CS 6250 Test 3
What is the simplest approach to select a cluster? What are the limitations of this approach?
"As the crow flies": pick the geographically closest cluster. Limitations: it actually picks the location closest to the Local DNS server, not the user; the geographically closest server may also not give the best end-to-end performance.
What are the key ideas behind ARTEMIS?
ARTEMIS is a system run locally by a network to safeguard its own prefixes against malicious BGP hijack attacks. Key ideas: a configuration file listing the prefixes owned by the network; a mechanism for receiving BGP updates (so announcements for those prefixes can be checked against the configuration).
How are the metrics for cluster selection obtained?
Active measurements: the LDNS could probe multiple clusters. Most LDNSs cannot do this, though, and it would create a lot of extra traffic. Passive measurements: servers in the CDN track performance metrics based on current traffic conditions. This requires a real-time controller with a real-time view of all cluster-client pairs.
Explain the problem of bandwidth under-estimation with rate-based adaptation.
As the bitrate gets lower, the chunk size shrinks, so each chunk gives a lower throughput estimate; the player then picks an even lower bitrate, and the estimate keeps falling.
What are the strategies for server selection? What are the limitations of these strategies?
Assign a server randomly: might assign a server with a high workload while a lower-loaded one was available. Load-balance to the least-loaded server: not all servers hold the same content, so every server would need to fetch all content.
Describe a Reflection and Amplification attack.
The attack uses a set of servers (reflectors) that send responses to requests. The master has the slaves send spoofed requests (carrying the victim's address as source) to the reflectors, so the reflectors' responses are directed at the victim.
Explain the scenario of hijacking a path.
The attacker manipulates an advertisement and claims to have a direct path to an AS (which it doesn't). Other ASes adopt the fake path to that AS, and traffic for the AS is routed through the attacker.
Explain the scenario of prefix hijacking.
The attacker uses a router to announce a prefix belonging to another AS. The announcement causes a conflict among ASes: they compare it with their RIB, and if the announcement leads to a new best route, they believe it and update their routes. Traffic meant for the legitimate AS is then sent to the attacker.
(BGP hijacking) What is the classification by affected prefix?
Attacks on IP prefixes advertised via BGP. Includes exact-prefix hijacking, sub-prefix hijacking, and squatting.
What developments lead to the popularity of consuming media content over the Internet?
Bandwidth increase; video compression; Digital Rights Management (DRM).
How to handle network and user device diversity?
Bitrate adaptation: videos are segmented into chunks and each chunk is encoded at multiple bitrates. When requesting a chunk, the device also chooses which bitrate to request.
What are the main data sources to identify hosts that likely belong to rogue networks, used by FIRE (FInding Rogue nEtworks system)?
Botnet command-and-control providers: the 2 main types are IRC and HTTP, hosted on networks where they are unlikely to be taken down. Drive-by-download hosting providers: web pages with exploits for vulnerable browsers. Phish house providers: URLs of servers that host phishing pages, usually hosted on compromised servers and up for a short amount of time.
Explain buffer-filling rate and buffer-depletion rate calculation.
Buffer-filling rate: network bandwidth divided by the chunk bitrate. Buffer-depletion rate: the rate at which buffered video is consumed while watching; it is 1, since it takes 1 second to watch 1 second of video.
How to identify DNS manipulation via machine learning with Iris?
The model learns from servers under the researchers' control. If the global queries behave like the control ones, the response is normal; otherwise, it is potentially manipulated.
Explain the distributed system that uses a 2-layered system. What are the challenges of this system?
Coarse-grained global layer: operates at large time scales, has a global view of client quality metrics, and builds a prediction model of video quality. Fine-grained per-client layer: operates at millisecond timescale and makes decisions upon each client request. Challenges: it is hard to design a centralized system at the scale of today's networks, and the model needs data for different subnet pairs, so some clients must be routed to sub-optimal clusters just to gather it.
How is it possible to achieve connectivity disruption using routing disruption approach?
Communication is disrupted or disabled on critical routers, which can make large parts of a network unreachable (easier to detect).
What are the properties of secure communication?
Confidentiality, integrity, authentication, availability.
What metrics does Iris use to identify DNS manipulation once data annotation is complete? Describe the metrics. Under what condition, do we declare the response as being manipulated?
Consistency metrics: accesses to a domain should be consistent in network properties, infrastructure, or content. Independent verifiability metrics: e.g. a valid HTTPS certificate. If neither type of metric is satisfied, the response is deemed manipulated.
What is the difference between constant bitrate encoding and variable bitrate encoding (CBR vs VBR)?
Constant Bitrate Encoding: the output size of the video is fixed over time. Variable Bitrate Encoding: the output size is the same on average, but varies based on scene complexity.
Provide a high-level overview of adaptive video streaming.
Content is created, typically at high quality; compressed using an encoding algorithm; the compressed content is secured using DRM and hosted on a server; the end user downloads the content over the Internet; the video is decoded and rendered on the screen.
Explain the structure of a DDoS attack.
A DDoS attack is an attempt to overwhelm a server or network resource with a flood of traffic, by compromising machines and deploying them as flooding servers (slaves).
What is the role of DNS in the way CDN operates?
DNS resolution is intercepted (the CDN's authoritative DNS answers the query), so the CDN can choose where to direct users based on location or other conditions.
What are the three steps involved in DNS injection?
A DNS probe is sent to the DNS resolver; the probe is checked against a blocklist of domains and keywords; for domain-level blocking, a fake DNS A record is sent back.
What is one of the major drawbacks of BGP blackholing?
The destination under attack becomes unreachable, since all traffic to it (legitimate and attack) is dropped.
How does DNS injection work?
It is the most common censorship technique of the GFW. It uses a ruleset to determine when to inject forged DNS replies in order to censor network traffic.
How does DNS-based content delivery work?
It distributes load among servers at a single location as well as across servers distributed around the world. When the name of the service is resolved via DNS, the CDN computes and returns the 'nearest edge server' using network topology and link characteristics. Content is 'closer' to the DNS client, giving better responsiveness and availability. Uses a lower TTL than RRDNS.
Our understanding of censorship around the world is relatively limited. Why is it the case? What are the challenges?
Diverse measurements; need for scale; identifying the intent to restrict content access; ethics and minimizing risk.
Summarize how progressive download works.
Download parts of the video at a time instead of the entire file, so playback can start before the download completes.
How does the bitrate adaptation work in DASH?
Dynamic Adaptive Streaming over HTTP (DASH): dynamic bitrate adaptation. It uses a bitrate adaptation algorithm when downloading video chunks to choose the video quality based on network conditions.
What are three QoS VoIP metrics?
End-to-end delay, jitter, packet loss.
Compare the "enter deep" and "bring home" approach of CDN server placement.
Enter Deep: deploy many small clusters around the world; the goal is to make the distance between the user and the closest server as small as possible. Bring Home: deploy fewer, larger clusters in critical areas; fewer clusters to maintain, but users experience higher delay and lower throughput.
What steps does a simple rate-based adaptation algorithm perform?
Estimation: estimate future bandwidth from the throughput of the last few chunks. Quantization: map the continuous throughput estimate to a discrete bitrate (pick the maximum bitrate below the estimated throughput).
How do Fast-Flux Service Networks work?
Extends RRDNS and CDN ideas with a lower TTL. Once the TTL expires, a different set of A records is returned from a larger pool of compromised machines. The compromised machines act as proxies, forming a robust one-hop overlay network.
Compare the three major methods for dealing with packet loss in VoIP protocols.
Forward Error Correction (FEC): transmit redundant data so that lost data can be replaced. Interleaving: mixes chunks of audio together so that if a packet is lost, the missing audio is not consecutive; many small gaps are preferable to one large gap. Error concealment: "guessing" what the lost audio packet contained; in small snippets there is similarity between consecutive pieces (the same property that allows compression).
How does error concealment technique deal with the packet loss in VoIP?
Fills in missing packets with a best guess. Examples would be repeating the previous packet or interpolating between the packets before and after.
Explain a scenario of connectivity disruption detection in case of the outbound blocking.
Filtering occurs on the outgoing path from the reflector. The reflector's IP ID increments in step 3, but its RST never reaches the site, so the site keeps retransmitting SYN-ACKs. A later probe by the measurement machine shows the IP ID has again increased by 2, meaning retransmission of packets has occurred.
Why is video compression unable to use P-frames all the time?
Frames are very different when scenes change, so predicting from the previous frame is inefficient; it also increases decoding time when the user skips ahead in the video.
What is the drawback to using the traditional approach of having a single, publicly accessible web server?
Geographical distance to all users; wasteful for a single data center to send the same data over and over; single point of failure.
What are the limitations of main censorship detection systems?
Hard to rely on volunteers, and hard to measure from every vantage point (IP-based disruptions vs. DNS-based manipulations).
Why does DNS use a hierarchical scheme?
The hierarchical scheme solves the scaling issue.
What are the characteristics of conversational voice and video over IP?
Highly delay sensitive; less loss-tolerant than stored media, since glitches are hard to conceal.
What are the causes or motivations behind BGP attacks?
Human error; targeted attack; high-impact attack.
Explain video compression and temporal redundancy using I-, B-, and P-frames.
I-frame: the first image in a scene, encoded on its own. P-frame: predicted frame, the difference between 2 frames. All frames between 2 I-frames are known as a Group of Pictures (GoP). B-frame: a frame encoded as a function of past and future I- or P-frames.
Describe the DNS message format.
ID: so the client can match queries with responses. Flags: specifications about the DNS message, such as query vs. response. Question: information about the query, like the hostname. Answer: resource records for the hostname that was queried. Authority: resource records for other authoritative servers. Additional Info: further helpful records.
What kind of disruptions does Augur focus on identifying?
IP-based disruptions.
What is HTTP Redirection?
If a client sends a GET request to server A, A can redirect the client to another server B by sending an HTTP response with a 3xx code and the name of the new server. It can slow things down, but is useful for load balancing and does not require any central coordination.
Explain IXP blackholing.
If an AS member of an IXP is attacked, it sends a blackholing message to the IXP route server. The route server announces the message to all connected IXP member ASes, which drop traffic toward the blackholed prefix. The null interface is specified by the IXP.
Explain the problem of bandwidth over-estimation with rate-based adaptation.
If bandwidth changes rapidly, the player takes time to converge to the correct estimate, so it may request a bitrate higher than the network can deliver.
(BGP hijacking) What is the classification by AS-Path announcement?
An illegitimate AS announces an AS path for a prefix it doesn't own. Type-0: it announces itself as the origin AS (as above); Type-N: it announces a fake link between ASes to create a fake path; Type-U: it leaves the AS path unchanged but alters the prefix.
What are the major shifts that have impacted the evolution of the Internet ecosystem?
Increased demand for online content, especially video; "topological flattening".
How does interleaving deal with the packet loss in VoIP/streaming stored audio? What are the tradeoffs of interleaving?
Chunks of audio are mixed across packets so that a lost packet produces several small gaps instead of one large one. Tradeoff: increased latency while collecting consecutive chunks of audio before sending.
List five DNS censorship techniques and briefly describe their working principles.
Packet dropping: all traffic to a set of IP addresses is discarded. DNS poisoning: no answer or an incorrect answer is sent to redirect or mislead a user's request. Content inspection: all traffic passes through a proxy where it is examined, and rejected if the request serves objectionable content. Blocking with resets: a TCP reset (RST) is sent to block individual connections whose requests contain objectionable content. Immediate reset of connections: traffic from a source is suspended immediately for a short period of time.
How is it possible to achieve connectivity disruption using packet filtering approach?
Packets matching certain criteria are blocked, disrupting normal forwarding (harder to detect).
What are the six major challenges that Internet applications face?
Peering point congestion; inefficient routing protocols; unreliable networks; inefficient communication protocols; scalability; application limitations.
What are the steps involved in the global measurement process using DNS resolvers?
Perform global DNS queries: query thousands of domains via open DNS resolvers, also including 3 DNS domains under the researchers' control as a baseline. Annotate DNS responses with auxiliary information: geolocation, AS, port 80 responses, etc. Perform additional PTR and TLS scanning.
What is the difference between iterative and recursive DNS queries?
Iterative: the querying host is referred to the next DNS server in the chain until it can fully resolve the request. Recursive: the querying host and each DNS server in the chain query the next server and delegate the query to it.
What are the mitigation techniques for delay jitter?
A jitter buffer (play-out buffer), which holds packets briefly so they can be played out at a steady rate.
What is DNS censorship?
A large-scale network traffic filtering strategy used to enforce control and censorship over the Internet, suppressing "objectionable" material.
What are the properties of GFW (Great Firewall of China)?
Locality of GFW nodes; centralized management; load balancing.
What are the goals of bitrate adaptation?
Low or zero re-buffering; high video quality; low video quality variation; low startup latency.
What are the services offered by DNS, apart from hostname resolution?
Mail server and host aliasing; load distribution.
(BGP hijacking) What is the classification by data plane traffic manipulation?
Manipulating the network traffic on its way to the receiving AS: dropping it (black-hole attack), eavesdropping on or modifying it (man-in-the-middle attack), or impersonating the destination (imposture).
What are the two main steps in CDN server selection?
Map a client to a cluster; select a server from the cluster.
What is a DNS resource record?
A mapping between a hostname and information about it, most commonly an IP address.
Explain a scenario of connectivity disruption detection in case when no filtering occurs.
1. The measurement machine probes the IP ID of a reflector. 2. The measurement machine performs a perturbation by sending a spoofed TCP SYN (with the reflector's address as source) to the site. 3. The site sends a TCP SYN-ACK to the reflector and gets a RST in response; the reflector's IP ID is incremented by 1. 4. The measurement machine again probes the IP ID of the reflector. It sees a difference of 2 between steps 1 and 4, meaning communication occurred between the hosts.
What are 3 classes of features used to determine the likelihood of a security breach within an organization?
Mismanagement symptoms: misconfigurations in an organization's network. Malicious activities: evidence of malicious traffic originating from the organization. Security incident reports.
What is a CDN?
Multiple geographically distributed data centers holding copies of content, which direct users to the server best able to serve their request.
What are the three major categories of VoIP encoding schemes?
Narrowband; broadband; multimode (can operate in either).
What are the different signals that can serve as an input to a bitrate adaptation algorithm?
Network throughput; video buffer occupancy.
What metrics could be considered when using measurements to select a cluster?
Network-layer metrics: delay, bandwidth. Application-layer metrics: re-buffering ratio, average bitrate.
What is DNS caching?
Once a server receives a DNS reply mapping a hostname to an IP address, it stores that information in its cache before sending it to the client, so later queries for the same name can be answered locally.
What was the original vision of the application-level protocol for video content delivery and why was HTTP chosen eventually?
Original: specialized video servers that remembered the state of each client. HTTP: content providers could use the existing CDN infrastructure, and HTTP made traversing middleboxes and firewalls easier.
What are two findings from ARTEMIS?
Outsourcing the task of BGP announcements to 3rd parties is effective; prefix filtering is less optimal than BGP outsourcing.
Which DNS censorship technique is susceptible to overblocking?
Packet dropping.
What are the functions that signaling protocols are responsible for?
User location; session establishment; session negotiation; call participant management.
What are the two automated techniques used by ARTEMIS to protect against BGP hijacking?
Prefix deaggregation: in an attack scenario, the affected network can either contact other networks or deaggregate the targeted prefixes by announcing more specific prefixes. Mitigation with Multiple Origin AS (MOAS): 3rd-party organizations and service providers handle BGP announcements for a network; if an attack occurs, the 3rd party receives a notification and announces the hijacked prefixes. Network traffic is then attracted to the 3rd party, scrubbed, and tunneled to the legitimate AS.
How does the encoding of analog audio work (in simple terms)?
Quantization: the audio is sampled, and each sample is rounded to a discrete number within a fixed range so it can be represented digitally.
How does FEC (Forward Error Correction) deal with the packet loss in VoIP? What are the tradeoffs of FEC?
FEC transmits redundant data (for example a lower-quality copy of earlier chunks) so that lost packets can be replaced. Tradeoffs: the replacement data may be of lower quality, and the more redundant data is sent, the more bandwidth is consumed.
What is the structure of DNS hierarchy?
Root DNS servers; top-level domain (TLD) servers; authoritative servers; local DNS servers.
What is IP Anycast?
Multiple servers advertise the same IP address, and a client is routed to the "closest" one as determined by BGP.
What is spoofing, and how is related to DDoS attack?
Setting a false IP address in the source field of a packet in order to impersonate a legitimate server. In DDoS: the source IP is spoofed so the response is sent elsewhere (to the victim), OR the source and destination IPs are the same so the server sends replies to itself.
What are the characteristics of streaming live audio and video?
Similar to streaming stored media (above); many simultaneous users across geographical areas; delay sensitive.
Why would a centralized design with a single DNS server not work?
Single point of failure; difficult to handle the full volume of query traffic; cannot be close to all clients; a huge database would need updating for every host on the Internet.
What are the strengths and weaknesses of "packet dropping" DNS censorship technique?
Strengths: easy to implement, low cost. Weaknesses: overblocking.
What are the strengths and weaknesses of "DNS poisoning" DNS censorship technique?
Strengths: no overblocking.
What are the strengths and weaknesses of "content inspection" DNS censorship technique?
Strengths: precise censorship, flexible. Weakness: not scalable.
Which protocol is preferred for video content delivery - UDP or TCP? Why?
TCP: it provides reliability and has built-in congestion control.
What are the most common types of resource records?
TYPE=A: domain name to IP address. TYPE=NS: domain name to the DNS server that can obtain IP addresses for hosts in that domain. TYPE=CNAME: alias hostname to canonical name. TYPE=MX: alias hostname of a mail server to the canonical name of the mail server.
How does Iris counter the issue of lack of diversity while studying DNS manipulation? What are the steps associated with the proposed process?
It uses open DNS resolvers around the world, then restricts the dataset to a few thousand that are part of the Internet infrastructure. 1. Scan the Internet's IPv4 address space for open DNS resolvers. 2. Identify infrastructure DNS resolvers.
What is consistent hashing? How does it work?
A hashing scheme that tends to balance load by assigning roughly the same number of content IDs to each node, with little movement of content needed as nodes join and leave the system (the uniform circle example).
What kinds of delay are included in "end-to-end delay"?
Time to encode the audio; time to put it in packets; any network delays; playback delay; decoding delay.
What are the defenses against DDoS attacks?
Traffic scrubbing services: incoming traffic is diverted to a specialized server to be "scrubbed", separating clean from unwanted traffic. ACL filters: access control list filters are deployed by ISPs or IXPs at AS border routers to filter unwanted traffic. BGP Flowspec: allows rules to be created that match traffic flows and take corresponding actions.
The design of ASwatch is based on monitoring global BGP routing activity to learn the control plane behavior of a network. Describe 2 phases of this system.
Training phase: the system learns the control-plane behavior of legitimate and bulletproof ASes. Operational phase: given an unknown AS, it calculates a reputation score for the AS; after several days with a low reputation score, it identifies the AS as malicious.
What are the four steps of JPEG compression?
1. Transform the image into color components (chrominance, Cb and Cr) and a brightness component (luminance, Y). 2. Apply the Discrete Cosine Transform to convert each 8*8 block into the frequency domain; the output is an 8*8 table representing spectral power. 3. Compress the matrix using a pre-defined quantization table, which is stored in the image header for decoding later (the lossy step). 4. Perform lossless encoding to store the coefficients.
How does Round Robin DNS (RRDNS) work?
Used by large websites to distribute the load of incoming requests across several servers at a single physical location. It responds to requests with a list of DNS A records, cycling through their order in a round-robin manner.
What are the main steps that a host takes to use DNS?
The user host runs the client side of the DNS application; the browser extracts the hostname and passes it to the DNS client; the DNS client sends a query containing the hostname to the DNS server; the DNS client receives a reply including the IP address for the hostname; the host can then initiate a TCP connection to the HTTP server at that IP address.
Explain provider-based blackholing.
The victim AS uses BGP to communicate the attacked destination prefix to its upstream AS, which drops the attack traffic towards this prefix. The provider advertises a more specific prefix and modifies the next-hop address to divert the attack traffic to a null interface.
Compare the bit rate for video, photos, and audio.
Video > Photos > Audio
What are the characteristics of streaming stored video?
Video begins playing as data is received; interactive (fast-forward, pause, etc.); continuous playout (no freezing in the middle); generally stored on a CDN.
Explain a scenario of connectivity disruption detection in case of the inbound blocking.
Filtering occurs on the path from the site to the reflector. The SYN-ACK of step 3 never reaches the reflector, so the reflector's IP ID never increases for it. The difference in IP ID between steps 1 and 4 is 1, meaning there was filtering on the path from the site to the reflector.
How does "delay jitter" occur?
When voice packets experience different amounts of network delay, so they arrive at irregular intervals.
What are two ways to achieve efficient video compression?
Within an image: nearby pixels tend to be similar (spatial redundancy). Across images: consecutive images in a continuous scene are similar (temporal redundancy).