" and "bring home" approach of CDN server placement.
Enter Deep: > CDNs place many smaller server clusters "deep" into the access networks around the world. > the goal is to make the distance between a user and the closest server cluster as small as possible, which reduces the delay and increases the available throughput for each user. > Downside: it is much more difficult to manage and maintain so many clusters. Bring Home: > CDNs place fewer larger server clusters at key points (typically in IXPs, not in access networks), "bringing the ISPs home." > There's not as many server clusters to manage or maintain, so those tasks are easier > Downside: the users will experience higher delay and lower throughput
what is the role of DNS in the way CDN operates?
Example using movie website 1. User visits examplemovies.com, navigates to web page with Star Wars 2. User clicks link, user's host sends a DNS query for the domain "video.examplemovies.com" 3. DNS query goes to user's local DNS server, which issues DNS query for "video" to authoritative DNS server for examplemovies.com. DNS server sends back a hostname in ExampleCDN's domain 4. ExampleCDN returns IP address for appropriate ExampleCDN content server 5. User's local DNS returns ExampleCDN IP address to the user 6. User's client directly connects via TCP to the IP address provided by local DNS, sends HTTP GET request for video
How do Fast-Flux Service Networks work?
FFSN is based on a 'rapid' change in DNS answers, with a TTL lower than that of RRDNS and CDN
what are the main data sources used by FIRE (FInding Rogue nEtworks) to identify hosts that likely belong to rogue networks?
FIRE: a system that monitors the internet for rogue networks > Botnet command and control providers > Drive-by-download hosting providers > Phish housing providers
what are the limitations of main censorship detection systems?
Global censorship measurement tools were created by efforts to measure censorship by running experiments from diverse vantage points. > For example, CensMon used PlanetLab nodes in different countries. However, many such methods are no longer in use. One of the most common systems/approaches is the OpenNet Initiative where volunteers perform measurements on their home networks at different times since the past decade. > Relying on volunteer efforts makes continuous and diverse measurements very difficult
What kind of disruptions does Augur focus on identifying?
IP-based disruptions as opposed to DNS-based manipulations > measures reachability between 2 hosts > detects filtering
(BGP hijacking) What is the classification by data-plane traffic manipulation?
Intention of the attacker is to hijack the network traffic and to manipulate the redirected traffic on its way to the receiving AS traffic intercepted by the hijacker can be: a. Dropped, so that is never reaches destination (falls under category of blackholing [BH] attack) b. Eavesdropped or manipulated before it reaches AS (man-in-the-middle attack) c. Impersonated (imposture [IM] attack)
Which DNS censorship technique is susceptible to overblocking?
Packet dropping
How does Iris counter the issue of lack of diversity while studying DNS manipulation? What are the steps associated with the proposed process?
Iris uses open DNS resolvers located globally. In order to avoid using home routers (which are usually open due to configuration issues), this dataset is then restricted to a few thousand that are part of the Internet infrastructure. Steps: > Scanning the Internet's IPv4 space for open DNS resolvers > Identifying Infrastructure DNS Resolvers
describe the purpose of each component of ONOS (Open Networking Operating System)
ONOS aims to provide a global view of the network to the applications, scale-out performance and fault tolerance 1. Application 2. Network view 3. OF manager > view is built by using the network topology and state info (port, link/host info, etc.) discovered by each instance > to make forwarding and policy decisions, the applications consume info from the view and then update these decisions back to the view > the corresponding OpenFlow managers receive the changes the applications make to the view, and the appropriate switches are programmed
what is DNS caching?
One way to make the DNS resolution faster, is to cache the responses. > This will help in reducing the performance delay and make it more efficient. > The idea of DNS Caching is that, in both iterative and recursive queries, after a server receives the DNS reply of mapping from any host to IP address, it stores this information in the Cache memory before sending it to the client.
explain a scenario of connectivity disruption detection in the case of outbound blocking
Outbound blocking is the filtering imposed on the outgoing path from the reflector. > Here, the reflector receives the SYN-ACK packet and generates a RST packet. > As per our example, in step 3, the IP ID increments to 7. However, the RST packet does not reach the site. > When the site doesn't receive a RST packet, it continues to resend the SYN-ACK packets at regular intervals depending on the site's OS and its configuration. > This is shown in step 5 of the figure. It results in further increment of the IP ID value of the reflector. > In step 6, the probe by the measurement machine reveals the IP ID has again increased by 2, which shows that retransmission of packets has occurred. In this way, outbound blocking can be detected.
(BGP hijacking) What is the classification by affected prefix?
Primarily concerned with the IP prefixes advertised by BGP. There are different ways the prefix can be targeted: a. Exact prefix hijacking: when 2 different ASes (one legit, one counterfeit) announce a path for the same prefix b. Sub-prefix hijacking: the hijacking AS works with a sub-prefix of the genuine prefix of the real AS. This exploits the BGP characteristic to favor more SPECIFIC prefixes c. Squatting: hijacking AS announces a prefix that has not yet been announced by the owner AS
describe a Reflection and Amplification attack
Reflection attack: > Attackers use a set of reflectors to initiate an attack on the victim. A reflector is any server that sends a response to a request. > The master directs the slaves to send spoofed requests to a very large number of reflectors. The slaves set the source address of the packets to the victim's IP address, thereby redirecting the response of the reflectors to the victim. Thus, the victim receives responses from millions of reflectors resulting in exhaustion of its bandwidth. In addition, the victim's resources are wasted in processing these responses, making it unable to respond to legitimate requests. > The master commands the three slaves to send spoofed requests to the reflectors, which in turn sends traffic to the victim. > This is in contrast with the conventional DDoS attack we saw in the previous section, where the slaves directly send traffic to the victim. Victims can easily identify the reflectors from the response packets but reflectors can't identify the slave sending the spoofed requests. Amplification: > If the requests are chosen in such a way that the reflectors send large responses to the victim, it is a reflection and amplification attack. Not only would the victim receive traffic from millions of servers, the response sent would be large in size, making it further difficult for the victim to handle it.
what are the strengths and weaknesses of the "DNS poisoning" DNS censorship technique
Strength > No overblocking: Since there is an extra layer of hostname translation, access to specific hostnames can be blocked versus blanket IP address blocking. Weakness > blocks entire domain
what are the strengths and weaknesses of the "packet dropping" DNS censorship technique
Strengths > Easy to implement > Low cost Weaknesses > Maintenance of blocklist - Challenging to stay updated on list of IP addresses to block > Overblocking - If two websites share same IP address and the intention is to only block one, there's a risk of blocking both
What are the strengths and weaknesses of "content inspection" DNS censorship technique?
Strengths > Precise censorship: A very precise level of censorship can be achieved, down to the level of single web pages or even objects within the web page. > Flexible: Works well with hybrid security systems e.g. with a combination of other censorship techniques like packet dropping and DNS poisoning Weakness > Not scalable: They are expensive to implement on a large scale network as the processing overhead is large (through a proxy)
which protocol is preferred for video content delivery - UDP or TCP? Why?
TCP, as it provides reliability > An additional benefit of using TCP was that it already provides congestion control > UDP used for audio
what is IP Anycast?
The main goal of IP anycast is to route a client to the "closest" server, as determined by BGP > assigns same IP address to multiple servers on different clusters > each server uses standard BGP to advertise this IP > in the end, the shortest path is chosen of these differing paths
what are the most common types of resource records?
The most common types are four: > TYPE=A: the name is a domain name and value is the IP address of the hostname. (abc.com, 190.191.192.193, A) > TYPE=NS: the name is the domain name, and the value is the appropriate authoritative DNS server that can obtain the IP addresses for hosts in that domain. (abc.com, dns.abc.com, NS) > TYPE=CNAME: the name is the alias hostname, and the value is the canonical name, (abc.com, relay1.dnsserver.abc.com, CNAME) > TYPE=MX: the name is the alias hostname of a mail server, and the Value is the canonical name of the email server. (abc.com, mail.dnsserver.abc.com, MX)
explain a scenario of connectivity disruption detection in the case of inbound blocking
The scenario where filtering occurs on the path from the site to the reflector is termed as inbound blocking. > In this case, the SYN-ACK packet sent from the site in step 3 does not reach the reflector. > Hence, there is no response generated and the IP ID of the reflector does not increase. > The returned IP ID in step 4 will be 7 (IPID(t4)) as shown in the figure. Since the measurement machine observes the increment in IP ID value as 1, it detects filtering on the path from the site to the reflector.
explain a scenario of connectivity disruption detection in the case when no filtering occurs
The sequence of events is as follows: > The measurement machine probes the IP ID of the reflector by sending a TCP SYN-ACK packet. It receives a RST response packet with IP ID set to 6 (IPID (t1)). > Now, the measurement machine performs perturbation by sending a spoofed TCP SYN to the site. > The site sends a TCP SYN-ACK packet to the reflector and receives a RST packet as a response. > The IP ID of the reflector is now incremented to 7. > The measurement machine again probes the IP ID of the reflector and receives a response with the IP ID value set to 8 (IPID (t4)). > The measurement machine thus observes that the difference in IP IDs between steps 1 and 4 is 2 and infers that communication has occurred between the two hosts.
main purpose of southbound interfaces?
They're the separating medium between the control plane and data plane functionality SOUTHBOUND INTERFACE
what is the relationship between forwarding and routing?
Traditional approach: > routing algorithms (control plane) and forwarding function (data plane) are closely coupled > the router runs and participates in the routing algorithms > from there, it is able to construct the forwarding table which it consults for the forwarding SDN approach: > a remote controller computes/distributes the forwarding tables to be used by every router > this controller is physically separate from the router > routers are solely responsible for forwarding > the remote controllers and solely responsible for computing/distributing forwarding tables
Compare the bit rate for video, photos, and audio.
Video: > The first defining property for video is high bit rate, (between 100 kbps to over 3Mbps) depending on the quality of the video. Photo: > Much lower than video Audio: > lower bit rate than video, but glitches in audio are generally more noticeable than glitches in video. For example, in a video conference, it's generally ok if the video cuts out or freezes for a few seconds here and there, but if the audio also cuts out or gets garbled, you'd probably end up having to cancel or reschedule the conference.
Describe a pipeline of flow tables in OpenFlow
When a packet arrives, the lookup process starts in the first table and ends either with a match in one of the tables of the pipeline of with a miss (no rule found). Actions for the packet include: > forward to outgoing port > encapsulate and forward to controller > drop packet > send packet to normal processing pipeline > send to next flow table
explain BGP blackholing
a counter to DDoS attack > all traffic to a targeted DDoS destination is dropped at a null location > the premise is that the traffic is stopped closer to the source of the attack and before it reaches the targeted victim
what defines 'packet loss' in VoIP?
a packet is lost if: > it never arrives > it arrives after its scheduled playout
what are the key ideas behind ARTEMIS?
a system run locally by network operators to safeguard its own prefixes against BGP hijacking attempts 1. A configuration file: where all prefixes owned by network are listed for reference 2. A mechanism for receiving BGP updates: this allows receiving updates from local routers and monitoring services > using the local config file as reference, for the received BGP updates, ARTEMIS can check for prefixes and AS-PATH fields and trigger alerts when there are anomalies
summarize how progressive download works
allows a user to access a file's contents before the download has been completed > byte-range requests for part of the video are sent > once a portion of the video has been watched, it sends requests for more content
how does "delay jitter" occur?
between all the different buffer sizes/queueing delays/network congestion levels that a packet might experience, different voice packets can end up with different amounts of delay > with large jitter, we end up with more delayed packets that end up getting discarded, leading to a gap in the audio
how does DNS injection work?
censorship technique, where a ruleset determines when to inject DNS replies to censor network traffic
what is the function of the control and data planes?
control plane: > controls forwarding behavior of routers, such as routing protocols and network middlebox configurations data plane: > performs actual forwarding as dictated by the control plane > IP forwarding and layer 2 switching
what is virtualization?
creating a software-based version of something
what is the difference between iterative and recursive DNS queries?
iterative query process: > the querying host is referred to a different DNS server in the chain, until it can fully resolve the request recursive query process: > the querying host, and each DNS server in the chain queries the next server and delegates the query to it
what is a CDN (Content Distribution Network)?
networks of multiple, geographically distributed servers and/or data centers, with copies of content (videos, but also many other types of Web content), that direct users to a server or server cluster that can best serve the user's request.
what is the simplest approach to selecting a cluster? What are the limitations of this approach?
pick the geographically closest cluster limitation: > may not be the best cluster choice in terms of actual end-to-end network performance
what is one of the major drawbacks of BGP blackholing?
the destination under attack becomes unreachable since all the traffic (including legit traffic) is dropped
when would a distributed controller be preferred to a centralized controller?
to prevent a single point of failure and scaling issues
What is DNS censorship?
traffic filtering strategy to enforce control/censorship over Internet infrastructure to suppress material which they deem as objectionable
explain the problem of bandwidth over-estimation with rate-based adaptation
under the case when the bandwidth changes rapidly, the player takes some time to converge to the right estimate of the bandwidth this can sometimes lead to overestimation of the future bandwidth.
explain the problem of bandwidth under-estimation with rate-based adaptation
while TCP is fair, it takes time for the flows to converge to their fair share of bandwidth
