Results 1 - 10 of 55
An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks, 2001
Cited by 126 (0 self)
Attackers can render distributed denial-of-service attacks more difficult to defend against by bouncing their flooding traffic off of reflectors; that is, by spoofing requests from the victim to a large set of Internet servers that will in turn send their combined replies to the victim. The resulting dilution of locality in the flooding stream complicates the victim's abilities both to isolate the attack traffic in order to block it, and to use traceback techniques for locating the source of streams of packets with spoofed source addresses, such as ITRACE [Be00a], probabilistic packet marking [SWKA00], [SP01], and SPIE [S+01]. We discuss a number of possible defenses against reflector attacks, finding that most prove impractical, and then assess the degree to which different forms of reflector traffic will have characteristic signatures that the victim can use to identify and filter out the attack traffic. Our analysis indicates that three types of reflectors pose particularly significant threats: DNS and Gnutella servers, and TCP-based servers (particularly Web servers) running on TCP implementations that suffer from predictable initial sequence numbers. We argue in conclusion in support of "reverse ITRACE" [Ba00] and for the utility of packet traceback techniques that work even for low volume flows, such as SPIE.
Using the Domain Name System for System Break-Ins, Proceedings of the Fifth Usenix Unix Security Symposium, 1995
Cited by 60 (2 self)
The DARPA Internet uses the Domain Name System (DNS), a distributed database, to map host names to network addresses, and vice-versa. Using a vulnerability first noticed by P.V. Mockapetris, we demonstrate how the DNS can be abused to subvert system security. We also show what tools are useful to the attacker. Possible defenses against this attack, including one implemented by Berkeley in response to our reports of this problem, are discussed, and the limitations on their applicability are demonstrated. This paper was written in 1990, and was withheld from publication by the author. The body of the paper is unchanged, even to the extreme of giving the size of the Internet as 200,000 hosts. An epilogue has been added that discusses why it was held back, and why it is now being released.
Fault Localization via Risk Modeling, IEEE Transactions on Dependable and Secure Computing
Cited by 53 (11 self)
Internet backbone networks are under constant flux in order to keep up with demand and to offer new features. The pace of change in features and technology often outstrips the pace of introduction of the associated fault monitoring capabilities that are built into today's IP protocols and routers. Moreover, some of these new technologies cross networking layers, raising the potential for unanticipated interactions and service disruptions, which the built-in monitoring capabilities in each layer may not detect. In these instances, operators typically employ higher-layer monitoring techniques such as end-to-end liveness probing to detect lower- or cross-layer failures, but lack tools to precisely determine where a detected failure may have occurred. In this paper, we evaluate the effectiveness of using risk modeling to translate high-level failure notifications into lower-layer root causes. We show that a simple greedy heuristic works with accuracy exceeding 80% for many failure scenarios in realistic topologies, while delivering extremely high precision (greater than 80%). We further report our operational experience using risk modeling to isolate optical component and MPLS control-plane failures in a tier-1 ISP.
Internet Traffic Characterization, 1994
Cited by 45 (0 self)
Table of contents (excerpt, extracted in place of an abstract): 1 Introduction; 1.1 The problem; 1.2 Overview of thesis; 1.3 Contribution of our work; 2 Taxonomy of traffic characteristics; 2.1 Aggregation granularity; 2.2 Host versus network centric perspective; 2.3 Host centric perspective; 2.3.1 Delay and jitter ...
Making Reliable Distributed Systems in the Presence of Software Errors, 2003
Cited by 42 (0 self)
product, having over a million lines of Erlang code. This product (the AXD301) is thought to be one of the most reliable products ever made by Ericsson.
Alternate Path Routing for Multicast, 2000
Cited by 27 (0 self)
Alternate path routing has been well-explored in telecommunication networks as a means of decreasing the call blocking rate and increasing network utility. However, aside from some work applying these concepts to unicast flows, alternate path routing has received little attention in the Internet community. We describe and evaluate an architecture for alternate path routing for multicast flows. For path installation, we design a receiver-oriented alternate path protocol and prove that it reconfigures multicast trees without introducing loops. For path computation, we propose a scalable local search heuristic that allows receivers to find alternate paths using only partial network information. We use a simulation study to demonstrate the ability of local search to find alternate paths approximately as well as a link-state protocol, with much lower overhead.
Extensible, Scalable Monitoring For Clusters of Computers, Proc. 1997 Large Installation System Administration Conference (LISA XI), 1997
Cited by 25 (3 self)
We describe the CARD (Cluster Administration using Relational Databases) system for monitoring large clusters of cooperating computers. CARD scales both in capacity and in visualization to at least 150 machines, and can in principle scale far beyond that. The architecture is easily extensible to monitor new cluster software and hardware. CARD detects and automatically recovers from common faults. CARD uses a Java applet as its primary interface, allowing users anywhere in the world to monitor the cluster through their browser.
Providing Contextual Information to Ubiquitous Computing Applications, in Proceedings of IEEE International Conference on Pervasive Computing and Communications (PerCom 2003), 2003
Cited by 17 (6 self)
Ubiquitous computing applications are increasingly leveraging contextual information from several sources to provide users with behavior appropriate to the environment in which they reside. If these sources of contextual information are used and deployed in an ad hoc manner, however, they may provide overlapping functionality, fail to provide needed functionality, and require the use of inconsistent interfaces by applications. To overcome these problems, we introduce a concise organization of services and a single service interface that provide applications with contextual information in a unified manner. We show, via example applications and services that we have implemented, how our service organization and interface can be used to allow proactive applications to adapt their behavior to match a user's current environment.
Towards Systematic Design of Enterprise Networks
Cited by 15 (5 self)
Enterprise networks are important, with size and complexity even surpassing carrier networks. Yet, the design of enterprise networks remains ad hoc and poorly understood. In this paper, we show how a systematic design approach can handle two key areas of enterprise design: virtual local area networks (VLANs) and reachability control. We focus on these tasks given their complexity, prevalence, and time-consuming nature. Our contributions are three-fold. First, we show how these design tasks may be formulated in terms of network-wide performance, security, and resilience requirements. Our formulations capture the correctness and feasibility constraints on the design, and they model each task as one of optimizing desired criteria subject to the constraints. The optimization criteria may further be customized to meet operator-preferred design strategies. Second, we develop a set of algorithms to solve the problems that we formulate. Third, we demonstrate the feasibility and value of our systematic design approach through validation on a large-scale campus network with hundreds of routers and VLANs.
Physical Topology Discovery for Large Multi-Subnet Networks, in Proc. IEEE Infocom, 2003
Cited by 14 (0 self)
Knowledge of the up-to-date physical (i.e., layer-2) topology of an Ethernet network is crucial to a number of critical network management tasks, including reactive and proactive resource management, event correlation, and root-cause analysis. Given the dynamic nature of today's IP networks, keeping track of topology information manually is a daunting (if not impossible) task. Thus, effective algorithms for automatically discovering physical network topology are necessary. In this paper, we propose the first complete algorithmic solution for discovering the physical topology of a large, heterogeneous Ethernet network comprising multiple subnets as well as (possibly) dumb or uncooperative network elements. Our algorithms rely on standard SNMP MIB information that is widely supported in modern IP networks and require no modifications to the operating system software running on elements or hosts. Furthermore, we formally demonstrate that our solution is complete for the given MIB data; that is, if the MIB information is sufficient to uniquely identify the network topology then our algorithm is guaranteed to recover it. To the best of our knowledge, ours is the first solution to provide such a strong completeness guarantee.