This is the tentative virtual conference schedule for PAM 2022.

All times are in Central European Summer Time (CEST).

Program

  • Opening
  • Keynote 1
    • Johanna Amann (International Computer Science Institute (ICSI))
      Abstract: Passively monitoring Internet traffic is one of the best and most interesting ways to learn about how machines on the Internet interact with each other. However, running a large-scale passive measurement effort also comes with a number of technical practical challenges. We ran a large-scale, distributed passive measurement of the SSL/TLS protocols for more than a decade. During that time, we got information about the outgoing SSL/TLS connections from our data sources, consisting mostly of large University and Research networks. In my talk, I will concentrate on the lessons that were learned when running a large-scale passive measurement effort. The talk will discuss some of the easy-to-miss problems that one can encounter when setting up such measurements. It will also highlight some of the unexpected results that we found in our dataset, and highlight the symbiotic nature that can exist between passive and active measurement efforts. Furthermore, I will show some results from our work to highlight how encrypted traffic on the Internet evolved since the early 2010s.
  • 15:30 - 16:00 - Break
  • Security
    • Thijs van den Hout, Thymen Wabeke, Giovane C. M. Moura, and Cristian Hesselman (SIDN Labs)
      Abstract: Logos give a website a familiar feel and promote trust. Scammers take advantage of that by using well-known organizations’ logos on malicious websites. Unsuspecting Internet users see these logos and think they are looking at a government website or legitimate webshop, when it is a phishing site, a counterfeit webshop, or a site set up to spread misinformation. We present the largest logo detection study on websites to date. We analyze 6.2M domain names from the Netherlands’ country-code top-level domain .nl, in two case studies to detect logo misuse for two organizations: the Dutch national government and Thuiswinkel Waarborg, an organization that issues certified webshop trust marks. We show how we can detect phishing, spear phishing, dormant phishing attacks, and brand misuse. To that end, we developed LogoMotive, an application that crawls domain names, generates screenshots, and detects logos using supervised machine learning. LogoMotive is operational in the .nl registry, and it is generalizable to detect any other logo in any DNS zone to help identify abuse.
    • Simon Fernandez, Maciej Korczyński, and Andrzej Duda (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG)
      Abstract: Spam domains are sources of unsolicited mails and one of the primary vehicles for fraud and malicious activities such as phishing campaigns or malware distribution. Spam domain detection is a race: as soon as the spam mails are sent, taking down the domain or blacklisting it is of relative use, as spammers have to register a new domain for their next campaign. To prevent malicious actors from sending mails, we need to detect them as fast as possible and, ideally, even before the campaign is launched. In this paper, using near-real-time passive DNS data from Farsight Security, we monitor the DNS traffic of newly registered domains and the contents of their TXT records, in particular, the configuration of the Sender Policy Framework, an anti-spoofing protocol for domain names and the first line of defense against devastating Business Email Compromise scams. Because spammers and benign domains have different SPF rules and different traffic profiles, we build a new method to detect spam domains using features collected from passive DNS traffic. Using the SPF configuration and the traffic to the TXT records of a domain, we accurately detect a significant proportion of spam domains with a low false positive rate, demonstrating its potential in real-world deployments. Our classification scheme can detect spam domains before they send any mail, using only a single DNS query, and later on, it can refine its classification by monitoring more traffic to the domain name.
    • Carl Magnus Bruhner, Oscar Linnarsson, and Matus Nemec (Linkoping University), Martin Arlitt (University of Calgary), Niklas Carlsson (Linkoping University)
      Abstract: Certificates are the foundation of secure communication over the internet. However, not all certificates are created and managed in a consistent manner and the certificate authorities (CAs) issuing certificates achieve different levels of trust. Furthermore, user trust in public keys, certificates, and CAs can quickly change. Combined with the expectation of 24/7 encrypted access to websites, this quickly evolving landscape has made careful certificate management both an important and challenging problem. In this paper, we first present a novel server-side characterization of the certificate replacement (CR) relationships in the wild, including the reuse of public keys. Our data-driven CR analysis captures management biases, highlights a lack of industry standards for replacement policies, and features successful example cases and trends. Based on the characterization results we then propose an efficient solution to an important revocation problem that currently leaves web users vulnerable long after a certificate has been revoked.
  • Web
    • Rui Yang (ETH Zürich), Ricky K. P. Mok (CAIDA/UC San Diego), Shuohan Wu and Xiapu Luo (The Hong Kong Polytechnic University), Hongyu Zou (UC San Diego), Weichao Li (Peng Cheng Laboratory)
      Abstract: Web-based speed tests are popular among end-users for measuring their network performance. Thousands of measurement servers have been deployed in diverse geographical and network locations to serve users worldwide. However, most speed tests have opaque methodologies, which makes it difficult for researchers to interpret their highly aggregated test results, let alone leverage them for various studies. In this paper, we propose WebTestKit, a unified and configurable framework for facilitating automatic test execution and cross-layer analysis of test results for five major web-based speed test platforms. Only capturing packet headers of traffic traces, WebTestKit performs in-depth analysis by carefully extracting HTTP and timing information from test runs. Our testbed experiments showed WebTestKit is lightweight and accurate in interpreting encrypted measurement traffic. We applied WebTestKit to compare the use of HTTP requests across speed tests and investigate the root causes for impeding the accuracy of latency measurements, which play an important role in test server selection and throughput estimation.
    • Matteo Varvello (Bell Labs, Nokia), Kleomenis Katevas (Telefonica Research), Mihai Plesa and Hamed Haddadi (Brave Software), Fabian Bustamante (Northwestern University), Ben Livshits (Imperial College London)
      Abstract: Advances in cloud computing have simplified the way that both software development and testing are performed. This is not true for battery testing, for which state-of-the-art test-beds simply consist of one phone attached to a power meter. These test-beds have limited resources and access, and are overall hard to maintain; for these reasons, they often sit idle with no experiment to run. In this paper, we propose to share existing battery testbeds and transform them into vantage points of BatteryLab, a power monitoring platform offering heterogeneous devices and testing conditions. We have achieved this vision with a combination of hardware and software which allows us to augment existing battery test-beds with remote capabilities. BatteryLab currently counts three vantage points, one in Europe and two in the US, hosting three Android devices and one iPhone 7. We benchmark BatteryLab with respect to the accuracy of its battery readings, system performance, and platform heterogeneity. Next, we demonstrate how measurements can be run atop of BatteryLab by developing the “Web Power Monitor” (WPM), a tool which can measure website power consumption at scale. We released WPM and used it to report on the energy consumption of Alexa’s top 1,000 websites across 3 locations and 4 devices (both Android and iOS).
    • James Saxon and Nick Feamster (University of Chicago)
      Abstract: This paper uses two commercial datasets of IP addresses from smartphones, geolocated through the Global Positioning System (GPS), to characterize the geography of IP address subnets from mobile and broadband ISPs. Datasets that geolocate IP addresses based on GPS offer superlative accuracy and precision for IP geolocation and thus provide an unprecedented opportunity to understand both the accuracy of existing geolocation databases as well as other properties of IP addresses, such as mobility and churn. We focus our analysis on three large cities in the United States. After evaluating the accuracy of existing geolocation databases, we analyze the circumstances under which IP geolocation databases may be more or less accurate. Within our sample, we find that geolocation databases are more accurate on fixed-line than mobile networks, that IP addresses on university networks can be more accurately located than those from consumer or business networks, and that often the paid versions of these databases are not significantly more accurate than the free versions. We then characterize how quickly subnets associated with fixed-line networks change geographic locations, and how long residential broadband ISP subscribers retain individual IP addresses. We find, generally, that most IP address assignments are stable over two months, although stability does vary across ISPs. Finally, we evaluate the suitability of existing IP geolocation databases for understanding Internet access and performance in human populations within specific geographies and demographics. Although the median accuracy of IP geolocation is better than 3 km in some contexts – fixed-line connections in New York City, for instance – we conclude that relying on IP geolocation databases to understand Internet access in densely populated regions such as cities is premature.
  • Performance
    • Esteban Carisimo (Northwestern University), Ricky K. P. Mok and k claffy (CAIDA, UC San Diego), David D. Clark (MIT)
      Abstract: We investigate a novel approach to the use of jitter to infer network congestion using data collected by probes in access networks. We discovered a set of features in jitter and jitter dispersion —a jitter-derived time series we define in this paper— time series that are characteristic of periods of congestion. We leverage these concepts to create a jitter-based congestion inference framework that we call Jitterbug. We apply Jitterbug’s capabilities to a wide range of traffic scenarios and discover that Jitterbug can correctly identify both recurrent and one-off congestion events. We validate Jitterbug inferences against state-of-the-art autocorrelation-based inferences of recurrent congestion. We find that the two approaches have strong congruity in their inferences, but Jitterbug holds promise for detecting one-off as well as recurrent congestion. We identify several future directions for this research including leveraging ML/AI techniques to optimize performance and accuracy of this method in operational settings.
    • Moinak Ghoshal (Northeastern University), Pranab Dash, Zhaoning Kong, Qian Xu, and Y. Charlie Hu (Purdue University), Dimitrios Koutsonikolas (Northeastern University), Yuanjie Li (Tsinghua University)
      Abstract: Augmented Reality (AR) promises unprecedented interactive and immersive experiences to users by augmenting physical objects in the real world with computer-generated perceptual information. However, recent studies have shown that multi-user AR apps can experience very high end-to-end latency (12.5 s in the median case) when running over LTE networks, which significantly impacts the user QoE. This work conducts to our knowledge the first experimental study of the feasibility of enabling multi-user AR with 5G mmWave. Our analysis shows that, in spite of the much higher bandwidth and lower latency compared to LTE, not only does 5G mmWave not improve the end-to-end latency of multi-user AR apps but also results in higher energy consumption. We uncover the root causes of the low performance and make recommendations for enabling multi-user AR apps over cellular networks.
  • Routing
    • Ryo Nakamura (The University of Tokyo), Kazuki Shimizu (Juniper Networks), Teppei Kamata (Cisco Systems), Cristel Pelsser (University of Strasbourg)
      Abstract: This paper reports on measuring the effect of engineering egress traffic to peering ASes using Segment Routing, called BGP-EPE. BGP-EPE can send packets destined to arbitrary prefixes to arbitrary eBGP peers regardless of the BGP path selection. This ability enables us to measure external connectivity from a single AS in various perspectives; for example, does the use of paths other than the BGP best paths improve performance? We conducted an experiment to measure latency to the Internet from an event network, Interop Tokyo ShowNet, where SR-MPLS and BGP-EPE were deployed. Our findings from the experiment show BGP-EPE improves latency for 77% of target prefixes, and peering provides shorter latency than transit. We further show factors on which the degree of improvement depends, e.g., the performance-obliviousness of BGP and the presence of remote peering. Also, we find 91% of peer ASes forwarded packets towards prefixes that the peers did not advertise.
    • Tianhao Wu, Jessie Hui Wang, Jilong Wang, and Shuying Zhuang (Institute for Network Sciences and Cyberspace, BNRist, Tsinghua University)
      Abstract: Accurate inference of interdomain paths between arbitrary source and destination is the foundation for many research areas, especially for the security of the Internet routing system. The widely used method to solve this problem is using standard policies based on the business relationship model, but it is far from satisfactory. We conduct an in-depth analysis on the inherent limitations of the path inference by standard routing policies and show that the routing behaviors of ISPs are diverse and standard import policies are oversimplified. Then we develop RouteInfer, an algorithm for accurately inferring interdomain paths by capturing ISP routing behaviors diversity and generality. RouteInfer uses a 3-layer policy model to extract the fine-grained policies and coarse-grained policies of ASes and can achieve high accuracy as well as good generalization ability. After extracting policies, we find another inherent challenge that there is still a huge number of ASes without inferred policies. To overcome this challenge, RouteInfer formulates the prediction of route decisions as a ranking problem and develops a learning-based approach especially for predicting route decisions. We carefully design node, link, and path features based on the understanding of actual route decisions. Overall, on average, RouteInfer achieves 81.64% accuracy. Compared with state-of-the-art inference algorithms, RouteInfer increases the inference accuracy by about 30.04% to 182.3%. Furthermore, we analyze the inferred policies and the route decision model to understand routing behaviors deeply. We find that many ASes set fine-grained policies for CDN ASes. Besides, most of the violations of the standard preference rule are related to p2p links in European IXPs.
  • DNS and Routing
    • Fenglu Zhang and Chaoyi Lu (Tsinghua University), Baojun Liu (Tsinghua University; Beijing National Research Center for Information Science and Technology), Haixin Duan (Tsinghua University; QI-ANXIN Technology Research Institute; Peng Cheng Laboratory), Ying Liu (Tsinghua University)
      Abstract: DNS root servers are deployed using multiple globally distributed anycast instances, and the scale of instances across the globe has been rapidly growing. This paper presents a measurement study that investigates the practical effect of root server instances deployed in the Chinese mainland. Our analysis of this issue is two-fold. First, we measure the catchment area of the root server instances and answer the question about which domestic networks are served. Our results show that some of the instances are not accessible from major ISP networks due to limits of BGP routing policies, and a number of root queries still turn to further instances outside the international gateway. Second, we evaluate the impact of deploying new instances on query performance and root server selection in resolvers. We confirm that root instances contribute to lowered query delay from networks within their catchment area. Through reviewing source code of mainstream DNS implementations, we find that less-latent root servers are generally preferred; thus, deploying root server instances increases their possibilities to absorb DNS root requests from nearby resolvers. We make recommendations to improve the operational status of the DNS root server system.
    • Giovane Moura (SIDN Labs/TU Delft), John Heidemann (University of Southern California / Information Sciences Institute), Wes Hardaker (USC/ISI), Pithayuth Charnsethikul (University of Southern California), João M. Ceron and Cristian Hesselman (SIDN Labs)
      Abstract: DNS latency is a concern for many service operators: CDNs exist to reduce service latency to end-users but must rely on global DNS for reachability and load-balancing. Today, DNS latency is monitored by active probing from distributed platforms like RIPE Atlas, with Verfploeter, or with commercial services. While Atlas coverage is wide, its 10k sites see only a fraction of the Internet. In this paper we show that passive observation of TCP handshakes can measure live DNS latency, continuously, providing good coverage of current clients of the service. Estimating RTT from TCP is an old idea, but applying this approach to DNS has never been scrutinized like this before. We show that there is sufficient TCP DNS traffic today to provide good operational coverage (particularly of IPv6), and very good temporal coverage (better than existing approaches), enabling near-real time evaluation of DNS latency from real clients. We also show that DNS servers can optionally solicit TCP to broaden coverage. We quantify coverage and show that estimates of DNS latency from TCP are consistent with UDP latency. Our approach finds previously unknown, real problems: DNS polarization is a new problem where a hypergiant sends global traffic to one anycast site rather than taking advantage of the global anycast deployment. Correcting polarization in Google DNS cut its latency from 100 ms to 10 ms; and from Microsoft Azure cut latency from 90 ms to 20 ms. We also show other instances of routing problems that add 100–200 ms latency. Finally, real-time use of our approach for a European country-level domain has helped detect and correct a BGP routing misconfiguration that detoured European traffic to Australia. We have integrated our approach into several open source tools: ENTRADA, our open source data warehouse for DNS, a monitoring tool (Anteater), which has been operational for the last 2 years on a country-level top-level domain, and a DNS anonymization tool in use at a root server since March 2021.
    • Ramin Yazdani, Roland van Rijswijk-Deij, Mattijs Jonker, and Anna Sperotto (University of Twente)
      Abstract: Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6 M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.
  • 16:00 - 17:00 - Break
  • Keynote 2
    • Dr. Les Deutsch (Jet Propulsion Laboratory - California Institute of Technology)
      Abstract: NASA’s Deep Space Network (DSN) serves as the Earth end of an interplanetary communications network. The DSN communicates with and helps to navigate the world’s space missions that venture beyond Geosynchronous Earth orbit. These currently include spacecraft at various planets, near the Sun, and in Interstellar Space – representing ~35 separate space missions. In many ways, this network is similar to the terrestrial Internet – but it also differs in some key areas. We will investigate the similarities and differences and also discuss plans for the future, working toward extending Internet-like connectivity across the Solar System.
  • Routing 2
    • Ben Du, Gautam Akiwate, and Thomas Krenc (UC San Diego), Cecilia Testart (MIT), Alexander Marder, Bradley Huffaker, Alex C. Snoeren, and KC Claffy (UC San Diego)
      Abstract: The Internet Route Registry (IRR) and Resource Public Key Infrastructure (RPKI) both emerged as different solutions to improve routing security in the Border Gateway Protocol (BGP) by allowing networks to register information and develop route filters based on information other networks have registered. RPKI is a crypto system, with associated complexity and policy challenges; it has seen substantial but slowing adoption. IRR databases often contain inaccurate records due to lack of validation standards. Given the widespread use of IRR for routing security purposes, this inaccuracy merits further study. We study IRR accuracy by quantifying the consistency between IRR and RPKI records, analyze the causes of inconsistency, and look at which ASes are contributing correct IRR information. In October 2021, we found ROAs for around 20% of RADB IRR records, and a consistency of 38% and 60% in v4 and v6. For RIPE IRR, we found ROAs for 47% records and a consistency of 73% and 82% in v4 and v6. For APNIC IRR, we found ROAs for 76% records and a high consistency of 98% and 99% in v4 and v6. For AFRINIC IRR, we found ROAs for only 4% records and a consistency of 93% and 97% in v4 and v6.
    • Lars Prehn (MPII), Christoph Dietzel (DE-CIX, MPII), Franziska Lichtblau and Anja Feldmann (MPII)
      Abstract: Internet Exchange Points (IXPs) became a fundamental building block of inter-domain routing throughout the last decade. Today, they offer their members access to hundreds—if not thousands—of possible networks to peer. In this paper, we pose the question: How far can peering at those large IXPs get us in terms of reachable prefixes and services? To approach this question, we first analyze and compare Route Server snapshots obtained from eight of the world’s largest IXPs. Afterwards, we perform an in-depth analysis of bi-lateral and private peering at a single IXP based on its peering LAN traffic and queries to carefully selected, nearby looking glasses. To assess the relevance of the prefixes available via each peering type, we utilize two orthogonal metrics: the number of domains served from the prefix and the traffic volume that a large eyeball network egresses towards it. Our results show that multi-lateral peering can cover ~20% and ~40% of the routed IPv4 and IPv6 address space, respectively. We observe that many of those routes lead to out-of-continent locations reachable only via three or more AS hops. Yet, most IXP members only utilize "local" (i.e., single hop) routes. We further infer that IXP members can reach more than half of all routed IPv4 and more than one-third of all routed IPv6 address space via bi-lateral peering. These routes contain almost all of the top 10K egress prefixes of our eyeball network, and hence they would satisfy the reachability requirements of most end users. Still, they miss up to 20% of the top 10K prefixes that serve the most domains. We observe that these missing prefixes often belong to large transit and Tier 1 providers.
    • Fabricio Mazzola (UFRGS), Pedro Marcos (FURG), Ignacio Castro (Queen Mary, University of London), Matthew Luckie and Marinho Barcellos (University of Waikato)
      Abstract: Internet Exchange Points (IXPs) play an essential role in the Internet, providing a fabric for thousands of Autonomous Systems (ASes) to interconnect. Initially designed to keep local traffic local, IXPs now interconnect ASes all over the world, and the premise that IXP routes should be shorter and faster than routes through a transit provider may not be valid anymore. Using BGP views from eight IXPs (three in Brazil, two in the U.S., and one each in London, Amsterdam, and Johannesburg), a transit connection at each of these locations, and latency measurements we collected in May 2021, we compare the latency to reach the same addresses using routes from remote peers, local peers, and transit providers. For four of these IXPs, at least 71.4% of prefixes advertised by remote peers also had a local peering route, BGP generally preferred the remote route due to its shorter AS path, but the local route had lower latency than the remote route in the majority of cases. When a remote route was the only peering route available at an IXP, it had slightly lower latency than a corresponding transit route available outside the IXP for >57.6% of the prefixes for seven of the eight IXPs.
  • Internet Applications
    • Sharat Madanapalli, Hassan Habibi Gharakheili, and Vijay Sivaraman (UNSW Sydney)
      Abstract: Online gaming generated $178 billion globally in 2020, with the popular shooter, action-adventure, role-playing, and sporting titles commanding hundreds of millions of players worldwide. Most online games require only a few hundred kbps of bandwidth but are very sensitive to latency. Internet Service Providers (ISPs) keen to reduce "lag" by tuning their peering relationships and routing paths to game servers are hamstrung by lack of visibility on: (a) gaming patterns, which can change day-to-day as games rise and fall in popularity; and (b) locations of gaming servers, which can change from hour-to-hour across countries and cloud providers depending on player locations and matchmaking. In this paper, we develop methods that give ISPs visibility into online gaming activity and associated server latency. As our first contribution, we analyze packet traces of ten popular games and develop a method to automatically generate signatures and accurately detect game sessions by extracting key attributes from network traffic. Field deployment in a university campus identifies 31k game sessions representing 9,000 gaming hours over a month. As our second contribution, we perform BGP route and Geolocation lookups, coupled with active ICMP and TCP latency measurements, to map the AS-path and latency to the 4,500+ game servers identified. We show that the game servers span 31 Autonomous Systems, distributed across 14 countries and 165 routing prefixes, and routing decisions can significantly impact latencies for gamers in the same city. Our study gives ISPs much-needed visibility so they can optimize their peering relationships and routing paths to better serve their gaming customers.
    • Jens Helge Reelfs and Oliver Hohlfeld (Brandenburg University of Technology), Niklas Henckell (The Jodel Venture GmbH)
      Abstract: In this paper, we empirically analyze two examples of a Western (DE) versus Middle-East (SA) Online Social Messaging App. By focussing on the system interactions over time in comparison, we identify inherent differences in user engagement. We take a deep dive and shed light onto differences in user attention shifts and showcase their structural implications to the user experience. Our main findings show that in comparison to the German counterparts, the Saudi communities prefer creating content in longer conversations, while voting more conservatively.
    • George Pantelakis (FORTH/University of Crete), Panagiotis Papadopoulos and Nicolas Kourtellis (Telefonica Research, Barcelona, Spain), Evangelos P. Markatos (FORTH/University of Crete)
      Abstract: Rich offline experience, periodic background sync, push notification functionality, network requests control, and improved performance via request caching are only a few of the functionalities provided by the Service Workers API. This new technology, supported by all major browsers, can significantly improve users’ experience by providing the publisher with the technical foundations that would normally require a native application. Despite the capabilities of this new technique and its important role in the ecosystem of Progressive Web Apps (PWAs), it is still unclear what their actual purpose on the web is, and how publishers leverage the provided functionality in their web applications. In this study, we shed light on the real-world deployment of Service Workers, by conducting the first large-scale analysis of the prevalence of Service Workers in the wild. We see that Service Workers are becoming more and more popular, with the adoption increased by 26% only within the last 5 months. Surprisingly, besides their fruitful capabilities, we see that Service Workers are being mostly used for In-Page Push Advertising, in 65.08% of the Service Workers that connect with 3rd parties. We highlight that this is a relatively new way for advertisers to bypass ad-blockers and render ads on the user’s displays natively.
  • Network Properties
    • Emeline Marechal (Université de Liège), Pascal Mérindol (Université de Strasbourg), Benoit Donnet (Université de Liège)
      Abstract: Since the early 2000s, Internet topology discovery has been an active research topic, providing data for various studies such as Internet modeling, network management, or to assist and support network protocol design. Within this research area, ISP mapping at the router level has attracted little interest despite its utility to perform intra-domain routing evaluation. Since Rocketfuel (and, to a smaller extent, mrinfo), no new tool or method has emerged for systematically mapping intra-domain topologies. In this paper, we introduce Anaximander, a new efficient approach for probing and discovering a targeted ISP in particular. Considering a given set of vantage points, we implement and combine several predictive strategies to mitigate the number of probes to be sent without sacrificing the ISP coverage. To assess the ability of Anaximander to efficiently extract a given ISP map, we rely on a large dataset with ISPs of distinct nature and demonstrate how Anaximander can be tuned with a simple parameter to control the trade-off between ISP coverage and probing budget.
    • Stefan Mehner, Franka Schuster, and Oliver Hohlfeld (Brandenburg University of Technology)
      Abstract: Industrial Control Systems (ICS) are critical systems to our society. Yet they are less studied given their closed nature and the frequent unavailability of data. While a few studies focus on wide-area SCADA systems, e.g., power or gas distribution networks, mission-critical networks that control power generation are not yet studied. To address this gap, we perform the first measurement study of Distributed Control Systems (DCS) by analyzing traces from all network levels of several operational power plants. We show that DCS networks feature a rather rich application mix compared to wide-area SCADA networks and that applications and sites can be fingerprinted with statistical means. While traces from operational power plants are hard to obtain, we analyze to which extent easier-to-access training facilities can be used as vantage points. Our study aims to shed light on traffic properties of critical industries that were not yet analyzed given the lack of data.
  • 15:31 - 16:00 - Break
  • DNS
    • Jiarun Mao and Michael Rabinovich (Case Western Reserve University), Kyle Schomp (Akamai)
      Abstract: While the DNS protocol encompasses both UDP and TCP as its underlying transport, UDP is commonly used in practice. At the same time, increasingly large DNS responses and concerns over amplification denial of service attacks have heightened interest in conducting DNS interactions over TCP. This paper surveys the support for DNS-over-TCP in the deployed DNS infrastructure from several angles. First, we assess resolvers responsible for over 66.2% of the external DNS queries that arrive at a major content delivery network (CDN). We find that 2.7% to 4.7% of the resolvers, contributing around 1.1% to 4.4% of all queries arriving at the CDN from the resolvers we study, do not support DNS-over-TCP even when forced by authoritative servers, a substantial number when considering the corresponding loss of website customers. Second, we find authoritative DNS servers, serving some popular websites and a number of CDNs, that do not support DNS-over-TCP. These ADNS would deny service to (RFC-compliant) resolvers that choose to switch to TCP-only interactions. Third, we describe a race condition in TCP connection reuse by DNS actors that may become a significant issue should DNS-over-TCP and other TCP-based DNS protocols, such as DNS-over-TLS, become widely used.
    • Nguyen Phong Hoang (University of Chicago), Michalis Polychronakis (Stony Brook University), Phillipa Gill (Google Inc.)
      Abstract: Most online communications rely on DNS to map domain names to their hosting IP address(es). Previous work has shown that DNS-based network interference is widespread due to the unencrypted and unauthenticated nature of the original DNS protocol. In addition to DNS, accessed domain names can also be monitored by on-path observers during the TLS handshake when the SNI extension is used. These lingering issues with exposed plaintext domain names have led to the development of a new generation of protocols that keep accessed domain names hidden. DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) hide the domain names of DNS queries, while Encrypted Server Name Indication (ESNI) encrypts the domain name in the SNI extension. We present DNEye, a measurement system built on top of a network of distributed vantage points, which we used to study the accessibility of DoT/DoH and ESNI, and to investigate whether these protocols are tampered with by network providers (e.g., for censorship). Moreover, we evaluate the efficacy of these protocols in circumventing network interference when accessing content blocked by traditional DNS manipulation. We find evidence of blocking efforts against domain name encryption technologies in several countries, including China, Russia, and Saudi Arabia. At the same time, we discover that domain name encryption can help with unblocking more than 55% and 95% of censored domains in China and other countries where DNS-based filtering is heavily employed.
    • Mike Kosek, Trinh Viet Doan, Malte Granderath, and Vaibhav Bajpai (Technical University of Munich)
      Abstract: The DNS is one of the most crucial parts of the Internet. Since the original DNS specifications defined UDP and TCP as the underlying transport protocols, DNS queries are inherently unencrypted, making them vulnerable to eavesdropping and on-path manipulations. Consequently, concerns about DNS privacy have gained attention in recent years, which resulted in the introduction of the encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Although these protocols address the key issues of adding privacy to the DNS, they are inherently restrained by their underlying transport protocols, which are at strife with, e.g., IP fragmentation or multi-RTT handshakes — challenges which are addressed by QUIC. As such, the recent addition of DNS over QUIC (DoQ) promises to improve upon the established DNS protocols. However, no studies focusing on DoQ, its adoption, or its response times exist to this date — a gap we close with our study. Our active measurements show a slowly but steadily increasing adoption of DoQ and reveal a high week-over-week fluctuation, which reflects the ongoing development process: As DoQ is still in standardization, implementations and services undergo rapid changes. Analyzing the response times of DoQ, we find that roughly 40% of measurements show considerably higher handshake times than expected, which traces back to the enforcement of the traffic amplification limit despite successful validation of the client’s address. However, DoQ already outperforms DoT as well as DoH, which makes it the best choice for encrypted DNS to date.
  • Application Performance
    • Albert Choi, Mehdi Karamollahi, Carey Williamson, and Martin Arlitt (University of Calgary)
      Abstract: Zoom is a popular videoconferencing application for remote work and learning. In 2020, our university adopted Zoom for delivering online lectures during work-from-home restrictions. Starting in September 2021, however, our university offered both in-person and online classes. In this paper, we study Zoom network traffic in two different ways. First, we perform small-scale active measurements on individual Zoom test sessions to understand communication patterns and traffic structure. Second, we use large-scale passive measurement of campus-level Zoom traffic to understand usage patterns and performance problems. Our results identify 2-4x growth in Zoom traffic on our campus network since 2020, as well as network-related issues that affect Zoom session quality.
    • Mehdi Karamollahi, Carey Williamson, and Martin Arlitt (University of Calgary)
      Abstract: The first wave of the COVID-19 pandemic hit North America in March 2020, disrupting personal and professional lives, and leading to work-from-home mandates in many jurisdictions. In this paper, we examine two years of empirical network traffic measurement data from our campus network to study the effects of the pandemic on a post-secondary education environment. Our study focuses on the online meeting applications and services used, as well as traffic volumes, directionality, and diurnal patterns, as observed from our campus edge network. The main highlights from our study include: changes to inbound and outbound traffic volumes; reduced traffic asymmetry; significant growth in Zoom, Microsoft Teams, and VPN traffic; structural changes in workday traffic patterns; and a more global distribution of campus network users.
    • Anant Shah, Juan Bran, Kyriakos Zarifis, and Harkeerat Bedi (Edgecast)
      Abstract: Over the past decade, video streaming on the Internet has become the primary source of our media consumption. Billions of users stream online video on multiple devices with an increasing expectation that video will be delivered at high quality without any rebuffering or other events that affect their Quality of Experience (QoE). Video streaming platforms leverage Content Delivery Networks (CDNs) to achieve this at scale. However, there is a gap in how the quality of video streams is monitored. Current solutions rely on client-side beacons that are issued actively by video players. While such approaches may be feasible for streaming platforms that deploy their own CDN, they are less applicable for third-party CDNs with multiple tenants and diverse video players. In this paper, we present a characterization of video workload from a global multi-tenant CDN and develop SSQoE: a methodology deployed on the server side which estimates rebuffering experienced by video clients using passive measurements. Using this approach, we calculate a QoE score which represents the health of a video stream across multiple consumers. We present our findings using this QoE score for various scenarios and compare it to traditional server and network monitoring metrics. We also demonstrate the QoE score’s efficacy during large streaming events such as the 2020 Superbowl LIV. We show that this server-side QoE estimation methodology is able to track video performance at an AS or user agent level and can easily pinpoint regional issues at the CDN, making it an attractive solution to be explored by researchers and other CDNs.
  • Security 2
    • Yevheniya Nosyk, Maciej Korczyński, and Andrzej Duda (Univ. Grenoble Alpes, CNRS, Grenoble INP, LIG)
      Abstract: DDoS attacks are one of the biggest threats to the modern Internet as their magnitude is constantly increasing. They are highly effective because of the amplification and reflection potential of different Internet protocols. In this paper, we show how a single DNS query triggers a response packet flood to the query source. We argue that the responses originate from middleboxes located in networks with routing loops. We send DNS A requests to 3 billion routable IPv4 hosts and find 15,909 query destinations from 1,742 autonomous systems that trigger up to 46.7 million repeating responses. We perform traceroute measurements towards the biggest amplifiers, locate 37 routing loops on the way, and notify corresponding network operators. Finally, we analyze two years of historical scan data and find that such "mega amplifiers" are prevalent. In the worst case, a single DNS A request triggered 655 million responses, all returned to a single host.
    • Alexander Gamero-Garrido (CAIDA, UC San Diego | Northeastern University), Esteban Carisimo (Northwestern University), Shuai Hao (Old Dominion University), Bradley Huffaker (CAIDA, UC San Diego), Alex C. Snoeren (UC San Diego), Alberto Dainotti (CAIDA, UC San Diego | Georgia Institute of Technology)
      Abstract: Almost all popular Internet services are hosted in a select set of countries, forcing other nations to rely on international connectivity to access them. We identify nations where traffic towards a large portion of the country is serviced by a small number of Autonomous Systems, and, therefore, may be exposed to observation or selective tampering by these ASes. We introduce the Country-level Transit Influence (CTI) metric to quantify the significance of a given AS on the international transit service of a particular country. By studying the CTI values for the top ASes in each country, we find that 34 nations have transit ecosystems that render them particularly exposed, where a single AS is privy to traffic destined to over 40% of their IP addresses. In the nations where we are able to validate our findings with in-country operators, our top-five ASes are 90% accurate on average. In the countries we examine, CTI reveals two classes of networks frequently play a particularly prominent role: submarine cable operators and state-owned ASes.
    • Jonathan Codi West and Tyler Moore (The University of Tulsa)
      Abstract: Keeping server software patched and up-to-date is a never-ending struggle for system administrators that is crucial for security. Nevertheless, we know little about how well or how consistently software updates are applied over time across the Internet. We shed light on software update behavior on publicly addressable networks by utilizing Internet-wide scans of OpenSSH banners. We primarily focus on OpenSSH banners which contain patch-level information in order to map accurate release dates. We augment this view by tracking which software security backports fix vulnerabilities in older OpenSSH versions. We find that the availability of backports, not CVE announcements or upstream software updates, triggers rapid updates. Unfortunately, we also determine that the lag in publishing backports (if they are published at all), combined with the steady cadence of new vulnerability reports, ensures that most of the time, the vast majority of machines are vulnerable to at least one CVE. Additionally, we observe that major cloud hosting providers are consistently faster to apply patches.
  • 18:48 - 19:00 - Farewell