Analysis of passive end-to-end network performance measurements

  • Authors:
  • George F. Riley; Charles Robert Simpson, Jr.

  • Affiliations:
  • Georgia Institute of Technology; Georgia Institute of Technology

  • Venue:
  • Dissertation, Georgia Institute of Technology
  • Year:
  • 2007

Abstract

As networks become an increasingly important part of daily life, measuring and analyzing them becomes important as well. This dissertation first introduces a network measurement infrastructure designed to collect such measurements from end-hosts on the Internet. Then, using these measurements, it studies the behavior of the network and its users as well as the security issues affecting the Internet. Finally, the public release of the collected data is discussed.

The NETI@home network measurement infrastructure is a distributed approach to passively gathering end-to-end network performance measurements. The client is designed to run on virtually any machine connected to the Internet, and measurements are reported to a server located at the Georgia Institute of Technology. This tool gives researchers much needed data on the end-to-end performance of the Internet as measured by end-users. NETI@home's basic approach is to sniff packets sent from and received by the host and to infer performance metrics from the observed packets. NETI@home users can select a privacy level that determines which types of data are gathered and which are not reported. NETI@home is designed to be an unobtrusive software system that runs quietly in the background with little or no user intervention and few resources.

We conduct a flow-based comparison of honeynet traffic, representing malicious traffic, and NETI@home traffic, representing typical end-user traffic. We present a cumulative distribution function of the number of packets per TCP flow and find that a large portion of the flows in both datasets are failed and potentially malicious connection attempts. Next, we look at a histogram of TCP port activity over large time scales to gain insight into port scanning and worm activity. One key observation is that new worms can linger for more than a year after their initial release date.
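The flow-based comparison described above rests on a few mechanical steps: grouping passively sniffed packets into bidirectional flows, flagging flows that never completed a TCP handshake as failed connection attempts, building the packets-per-flow CDF, and tallying which ports the failed attempts targeted. The following is an added illustration in Python, not NETI@home code; the packet records, field layout, host addresses and the "no SYN/ACK means failed" rule are constructed assumptions for the example.

```python
"""Flow reconstruction and failed-connection analysis over passively sniffed
packets. Added example, not NETI@home code; all input below is constructed."""
from collections import Counter, defaultdict, namedtuple

# Assumed record layout for one sniffed packet (constructed for this example).
Packet = namedtuple("Packet", "ts src sport dst dport flags payload")
P = Packet

# Hypothetical monitored end-host and a constructed capture around it.
HOST = "192.0.2.10"
PACKETS = [
    # A completed web fetch: handshake, request, response, teardown.
    P(0.00, HOST, 40001, "198.51.100.5", 80, "S", 0),
    P(0.02, "198.51.100.5", 80, HOST, 40001, "SA", 0),
    P(0.02, HOST, 40001, "198.51.100.5", 80, "A", 0),
    P(0.03, HOST, 40001, "198.51.100.5", 80, "PA", 300),
    P(0.10, "198.51.100.5", 80, HOST, 40001, "PA", 1200),
    P(0.11, HOST, 40001, "198.51.100.5", 80, "FA", 0),
    P(0.13, "198.51.100.5", 80, HOST, 40001, "FA", 0),
    # Inbound probes: SYN answered by RST (closed port) or never answered.
    P(1.00, "203.0.113.7", 5555, HOST, 445, "S", 0),
    P(1.00, HOST, 445, "203.0.113.7", 5555, "RA", 0),
    P(1.50, "203.0.113.7", 5556, HOST, 135, "S", 0),
    P(2.00, "203.0.113.9", 6000, HOST, 445, "S", 0),
    P(2.50, "203.0.113.9", 6001, HOST, 139, "S", 0),
]


def flow_key(pkt):
    """Canonical bidirectional key so both directions of a connection match."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def build_flows(packets):
    """Group packets by flow, preserving time order within each flow."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(pkt)].append(pkt)
    return dict(flows)


def is_failed_attempt(flow_pkts):
    """A TCP flow in which no SYN/ACK was ever seen never completed its
    handshake: a probe to a closed or filtered port, or a scan."""
    return not any("S" in p.flags and "A" in p.flags for p in flow_pkts)


def packets_per_flow_cdf(flows):
    """CDF of packets per flow as (size, fraction of flows with <= size)."""
    sizes = sorted(len(pkts) for pkts in flows.values())
    total = len(sizes)
    return [(s, sum(1 for x in sizes if x <= s) / total) for s in sorted(set(sizes))]


def probed_port_histogram(flows):
    """Destination port of the initial SYN for every failed flow: the ports
    scanners and worms are actually knocking on."""
    hist = Counter()
    for pkts in flows.values():
        if is_failed_attempt(pkts):
            hist[pkts[0].dport] += 1
    return hist


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    failed = sum(is_failed_attempt(p) for p in flows.values())
    print(f"{len(flows)} flows, {failed} failed attempts")
    print("packets-per-flow CDF:", packets_per_flow_cdf(flows))
    print("probed ports:", probed_port_histogram(flows))
```

Two caveats a practitioner should carry over to real captures: a capture that starts mid-connection will miss the SYN/ACK and wrongly count an established flow as failed, so the rule should only be applied to flows whose first observed packet is a bare SYN; and the per-port histogram should be keyed by the initial SYN's destination port, not by whichever port appears first after canonicalization, which is why the code looks at the first packet in time order.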
We go on to look at activity relative to the IP address space and observe that the sources of malicious traffic are spread across the allocated range. Finally, we discuss other security-related observations, including suspicious use of ICMP packets and attacks on our own NETI@home server.

We present observations and conclusions on the behavior of the network and networking protocols from the unique perspective of the end-user. An analysis of hop counts, based on observed TTL values, is presented. The frequency and use of network address translation (NAT) and the private IP address space are studied. Finally, several other options and flags of various protocols are analyzed to determine their adoption and use by the Internet community.

The simulation of computer networks requires accurate models of user behavior. To this end, we present empirical models of end-user network traffic derived from the analysis of NETI@home data. Two forms of model are presented. The first models traffic for a specific TCP or UDP port; the second models all TCP or UDP traffic for an end-user. These models are meant to be network-independent and capture aspects such as bytes sent, bytes received, and user think time. The empirical models derived in this study can be used to enable more realistic simulations of computer networks and are implemented in GTNetS.

Finally, we discuss our approaches to anonymizing the dataset and how the anonymized data and their associated analysis tools will be distributed.
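Two of the end-user-perspective measurements mentioned above, hop counts inferred from observed TTL values and NAT use inferred from the host's own address, can be computed from a packet sniffer's view alone. The following is an added example in Python, not code from the dissertation; the set of initial TTL defaults, the "nearest initial TTL at or above the observed value" rule, and the sample observations are assumptions made for the illustration.

```python
"""Hop-count inference from observed TTL and NAT inference from the local
address, as seen by a passive end-host sniffer. Added example, not
NETI@home code; inputs are constructed."""
import ipaddress
from collections import Counter

# Assumption: senders start from one of these common initial TTL values.
INITIAL_TTLS = (32, 64, 128, 255)

# RFC 1918 private ranges; an end-host whose own interface address falls
# here is reaching the Internet through NAT.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def infer_hops(observed_ttl):
    """Hops traversed = nearest initial TTL at or above the observed value,
    minus the observed value. Ambiguous if a path exceeds the gap between
    two initial values (e.g. more than 32 hops from a 64 sender looks like
    a short path from a 32 sender), which is rare on the Internet."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl


def hop_histogram(observed_ttls):
    """Distribution of inferred path lengths over many received packets."""
    return Counter(infer_hops(t) for t in observed_ttls)


def in_private_space(addr):
    """True for RFC 1918 addresses (explicit ranges rather than the broader
    ipaddress.is_private, which also covers loopback, link-local, etc.)."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def nat_count(local_addrs):
    """(hosts reporting a private local address, total hosts)."""
    private = sum(1 for a in local_addrs if in_private_space(a))
    return private, len(local_addrs)


# Constructed observations: TTLs of packets received from four remote peers,
# and the local interface addresses reported by three monitored hosts.
SAMPLE_TTLS = [52, 113, 245, 61]
SAMPLE_LOCAL_ADDRS = ["192.168.1.20", "10.0.0.5", "203.0.113.50"]

if __name__ == "__main__":
    print("hop-count histogram:", dict(hop_histogram(SAMPLE_TTLS)))
    print("hosts behind NAT: %d of %d" % nat_count(SAMPLE_LOCAL_ADDRS))
```

The TTL-to-hops mapping is a heuristic, not a measurement: it depends on the sender's OS default, and middleboxes that rewrite TTL, or senders configured with an unusual initial value, will shift the result. Reporting the histogram rather than individual values, as the dissertation does, keeps such outliers from dominating the picture.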