Rob Sherwood

Cooperative peer groups in NICE

A distributed scheme for trust inference in peer-to-peer networks is presented. Our work is in context of the NICE system, which is a platform for implementing cooperative applications over the Internet. We describe a technique for efficiently storing user reputation information in a completely decentralized manner, and show how this information can be used to efficiently identify noncooperative users in NICE. We present a simulation based study of our algorithms, in which we show our scheme scales to thousands of users using modest amounts of storage, processing, and bandwidth at any individual node. Lastly, we show that our scheme is robust and can form cooperative groups in systems where the vast majority of users are malicious.

P/sup 5/ : a protocol for scalable anonymous communication

We present a protocol for anonymous communication over the Internet. Our protocol, called P/sup 5/ (peer-to-peer personal privacy protocol) provides sender-, receiver-, and sender-receiver anonymity. P/sup 5/ is designed to be implemented over current Internet protocols, and does not require any special infrastructure support. A novel feature of P/sup 5/ is that it allows individual participants to trade-off degree of anonymity for communication efficiency, and hence can be used to scalably implement large anonymous groups. We present a description of P/sup 5/, an analysis of its anonymity and communication efficiency, and evaluate its performance using detailed packet-level simulations.

Slurpie: a cooperative bulk data transfer protocol

We present Slurpie: a peer-to-peer protocol for bulk data transfer. Slurpie is specifically designed to reduce client download times for large, popular files, and to reduce load on servers that serve these files. Slurpie employs a novel adaptive downloading strategy to increase client performance, and employs a randomized backoff strategy to precisely control load on the server. We describe a full implementation of the Slurpie protocol, and present results from both controlled local-area and wide-area testbeds. Our results show that Slurpie clients improve performance as the size of the network increases, and the server is completely insulated from large flash crowds entering the Slurpie network.

Touring the internet in a TCP sidecar

An accurate router-level topology of the Internet would benefit many research areas, including network diagnosis, inter-domain traffic engineering, and overlay construction. We present TCP Sidecar and Passenger, two elements of a system for router-level Internet topology discovery. Sidecar transparently injects measurement probes into non-measurement TCP streams, while Passenger combines TTL-limited probes with the often-ignored IP record route option. The combined approach mitigates problems associated with traceroute-based topology discovery, including abuse reports, spurious edge inference from multi-path routing, unresolved IP aliases, long network timeouts, and link discovery behind NATs and firewalls. We believe that we are the first mapping project to measure MPLS use with ICMP extensions and record route behavior when the TTL is not decremented. We are able to discover NATs when monitoring TCP connections that tunnel through them. In this paper, we present preliminary results for TCP Sidecar and Passenger on PlanetLab. Our experiments inject measurement probes into traffic generated both from the CoDeeN Web proxy project and from a custom web crawler to 166,745 web sites.

Fixing ally's growing pains with velocity modeling

Mapping the router topology is an important component of Internet measurement. Alias resolution, the process of mapping IP addresses to routers, is critical to accurate Internet mapping. Ally, a popular alias resolution tool, was developed to resolve aliases in individual ISPs, but its probabilistic accuracy and need to send O(n2) probes to infer aliases among n IP addresses make it unappealing for large-scale Internet mapping. In this paper, we present RadarGun, a tool that uses IP identifier velocity modeling to improve the accuracy and scalability of the Ally-based resolution technique. We provide analytical bounds on Allys accuracy and validate our predicted aliases against Ally. Additionally, we show that velocity modeling requires only O(n) probes and thus scales to Internet-sized mapping efforts.

P 5 : a protocol for scalable anonymous communication

We present a protocol for anonymous communication over the Internet. Our protocol, called P5 (Peer-to-Peer Personal Privacy Protocol) provides sender-, receiver-, and sender-receiver anonymity. P5 is designed to be implemented over the current Internet Protocols, and does not require any special infrastructure support. A novel feature of P5 is that it allows individual participants to trade-off degree of anonymity for communication efficiency, and hence can be used to scalably implement large anonymous groups. We present a description of P5 an analysis of its anonymity and communication efficiency, and evaluate its performance using detailed packet-level simulations.

Fighting Spam with the NeighborhoodWatch DHT

In this paper, we present DHTBL, an anti-spam blacklist built upon a novel secure distributed hash table (DHT). We show how DHTBL can be used to replace existing DNS-based blacklists (DNSBLs) of IP addresses of mail relays that forward spam. Implementing a blacklist on a DHT improves resilience to DoS attacks and secures message delivery, when compared to DNSBLs. However, due to the sensitive nature of the blacklist, storing the data in a peer-to-peer DHT would invite attackers to infiltrate the system. Typical DHTs can withstand fail-stop failures, but malicious nodes may provide incorrect routing information, refuse to return published items, or simply ignore certain queries. The neighborhoodwatch DHT is resilient to malicious nodes and maintains the O(logiV) bounds on routing table size and expected lookup time. NeighborhoodWatch depends on two assumptions in order to make these guarantees: (1) the existence of an on-line trusted authority that periodically contacts and issues signed certificates to each node, and (2) for every sequence of k + 1 consecutive nodes in the ID space, at least one is alive and non-malicious. We show how NeighborhoodWatch maintains many of its security properties even when the second assumption is violated. Honest nodes in NeighborhoodWatch can detect malicious behavior and expel the responsible nodes from the DHT.