-
Estimating the Impact of BGP Prefix Hijacking
Authors:
Pavlos Sermpezis,
Vasileios Kotronis,
Konstantinos Arakadakis,
Athena Vakali
Abstract:
BGP prefix hijacking is a critical threat to the resilience and security of communications in the Internet. While several mechanisms have been proposed to prevent, detect or mitigate hijacking events, it has not been studied how to accurately quantify the impact of an ongoing hijack. When detecting a hijack, existing methods do not estimate how many networks in the Internet are affected (before an…
▽ More
BGP prefix hijacking is a critical threat to the resilience and security of communications in the Internet. While several mechanisms have been proposed to prevent, detect or mitigate hijacking events, it has not been studied how to accurately quantify the impact of an ongoing hijack. When detecting a hijack, existing methods do not estimate how many networks in the Internet are affected (before and/or after its mitigation). In this paper, we study fundamental and practical aspects of the problem of estimating the impact of an ongoing hijack through network measurements. We derive analytical results for the involved trade-offs and limits, and investigate the performance of different measurement approaches (control/data-plane measurements) and use of public measurement infrastructure. Our findings provide useful insights for the design of accurate hijack impact estimation methodologies. Based on these insights, we design (i) a lightweight and practical estimation methodology that employs ** measurements, and (ii) an estimator that employs public infrastructure measurements and eliminates correlations between them to improve the accuracy. We validate the proposed methodologies and findings against results from hijacking experiments we conduct in the real Internet.
△ Less
Submitted 5 May, 2021;
originally announced May 2021.
-
Network-aware Recommendations in the Wild: Methodology, Realistic Evaluations, Experiments
Authors:
Savvas Kastanakis,
Pavlos Sermpezis,
Vasileios Kotronis,
Daniel Menasché,
Thrasyvoulos Spyropoulos
Abstract:
Joint caching and recommendation has been recently proposed as a new paradigm for increasing the efficiency of mobile edge caching. Early findings demonstrate significant gains for the network performance. However, previous works evaluated the proposed schemes exclusively on simulation environments. Hence, it still remains uncertain whether the claimed benefits would change in real settings. In th…
▽ More
Joint caching and recommendation has been recently proposed as a new paradigm for increasing the efficiency of mobile edge caching. Early findings demonstrate significant gains for the network performance. However, previous works evaluated the proposed schemes exclusively on simulation environments. Hence, it still remains uncertain whether the claimed benefits would change in real settings. In this paper, we propose a methodology that enables to evaluate joint network and recommendation schemes in real content services by only using publicly available information. We apply our methodology to the YouTube service, and conduct extensive measurements to investigate the potential performance gains. Our results show that significant gains can be achieved in practice; e.g., 8 to 10 times increase in the cache hit ratio from cache-aware recommendations. Finally, we build an experimental testbed and conduct experiments with real users; we make available our code and datasets to facilitate further research. To our best knowledge, this is the first realistic evaluation (over a real service, with real measurements and user experiments) of the joint caching and recommendations paradigm. Our findings provide experimental evidence for the feasibility and benefits of this paradigm, validate assumptions of previous works, and provide insights that can drive future research.
△ Less
Submitted 6 October, 2020;
originally announced October 2020.
-
O Peer, Where Art Thou? Uncovering Remote Peering Interconnections at IXPs
Authors:
George Nomikos,
Vasileios Kotronis,
Pavlos Sermpezis,
Petros Gigis,
Lefteris Manassakis,
Christoph Dietzel,
Stavros Konstantaras,
Xenofontas Dimitropoulos,
Vasileios Giotsas
Abstract:
Internet eXchange Points (IXPs) are Internet hubs that mainly provide the switching infrastructure to interconnect networks and exchange traffic. While the initial goal of IXPs was to bring together networks residing in the same city or country, and thus keep local traffic local, this model is gradually shifting. Many networks connect to IXPs without having physical presence at their switching inf…
▽ More
Internet eXchange Points (IXPs) are Internet hubs that mainly provide the switching infrastructure to interconnect networks and exchange traffic. While the initial goal of IXPs was to bring together networks residing in the same city or country, and thus keep local traffic local, this model is gradually shifting. Many networks connect to IXPs without having physical presence at their switching infrastructure. This practice, called Remote Peering, is changing the Internet topology and economy, and has become the subject of a contentious debate within the network operators' community. However, despite the increasing attention it attracts, the understanding of the characteristics and impact of remote peering is limited. In this work, we introduce and validate a heuristic methodology for discovering remote peers at IXPs. We (i) identify critical remote peering inference challenges, (ii) infer remote peers with high accuracy (>95%) and coverage (93%) per IXP, and (iii) characterize different aspects of the remote peering ecosystem by applying our methodology to 30 large IXPs. We observe that remote peering is a significantly common practice in all the studied IXPs; for the largest IXPs, remote peers account for 40% of their member base. We also show that today, IXP growth is mainly driven by remote peering, which contributes two times more than local peering.
△ Less
Submitted 12 November, 2019;
originally announced November 2019.
-
Validating IP Prefixes and AS-Paths with Blockchains
Authors:
Ilias Sfirakis,
Vasileios Kotronis
Abstract:
Networks (Autonomous Systems-AS) allocate or revoke IP prefixes with the intervention of official Internet resource number authorities, and select and advertise policy-compliant paths towards these prefixes using the inter-domain routing system and its primary enabler, the Border Gateway Protocol (BGP). Securing BGP has been a long-term objective of several research and industrial efforts during t…
▽ More
Networks (Autonomous Systems-AS) allocate or revoke IP prefixes with the intervention of official Internet resource number authorities, and select and advertise policy-compliant paths towards these prefixes using the inter-domain routing system and its primary enabler, the Border Gateway Protocol (BGP). Securing BGP has been a long-term objective of several research and industrial efforts during the last decades, that have culminated in the Resource Public Key Infrastructure (RPKI) for the cryptographic verification of prefix-to-AS assignments. However, there is still no widely adopted solution for securing IP prefixes and the (AS-)paths leading to them; approaches such as BGPsec have seen minuscule deployment. In this work, we design and implement a Blockchain-based system that (i) can be used to validate both of these resource types, (ii) can work passively and does not require any changes in the inter-domain routing system (BGP, RPKI), and (iii) can be combined with currently available systems for the detection and mitigation of routing attacks. We present early results and insights w.r.t. scalability.
△ Less
Submitted 7 June, 2019;
originally announced June 2019.
-
Inferring Catchment in Internet Routing
Authors:
Pavlos Sermpezis,
Vasileios Kotronis
Abstract:
BGP is the de-facto Internet routing protocol for exchanging prefix reachability information between Autonomous Systems (AS). It is a dynamic, distributed, path-vector protocol that enables rich expressions of network policies (typically treated as secrets). In this regime, where complexity is interwoven with information hiding, answering questions such as "what is the expected catchment of the an…
▽ More
BGP is the de-facto Internet routing protocol for exchanging prefix reachability information between Autonomous Systems (AS). It is a dynamic, distributed, path-vector protocol that enables rich expressions of network policies (typically treated as secrets). In this regime, where complexity is interwoven with information hiding, answering questions such as "what is the expected catchment of the anycast sites of a content provider on the AS-level, if new sites are deployed?", or "how will load-balancing behave if an ISP changes its routing policy for a prefix?", is a hard challenge. In this work, we present a formal model and methodology that takes into account policy-based routing and topological properties of the Internet graph, to predict the routing behavior of networks. We design algorithms that provide new capabilities for informative route inference (e.g., isolating the effect of randomness that is present in prior simulation-based approaches). We analyze the properties of these inference algorithms, and evaluate them using publicly available routing datasets and real-world experiments. The proposed framework can be useful in a number of applications: measurements, traffic engineering, network planning, Internet routing models, etc. As a use case, we study the problem of selecting a set of measurement vantage points to maximize route inference. Our methodology is general and can capture standard valley-free routing, as well as more complex topological and routing setups appearing in practice.
△ Less
Submitted 10 May, 2019;
originally announced May 2019.
-
CABaRet: Leveraging Recommendation Systems for Mobile Edge Caching
Authors:
Savvas Kastanakis,
Pavlos Sermpezis,
Vasileios Kotronis,
Xenofontas Dimitropoulos
Abstract:
Joint caching and recommendation has been recently proposed for increasing the efficiency of mobile edge caching. While previous works assume collaboration between mobile network operators and content providers (who control the recommendation systems), this might be challenging in today's economic ecosystem, with existing protocols and architectures. In this paper, we propose an approach that enab…
▽ More
Joint caching and recommendation has been recently proposed for increasing the efficiency of mobile edge caching. While previous works assume collaboration between mobile network operators and content providers (who control the recommendation systems), this might be challenging in today's economic ecosystem, with existing protocols and architectures. In this paper, we propose an approach that enables cache-aware recommendations without requiring a network and content provider collaboration. We leverage information provided publicly by the recommendation system, and build a system that provides cache-friendly and high-quality recommendations. We apply our approach to the YouTube service, and conduct measurements on YouTube video recommendations and experiments with video requests, to evaluate the potential gains in the cache hit ratio. Finally, we analytically study the problem of caching optimization under our approach. Our results show that significant caching gains can be achieved in practice; 8 to 10 times increase in the cache hit ratio from cache-aware recommendations, and an extra 2 times increase from caching optimization.
△ Less
Submitted 7 June, 2018;
originally announced June 2018.
-
A Survey among Network Operators on BGP Prefix Hijacking
Authors:
Pavlos Sermpezis,
Vasileios Kotronis,
Alberto Dainotti,
Xenofontas Dimitropoulos
Abstract:
BGP prefix hijacking is a threat to Internet operators and users. Several mechanisms or modifications to BGP that protect the Internet against it have been proposed. However, the reality is that most operators have not deployed them and are reluctant to do so in the near future. Instead, they rely on basic - and often inefficient - proactive defenses to reduce the impact of hijacking events, or on…
▽ More
BGP prefix hijacking is a threat to Internet operators and users. Several mechanisms or modifications to BGP that protect the Internet against it have been proposed. However, the reality is that most operators have not deployed them and are reluctant to do so in the near future. Instead, they rely on basic - and often inefficient - proactive defenses to reduce the impact of hijacking events, or on detection based on third party services and reactive approaches that might take up to several hours. In this work, we present the results of a survey we conducted among 75 network operators to study: (a) the operators' awareness of BGP prefix hijacking attacks, (b) presently used defenses (if any) against BGP prefix hijacking, (c) the willingness to adopt new defense mechanisms, and (d) reasons that may hinder the deployment of BGP prefix hijacking defenses. We expect the findings of this survey to increase the understanding of existing BGP hijacking defenses and the needs of network operators, as well as contribute towards designing new defense mechanisms that satisfy the requirements of the operators.
△ Less
Submitted 9 January, 2018;
originally announced January 2018.
-
ARTEMIS: Neutralizing BGP Hijacking within a Minute
Authors:
Pavlos Sermpezis,
Vasileios Kotronis,
Petros Gigis,
Xenofontas Dimitropoulos,
Danilo Cicalese,
Alistair King,
Alberto Dainotti
Abstract:
BGP prefix hijacking is a critical threat to Internet organizations and users. Despite the availability of several defense approaches (ranging from RPKI to popular third-party services), none of them solves the problem adequately in practice. In fact, they suffer from: (i) lack of detection comprehensiveness, allowing sophisticated attackers to evade detection, (ii) limited accuracy, especially in…
▽ More
BGP prefix hijacking is a critical threat to Internet organizations and users. Despite the availability of several defense approaches (ranging from RPKI to popular third-party services), none of them solves the problem adequately in practice. In fact, they suffer from: (i) lack of detection comprehensiveness, allowing sophisticated attackers to evade detection, (ii) limited accuracy, especially in the case of third-party detection, (iii) delayed verification and mitigation of incidents, reaching up to days, and (iv) lack of privacy and of flexibility in post-hijack counteractions, on the side of network operators. In this work, we propose ARTEMIS (Automatic and Real-Time dEtection and MItigation System), a defense approach (a) based on accurate and fast detection operated by the AS itself, leveraging the pervasiveness of publicly available BGP monitoring services and their recent shift towards real-time streaming, thus (b) enabling flexible and fast mitigation of hijacking events. Compared to previous work, our approach combines characteristics desirable to network operators such as comprehensiveness, accuracy, speed, privacy, and flexibility. Finally, we show through real-world experiments that, with the ARTEMIS approach, prefix hijacking can be neutralized within a minute.
△ Less
Submitted 27 June, 2018; v1 submitted 3 January, 2018;
originally announced January 2018.
-
Shortcuts through Colocation Facilities
Authors:
Vasileios Kotronis,
George Nomikos,
Lefteris Manassakis,
Dimitris Mavrommatis,
Xenofontas Dimitropoulos
Abstract:
Network overlays, running on top of the existing Internet substrate, are of perennial value to Internet end-users in the context of, e.g., real-time applications. Such overlays can employ traffic relays to yield path latencies lower than the direct paths, a phenomenon known as Triangle Inequality Violation (TIV). Past studies identify the opportunities of reducing latency using TIVs. However, they…
▽ More
Network overlays, running on top of the existing Internet substrate, are of perennial value to Internet end-users in the context of, e.g., real-time applications. Such overlays can employ traffic relays to yield path latencies lower than the direct paths, a phenomenon known as Triangle Inequality Violation (TIV). Past studies identify the opportunities of reducing latency using TIVs. However, they do not investigate the gains of strategically selecting relays in Colocation Facilities (Colos). In this work, we answer the following questions: (i) how Colo-hosted relays compare with other relays as well as with the direct Internet, in terms of latency (RTT) reductions; (ii) what are the best locations for placing the relays to yield these reductions. To this end, we conduct a large-scale one-month measurement of inter-domain paths between RIPE Atlas (RA) nodes as endpoints, located at eyeball networks. We employ as relays Planetlab nodes, other RA nodes, and machines in Colos. We examine the RTTs of the overlay paths obtained via the selected relays, as well as the direct paths. We find that Colo-based relays perform the best and can achieve latency reductions against direct paths, ranging from a few to 100s of milliseconds, in 76% of the total cases; 75% (58% of total cases) of these reductions require only 10 relays in 6 large Colos.
△ Less
Submitted 12 October, 2017;
originally announced October 2017.
-
Characterizing User-to-User Connectivity with RIPE Atlas
Authors:
Petros Gigis,
Vasileios Kotronis,
Emile Aben,
Stephen D. Strowes,
Xenofontas Dimitropoulos
Abstract:
Characterizing the interconnectivity of networks at a country level is an interesting but non-trivial task. The IXP Country Jedi is an existing prototype that uses RIPE Atlas probes in order to explore interconnectivity at a country level, taking into account all Autonomous Systems (AS) where RIPE Atlas probes are deployed. In this work, we build upon this basis and specifically focus on "eyeball"…
▽ More
Characterizing the interconnectivity of networks at a country level is an interesting but non-trivial task. The IXP Country Jedi is an existing prototype that uses RIPE Atlas probes in order to explore interconnectivity at a country level, taking into account all Autonomous Systems (AS) where RIPE Atlas probes are deployed. In this work, we build upon this basis and specifically focus on "eyeball" networks, i.e. the user-facing networks with the largest user populations in any given country, and explore to what extent we can provide insights on their interconnectivity. In particular, with a focused user-to-user (and/or user-to-content) version of the IXP Country Jedi we work towards meaningful statistics and comparisons between countries/economies. This is something that a general-purpose probe-to-probe version is not able to capture. We present our preliminary work on the estimation of RIPE Atlas coverage in eyeball networks, as well as an approach to measure and visualize user interconnectivity with our Eyeball Jedi tool.
△ Less
Submitted 17 July, 2017;
originally announced July 2017.
-
Investigating the Potential of the Inter-IXP Multigraph for the Provisioning of Guaranteed End-to-End Services
Authors:
Vasileios Kotronis,
Rowan Kloti,
Matthias Rost,
Panagiotis Georgopoulos,
Bernhard Ager,
Stefan Schmid,
Xenofontas Dimitropoulos
Abstract:
In this work, we propose utilizing the rich connectivity between IXPs and ISPs for inter-domain path stitching, supervised by centralized QoS brokers. In this context, we highlight a novel abstraction of the Internet topology, i.e., the inter-IXP multigraph composed of IXPs and paths crossing the domains of their shared member ISPs. This can potentially serve as a dense Internet-wide substrate for…
▽ More
In this work, we propose utilizing the rich connectivity between IXPs and ISPs for inter-domain path stitching, supervised by centralized QoS brokers. In this context, we highlight a novel abstraction of the Internet topology, i.e., the inter-IXP multigraph composed of IXPs and paths crossing the domains of their shared member ISPs. This can potentially serve as a dense Internet-wide substrate for provisioning guaranteed end-to-end (e2e) services with high path diversity and global IPv4 address space reach. We thus map the IXP multigraph, evaluate its potential, and introduce a rich algorithmic framework for path stitching on such graph structures.
△ Less
Submitted 10 November, 2016;
originally announced November 2016.
-
Evaluating the Effect of Centralization on Routing Convergence on a Hybrid BGP-SDN Emulation Framework
Authors:
Adrian Gamperli,
Vasileios Kotronis,
Xenofontas Dimitropoulos
Abstract:
A lot of applications depend on reliable and stable Internet connectivity. These characteristics are crucial for mission-critical services such as telemedical applications. An important factor that can affect connection availability is the convergence time of BGP, the de-facto inter-domain routing (IDR) protocol in the Internet. After a routing change, it may take several minutes until the network…
▽ More
A lot of applications depend on reliable and stable Internet connectivity. These characteristics are crucial for mission-critical services such as telemedical applications. An important factor that can affect connection availability is the convergence time of BGP, the de-facto inter-domain routing (IDR) protocol in the Internet. After a routing change, it may take several minutes until the network converges and BGP routing becomes stable again. Kotronis et al propose a novel Internet routing approach based on SDN principles that combines several Autonomous Systems (AS) into groups, called clusters, and introduces a logically centralized routing decision process for the cluster participants. One of the goals of this concept is to stabilize the IDR system and bring down its convergence time. However, testing whether such approaches can improve on BGP problems requires hybrid SDN and BGP experimentation tools that can emulate multiple ASes. Presently, there is a lack of an easy to use public tool for this purpose. This work fills this gap by building a suitable emulation framework and evaluating the effect that a proof-of-concept IDR controller has on IDR convergence time.
△ Less
Submitted 9 November, 2016;
originally announced November 2016.
-
Policy-Compliant Path Diversity and Bisection Bandwidth
Authors:
Rowan Kloti,
Vasileios Kotronis,
Bernhard Ager,
Xenofontas Dimitropoulos
Abstract:
How many links can be cut before a network is bisected? What is the maximal bandwidth that can be pushed between two nodes of a network? These questions are closely related to network resilience, path choice for multipath routing or bisection bandwidth estimations in data centers. The answer is quantified using metrics such as the number of edge-disjoint paths between two network nodes and the cum…
▽ More
How many links can be cut before a network is bisected? What is the maximal bandwidth that can be pushed between two nodes of a network? These questions are closely related to network resilience, path choice for multipath routing or bisection bandwidth estimations in data centers. The answer is quantified using metrics such as the number of edge-disjoint paths between two network nodes and the cumulative bandwidth that can flow over these paths. In practice though, such calculations are far from simple due to the restrictive effect of network policies on path selection. Policies are set by network administrators to conform to service level agreements, protect valuable resources or optimize network performance. In this work, we introduce a general methodology for estimating lower and upper bounds for the policy-compliant path diversity and bisection bandwidth between two nodes of a network, effectively quantifying the effect of policies on these metrics. Exact values can be obtained if certain conditions hold. The approach is based on regular languages and can be applied in a variety of use cases.
△ Less
Submitted 9 November, 2016;
originally announced November 2016.
-
Stitching Inter-Domain Paths over IXPs
Authors:
Vasileios Kotronis,
Rowan Kloti,
Matthias Rost,
Panagiotis Georgopoulos,
Bernhard Ager,
Stefan Schmid,
Xenofontas Dimitropoulos
Abstract:
Modern Internet applications, from HD video-conferencing to health monitoring and remote control of power-plants, pose stringent demands on network latency, bandwidth and availability. An approach to support such applications and provide inter-domain guarantees, enabling new avenues for innovation, is using centralized inter-domain routing brokers. These entities centralize routing control for mis…
▽ More
Modern Internet applications, from HD video-conferencing to health monitoring and remote control of power-plants, pose stringent demands on network latency, bandwidth and availability. An approach to support such applications and provide inter-domain guarantees, enabling new avenues for innovation, is using centralized inter-domain routing brokers. These entities centralize routing control for mission-critical traffic across domains, working in parallel to BGP. In this work, we propose using IXPs as natural points for stitching inter-domain paths under the control of inter-domain routing brokers. To evaluate the potential of this approach, we first map the global substrate of inter-IXP pathlets that IXP members could offer, based on measurements for 229 IXPs worldwide. We show that using IXPs as stitching points has two useful properties. Up to 91 % of the total IPv4 address space can be served by such inter-domain routing brokers when working in concert with just a handful of large IXPs and their associated ISP members. Second, path diversity on the inter-IXP graph increases by up to 29 times, as compared to current BGP valley-free routing. To exploit the rich path diversity, we introduce algorithms that inter-domain routing brokers can use to embed paths, subject to bandwidth and latency constraints. We show that our algorithms scale to the sizes of the measured graphs and can serve diverse simulated path request mixes. Our work highlights a novel direction for SDN innovation across domains, based on logically centralized control and programmable IXP fabrics.
△ Less
Submitted 8 November, 2016;
originally announced November 2016.
-
Control Exchange Points: Providing QoS-enabled End-to-End Services via SDN-based Inter-domain Routing Orchestration
Authors:
Vasileios Kotronis,
Xenofontas Dimitropoulos,
Rowan Kloti,
Bernhard Ager,
Panagiotis Georgopoulos,
Stefan Schmid
Abstract:
This paper presents the vision of the Control Exchange Point (CXP) architectural model. The model is motivated by the inflexibility and ossification of today's inter-domain routing system, which renders critical QoS-constrained end-to-end (e2e) network services difficult or simply impossible to provide. CXPs operate on slices of ISP networks and are built on basic Software Defined Networking (SDN)…
▽ More
This paper presents the vision of the Control Exchange Point (CXP) architectural model. The model is motivated by the inflexibility and ossification of today's inter-domain routing system, which renders critical QoS-constrained end-to-end (e2e) network services difficult or simply impossible to provide. CXPs operate on slices of ISP networks and are built on basic Software Defined Networking (SDN) principles, such as the clean decoupling of the routing control plane from the data plane and the consequent logical centralization of control. The main goal of the architectural model is to provide e2e services with QoS constraints across domains. This is achieved through defining a new type of business relationship between ISPs, which advertise partial paths (so-called pathlets) with specific properties, and the orchestrating role of the CXPs, which dynamically stitch them together and provision e2e QoS. Revenue from value-added services flows from the clients of the CXP to the ISPs participating in the service. The novelty of the approach is the combination of SDN programmability and dynamic path stitching techniques for inter-domain routing, which extends the value proposition of SDN over multiple domains. We first describe the challenges related to e2e service provision with the current inter-domain routing and peering model, and then continue with the benefits of our approach. Subsequently, we describe the CXP model in detail and report on an initial feasibility analysis.
△ Less
Submitted 8 November, 2016;
originally announced November 2016.
-
A Comparative Look into Public IXP Datasets
Authors:
Rowan Kloti,
Bernhard Ager,
Vasileios Kotronis,
George Nomikos,
Xenofontas Dimitropoulos
Abstract:
Internet eXchange Points (IXPs) are core components of the Internet infrastructure where Internet Service Providers (ISPs) meet and exchange traffic. During the last few years, the number and size of IXPs have increased rapidly, driving the flattening and shortening of Internet paths. However, understanding the present status of the IXP ecosystem and its potential role in sha** the future Intern…
▽ More
Internet eXchange Points (IXPs) are core components of the Internet infrastructure where Internet Service Providers (ISPs) meet and exchange traffic. During the last few years, the number and size of IXPs have increased rapidly, driving the flattening and shortening of Internet paths. However, understanding the present status of the IXP ecosystem and its potential role in sha** the future Internet requires rigorous data about IXPs, their presence, status, participants, etc. In this work, we do the first cross-comparison of three well-known publicly available IXP databases, namely of PeeringDB, Euro-IX, and PCH. A key challenge we address is linking IXP identifiers across databases maintained by different organizations. We find different AS-centric versus IXP-centric views provided by the databases as a result of their data collection approaches. In addition, we highlight differences and similarities w.r.t. IXP participants, geographical coverage, and co-location facilities. As a side-product of our linkage heuristics, we make publicly available the union of the three databases, which includes 40.2 % more IXPs and 66.3 % more IXP participants than the commonly-used PeeringDB. We also publish our analysis code to foster reproducibility of our experiments and shed preliminary insights into the accuracy of the union dataset.
△ Less
Submitted 8 November, 2016;
originally announced November 2016.
-
Routing Centralization Across Domains via SDN: A Model and Emulation Framework for BGP Evolution
Authors:
Vasileios Kotronis,
Adrian Gamperli,
Xenofontas Dimitropoulos
Abstract:
In this work, we propose a radical, incrementally-deployable Internet routing paradigm in which the control plane of multiple networks is centralized. This follows the Software Defined Networking (SDN) paradigm, although at the inter-domain level involving multiple Autonomous Systems (AS). Multi-domain SDN centralization can be realized by outsourcing routing functions to an external contractor, w…
▽ More
In this work, we propose a radical, incrementally-deployable Internet routing paradigm in which the control plane of multiple networks is centralized. This follows the Software Defined Networking (SDN) paradigm, although at the inter-domain level involving multiple Autonomous Systems (AS). Multi-domain SDN centralization can be realized by outsourcing routing functions to an external contractor, which provides inter-domain routing services facilitated through a multi-AS network controller. The proposed model promises to become a vehicle for evolving BGP and uses the bird's eye view over several networks to benefit aspects of inter-domain routing, such as convergence properties, policy conflict resolution, inter-domain troubleshooting, and collaborative security. In addition to the proposed paradigm, we introduce a publicly available emulation platform built on top of Mininet and the Quagga routing software, for experimenting in hybrid BGP-SDN AS-level networks. As a proof of concept we focus specifically on exploiting multi-domain centralization to improve BGP's slow convergence. We build and make publicly available a first multi-AS controller tailored to this use case and demonstrate experimentally that SDN centralization helps to linearly reduce BGP convergence times and churn rates with expanding SDN deployments.
△ Less
Submitted 8 November, 2016;
originally announced November 2016.
-
A Novel Framework for Modeling and Mitigating Distributed Link Flooding Attacks
Authors:
hristos Liaskos,
Vasileios Kotronis,
Xenofontas Dimitropoulos
Abstract:
Distributed link-flooding attacks constitute a new class of attacks with the potential to segment large areas of the Internet. Their distributed nature makes detection and mitigation very hard. This work proposes a novel framework for the analytical modeling and optimal mitigation of such attacks. The detection is modeled as a problem of relational algebra, representing the association of potentia…
▽ More
Distributed link-flooding attacks constitute a new class of attacks with the potential to segment large areas of the Internet. Their distributed nature makes detection and mitigation very hard. This work proposes a novel framework for the analytical modeling and optimal mitigation of such attacks. The detection is modeled as a problem of relational algebra, representing the association of potential attackers (bots) to potential targets. The analysis seeks to optimally dissolve all but the malevolent associations. The framework is implemented at the level of online Traffic Engineering (TE), which is naturally triggered on link-flooding events. The key idea is to continuously re-route traffic in a manner that makes persistent participation to link-flooding events highly improbable for any benign source. Thus, bots are forced to adopt a suspicious behavior to remain effective, revealing their presence. The load-balancing objective of TE is not affected at all. Extensive simulations on various topologies validate our analytical findings.
△ Less
Submitted 8 November, 2016;
originally announced November 2016.
-
On the Interplay of Link-Flooding Attacks and Traffic Engineering
Authors:
Dimitrios Gkounis,
Vasileios Kotronis,
Christos Liaskos,
Xenofontas Dimitropoulos
Abstract:
Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly proposed indirect link-flooding attacks, such as 'Crossfire', are extremely hard to expose and, subsequently, mitigate effectively. Traffic Engineering (TE) is the network's natural way of mitigating link overload events, balancing the load and restoring connectivity. This work poses the…
▽ More
Link-flooding attacks have the potential to disconnect even entire countries from the Internet. Moreover, newly proposed indirect link-flooding attacks, such as 'Crossfire', are extremely hard to expose and, subsequently, mitigate effectively. Traffic Engineering (TE) is the network's natural way of mitigating link overload events, balancing the load and restoring connectivity. This work poses the question: Do we need a new kind of TE to expose an attack as well? The key idea is that a carefully crafted, attack-aware TE could force the attacker to follow improbable traffic patterns, revealing his target and his identity over time. We show that both existing and novel TE modules can efficiently expose the attack, and study the benefits of each approach. We implement defense prototypes using simulation mechanisms and evaluate them extensively on multiple real topologies.
△ Less
Submitted 8 November, 2016;
originally announced November 2016.
-
Towards Defeating the Crossfire Attack using SDN
Authors:
Dimitrios Gkounis,
Vasileios Kotronis,
Xenofontas Dimitropoulos
Abstract:
In this work, we propose online traffic engineering as a novel approach to detect and mitigate an emerging class of stealthy Denial of Service (DoS) link-flooding attacks. Our approach exploits the Software Defined Networking (SDN) paradigm, which renders the management of network traffic more flexible through centralised flow-level control and monitoring. We implement a full prototype of our solu…
▽ More
In this work, we propose online traffic engineering as a novel approach to detect and mitigate an emerging class of stealthy Denial of Service (DoS) link-flooding attacks. Our approach exploits the Software Defined Networking (SDN) paradigm, which renders the management of network traffic more flexible through centralised flow-level control and monitoring. We implement a full prototype of our solution on an emulated SDN environment using OpenFlow to interface with the network devices. We further discuss useful insights gained from our preliminary experiments as well as a number of open research questions which constitute work in progress.
△ Less
Submitted 5 December, 2014;
originally announced December 2014.