Christos Papadopoulos

Named data networking

Named Data Networking (NDN) is one of five projects funded by the U.S. National Science Foundation under its Future Internet Architecture Program. NDN has its roots in an earlier project, Content-Centric Networking (CCN), which Van Jacobson first publicly presented in 2006. The NDN project investigates Jacobsons proposed evolution from todays host-centric network architecture (IP) to a data-centric network architecture (NDN). This conceptually simple shift has far-reaching implications for how we design, develop, deploy, and use networks and applications. We describe the motivation and vision of this new architecture, and its basic components and operations. We also provide a snapshot of its current design, development status, and research challenges. More information about the project, including prototype implementations, publications, and annual reports, is available on named-data.net.

A framework for classifying denial of service attacks

Launching a denial of service (DoS) attack is trivial, but detection and response is a painfully slow and often a manual process. Automatic classification of attacks as single- or multi-source can help focus a response, but current packet-header-based approaches are susceptible to spoofing. This paper introduces a framework for classifying DoS attacks based on header content, and novel techniques such as transient ramp-up behavior and spectral analysis. Although headers are easily forged, we show that characteristics of attack ramp-up and attack spectrum are more difficult to spoof. To evaluate our framework we monitored access links of a regional ISP detecting 80 live attacks. Header analysis identified the number of attackers in 67 attacks, while the remaining 13 attacks were classified based on ramp-up and spectral analysis. We validate our results through monitoring at a second site, controlled experiments, and simulation. We use experiments and simulation to understand the underlying reasons for the characteristics observed. In addition to helping understand attack dynamics, classification mechanisms such as ours are important for the development of realistic models of DoS traffic, can be packaged as an automated tool to aid in rapid response to attacks, and can also be used to estimate the level of DoS activity on the Internet.

An error control scheme for large-scale multicast applications

Retransmission based error control for large scale multicast applications is dificult because of implosion and exposure. Existing schemes (SRM, RMTe TMTe LBRRM) have good solutions to implosion, but only approximate solutions to exposure. We present a scheme that achieves finer grain fault recovery by exploiting new forwarding services that allow us to create a dynamic hierarchy of receivers. We extend the IP Multicast service model so that routers provide a more refined form of multicasting (which may be useful to other applications), that enables local recovery. The new services are simple to implement and do not require routers to examine or store application packets; hence, they do not violate layering. Besides providing better implosion control and less exposure than other schemes, our scheme integrates well with the current IP model, has small recovery latencies (it requires no back-off delays), and completely isolates group members from topology. Our scheme can be used with a variety of multicast routing protocols, including DVMRP and PIM. We have implemented our scheme in NetBSD Unix, using about 250 lines of new C-code. The implementation requires two new IP options, 4 additional bytes in each routing entry and a slight modiJication to IGMP reports. The forwarding overhead incurred by the new services is actually lower than forwarding normal multicast trafic.

Cossack: coordinated suppression of simultaneous attacks

DDoS attacks are highly distributed, well coordinated, offensive assaults on services, hosts, and infrastructure of the Internet. Effective defensive countermeasures to DDoS attacks require equally sophisticated, well coordinated, monitoring, analysis, and response. The Cossack project is developing technology to thwart such attacks by deploying a set of watchdogs at edge networks, which employ distributed coordination to rapidly detect, and neutralize attacks.

Eliminating Steganography in Internet Traffic with Active Wardens

Active wardens have been an area of postulation in the community for nearly two decades, but to date there have been no published implementations that can be used to stop steganography as it transits networks. In this paper we examine the techniques and challenges of a high-bandwidth, unattended, real-time, active warden in the context of a network firewall. In particular, we concentrate on structured carriers with objectively defined semantics, such as the TCP/IP protocol suite rather than on the subjective, or unstructured carriers such as images that dominate the information hiding literature. We introduce the concept of Minimal Requisite Fidelity (MRF) as a measure of the degree of signal fidelity that is both acceptable to end users and destructive to covert communications. For unstructured carriers, which lack objective semantics, wardens can use techniques such as adding noise to block subliminal information. However, these techniques can break the overt communications of structured carriers which have strict semantics. We therefore use a specification-based approach to determine MRF. We use MRF to reason about opportunities for embedding covert or subliminal information in network protocols and develop both software to exploit these channels, as well as an active warden implementation that stops them. For unstructured carriers, MRF is limited by human perception, but for structured carriers, well known semantics give us high assurance that a warden can completely eliminate certain subliminal or covert channels.

Census and survey of the visible internet

Prior measurement studies of the Internet have explored traffic and topology, but have largely ignored edge hosts. While the number of Internet hosts is very large, and many are hidden behind firewalls or in private address space, there is much to be learned from examining the population of visible hosts, those with public unicast addresses that respond to messages. In this paper we introduce two new approaches to explore the visible Internet. Applying statistical population sampling, we use censuses to walk the entire Internet address space, and surveys to probe frequently a fraction of that space. We then use these tools to evaluate address usage, where we find that only 3.6% of allocated addresses are actually occupied by visible hosts, and that occupancy is unevenly distributed, with a quarter of responsive /24 address blocks (subnets) less than 5% full, and only 9% of blocks more than half full. We show about 34 million addresses are very stable and visible to our probes (about 16% of responsive addresses), and we project from this up to 60 million stable Internet-accessible computers. The remainder of allocated addresses are used intermittently, with a median occupancy of 81 minutes. Finally, we show that many firewalls are visible, measuring significant diversity in the distribution of firewalled block size. To our knowledge, we are the first to take a census of edge hosts in the visible Internet since 1982, to evaluate the accuracy of active probing for address census and survey, and to quantify these aspects of the Internet.

Experimental evaluation of SUNOS IPC and TCP/IP protocol implementation

Results of a study that characterizes the performance of SunOS Inter-Process Communication (IPC) and TCP/IP protocol implementation for distributed high-bandwidth applications are presented. Components studied include queuing in different layers, protocol control mechanisms (such as flow and error control), per-packet processing, buffer requirements, and interaction with the operating system. The Unix kernel and two public-domain tools for IPC measurement are reviewed. >

From remote media immersion to Distributed Immersive Performance

We present the architecture, technology and experimental applications of a real-time, multi-site, interactive and collaborative environment called Distributed Immersive Performance (DIP). The objective of DIP is to develop the technology for live, interactive musical performances in which the participants - subsets of musicians, the conductor and the audience - are in different physical locations and are interconnected by very high fidelity multichannel audio and video links. DIP is a specific realization of broader immersive technology - the creation of the complete aural and visual ambience that places a person or a group of people in a virtual space where they can experience events occurring at a remote site or communicate naturally regardless of their location. The DIP experimental system has interaction sites and servers in different locations on the USC campus and at several partners, including the New World Symphony of Miami Beach, FL. The sites have different types of equipment to test the effects of video and audio fidelity on the ease of use and functionality for different applications. Many sites have high-definition (HD) video or digital video (DV) quality images projected onto wide screen wall displays completely integrated with an immersive audio reproduction system for a seamless, fully three-dimensional aural environment with the correct spatial sound localization for participants. The system is capable of storage and playback of the many streams of synchronized audio and video data (immersidata), and utilizes novel protocols for the low-latency, seamless, synchronized real-time delivery of immersidata over local area networks and wide-area networks such as Internet2. We discuss several recent interactive experiments using the system and many technical challenges common to the DIP scenario and a broader range of applications. These challenges include: (1). low latency continuous media (CM) stream transmission, synchronization and data loss management; (2). low latency, real-time video and multichannel immersive audio acquisition and rendering; (3). real-time continuous media stream recording, storage, playback; (4). human factors studies: psychophysical, perceptual, artistic, performance evaluation; (5). robust integration of all these technical areas into a seamless presentation to the participants.

Routing policies in named data networking

Modern inter-domain routing with BGP is based on policies rather than finding shortest paths. Network operators devise and implement policies affecting route selection and export independently of others. These policies are realized by tuning a variety of parameters, or knobs, present in BGP. Similarly, NDN, a information-centric future Internet architecture, will utilize a policy-based routing protocol such as BGP. However, NDN allows a finer granularity of policies (content names rather than hosts) and more traffic engineering opportunities. This work explores what routing policies could look like in an NDN Internet. We describe the knobs available to network operators and their possible settings. Furthermore, we explore the economic incentives present in an NDN Internet and reason how they might drive operators to set their policies.

Identification of Repeated Denial of Service Attacks

Denial of Service attacks have become a weapon for extortion and vandalism causing damages in the millions of dollars to commercial and government sites. Legal prosecution is a powerful deterrent, but requires attribution of attacks, currently a difficult task. In this paper we propose a method to automatically fingerprint and identify repeated attack scenarios—a combination of attacking hosts and attack tool. Such fingerprints not only aid in attribution for criminal and civil prosecution of attackers, but also help justify and focus response measures. Since packet contents can be easily manipulated, we base our fingerprints on the spectral characteristics of the attack stream which are hard to forge. We validate our methodology by applying it to real attacks captured at a regional ISP and comparing the outcome with header-based classification. Finally, we conduct controlled experiments to identify and isolate factors that affect the attack fingerprint.