Results 1 - 10 of 30
Vigilante: End-to-End Containment of Internet Worm Epidemics
2008
Cited by 206 (5 self)
Worm containment must be automatic because worms can spread too fast for humans to respond. Recent work proposed network-level techniques to automate worm containment; these techniques have limitations because there is no information about the vulnerabilities exploited by worms at the network level. We propose Vigilante, a new end-to-end architecture to contain worms automatically that addresses these limitations. In Vigilante, hosts detect worms by instrumenting vulnerable programs to analyze infection attempts. We introduce dynamic data-flow analysis: a broad-coverage host-based algorithm that can detect unknown worms by tracking the flow of data from network messages and disallowing unsafe uses of this data. We also show how to integrate other host-based detection mechanisms into the Vigilante architecture. Upon detection, hosts generate self-certifying alerts (SCAs), a new type of security alert that can be inexpensively verified by any vulnerable host. Using SCAs, hosts can cooperate to contain an outbreak, without having to trust each other. Vigilante broadcasts SCAs over an overlay network that propagates alerts rapidly and resiliently. Hosts receiving an SCA protect themselves by generating filters with vulnerability condition slicing: an algorithm that performs dynamic analysis of the vulnerable program to identify control-flow conditions that lead
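An added toy model of the two ideas in this abstract, written for this listing rather than taken from Vigilante (which instruments real binaries; here the "instrumentation" is a Python value type that carries taint). It shows dynamic data-flow analysis, where every byte of the network message is tagged with its offset and a control transfer whose target derives from message bytes is an unsafe use, and a self-certifying alert that any other host can check by replaying the message rather than trusting the sender. The machine, the vulnerable `handler`, the 8-bit words and `VERIFY_ADDR` are all constructed for the example; filter generation by vulnerability condition slicing is not modelled.

```python
"""Added toy model (not Vigilante's code) of dynamic data-flow analysis and
self-certifying alerts: message bytes carry taint, a control transfer whose
target derives from them is an unsafe use, and the resulting alert can be
checked by any host simply by replaying the message."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Val:
    """An 8-bit machine word plus the set of message offsets it was derived from
    (empty set = not derived from the network message)."""
    v: int
    src: frozenset = frozenset()

    def __add__(self, other):
        # Arithmetic propagates taint: the result depends on both operands.
        return Val((self.v + other.v) & 0xFF, self.src | other.src)


class UnsafeUse(Exception):
    """Raised by the instrumented machine on a control transfer to a message-derived target."""

    def __init__(self, offsets):
        super().__init__(f"jump target derived from message bytes {offsets}")
        self.offsets = offsets


class Machine:
    """Toy machine: 16 memory words and a jump primitive. When instrumented, each
    received byte is tagged with its offset in the message (the taint source)."""

    def __init__(self, message: bytes, instrumented: bool):
        self.msg = [Val(b, frozenset({i})) if instrumented else Val(b)
                    for i, b in enumerate(message)]
        self.mem = [Val(0)] * 16
        self.pc = None

    def jump(self, target: Val):
        if target.src:                       # unsafe use: PC controlled by message data
            raise UnsafeUse(sorted(target.src))
        self.pc = target.v


def handler(m: Machine) -> int:
    """Constructed vulnerable service logic: copy the message into a 4-word buffer
    mem[0:4] with no length check. mem[4] is the saved return address, so a
    message longer than 4 bytes overwrites it and the final 'return' jumps there."""
    m.mem[4] = Val(0x40)
    for i, b in enumerate(m.msg):
        m.mem[i] = b
    ret = m.mem[4] + Val(0)                  # taint survives the arithmetic
    m.jump(ret)
    return m.pc


def detect(message: bytes):
    """Run the instrumented program on an incoming message; return an SCA on an
    unsafe use, or None for a benign message."""
    try:
        handler(Machine(message, instrumented=True))
    except UnsafeUse as u:
        return {"program": "handler", "message": bytes(message), "pc_offsets": u.offsets}
    return None


VERIFY_ADDR = 0x99   # assumed address of the verifier's own check routine


def verify(sca) -> bool:
    """Verification by any vulnerable host, without trusting the sender: overwrite
    the offsets named in the alert with VERIFY_ADDR, replay the message through
    the (uninstrumented) program and see whether control lands on VERIFY_ADDR."""
    msg = bytearray(sca["message"])
    for off in sca["pc_offsets"]:
        msg[off] = VERIFY_ADDR
    try:
        return handler(Machine(bytes(msg), instrumented=False)) == VERIFY_ADDR
    except UnsafeUse:
        return False


if __name__ == "__main__":
    benign = bytes([1, 2, 3, 4])                       # constructed inputs
    exploit = bytes([1, 2, 3, 4, 0x55, 6, 7, 8])
    print("benign:", detect(benign))
    sca = detect(exploit)
    print("exploit:", sca, "verified:", verify(sca))
    print("forged alert verified:", verify(dict(sca, pc_offsets=[0])))
```

A forged alert that names the wrong message offsets fails verification because the patched bytes never reach the program counter, which is what lets hosts act on alerts from peers they do not trust.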
Efficient algorithms for large-scale topology discovery
in Proc. ACM SIGMETRICS, 2005
Cited by 54 (15 self)
There is a growing interest in discovery of internet topology at the interface level. A new generation of highly distributed measurement systems is currently being deployed. Unfortunately, the research community has not examined the problem of how to perform such measurements efficiently and in a network-friendly manner. In this paper we make two contributions toward that end. First, we show that standard topology discovery methods (e.g., skitter) are quite inefficient, repeatedly probing the same interfaces. This is a concern, because when scaled up, such methods will generate so much traffic that they will begin to resemble DDoS attacks. We measure two kinds of redundancy in probing (intra- and inter-monitor) and show that both kinds are important. We show that straightforward approaches to addressing these two kinds of redundancy must take opposite tacks, and are thus fundamentally in conflict. Our second contribution is to propose and evaluate Doubletree, an algorithm that reduces both types of redundancy simultaneously on routers and end systems. The key ideas are to exploit the treelike structure of routes to and from a single point in order to guide when to stop probing, and to probe each path by starting near its midpoint. Our results show that Doubletree can reduce both types of measurement load on the network dramatically, while permitting discovery of nearly the same set of nodes and links.

The authors are participants in the traceroute@home project. This work was supported by: the RNRT project
Scalable cooperative latency estimation
In Tenth International Conference on Parallel and Distributed Systems (ICPADS), 2004
Cited by 18 (11 self)
This paper discusses SCoLE, a scalable system to estimate Internet latencies. SCoLE is based on GNP, which models Internet latencies in an n-dimensional Euclidean space. In contrast to GNP and other GNP-based systems, however, SCoLE does not employ any global space whose parameters must typically be negotiated by the participating hosts. Instead, it allows each host to construct its “private” space and model inter-host latencies in that space. The private space parameters as well as the modeling algorithm can be adjusted on a per-host basis, which improves system flexibility. More importantly, the mutual independence of private spaces results in higher SCoLE scalability, which is bound neither by the global negotiation of space parameters nor by global knowledge of any kind. We show that latency estimates performed in different private spaces are highly correlated. This allows SCoLE to be used in large-scale applications where consistent latency estimates need to be performed simultaneously by many independent hosts.
Deployment of an algorithm for large-scale topology discovery
in Communications, Sampling the Internet: Techniques and Applications 24(12), 2006
Cited by 17 (3 self)
Topology discovery systems are starting to be introduced in the form of easily and widely deployed software. Unfortunately, the research community has not examined the problem of how to perform such measurements efficiently and in a network-friendly manner. This paper describes several contributions towards that end. These were first presented in the proceedings of ACM SIGMETRICS 2005. We show that standard topology discovery methods (e.g., skitter) are quite inefficient, repeatedly probing the same interfaces. This is a concern, because when scaled up, such methods will generate so much traffic that they will begin to resemble DDoS attacks. We propose two metrics focusing on redundancy in probing and show that both are important. We also propose and evaluate Doubletree, an algorithm that strongly reduces redundancy while maintaining nearly the same level of node and link coverage. The key ideas are to exploit the tree-like structure of routes to and from a single point in order to guide when to stop probing, and to probe each path by starting near its midpoint. Following the SIGMETRICS work, we implemented Doubletree, and deployed it in a real network environment. This paper describes that implementation, as well as preliminary favorable results.

Index Terms: network topology, traceroute, cooperative algorithms.
Studying Black Holes in the Internet with Hubble
Cited by 12 (6 self)
We present Hubble, a system that operates continuously to find Internet reachability problems in which routes exist to a destination but packets are unable to reach the destination. Hubble monitors at a 15 minute granularity the data-path to prefixes that cover 89% of the Internet’s edge address space. Key enabling techniques include a hybrid passive/active monitoring approach and the synthesis of multiple information sources that include historical data. With these techniques, we estimate that Hubble discovers 85% of the reachability problems that would be found with a pervasive probing approach, while issuing only 5.5% as many probes. We also present the results of a three week study conducted with Hubble. We find that the extent of reachability problems, both in number and duration, is much greater than we expected, with problems persisting for hours and even days, and many of the problems do not correlate with BGP updates. In many cases, a multi-homed AS is reachable through one provider, but probes through another terminate; using spoofed packets, we isolated the direction of failure in 84% of cases we analyzed and found all problems to be exclusively on the forward path from the provider to the destination. A snapshot of the problems Hubble is currently monitoring can be found at
Distributed Admission Control for QoS and SLS Management
Journal of Network and Systems Management, Special Issue on Distributed Management, 2004
Cited by 5 (4 self)
This article proposes a distributed admission control (AC) model based on on-line monitoring to manage the quality of Internet multimedia services and Service Level Specifications (SLSs). The AC strategy covers intra and inter-domain operation, controls quality-of-service (QoS) without adding significant complexity to the network control plane and involves only edge nodes. While ingress nodes perform implicit or explicit AC resorting to service-oriented rules for SLS and QoS parameters control, egress nodes collect service metrics providing them as inputs for AC. The end-to-end approach is viewed as a cumulative and repetitive process of AC and available service computation. We evaluate the AC criterion as regards its ability to ensure service commitments while achieving high network utilization. The results show that the proposed model provides a good compromise between simplicity, service guarantee levels and network usage, even for services with strict QoS requirements
A Radar for the Internet
in Proc. of ADN 2008
Cited by 5 (0 self)
Mapping the internet’s topology is a challenge in itself, and studying its dynamics is even more difficult. Achieving this would however provide key information on the nature of the internet, crucial for modeling and simulation. Moreover, detecting anomalies in this dynamics is a key issue for security. We introduce here a new measurement approach which makes it possible to capture internet dynamics at a scale of a few minutes in a radar-like manner. By conducting and analyzing large-scale measurements of this kind, we rigorously and automatically detect events in the observed dynamics, which is totally out of reach of previous approaches. Since the end of the 90s, mapping the internet as a large set of nodes and links received much attention. However, due to its distributed nature and its sheer size, accurately measuring this topology is extremely difficult. The main method to do so relies on the classical traceroute tool [8], which gives a path from a machine connected to the internet (called monitor) to any other (called destination). Such paths are composed of ip addresses of internet routers and links between them. One may then obtain a (partial) map of the internet by running traceroute from many monitors to many destinations, and merging the obtained paths, see Figure 1. For various reasons, however, this is far from trivial and the obtained maps are not satisfactory [6, 3, 4]. Therefore, much effort
In-line Service Measurements: An IPv6-based Framework for Traffic Evaluation and Network Operations
IEEE NOMS 2004, Seoul, Korea, 2004
Cited by 4 (2 self)
The ability to measure, monitor and control the service quality experienced by network traffic is becoming increasingly important as multiple traffic types are aggregated onto IP networks. Assessing the real-time performance of the application flows is an essential requirement for network operations and service management, as well as for identifying how the different traffic types and transports interact and behave when they are carried over the end-to-end Internet infrastructure. This paper introduces a novel measurement technique for assessing the performance of IPv6 network flows. By exploiting IPv6 extension headers, measurement triggers and the instantaneous measurement indications are carried in the same packets as the payload data itself, providing a high level of probability that the behaviour of the real user traffic flows is being observed. The measurement mechanism is applied at the network layer and provides a generic technique able to measure any type of traffic, without depending on particular transports or on specific measurement architectures. A prototype implementation of this technique is also described and evaluated by measuring performance properties of application flows over different-capacity IPv6 environments. End-to-end delay and jitter of video streams have been measured, as well as the goodput for services operating on top of reliable transport. This measurement technique can be the basis for low-overhead, scalable, transparent and reliable measurement of individual and aggregate network flows, and can be dynamically deployed where and when required in a multi-service IP environment.
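An added example, written for this listing and not the paper's prototype, of what "measurement indications carried in the same packets as the payload" looks like on the wire: the sender puts a timestamp into a Destination Options extension header of the very IPv6 packet that carries the UDP payload, and the receiver walks the header chain to recover it and compute one-way delay and jitter across a flow. The option type (0x1E, one of the experimental numbers set aside by RFC 4727), the microsecond timestamp format, the addresses, ports and arrival times are assumptions of this example; the abstract does not give the paper's own option layout.

```python
"""Added example (not the paper's prototype) of in-line measurement over IPv6:
a sender timestamp rides in a Destination Options extension header of the very
packet that carries the UDP payload, and the receiver walks the header chain to
recover it and derive one-way delay and jitter."""
import ipaddress
import struct

NH_DSTOPTS, NH_UDP = 60, 17
# Option type is an assumption of this example: 0x1E is one of the experimental
# option numbers set aside by RFC 4727; its top bits say "skip if unrecognised"
# and "does not change in transit", so unaware routers forward it untouched.
OPT_TIMESTAMP = 0x1E


def _csum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes, ts_us: int) -> bytes:
    """IPv6 header + Destination Options (timestamp option) + UDP header + payload."""
    src_b, dst_b = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    # Destination Options: next header, ext len in 8-octet units minus one, the
    # timestamp TLV (type, len 8, microseconds since epoch), then PadN(2) to 16 bytes.
    opts = struct.pack("!BBBBQ", NH_UDP, 1, OPT_TIMESTAMP, 8, ts_us) + b"\x01\x02\x00\x00"
    ulen = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, 0) + payload
    # The UDP checksum is mandatory in IPv6 and covers the pseudo-header (RFC 8200 s. 8.1).
    pseudo = src_b + dst_b + struct.pack("!I3xB", ulen, NH_UDP)
    csum = _csum(pseudo + udp) or 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip6 = struct.pack("!IHBB", 6 << 28, len(opts) + ulen, NH_DSTOPTS, 64) + src_b + dst_b
    return ip6 + opts + udp


def _walk_ext_headers(pkt: bytes):
    """Return (next header after the extension chain, its offset, timestamp or None)."""
    nh, off, ts = pkt[6], 40, None
    while nh == NH_DSTOPTS:
        nh, end = pkt[off], off + (pkt[off + 1] + 1) * 8
        i = off + 2
        while i < end:
            if pkt[i] == 0:            # Pad1
                i += 1
                continue
            optlen = pkt[i + 1]
            if pkt[i] == OPT_TIMESTAMP and optlen == 8:
                ts = struct.unpack("!Q", pkt[i + 2:i + 10])[0]
            i += 2 + optlen            # PadN and any other skip-type option land here
        off = end
    return nh, off, ts


def parse_packet(pkt: bytes):
    """Receiver side: (sender timestamp in microseconds or None, UDP payload)."""
    assert pkt[0] >> 4 == 6, "not IPv6"
    nh, off, ts = _walk_ext_headers(pkt)
    if nh != NH_UDP:
        return ts, b""
    ulen = struct.unpack("!H", pkt[off + 4:off + 6])[0]
    return ts, pkt[off + 8:off + ulen]


def udp_checksum_ok(pkt: bytes) -> bool:
    """Verify the UDP checksum over pseudo-header + datagram; a valid one sums to zero."""
    nh, off, _ = _walk_ext_headers(pkt)
    if nh != NH_UDP:
        return False
    ulen = struct.unpack("!H", pkt[off + 4:off + 6])[0]
    pseudo = pkt[8:24] + pkt[24:40] + struct.pack("!I3xB", ulen, NH_UDP)
    return _csum(pseudo + pkt[off:off + ulen]) == 0


def measure(packets, arrival_us):
    """One-way delay per packet and jitter (delay variation between consecutive packets)."""
    delays = [arr - parse_packet(p)[0] for p, arr in zip(packets, arrival_us)]
    return delays, [abs(b - a) for a, b in zip(delays, delays[1:])]


if __name__ == "__main__":
    # Constructed sample: two video-stream packets and their (assumed) arrival times.
    pkts = [build_packet("2001:db8::1", "2001:db8::2", 40000, 5004, b"frame-1", 1_000_000),
            build_packet("2001:db8::1", "2001:db8::2", 40000, 5004, b"frame-2", 1_020_000)]
    print(measure(pkts, [1_012_000, 1_035_000]))   # ([12000, 15000], [3000])
```

Because the option's action bits say "skip", routers that do not know the option forward the packet unchanged, which is what makes the measurement transparent to the path; one-way delay still presumes synchronised sender and receiver clocks.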
A framework for interpreting measurement over Internet
2003
Cited by 4 (2 self)
This paper introduces a methodology for interpreting measurements obtained over the Internet. The paper is motivated by the fact that a large number of published papers in empirical networking analysis follow a generic framework that might be formalized and generalized to a large class of problems. The objective of this paper is to present an interpretation framework and to illustrate it by examples coming from the networking literature. The aim of the paper is rather to give the researcher who is confronted with measurements coming from a network some guidelines on how to formalize the way to address interpretation of observations.
Topology discovery using an address prefix based stopping rule
in Proc. Eunice Workshop, 2005
Cited by 4 (3 self)
Recently, a first step towards a highly distributed IP-level topology discovery tool has been made with the introduction of the Doubletree algorithm. Doubletree is an efficient cooperative algorithm that allows the discovery of a large portion of nodes and links in the network while strongly reducing probing redundancy on nodes and destinations as well as the number of probes sent. In this paper, we propose to further reduce the load on destinations and, more importantly, the communication cost required for the cooperation, by introducing a probing stopping rule based on CIDR address prefixes.
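An added toy simulation, written for this listing and not the traceroute@home code, that serves the three Doubletree entries above (the SIGMETRICS paper, its deployment follow-up and this prefix-based stopping rule). It runs classic skitter-style probing, Doubletree with an exact (interface, destination) global stop set, and Doubletree with the global stop set keyed by the destination's /24 prefix, over a small constructed topology whose routes are tree-like toward each monitor and toward each destination, and reports probes sent against nodes and links found. The topology, the start TTL h, the /24 choice and the simplification that every interface on a completed path enters both stop sets are assumptions of this example.

```python
"""Added toy simulation of Doubletree (not the traceroute@home code): classic
traceroute versus Doubletree with an exact-destination global stop set, and
Doubletree with the /24 prefix-based stopping rule."""
import ipaddress

# Constructed topology (an assumption of this example): each route is the list of
# router interfaces answering at TTL 1, 2, ..., ending at the destination. Routes
# from one monitor share their first hops; routes into one /24 share their last.
MONITORS = ["10.0.0.1", "10.0.1.1"]
DESTS = ["192.0.2.10", "192.0.2.20", "198.51.100.10"]
ROUTES = {
    ("10.0.0.1", "192.0.2.10"):    ["10.1.0.1", "10.2.0.1", "10.3.0.1", "192.0.2.10"],
    ("10.0.0.1", "192.0.2.20"):    ["10.1.0.1", "10.2.0.1", "10.3.0.1", "192.0.2.20"],
    ("10.0.0.1", "198.51.100.10"): ["10.1.0.1", "10.2.0.1", "10.4.0.1", "198.51.100.10"],
    ("10.0.1.1", "192.0.2.10"):    ["10.5.0.1", "10.2.0.2", "10.3.0.1", "192.0.2.10"],
    ("10.0.1.1", "192.0.2.20"):    ["10.5.0.1", "10.2.0.2", "10.3.0.1", "192.0.2.20"],
    ("10.0.1.1", "198.51.100.10"): ["10.5.0.1", "10.2.0.2", "10.4.0.1", "198.51.100.10"],
}


def probe(monitor, dest, ttl):
    """One simulated probe: the interface answering at this TTL (the destination once reached)."""
    path = ROUTES[(monitor, dest)]
    return path[min(ttl, len(path)) - 1]


def links_of(hops, monitor):
    """Links between hops probed at consecutive TTLs; the monitor itself is hop 0."""
    hops = {0: monitor, **hops}
    return {(hops[t], hops[t + 1]) for t in hops if t + 1 in hops}


def classic(monitors=MONITORS, dests=DESTS):
    """skitter-style probing: every path from TTL 1 until the destination answers."""
    probes, nodes, links = 0, set(), set()
    for m in monitors:
        for d in dests:
            hops, ttl = {}, 1
            while True:
                hops[ttl] = probe(m, d, ttl)
                probes += 1
                if hops[ttl] == d:
                    break
                ttl += 1
            nodes |= set(hops.values())
            links |= links_of(hops, m)
    return probes, len(nodes), len(links)


def doubletree(h=2, prefix_len=None, monitors=MONITORS, dests=DESTS):
    """Start each path at TTL h; probe forward until the destination answers or the
    (interface, key) pair is already in the global stop set shared by all monitors;
    then probe backward until an interface this monitor has already seen. key is the
    destination itself, or (prefix-based rule) the destination's /prefix_len network."""
    def key(d):
        if prefix_len is None:
            return d
        return str(ipaddress.ip_network(f"{d}/{prefix_len}", strict=False))

    global_stop, probes, nodes, links = set(), 0, set(), set()
    for m in monitors:
        local_stop = set()                       # intra-monitor redundancy guard
        for d in dests:
            hops, ttl = {}, h
            while True:                          # forward phase (toward the destination)
                hops[ttl] = probe(m, d, ttl)
                probes += 1
                if hops[ttl] == d or (hops[ttl], key(d)) in global_stop:
                    break
                ttl += 1
            ttl = h - 1
            while ttl >= 1:                      # backward phase (toward the monitor)
                hops[ttl] = probe(m, d, ttl)
                probes += 1
                if hops[ttl] in local_stop:
                    break
                ttl -= 1
            # Simplification: every interface on the completed path enters both stop sets.
            global_stop |= {(i, key(d)) for i in hops.values()}
            local_stop |= set(hops.values())
            nodes |= set(hops.values())
            links |= links_of(hops, m)
    return probes, len(nodes), len(links)


if __name__ == "__main__":
    for name, res in [("classic", classic()), ("doubletree", doubletree()),
                      ("doubletree /24 rule", doubletree(prefix_len=24))]:
        print(f"{name:20s} probes={res[0]:3d} nodes={res[1]} links={res[2]}")
```

On this topology classic probing sends 24 probes, exact Doubletree 21 for the same 9 nodes and 11 links, and the /24 rule 18; the prefix rule also stops one hop early on the second destination in 192.0.2.0/24 and misses it, which is the coverage trade-off a deployment has to weigh against the smaller stop set it must exchange between monitors.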

