Improving Internet Path Property Inference

Doctoral Thesis

Abstract

The Internet has become an inseparable part of our daily life and work activities. Due to its distributed nature, performant packet forwarding along a given Internet path only works if each individual network operates properly. This leads to an inherent challenge for network operators. They must provide high performance and select appropriate paths towards external destinations while limited to internal signals and traffic observations.

This dissertation focuses on one key solution, namely the inference of path properties, which supports network operators in monitoring, debugging, and threat detection tasks. To this end, we present two systems that focus on internal and external path properties, respectively.

First, we present Magnifier, a system that enhances existing sampled monitoring data with packet mirroring to produce validated network ingress and egress observations. One of Magnifier’s key insights is to mirror traffic where we do not expect to observe matching packets. This way, we profit from the advantages of mirroring (precise and fast feedback) without the typical drawbacks (significantly increased traffic amounts).

Second, we present Oscilloscope, a system that detects malicious hijacks of network traffic by analyzing changes in locally collected Round-Trip Time signals. Intuitively, a path change leads to an observable difference in a packet’s travel time. Oscilloscope combines hijack-typical patterns with statistical tests to increase its confidence that detected Round-Trip Time changes belong to hijack events.
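As an added illustration of the detection idea described above (this is example code written for this page, not Oscilloscope's implementation, and the thesis is not on the page), the following Python detector compares a baseline window of locally measured Round-Trip Times against a sliding recent window. It uses a two-sided Mann-Whitney U test (normal approximation, no tie correction) as the statistical test and, as an assumed stand-in for a "hijack-typical pattern", requires that the median RTT of the whole recent window has stepped up by at least `min_step_ms`, so that a short congestion spike does not trigger an alert while a sustained rerouting does. The RTT series is constructed for the example; the parameters `baseline_len`, `window`, `alpha` and `min_step_ms` are illustrative choices, not values from the thesis.

```python
import math
from statistics import median


def mann_whitney_z(baseline, recent):
    """Two-sided Mann-Whitney U test with the normal approximation.

    Returns (z, p). Negative z means the recent samples tend to be larger
    than the baseline samples. Tied values get averaged ranks; the variance
    is not tie-corrected, which is adequate for this illustration.
    """
    n1, n2 = len(baseline), len(recent)
    combined = sorted((v, g) for g, seq in ((0, baseline), (1, recent)) for v in seq)
    ranks = [0.0] * len(combined)
    i = 0
    while i < len(combined):
        j = i
        while j + 1 < len(combined) and combined[j + 1][0] == combined[i][0]:
            j += 1
        avg_rank = (i + j + 2) / 2  # ranks are 1-based, averaged over the tie run
        for k in range(i, j + 1):
            ranks[k] = avg_rank
        i = j + 1
    r1 = sum(r for r, (_, g) in zip(ranks, combined) if g == 0)
    u1 = r1 - n1 * (n1 + 1) / 2
    mu = n1 * n2 / 2
    sigma = math.sqrt(n1 * n2 * (n1 + n2 + 1) / 12)
    z = (u1 - mu) / sigma
    p = math.erfc(abs(z) / math.sqrt(2))  # two-sided p-value
    return z, p


def detect_rtt_shift(rtts, baseline_len=20, window=10, alpha=0.01, min_step_ms=5.0):
    """Slide a window over the RTT series (milliseconds) and report the first
    point at which a sustained increase is statistically confirmed.

    Returns a dict with the confirming sample index, the median step and the
    p-value, or None when no sustained shift is found. A transient spike
    raises the mean but barely moves the window median, so it is ignored.
    """
    baseline = rtts[:baseline_len]
    base_median = median(baseline)
    for end in range(baseline_len + window, len(rtts) + 1):
        recent = rtts[end - window:end]
        z, p = mann_whitney_z(baseline, recent)
        step = median(recent) - base_median
        if z < 0 and p < alpha and step >= min_step_ms:
            return {"confirmed_at": end - 1, "step_ms": step, "p": p}
    return None


# Constructed sample: 20 baseline samples near 30 ms, a two-sample congestion
# spike at indices 21-22, then a sustained step to ~50 ms from index 30 on
# (the kind of change a rerouted path would produce).
SAMPLE_RTTS = (
    [30.1, 29.8, 30.4, 30.0, 29.6, 30.2, 30.3, 29.9, 30.5, 30.1,
     29.7, 30.0, 30.2, 29.9, 30.3, 30.1, 29.8, 30.4, 30.0, 30.2]
    + [30.1, 79.5, 81.2, 30.0, 29.9, 30.3, 30.1, 29.8, 30.2, 30.0]
    + [50.2, 49.8, 50.5, 50.1, 49.9, 50.3, 50.0, 50.4, 49.7, 50.2,
       50.1, 49.9, 50.3, 50.0, 50.2, 49.8, 50.4, 50.1, 49.9, 50.3]
)

if __name__ == "__main__":
    print("spike only:", detect_rtt_shift(SAMPLE_RTTS[:30]))
    print("sustained shift:", detect_rtt_shift(SAMPLE_RTTS))
```

On the constructed series the spike-only prefix yields no alert, while the full series is confirmed at sample 36, once seven of the ten most recent samples sit on the elevated path; a lower `alpha` or a longer `window` trades detection delay for fewer false alerts, which is the same confidence trade-off the abstract describes.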

Both systems use inferred path properties reactively. However, to prevent problems proactively, operators need to adapt their forwarding decisions based on inferred path properties.

Third, we explore how adding simple path properties to the existing path selection process improves routing decisions. For example, we prevent unnecessary packet losses by testing the reachability of a new path before blindly trusting it to carry all matching traffic. We advocate slowing down the traffic shift towards the new path to achieve that. Although that allows for more control, it poses new convergence and communication challenges.

People

Dr. Tobias Bühler
PhD student
2016—2023

BibTeX

@PHDTHESIS{bühler2023improving,
	copyright = {In Copyright - Non-Commercial Use Permitted},
	year = {2023},
	type = {Doctoral Thesis},
	author = {Bühler, Tobias},
	size = {167 p.},
	abstract = {The Internet has become an inseparable part of our daily life and work activities. Due to its distributed nature, performant packet forwarding along a given Internet path only works if each individual network operates properly. This leads to an inherent challenge for network operators. They must provide high performance and select appropriate paths towards external destinations while limited to internal signals and traffic observations. This dissertation focuses on one key solution, namely the inference of path properties, which supports network operators in monitoring, debugging, and threat detection tasks. To this end, we present two systems that focus on internal and external path properties, respectively. First, we present Magnifier, a system that enhances existing sampled monitoring data with packet mirroring to produce validated network ingress and egress observations. One of Magnifier's key insights is to mirror traffic where we do not expect to observe matching packets. This way, we profit from the advantages of mirroring (precise and fast feedback) without the typical drawbacks (significantly increased traffic amounts). Second, we present Oscilloscope, a system that detects malicious hijacks of network traffic by analyzing changes in locally collected Round-Trip Time signals. Intuitively, a path change leads to an observable difference in a packet's travel time. Oscilloscope combines hijack-typical patterns with statistical tests to increase its confidence that detected Round-Trip Time changes belong to hijack events. Both systems use inferred path properties reactively. However, to prevent problems proactively, operators need to adapt their forwarding decisions based on inferred path properties. Third, we explore how adding simple path properties to the existing path selection process improves routing decisions. For example, we prevent unnecessary packet losses by testing the reachability of a new path before blindly trusting it to carry all matching traffic. We advocate slowing down the traffic shift towards the new path to achieve that. Although that allows for more control, it poses new convergence and communication challenges.},
	keywords = {COMPUTER NETWORKS; NETWORK MONITORING (COMPUTER SYSTEMS); BGP hijacking; BGP monitoring},
	language = {en},
	address = {Zurich},
	publisher = {ETH Zurich},
	DOI = {10.3929/ethz-b-000626365},
	title = {Improving Internet Path Property Inference},
	school = {ETH Zurich}
}

Research Collection: 20.500.11850/626365