AIMS 2017: Workshop on Active Internet Measurements: Talk Abstracts

This page contains names, talk abstracts (if presenting), and topics the the participants are interested in discussing, as well as any related URLs. Participants are encouraged to read these ahead of time to anticipate workshop discussion.

Dates: March 1 (Wed) - March 3 (Fri), 2017
Place: Auditorium B210E/B211E Meeting Room,
San Diego Supercomputer Center, UCSD Campus, La Jolla, CA

Participant Abstracts

Erin Kenneally (Dept of Homeland Security) Talk Title: IMPACT Program- Operationalizing Interaction and Coordination Between Different Existing Measurement Infrastructures

Talk Abstract: Tee-up discussions about how to leverage the DHS IMPACT Program as a mechanism to operationalize the theme of this AIMS: interaction and coordination between different existing measurement infrastructures

Interested in Discussing: See above

David Clark (MIT) Talk Title: Policy impact of measurement.

Talk Abstract: There is a gap between the work done in the technical measurement community (typically reported at conferences such as IMC) and the utilization of that work by non-technical communities such as policy-makers and advocacy groups. My goal is to start a discussion as to the desirability of increasing the broader impact of the community's measurement work, and the best means of doing so.

Interested in Discussing: How can technical measurement results be made more relevant and accessible to non-technical people (e.g., policy makers). How can we insure that measurement work has the broadest impact.

Brian Trammell (ETH Zurich) Talk Title: Observing Internet Path Transparency

Talk Abstract: The presumed behavior and misbehavior of middleboxes is often cited as a reason for conservative decisions in protocol design. However, there is not much data available to justify these decisions quantifiably: a tradeoff that introduces a particular amount of complexity to a protocol makes little sense if it only improves performance or connectivity on a handful of access networks.

Building on earlier work in measurement of the risks of turning on Explicit Congestion Notification (ECN) by default, the MAMI project ( is building both an active measurement tool (PathSpider, and a Path Transparency Observatory for analysis and dissemination of measurements of the transparency of devices along a path to variety of protocols and protocol features in the Internet. The basic measurements are analogous to those used in detecting censorship or violations of network neutrality, but are focused on accidental or implementation-specific impairment of lower-level protocol features (e.g. ECN, TCP Fast Open, Multipath TCP). Given that the same kinds of impairment that break newer protocols also impair the use of tools like tracebox to localize these impairments, we use tomographic techniques to infer path- or site-dependency of detected failures.

Existing measurement studies with the observatory have focused on measurements from a small set of sources on unimpaired (data center) networks to public servers, in order to isolate impairments in the core of the Internet. Future work is focused on deployment on broadband and mobile access networks, as well as correlating these pairwise (source / target) "paths" with richer topological data (node- and AS level graphs).

Interested in Discussing: Measurement and localization of intentional and accidental impairment to the end-to-end principle in the Internet.

Vaibhav Bajpai (TU Munich) Talk Title: Measuring the Evolution of IPv6 Performance.

Talk Abstract: IPv6 measurement studies in the past have focussed on measuring IPv6 adoption [a, b, c] on the Internet. This involved measuring addressing, naming, routing and reachability aspects of IPv6. However, there has been very little work [b,d] on measuring the performance of delivered services over IPv6. This has largely been due to lack of the availability of content over IPv6. For instance, global IPv6 adoption during the time when these studies [b,d] were performed (2012) was less than 1%. In recent years, this has changed significantly due to efforts made by the IPv6 operations community thereby increasing the global IPv6 adoption as seen by Google to ~15% as of 2017. Even though IPv6 carries a noticeable amount of Internet traffic today, there has been very little work on measuring IPv6 performance in this changed landscape. The most recent work is by Geoff Huston (2015) where dual-stacked clients that use Google Ads are used to measure latencies towards APNIC servers. This work is orthogonal to our study since Geoff' goal is to sample large number of clients while our goal is to sample a large number of destinations. In fact, a recent study [c] that used an approximation of 10− and 20−hop round-trip times concedes that a measure of client-to-service network performance would be a more ideal metric today.


We close this gap by measuring IPv6 performance from the edge of the network using ~100 SamKnows probes comprising 58 different origin ASes towards operational dual-stacked content services on the Internet. In this talk, we highlight key results and lessons learned from collecting these longitudinal measurements for the past 4 years ('13-'17). We present metrics, tools, measurement insights and experience from studying geographically varied IPv6 networks. We provide a comparison of how content delivery [a, b] over IPv6 compares to that of IPv4 and how it has evolved [d] over time. We also identify and document glitches [c] in this content delivery that once fixed can help improve user experience over IPv6. Our longitudinal observations also identify areas of improvements [d] in the standards work for the IPv6 operations community within the IETF.

This talk is relevant for network operators that are either in the process of or are in early stages of IPv6 deployment. This talk also provides content providers insights towards how their service delivery compares over IPv6 to that of IPv4 and how it has evolved over time. The goal of the talk is not only to summarise [a, b, c, d] this dissertation work ('13-'16) on IPv6 performance, but also to leverage the AIMS workshop to introduce the infrastructure of ~100 dual-stacked SamKnows probes that we have maintained over the last 4 years. This infrastructure can be used for future collaborations with CAIDA and the active measurement community at large.

[d] 2959424.2959429

Interested in Discussing:

  • How to encourage the community to perform longitudinal measurements.
  • Identify potential areas of interests between the academic and operators community.
  • How to encourage reproducibility and identify/create events to publish reproducible research.

David Choffnes (Northeastern University) Talk Title: Exposing and Evading Middlebox Policies

Talk Abstract: TBD

Interested in Discussing: net neutrality, privacy, measurement platforms, Internet mapping...

Mike Wittie (Montana State University) Talk Title: I could do two potential presentations

Talk Abstract: Network performance requirements of Augmented Reality Systems or Cellular network measurement using Akamai's infrastructure

Interested in Discussing: I'm interested in network support of Augmented Reality (AR) systems. This problem is a combination of network performance and content distribution and both parts need to be measured and their performance with respect to application requirements understood.

Kirill Levchenko (UC San Diego (CSE)) Talk Title: PacketLab: A Universal Measurement Platform

Talk Abstract: For Internet measurement researchers, getting access to the right measurement vantage point can be one of the hardest parts of an experiment. Research groups invest considerable effort to secure access to such end hosts and operate them as measurement endpoints for their experiments. Unfortunately, for an independent researcher, the barrier to entry remains high because each measurement platform is tailored to specific experiments, and adding another experiment often requires changes to the measurement endpoints deployed in the field. Fortunately, we believe many of these obstacles are technical and not fundamental. We propose PacketLab, a unified measurement platform that addresses the technical barriers to efficient reuse of measurement endpoints by different research groups. To do so, PacketLab combines several innovating design elements that together allow groups to share measurement infrastructure with each other with very little overhead, extending its useful life and lowering the barrier to entry for researchers engaged in network measurement.

Interested in Discussing: Universal measurement platforms

James Martin (Clemson University) Talk Title: Things in a Fog (TGIF): A Framework to Support Multi-domain Research in the Internet of Things

Talk Abstract: Building upon several ongoing NSF-funded wireless infrastructure research projects at Clemson University, we have designed, prototyped and deployed a system to facilitate multi-disciplinary research in distributed computing systems that is inclusive of domain specific research that requires wireless infrastructure. The system, Things in a Fog (TGIF), is a framework to support research in the emerging Internet of Things. US government priorities in Connected Vehicles and in broader directions such as Smart Cities motivate the urgency of research in the areas of shared intelligent infrastructure that provides cost effective, secure and managed virtual slices of an IoT system. As the name implies, TGIF is based on an architecture that is similar in spirit to Fog or Edge Computing. TGIF consists of a number of types of nodes, including low end device and machine nodes, mobile and fixed edge nodes, and well-provisioned system nodes. All nodes, which currently are assumed to be compute platforms that can run Linux, run TGIF middleware that provides a set of services that are cast appropriately based on the platform node type. This talk will introduce TGIF and demonstrate the system by showing how the current US DOT standards-based Connected Vehicle framework can be supported and extended by a system such as TGIF.

Interested in Discussing: Edge Computing, Internet of Things, semantic data design, open data repositories

Erik Rye (US Naval Academy) Talk Title: SDN as Active Measurement Infrastructure

Talk Abstract: Active measurements are integral to the operation and management of networks, and invaluable to supporting empirical network research. Unfortunately, it is often cost-prohibitive and logistically difficult to widely deploy measurement nodes, especially in the core. In this work, we consider the feasibility of tightly integrating measurement within the infrastructure by using Software Defined Networks (SDNs). We introduce "SDN as Active Measurement Infrastructure" (SAAMI) to enable measurements to originate from any location where SDN is deployed, removing the need for dedicated measurement nodes and increasing vantage point diversity. We implement ping and traceroute using SAAMI, as well as a proof-of-concept custom measurement protocol to demonstrate the power and ease of SAAMI's open framework. Via a large-scale measurement campaign using SDN switches as vantage points, we show that SAAMI is accurate, scalable, and extensible.

Interested in Discussing: I am always interested in Bradley's AS-relationship inference work and what's new with large-scale measurement infrastructures like Ark and SamKnows.

Eric Gaston (Naval Postgraduate School) Talk Title: Yarrping the IPv6 Internet

Talk Abstract: The IPv6 Internet has grown significantly in size and importance in recent years. For example, the number of IPv6 routes in the BGP system has increased from fewer than 5,000 in 2011 to more than 35,000 today, while native IPv6 adoption and traffic continues its exponential increase. While there have been many studies on actively mapping the topology of the IPv4 Internet, there have been relatively few that examine the IPv6 Internet. Due to the sheer size of the IPv6 address space, prior work has either sparsely sampled the topology (for instance, tracerouting to the ::1 in each globally announced prefix), or expended considerable time and active probing budget (for instance, by exhaustively probing one address in all /48's).

In this work, we focus on the speed and scale of Internet-wide IPv6 active topology mapping by extending Yarrp (Yelling at Random Routers Progressively, a technique and tool appearing at IMC 2016). Yarrp provides the ability to map the IPv4 Internet at a much quicker speed then current tools, primarily by being stateless and randomizing the order of active probes. By extending Yarrp to probe IPv6, our hope is to advance the state-of-the-art in IPv6 active topology mapping.

IPv6 presents some unique challenges with regard to retaining the stateless nature of Yarrp. First, IPv6 headers have removed some of the fields used by Yarrp in IPv4 to encode state, for instance the 16-bit IP identification field which Yarrp uses to encode the originating probe's TTL. Second, IPv6 is known to more aggressively rate-limit ICMP6.

Conversely, ICMPv6 affords the advantage of complete packet quotations, thereby greatly simplifying state recovery. Rather than being forced to encode state into the probe's packet headers such that a partial packet quotation contains Yarrp state, the ICMPv6 RFC requires as much of the packet that induced the TTL exceeded message to be returned as possible. Not only does this allow us to encode and recover more state, it facilitates an easy path for changing the probe transport protocol from TCP to UDP or ICMPv6 - protocols that are known to elicit more (and different) responses.

Our planned active mapping experiments include both increased coverage and speed. For instance, while prior work probed a target in each /48 of all advertised /32 prefixes (equating to, at the time, 406,388,736 unique /48 prefixes) over a period of more than 4 month, we anticipate Yarrp6 completing the task in 36 hours at 100Kpps. Thus, our hope is that Yarrp6 will facilitate more complete scanning of the IPv6 Internet, and permit a better understanding of the IPv6 topology.

Interested in Discussing: Active Topology Mapping, IPv6

Scott Kirkpatrick (Hebrew University) Talk Title: Crowd-sourced active measurement from mobiles

Talk Abstract: Apps downloaded to a cellphone, either altruisticly ("help us to monitor the Internet") or as a collaboration ("We'll help you to find the best free Internet access") have the capability to observe data traffic in all carriers in all cities of the world, if they are stable and present in sufficient numbers. We have worked with about 3B measurements taken at times in 2014 to 2106 in five American cities, and applied them to study 3G to 4G evolution, paths for content distribution to the edge ("fog computing") and social issues such as commuting, shopping and eating patterns as functions of economic status. Monitoring for congestion in the internet, especially as it becomes dominated by edge participants, is possible, but will require coordination with more sophisticated interior probes.

Interested in Discussing: The role of active measurement from the edge in future monitoring of the Internet

Robert Kisteleki (RIPE NCC) Talk Title: RIPE Atlas infrastructure [provisional title]

Talk Abstract: I'll explore some aspects and curiosities of the RIPE Atlas data collection / storage / retrieval infrastructure and data sharing options.

Interested in Discussing: ATM I'm interested in anomaly detection and confirmation, especially across multiple measurement networks.

Neil Spring (University of Maryland) Talk Title: Why doesn't DNS anycast work?

Talk Abstract: Anycast-based distribution should, in theory, distribute queries to nearby replicas. After Maryland migrated the "D"-root DNS server to an address provided by anycast and deployed instances in dozens of locations, we still find that queries travel across continents to Virginia, passing by various closer replicas along the way. In this talk, I may place blame, and if we can figure it out, I'll talk about whether this affects the other servers as well. I will ask whether the failure of anycast to achieve reasonable performance is a pathology, a nuisance, or inconsequential.

Interested in Discussing: I am interested in the discussion about collaboration with policymakers, and remain particularly interested in ensuring consumers know whether their connections are reliable and performing with the expected bitrates.

Olivier Fourmaux (UPMC Sorbonne Universit├ęs) Talk Title: An Internet measurement platform for the e-learning community

Talk Abstract: FORGE ( was a European project that ran from 2013 to 2016 that developed the use of computer networking testbeds in e-learning. Through FORGE, teachers and students were given access to testbeds from the European Commission's FIRE initiative, and were able to create and execute scientific experiments on these testbeds in ways that were suitable to the classroom or self-study. The e-learning tools developed by FORGE have been made available as open educational resources.

We describe our work in FORGE, which consisted of making the PlanetLab Europe testbed ( available to a MOOC on internet measurements, so that MOOC students could conduct lab exercises in a real-world environment. The MOOC is described here:

Those who are familiar with PlanetLab know that it offers SSH access to a command line environment in which one has root privileges on Linux virtual machines at servers around the world. This sort of access is appropriate for researchers engaging in long-term scientific experiments, but was ill adapted for students in this mooc for a number of reasons, among them: offering individual PlanetLab Europe accounts to 1800 students was not scalable and was not compatible with the privacy policy of the mooc platform; purely anonymous access would be incompatible with the PlanetLab security policies; the mooc students were a diverse lot and we could not count upon their knowledge of the Linux command line environment; there was a risk of flash crowd effects disrupting PlanetLab Europe's nodes and servers.

Our solution was to develop a dedicated client-server system for mooc measurements including ping, traceroute, and iperf (this latter requiring the coordination of iperf processes on two separate PlanetLab nodes at a time). The client component, run as part of the mooc environment, provided an individualized control panel which each student could use to request measurements and see their own results. The server system is accessed through a RESTful webservices interface. The server does not learn the identities of the students, but a chain of responsibility is maintained, in case of any disruptive measurements, as the mooc administrators can identify their own students on the basis of job numbers provided them by the PlanetLab Europe administrators. The server maintains a queue of measurement requests and feeds them to PlanetLab Europe nodes at a controlled rate. Some basic sanity checks are performed to reduce the potential for disruptive measurements. The server returns standard output, standard error, the process return code, and beginning and ending timestamps for the measurement. This client-server system is currently being extended to enable measurements in other courses and on other testbeds.

Interested in Discussing: educational use of measurements

Ahmed Elmokashfi (Simula Research Laboratory) Talk Title: Measurements to inform policy makers and end consumers: the case of Norway

Talk Abstract: This talk shares a few stories that highlight the importance of having permanent measurement infrastructures to policy makers, service providers and end consumers. These case studies are related to Simula's ongoing efforts on measuring the reliability of cellular networks in Norway. Overall, we will touch upon experiences that range from identifying performance bottlenecks to advising on security threats.

Interested in Discussing: mobile networks, measurement infrastructures, quality of experience, outages detection and predication, measurements and policy.

Alexander Marder (University of Pennsylvania) Talk Title: bdrmap-IT: Mapping the Borders of IP Networks

Talk Abstract: Identifying the borders between IP networks has implications for network security, performance analysis, and public policy. Despite recent advances, several limitations hamper our ability to accurately identify the routers and interface IP addresses used to connect Autonomous Systems (ASes) at Internet-scale. Previous approaches are unable to work on router-level graphs and fail to identify borders of unresponsive networks, or require additional probing and cannot scale beyond their immediate network. bdrmap-IT is a novel graph refinement algorithm that accurately maps inferred routers to ASes, and identifies the IP links between Internet networks. It derives inferences from previously collected data and does not require additional probing. bdrmap-IT improves on previous approaches by working at Internet-scale, incorporating alias resolution, and mapping the borders of networks which do not respond to traceroute probes. Our approach can operate on both router-level and interface-level graphs. We ran bdrmap-IT on a publicly available router-level graph. We validate our approach using ground truth provided by network operators of small, medium, and large Internet networks. Our preliminary results show that bdrmap-IT identifies the correct AS for more than 92% of the routers, and achieves higher than 97% precision when inferring inter-AS links.

Interested in Discussing: Accurately identifying the IP addresses used for inter-AS links

Mattijs Jonker (University of Twente) Talk Title: OpenINTEL: an update and ongoing efforts

Talk Abstract: At the last AIMS, we presented OpenINTEL: a large-scale long term active measurement system for the DNS. This system collects daily measurements for 60% of the global DNS namespace and makes this data accessible for analysis via a Hadoop/Impala cluster. Our talk outlines the developments around OpenINTEL, and provides a glimpse at some of the research (ideas) that it has since yielded.

Since last year, we have worked to improve and extend OpenINTEL and added the following features and capabilities:

  • Our coverage has been extended to cover most new gTLDs, the .se, .nu, .ca, .fi and .at ccTLDs, and the .info and .mobi generic TLDs. This has grown our coverage to almost 200M domains.
  • We have extended our measurement to cover infrastructure elements; this means that in addition to requesting NS and MX records for domains, we now also resolver the A and AAAA records for the names in NS and MX records. This allows for new approaches to analysis, e.g. finding common IP addresses, prefixes or ASNs based on A/AAAA for NS and MX.
  • We have released substantial open access data sets for the Alexa top 1 million (1 year of data) and the .se and .nu ccTLDs (7 months of data). These data sets are updated on a daily basis and can be downloaded from
Participation in AIMS last year has led to collaborations with CAIDA and with Northeastern University. Within the foreseeable future we further:
  • plan to make publicly available a data set that covers the OpenDNS Top 1M;
  • And will determine if we could start measuring (cc)TLDs that allow a zone transfer and thus, are in effect, public. Examples are .bb, .np, and .sv.

While our talk outlines the developments around OpenINTEL, I'd also like to provide a glimpse at (published) research efforts that involve OpenINTEL data.

Interested in Discussing: In my talk I will outline ongoing and planned research efforts that involve both OpenINTEL data and other data sets. For example, the combination of active DNS measurements with the UCSD Telescope DDoS metadata (RSDOS). I hope that my outlining these ideas will lead to additional data sets to consider, or new, future research ideas.

John Heidemann (University of Southern California / Information Sciences Institute) Talk Title: Infrastructure for Experimental Replay and Mutation of DNS Queries

Talk Abstract: The DNS ecosystem today is revisiting basic design questions: should it encourage TCP? TLS? DTLS? Something completely new like QUIC or HTTP? While modeling and analysis help answer some of these questions, *experimental evaluation* is necessary for validation, and in some cases the only way to get accurate estimates of software memory use and performance. This talk will discuss our recent work in supporting experimental evaluation of DNS with components that support trace replay and evaluation. Trace replay is supported by a DNS data archive to prime replay with real data, and a query mutation system to support what-if evaluation using variations of that data.

The trace replay system is the work with Liang Zhu; this work is part of a larger system to support DNS experimentation, joint work with Wes Hardaker.

Talk Title: Collecting and Visualizing Outages Over the Long Haul

Talk Abstract: We have been collecting data about outages in the Internet since Oct. 2014. Our outage detection system, Trinocular, uses active probing from four sites to study about 4 million /24 IPv4 address blocks. Long-duration measurements bring challenges that don't occur in short observations. Most importantly, our target ("the Internet") changes as we measure it, as new blocks come on-line, old blocks are reused in different ways, and ISPs observe and sometimes block our traffic. Our measurement platform also sees occasional hardware failures. Visualization can assist detection of these problems, allowing human perception to detect changes in data collection that have not previously been anticipated. This talk will discuss the challenges of long-term outage measurement and describe our new algorithm that scales to support clustering of 4M blocks and 3 months of observations for visualization.

Our visualization is joint work with Yuri Pradkin, and analysis of our long-term outages includes work with Abdulla Alwabel.

Interested in Discussing: dns; shared research infrastructure

Scott Jordan (University of California, Irvine) Talk Title: How network measurement can inform telecommunications public policy

Talk Abstract: Many areas of telecommunications public policy can be informed by network measurement. In this talk, I'll outline a number of areas of policy in which properly designed network measurement would be beneficial, including fixed and mobile broadband Internet access service, IP interconnection, and various types of network management.

Interested in Discussing: Public policy aspects.

Robert Beverly (NPS) Talk Title: Yarrp6 and SAAMI

Interested in Discussing: Pragmatic aspects of management of large Internet measurement datasets (big data approaches for Internet measurement artifacts).

Darryl Veitch (University of Technology Sydney) Talk Title: Timing Update

Talk Abstract: I will present an overview of current and planned work within the Timing Project at the University of Technology Sydney. In particular I'll discuss NTP server health and choice, the evaluation of the Raspberry Pi as a timing platform, and RADclock support for the Pi.

Interested in Discussing: Timing server selection is currently based primarily on criteria of convenience rather than of accuracy. If a server vetting or validation capability were available, how would you like it to be set up/ interact with it?

Jae Hyun Park (CAIDA, UCSD CSE)

Interested in Discussing: BGP

Alberto Dainotti (CAIDA) Talk Title: Internet Outage Detection and Analysis

Talk Abstract: I'll present and demo IODA, a CAIDA project to develop an operational prototype system that monitors the Internet, in near-realtime, to identify macroscopic Internet outages affecting the edge of the network, i.e., significantly impacting an AS or a large fraction of a country.

Interested in Discussing: Everything

Vasileios Giotsas (UCSD/CAIDA) Talk Title: Detecting peering infrastructure outages in the wild

Talk Abstract: Network operators increasingly rely on advanced interconnection structures to cope with traffic demands and to reduce costs. Peering infrastructures, such as co-location facilities and Internet Exchange Points (IXPs) have evolved to be critical infrastructures where hundreds of networks interconnect and exchange traffic. However, this new interconnection paradigm introduces unforeseen, non-intuitive inter-dependencies that challenge our understanding of the Internet resilience at a regional and global level. The failure of even a small fraction of the Internet may cause unpredictable cascading effects, from the routing layer to the application layer, affecting critical services worldwide. Therefore, when studying the resilience of the Internet it is necessary to understand not only the global issues, but a large number of separate, but interconnected, local issues. However, The enormous scale of the Internet makes it hard to detect and measure the impact of outages of only specific infrastructures, therefore our understanding remains fundamentally limited.

In this talk I present Kepler, a novel and lightweight system for the detection of peering infrastructure outages. Our methodology relies on the observation that BGP communities, announced with routing updates, are an excellent source of information allowing us to pinpoint outage locations with high accuracy and low measurement overhead, and track the reaction of networks in near real-time. Our analysis unveils four times as many outages as compared to those publicly reported over the past five years. Moreover, we show that such outages have significant impact on remote networks and peering infrastructures in terms of routing instability. Our study provides a unique view of the behavior of the Internet under stress that often goes unreported.

Interested in Discussing: Routing, security, resilience, visualization

Ricky Mok (CAIDA/UCSD) Talk Title: Tracing the Internet from the crowd

Talk Abstract: Running Traceroute from the edge is one of the essential ways for diagnosing user's performance issues. A number of platforms, such as Ark and RIPE Atlas, has deployed dedicated devices for conducting network path measurement, including traceroute. However, these measurement platforms are difficult to interact with users to understand their application performance or the QoE.

In this talk, we will discuss the challenges and methods of orchestrating the public crowdsourcing platforms, such as Amazon Mechanical Turk, to collect network route information from their participants. We will show that, by combining with existing network data, it is feasible to find suitable participants who are experiencing the network degrading events. Furthermore, these participants can be employed to conduct subjective assessments regarding to their experiences in the network events.

Interested in Discussing: crowdsourcing, QoE, network measurement

Casey Deccio (Brigham Young University) Talk Title: Arming the Defenseless: An Incentive - based Approach to DNS Reflection Prevention

Talk Abstract: The Internet Protocol (IP) has been foundational for the Internet, making inter-network routing of datagrams possible. Yet the fact that IP routing is source agnostic has enabled abuse of the protocol. By spoofing source addresses an attacker can reflect - and amplify - traffic off of public services to unsuspecting victims and effectively overwhelm them, in a class of distributed denial of service attack (DDoS). Spoofing prevention mechanisms such as BCP38 have been largely unsuccessful because of the lack of incentive on the part of those required to deploy. We propose a mechanism wherein the parties required to act (the victims) have incentive to do so. In our proposed mechanism owners of network address space (the victims) deploy secure anti-spoofing technologies, such as DNS cookies, advertise their capabilities to the world, and public services (would be reflectors) respect and enforce the advertised capabilities to stop reflection and amplification altogether. We believe adoption of this technique will be successful because it is self-fulfilling, rather than altruistic.

Interested in Discussing: DDoS, DNS measurement

Ramakrishna Padmanabhan (University of Maryland) Talk Title: On static, dynamic, and proxy IPv4 addresses and their properties

Talk Abstract: Many applications use IP addresses as their unit of measurement - for example, IPv4 address space censuses count the number of active addresses, outage detection techniques find addresses affected by outages, and host reputation systems find addresses that are associated with malicious users. However, the use of IP addresses for these purposes is complicated by the diversity of usage of the IPv4 address space by ISPs. Some addresses may be static, where there could be just one device behind an address at any point of time. Others may be dynamic, where there could be many devices behind an address over a period of time - and yet others may be proxies, which can aggregate traffic from thousands of devices at the same point of time. Associating the portions of the IPv4 address space with their expected behavior will benefit the applications which use IP addresses as their unit of measurement.

In this work, we offer preliminary analyses of static, dynamic and proxy addresses using logs generated by a large CDN's download manager. The CDN's download manager, which is installed on users' desktop and laptops, records log lines when events such as a file download occur. Each such log line contains a unique installation ID, the user's current public IPv4 address, and the timestamp. We identify static addresses by looking for IDs that were continuously shown to be associated with the same address over time. We identify dynamic addresses by looking for evidence of IP address reassignment. We uncover proxies by finding IP addresses that are associated with tens of IDs within a short duration of time. Our preliminary results show properties associated with each class of addresses and we discuss directions of future research with these results.

Interested in Discussing: IPv4 and IPv6 addressing

Srikanth Sundaresan (Princeton) Talk Title: Understanding and improving speed tests

Talk Abstract: Speed tests measure the network capacity between two endpoints. Their simplicity has led to their widespread popularity and use, to the extent that they currently serve as a catch-all for the quality of the network. Surprisingly, they have evolved very little in years - they still don't tell us anything apart from available capacity to a server on the Internet. Recently, there have been some efforts to remedy this, in particular by using crowd-sourced speed tests to understand congestion in ISP interconnections. We show that we can go much further: how speed tests can, with very little modification can tell us a lot more about Internet paths. We show how we can use simple signatures using TCP RTT to understand whether a flow self-induced congestion, or was congested by an already congested link. We are also currently working on simple extensions to speed tests to help pinpoint the link in the path that is causing congestion.

Interested in Discussing: Congestion, measurement infrastructure.

Tanja Zseby (TU Wien) Talk Title: Using Measurement Data in Network Security Education

Talk Abstract: TU Wien offers two classes in network security with focus on network traffic data analysis. In the first set of practical exercises students analyze IP darkspace data collected at UCSD to learn methods for detecting and analyzing network attacks. In the second set of exercise they learn how to detect covert channels injected in TCP/IP traffic. The talk presents the experience with working with measurement data in university education and plans for the use of further data sets. Exercises, solver scripts and grading scheme are available for other teachers at

Interested in Discussing: data sets, data sharing

Matthew Zekauskas (Internet2) Talk Title: perfSonar 4.0 and User-Developed Active Measurements

Talk Abstract: perfSonar is a measurement framework, and a specific toolkit, for active measurement that is deployed on over 1200 nodes around the world, in both research and commercial networks. The next version, 4.0, will include a new unified scheduler, pscheduler, that allows both for easy inclusion of new active measurement tools as well as easy distribution of results to various archivers or other consumers. This talk with discuss the new architecture, pscheduler, and its potential for research use. [NOTE: I can also talk about the current state of measurements and sharing data with Internet2, opportunities for researchers to obtain data, and the current vision for research support, either as a short additional talk or as a mostly-orthogonal second segment of this one.]

Interested in Discussing: Here are two: (1) Locating infrastructure flaws by synthesizing hypothesis from multiple heterogeneous measurement sources. [could also be a variant of public policy questions, or used for public policy questions] (2) Security and Privacy versus usefulness or usability; both of a measurement infrastructure itself, and also how research uses might affect the network infrastructure.

Last Modified