Andre Broido

A nonstationary Poisson view of Internet traffic

Since the identification of long-range dependence in network traffic ten years ago, its consistent appearance across numerous measurement studies has largely discredited Poisson-based models. However, since that original data set was collected, both link speeds and the number of Internet-connected hosts have increased by more than three orders of magnitude. Thus, we now revisit the Poisson assumption, by studying a combination of historical traces and new measurements obtained from a major backbone link belonging to a Tier 1 ISP. We show that unlike the older data sets, current network traffic can be well represented by the Poisson model for sub-second time scales. At multisecond scales, we find a distinctive piecewise-linear nonstationarity, together with evidence of long-range dependence. Combining our observations across both time scales leads to a time-dependent Poisson characterization of network traffic that, when viewed across very long time scales, exhibits the observed long-range dependence. This traffic characterization reconciliates the seemingly contradicting observations of Poisson and long-memory traffic characteristics. It also seems to be in general agreement with recent theoretical models for large-scale traffic aggregation

Remote physical device fingerprinting

We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted devices known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the devices system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices an the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP ID; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

Internet topology: connectivity of IP graphs

In this paper we introduce a framework for analyzing local properties of Internet connectivity. We compare BGP and probed topology data, finding that currently probed topology data yields much denser coverage of AS-level connectivity. We describe data acquisition and construction of several IP- level graphs derived from a collection of 220 M skitter traceroutes. We find that a graph consisting of IP nodes and links contains 90.5% of its 629 K nodes in the acyclic subgraph. In particular, 55% of the IP nodes are in trees. Full bidirectional connectivity is observed for a giant component containing 8.3% of IP nodes.

Comparison of public end-to-end bandwidth estimation tools on high-speed links

In this paper we present results of a series of bandwidth estimation experiments conducted on a high-speed testbed at the San Diego Supercomputer Center and on OC-48 and GigE paths in real world networks. We test and compare publicly available bandwidth estimation tools: abing, pathchirp, pathload, and Spruce. We also tested Iperf which measures achievable TCP throughput. In the lab we used two different sources of known and reproducible cross-traffic in a fully controlled environment. In real world networks we had a complete knowledge of link capacities and had access to SNMP counters for independent cross-traffic verification. We compare the accuracy and other operational characteristics of the tools and analyze factors impacting their performance.

Their Share: Diversity and Disparity in IP Traffic

The need to service populations of high diversity in the face of high disparity affects all aspects of network operation: planning, routing, engineering, security, and accounting. We analyze diversity/disparity from the perspective of selecting a boundary between mice and elephants in IP traffic aggregated by route, e.g., destination AS. Our goal is to find a concise quantifier of size disparity for IP addresses, prefixes, policy atoms and ASes, similar to the oft-quoted 80/20 split (e.g., 80% of volume in 20% of sources). We define crossover as the fraction c of total volume contributed by a complementary fraction 1-c of large objects. Studying sources and sinks at two Tier 1 backbones and one university, we find that splits of 90/10 and 95/5 are common for IP traffic. We compare the crossover diversity to common analytic models for size distributions such as Pareto/Zipf. We find that AS traffic volumes (by byte) are top-heavy and can only be approximated by Pareto with α=0.5, and that empirical distributions are often close to Weibull with shape parameter 0.2–0.3. We also find that less than 20 ASes send or receive 50% of all traffic in both backbones’ samples, a disparity that can simplify traffic engineering. Our results are useful for developers of traffic models, generators and simulators, for router testers and operators of high-speed networks.

Spectroscopy of DNS update traffic

We study attempts to dynamically update DNS records for private (RFC1918) addresses, by analyzing the frequency spectrum of updates observed at an authoritative nameserver for these addresses. Using a discrete autocorrelation algorithm we found that updates series have periods of 60 or 75 minutes, which we identified as default settings of out-of-the-box Microsoft Windows 2000 and XP DNS software.

Spectroscopy of traceroute delays

We analyze delays of traceroute probes, i.e. packets that elicit ICMP TimeExceeded messages, for a full range of probe sizes up to 9000 bytes as observed on unloaded high-end routers. Our ultimate motivation is to use traceroute RTTs for Internet mapping of router and PoP (ISP point-of-presence) level nodes, including potentially gleaning information on equipment models, link technologies, capacities, latencies, and spatial positions. To our knowledge it is the first study to examine in a reliable testbed setting the detailed statistics of ICMP response generation. We find that two fundamental assumptions about ICMP often do not hold in modern routers, namely that ICMP delays are a linear function of packet size and that ICMP generation rate is equal to the capacity of the inteface on which probes are received. The primary causes of these violations appear to be optimizations that suppress size dependence, e.g. buffer carving, and rate-limiting of internal ICMP packet and bit rates. Our results suggest that the linear model of packet delay as a function of packet size merits revisiting for many situations, especially for packets over 1500 bytes. Our findings also suggest possibilities of developing new techniques for bandwidth estimation and router fingerprinting.

Radon Spectroscopy of Packet Delay

Abstract We demonstrate the feasibility of Internet spectroscopy techniques for analysis of rate limiting, packet interarrival delay and passive bitrate estimation of cell-or slot-based broadband connections. Working with highly diverse packet trace data, we find that delays quantization in micro- and millisecond range is ubiquitous in todays Internet and that different providers have strong preferences for specific delay quanta in their infrastructures.

On the tail of the arrival process

We examine the cause of the tail of the distribution of the number of packet and byte arrivals at backbone routers. One possible cause is that sometimes there are a large number of active connections resulting in a large number of arrivals in a short period of time. Another possibility is that the tail is due to one or a few very fast connections. By examining time-stamped packet headers from several backbone links, we find that the tail is neither strictly from many users nor strictly from fast connections. Rather, at some times and some time-scales, we find that the tail (the skewness of the distribution in particular) is strongly influenced by the tail of the distribution of the number of active connections, while at other times, the tail of the number of arrivals is due to the tail of the distribution of the connection bit-rates.