- High-Frequency Active Internet Topology Mapping
Current large-scale topology mapping systems require multiple days to
characterize the Internet due to the large amount of
probing traffic they incur. The accuracy of maps from existing
systems is unknown, yet empirical evidence suggests that additional
fine-grained probing exposes hidden links and temporal dynamics.
Through longitudinal analysis of data from the Archipelago and iPlane
systems, in conjunction with our own active probing, we examine how to
shorten Internet topology mapping cycle time. In particular, this
work develops discriminatory primitives that maximize topological
fidelity while being efficient.
- IPv6 Measurement and Mapping
As part of a collaboration with CAIDA funded by the NSF, we
are actively investigating IPv6 measurement, including:
topology, security, and adoption. Recent work has developed
new methods for performing IPv6 alias resolution.
- Tamper-evident TCP
TCP-HICCUPS (Handshake-based Integrity Check of Critical Underlying Protocol
Semantics) is a tamper-evident extension of TCP designed to shed light on
currently opaque middlebox behavior, revealing packet header manipulation to
both sides of a TCP. HICCUPS introduces no new options or TCP/IP field
semantics, is incrementally deployable, and "raises the bar" on middleboxes
that seek to evade detection.
- Network and Topology Deception
Among available network security defenses is the class of deceptive
network strategies. More advanced deception includes not only providing a
believable target, but actively influencing the adversary through deceit.
Our work seeks to both implement and discover various forms of network
and topology deception.
- Furious MAC
Furious MAC is a project to understand, map, and correlate
wireless hardware identifiers.
- Transport-Layer Abusive Traffic Detection and Mitigation
Abusive traffic abounds on the Internet, often originating from "botnets,"
distributed collections of compromised hosts under common control. We are
investigating a unique approach to detecting bots, botnet infrastructure, and
mitigating abusive traffic via transport-level (i.e. TCP) traffic signal
analysis. Our key insight is that local botnet behavior manifests remotely as
a discriminative signal. Rather than relying on content signatures or
reputation measures, we exploit botnets' basic requirement to source large
amounts of data, be it attacks, scam-hosting, spam, or other yet-to-be imagined
malicious traffic. By using statistical traffic signal characterization
methods, we can provide a difficult-to-subvert discriminator. This IP and
content agnostic approach is privacy preserving, permitting deployment within
the network core and offering the possibility to stanch malicious traffic
before it saturates access links.
- Understanding the Efficacy of IP Source Address Validation
IP source address forgery, or "spoofing," is a long-recognized consequence of
the Internet's lack of packet-level authenticity. Despite historical precedent
and filtering and tracing efforts, attackers continue to utilize spoofing for
anonymity, indirection, and amplification. Using a distributed infrastructure
and active measurement, we collect data on the prevalence and efficacy of
current best-practice source address validation techniques. We uncover
significant differences in filtering depending upon network geographic region,
type, and size. We provide initial longitudinal results on the evolution of
spoofing revealing no mitigation improvement over four years of measurement.
Our analysis provides an empirical basis for evaluating incentive and
coordination issues surrounding existing and future Internet packet