Results 1 - 10 of 65
Detecting targeted attacks using shadow honeypots
In Proceedings of the 14th USENIX Security Symposium, 2005
Cited by 66 (16 self)
We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network/service. Traffic that is considered anomalous is processed by a “shadow honeypot” to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular (“production”) instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. Contrary to regular honeypots, our architecture can be used both for server and client applications. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false positives.
Xorp: An open platform for network research
ACM SIGCOMM Computer Communication Review, 2002
Cited by 61 (0 self)
Network researchers face a significant problem when deploying software in routers, either for experimentation or for pilot deployment. Router platforms are generally not open systems, in either the open-source or the open-API sense. In this paper we discuss the problems this poses, and present an eXtensible Open Router Platform (XORP) that we are developing to address these issues. Key goals are extensibility, performance and robustness. We show that different parts of a router need to prioritize these differently, and examine techniques by which we can satisfy these often conflicting goals. We aim for XORP to be both a research tool and a stable deployment platform, thus easing the transition of new ideas from the lab to the real world.
RouteBricks: Exploiting Parallelism to Scale Software Routers
In Proceedings of the 22nd ACM Symposium on Operating Systems Principles, 2009
Cited by 49 (8 self)
We revisit the problem of scaling software routers, motivated by recent advances in server technology that enable high-speed parallel processing—a feature router workloads appear ideally suited to exploit. We propose a software router architecture that parallelizes router functionality both across multiple servers and across multiple cores within a single server. By carefully exploiting parallelism at every opportunity, we demonstrate a 35 Gbps parallel router prototype; this router capacity can be linearly scaled through the use of additional servers. Our prototype router is fully programmable using the familiar Click/Linux environment and is built entirely from off-the-shelf, general-purpose server hardware.
Design Space Exploration of Network Processor Architectures
In Network Processor Design: Issues and Practices, Volume 1, 2002
Cited by 28 (7 self)
We describe an approach to explore the design space of architectures of packet processing devices on the system level. Our method is specific to the application domain of network packet processors and is based on (1) models for packet processing tasks, a specification of the workload generated by traffic flows, and a description of the feasible space of architectures involving computation and communication resources, (2) a measure to characterize the performance of network processors under different usage scenarios, (3) a new method to estimate end-to-end packet delays and queuing memory, taking task scheduling policies and bus arbitration schemes into account, and (4) an evolutionary algorithm for multi-objective design space exploration. Our method is analytical and is based on a high level of abstraction, where the goal is to quickly identify interesting architectures, which may then be subjected to a more detailed evaluation, e.g. using simulation. The feasibility of our approach is shown by a detailed case study, where the final output is three candidate architectures, representing different cost versus performance tradeoffs.
A Pipelined Memory Architecture for High Throughput Network Processors
30th Annual International Symposium on Computer Architecture, 2003
Cited by 27 (3 self)
Designing ASICs for each new generation of backbone routers is a time intensive and fiscally draining process. In this paper we focus on the design of a programmable architecture for backbone routers, based on the manipulation of wide irregular memory words, that can provide a feasible design alternative to custom ASICs. We propose a pipelined memory design that emphasizes worst-case throughput over latency, and co-explore architectural tradeoffs with the design of several important network algorithms. Through this co-exploration, we show that a programmable architecture can efficiently exploit behavior inherent to most common network algorithms to keep up with next generation network speeds.
Supercharging PlanetLab – A High Performance, Multi-Application, Overlay Network Platform
Cited by 22 (5 self)
In recent years, overlay networks have become an important vehicle for delivering Internet applications. Overlay network nodes are typically implemented using general-purpose servers or clusters. We investigate the performance benefits of more integrated architectures, combining general-purpose servers with high performance Network Processor (NP) subsystems. We focus on PlanetLab as our experimental context and report on the design and evaluation of an experimental PlanetLab platform capable of much higher levels of performance than typical system configurations. To make it easier for users to port applications, the system supports a fast path/slow path application structure that facilitates the mapping of the most performance-critical parts of an application onto an NP subsystem, while allowing the more complex control and exception handling to be implemented within the programmer-friendly environment provided by conventional servers. We report on implementations of two sample applications, an IPv4 router and a forwarding application for the Internet Indirection Infrastructure. We demonstrate an 80× improvement in packet processing rates and comparable reductions in latency. This work was supported in part by NSF (grants 0520778 and 0626661).
Efficient Use of Memory Bandwidth to Improve Network Processor Throughput
In ISCA ’03: Proceedings of the 30th Annual International Symposium on Computer Architecture, 2003
An Intel IXP1200-based Network Interface
In Proceedings of the Workshop on Novel Uses of System Area Networks at HPCA (SAN-2 2003), 2003
Cited by 17 (0 self)
We describe and evaluate a quad 100T Ethernet network interface built using an Intel IXP1200 network processor on a commonly available Radisys ENP2505 PCI board. The network interface exports a raw Ethernet interface either to the host kernel or to user level for cluster computing applications. We describe the firmware architecture and internal design decisions, then evaluate the resulting network interface against 100T and gigabit network interfaces using CLF, a lightweight reliable datagram layer.
Netbind: A binding tool for constructing data paths in network processor-based routers
In Proceedings of IEEE OPENARCH 2002, 2002
Cited by 16 (0 self)
There is growing interest in network processor technologies capable of processing packets at line rates. In this paper, we present the design, implementation and evaluation of NetBind, a high performance, flexible and scalable binding tool for dynamically constructing data paths in network processor-based routers. The methodology that underpins NetBind balances the flexibility of network programmability against the need to process and forward packets at line speeds. Data paths constructed using NetBind seamlessly share the resources of the same network processor. We compare the performance of NetBind to the MicroACE system developed by Intel to support binding between software components running on Intel IXP1200 network processors. We evaluate these alternative approaches in terms of their binding overhead, and discuss how this can affect the forwarding performance of IPv4 data paths running on IXP1200 network processor-based routers. We show that NetBind provides better performance in comparison to MicroACE with smaller binding overhead. The NetBind source code described and evaluated in this paper is freely available on the Web (comet.columbia.edu/genesis/netbind) for experimentation.
Multiprocessor scheduling in processor-based router platforms: Issues and ideas
In Proceedings of the 2nd Workshop on Network Processors, 2003
Cited by 16 (8 self)
Two important trends are expected to guide the design of next-generation networks. First, with the commercialization of the Internet, providers will use value-added services to differentiate their service offerings from other providers; such services require the use of sophisticated resource scheduling mechanisms in routers. Second, to enable extensibility and the deployment of new services in a rapid and cost-effective manner, routers will be instantiated using programmable network processors. In this research, our goal is to develop sophisticated multiprocessor scheduling mechanisms that would enable networks that deploy such router platforms to provide service guarantees to applications. Existing multiprocessor scheduling techniques are either not applicable to router platforms due to their complexity or simplistic assumptions, or are not based on rigorous formalism, which is necessary to enable strong assertions about service guarantees. In this work, we propose to address these limitations. This paper presents our current ideas and planned future directions.
1 Introduction
Routers are the basic building blocks of wide-area networks such as the Internet. Conventionally, routers have been built using application-specific integrated circuits (ASICs) that enable high-speed packet switching. Unfortunately, ASIC designs take months to develop, and routers built using them are costly to deploy. In order to enable router extensibility in a rapid and cost-effective manner, significant effort is now being invested in a different approach: implementing routers on programmable network processors (NPs) [1, 2, 3, 34]. (Work supported by NSF grants CCR 9972211, CCR 9988327, ITR 0082866, and CCR 0204312.)