<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>According to the Best Available Data</title>
	<atom:link href="http://blog.caida.org/best_available_data/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.caida.org/best_available_data</link>
	<description>A CAIDA Blog</description>
	<lastBuildDate>Mon, 20 May 2013 19:47:13 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Carna botnet scans confirmed</title>
		<link>http://blog.caida.org/best_available_data/2013/05/13/carna-botnet-scans/</link>
		<comments>http://blog.caida.org/best_available_data/2013/05/13/carna-botnet-scans/#comments</comments>
		<pubDate>Tue, 14 May 2013 00:40:26 +0000</pubDate>
		<dc:creator>alistair</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[Measurement]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=2245</guid>
		<description><![CDATA[On March 17, 2013, the authors of an anonymous email to the &#8220;Full Disclosure&#8221; mailing list announced that last year they conducted a full probing of the entire IPv4 Internet. They claimed they used a botnet (named &#8220;carna&#8221; botnet) created by infecting machines vulnerable due to use of default login/password pairs (e.g., admin/admin). The botnet instructed each [...]]]></description>
				<content:encoded><![CDATA[<p>On March 17, 2013, the authors of an <a href="http://seclists.org/fulldisclosure/2013/Mar/166" target="_blank">anonymous email</a> to the &#8220;Full Disclosure&#8221; mailing list announced that last year they conducted a <strong>full probing of the entire IPv4 Internet</strong>. They claimed they used a botnet (named <strong>&#8220;carna&#8221; botnet</strong>) created by infecting machines vulnerable due to use of default login/password pairs (e.g., admin/admin). The botnet instructed each of these machines to execute a portion of the scan and then transfer the results to a central server. The authors also <a href="http://internetcensus2012.bitbucket.org/paper.html" target="_blank">published</a> a detailed description of how they operated, along with 9TB of raw logs of the scanning activity.</p>
<p><a href="http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/" target="_blank">Online magazines</a> and <a href="http://www.spiegel.de/international/world/hacker-measures-the-internet-illegally-with-carna-botnet-a-890413.html">newspapers</a> reported the news, which triggered some debate in the research community about the ethical implications of using such data for research purposes. A more fundamental question received less attention: since the authors went out of their way to remain anonymous, and the only data available about this event is the data they provide, <strong><em>how do we know this scan actually happened? If it did, how do we know that the resulting data is correct?</em></strong></p>
<p><span id="more-2245"></span><br />
Since we could not find any third-party validation of this event, we looked for evidence in the traffic captured at the <a href="http://www.caida.org/projects/network_telescope/" target="_blank">UCSD Network Telescope</a> (a large darknet). From this traffic we selected probing packets consistent with the default <a href="http://nmap.org">nmap</a> host probe (consisting of four different types of packets) that the carna botnet used. The visualization below shows, for each day of 2012, the total number of probes we observed at the telescope in bins of 1 day (<em>blue line</em>). While these probes may have been generated by any host on the Internet, the large increase visible between April and September 2012 matches the logs distributed by the authors of the botnet (<em>red line</em>), <strong>showing evidence of this scanning activity</strong>.</p>
<p><iframe style="border: 0px;" src="http://www.caida.org/research/security/carna/graphs/" height="650" width="100%" scrolling="no"></iframe><br />
We also found that some of the <strong>raw logs of the carna botnet erroneously reported that a large number of IPs in our darknet were active, and specifically accepting connections on TCP port 80</strong> (darknet IP addresses are inactive by definition, and thus do not accept connections). A preliminary analysis suggests that this measurement error is likely due to the presence of HTTP proxies in some of the networks that hosted scanning bots. The default nmap host probe sends four different packets trying to solicit a response from the target: <em>(i) ICMP echo request, (ii) ICMP timestamp, (iii) TCP ACK on port 80, (iv) TCP SYN on port 443</em>. For darknet addresses that the carna logs report as <em>inactive</em>, we observed all four of these packets, but for the addresses misreported as <em>active</em>, packets of type <em>(iii)</em> did not reach the telescope. We suspect that these packets were intercepted by HTTP proxies whose replies caused the bots to falsely report the target IP address as listening on TCP port 80.<br />
Assuming these bots probed the rest of the IPv4 Internet proportionally to their probing of the darknet we can observe, about 3% of the host probe logs and port scan logs of the carna botnet could potentially be affected by this particular problem. The maps and animations they published seem unaffected by this issue because they were based on ICMP pings and actual (application-layer) responses from the target hosts.</p>
<p>We have only briefly investigated the carna botnet scan, but there are clearly epistemological issues related to any potential scientific use of the data published by the botnet authors. There are even more complex ethical issues related to using this data set, as well as with its original collection. We have previously mentioned <a href="http://blog.caida.org/best_available_data/2012/02/07/the-menlo-report-and-its-companion-bring-ethical-guidelines-to-itc-research/">efforts to provide ethical guidance to Internet researchers</a>; the debate continues and this data set will likely become an interesting part of it.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2013/05/13/carna-botnet-scans/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Third Workshop on Internet Economics (WIE2012)</title>
		<link>http://blog.caida.org/best_available_data/2013/04/19/third-workshop-on-internet-economics-wie2012/</link>
		<comments>http://blog.caida.org/best_available_data/2013/04/19/third-workshop-on-internet-economics-wie2012/#comments</comments>
		<pubDate>Sat, 20 Apr 2013 05:30:29 +0000</pubDate>
		<dc:creator>kc</dc:creator>
				<category><![CDATA[Commentaries]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=2203</guid>
		<description><![CDATA[As part of our NSF-funded network research project on modeling Internet interconnection dynamics, David Clark (MIT) and I hosted the second Workshop on Internet Economics (WIE2012) last December 12-13. The goal of the workshop was to provide a forum for researchers, commercial Internet facilities and service providers, technologists, economists, theorists, policy makers, and other stakeholders [...]]]></description>
				<content:encoded><![CDATA[<p>As part of our NSF-funded network research project on <a href="http://www.caida.org/projects/interconnection_econ/">modeling Internet interconnection</a> dynamics, David Clark (MIT) and I hosted the second Workshop on Internet Economics (WIE2012) last December 12-13.  The goal of the workshop was to provide a forum for researchers, commercial Internet facilities and service providers, technologists, economists, theorists, policy makers, and other stakeholders to empirically inform emerging regulatory and policy debates.  The theme for this year’s workshop was &#8220;Definitions and Data&#8221;. The <a href="http://www.caida.org/publications/papers/2013/wie2012_report/">final report</a> describes the discussions and presents relevant open research questions identified by workshop participants. Slides presented at the workshop are available at <a href="http://www.caida.org/workshops/wie/1212">the workshop home page</a>. From the intro (but the <a href="http://www.caida.org/publications/papers/2013/wie2012_report/wie12_report.pdf">full report (6-page pdf)</a> is worth reading):<br />
<span id="more-2203"></span></p>
<blockquote><p><i>Building on the success of our first two workshops in this series [<a href="http://www.caida.org/workshops/wie/0909">WIE09</a>,<a href="http://www.caida.org/workshops/wie/1211">WIE11</a>], we held the 3rd Workshop on Internet Economics (WIE).  The theme for this year&#8217;s workshop was &#8220;Definitions and Data&#8221;, motivated by our sense that many of the debates today about effective regulation are clouded by lack of clarity about terms and concepts, and lack of real information about the current state of the communications infrastructure.  Concepts that have resisted clean definition include network neutrality, reasonable network management, market power, and reliability. Stakeholders disagree on fundamental parameters of central concepts in the industry, such as interconnection, or the metrics for broadband quality itself.
</p>
<p>
Equally missing is good data on what is actually happening. Whether measurements are undertaken by the FCC, as with the current SamKnows effort, or by the research community or industry, good definition must precede good measurement, because collectively we must be consistent and clear what we are proposing to measure and why. A guiding premise of this workshop was that attention to definitions can inform research in data gathering, which in turn can inform regulatory debate. Workshop discussions also focused on the impacts of the limitations of currently available data (such as undersampling) and how to gain more relevant data with minimal impact on personal privacy.
</p>
<p>
The workshop format focused discussion around six pre-selected topics: defining broadband (wired and wireless); Interconnection; definitions and metrics of market power; the emergence of private IP networks; regulatory distinctions in a converged world; and defining acceptable practice for data-gathering.  We spent about two hours per topic, with at least two 10-minute talks followed by an hour for each discussion.  Three promising future research directions emerged.  First, we reached rough consensus on a proposed practical approach to measure a user&#8217;s &#8220;quality of experience&#8221; (QoE), one that could frame not only a stable definition of broadband Internet service but also enable more rigorous description of &#8220;willingness to pay&#8221; for different applications.  Second, most participants agreed that the rise of private IP networks as an alternative platform to the public Internet (and to the economically unsustainable PSTN) promises an even more opaque future at a time when it has become clear that much of current communications regulation lacks empirical basis.  Third, there was recognition that both scientific research and sound public policy share the need to develop, maintain, and archive some classic data sets to develop some sense of history and to inform general models of network behavior.  One possible goal for a future workshop is to try to articulate an argument for data that might be valuable in the future, not only to support specific policy questions but also to begin to establish historical baselines and promote scientific inquiry.  More formal and transparent ties between policymakers and researchers could frame ethical use of such data.<br />
</i></p></blockquote>
<p>Subsequent sections of the report are:<br />
2. Regulatory Distinctions Amid Convergence<br />
3. Defining Broadband<br />
4. Defining Market Power<br />
5. Interconnection<br />
6. The Emergence of Private IP Networks<br />
7. Acceptable Practices for Data-gathering<br />
8. Future Research Directions<br />
</p>
<p>
Full report: <a href="http://www.caida.org/publications/papers/2013/wie2012_report/">http://www.caida.org/publications/papers/2013/wie2012_report/</a><br />
Other materials from workshop: <a href="http://www.caida.org/workshops/wie/1212">http://www.caida.org/workshops/wie/1212</a>.<br />
Feedback welcome. Thanks to all who participated.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2013/04/19/third-workshop-on-internet-economics-wie2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Correlation between country governance regimes and the reputation of their Internet (IP) address allocations</title>
		<link>http://blog.caida.org/best_available_data/2013/04/15/correlation-between-country-governance-regimes-and-the-reputation-of-their-internet-ip-address-allocations/</link>
		<comments>http://blog.caida.org/best_available_data/2013/04/15/correlation-between-country-governance-regimes-and-the-reputation-of-their-internet-ip-address-allocations/#comments</comments>
		<pubDate>Mon, 15 Apr 2013 18:26:16 +0000</pubDate>
		<dc:creator>bradley</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[Economics]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=2123</guid>
		<description><![CDATA[[While getting our feet wet with D3 (what a wonderful tool!), we finally tried this analysis tidbit that's been on our list for a while.] We recently analyzed the reputation of a country&#8217;s Internet (IPv4) addresses by examining the number of blacklisted IPv4 addresses that geolocate to a given country. We compared this indicator with [...]]]></description>
				<content:encoded><![CDATA[<p><em>[While getting our feet wet with <a href="http://d3js.org/" title="D3 JavaScript library">D3</a> (what a wonderful tool!), we finally tried this analysis tidbit that's been on our list for a while.]</em></p>
<p>We recently analyzed the reputation of a country&#8217;s Internet (IPv4) addresses by examining the number of blacklisted IPv4 addresses that geolocate to a given country. We compared this indicator with two qualitative measures of each country&#8217;s governance. We hypothesized that countries with more transparent, democratic governmental institutions would harbor a smaller fraction of misbehaving (blacklisted) hosts. The available data confirms this hypothesis. A similar correlation exists between perceived corruption and fraction of blacklisted IP addresses. </p>
<p>For more details of data sources and analysis, see:<br />
<a href="http://www.caida.org/research/policy/country-level-ip-reputation/" title="CAIDA's Correlation between country governance regimes and the reputation of their Internet (IP) address allocations page">http://www.caida.org/research/policy/country-level-ip-reputation/</a></p>
<table border="0"  align="center">
<tr>
<td colspan="3"><a href="http://www.caida.org/research/policy/country-level-ip-reputation/"><img src="http://blog.caida.org/best_available_data/wp-content/uploads/2013/04/ip-reputation_CPI_infect_500.png" alt="" title="See full analysis at http://www.caida.org/research/policy/country-level-ip-reputation/" width="500" height="400" class="aligncenter size-full wp-image-2184" /></a>
	</td>
</tr>
<tr>
<td><a href="http://www.caida.org/research/policy/country-level-ip-reputation/"><img src="http://blog.caida.org/best_available_data/wp-content/uploads/2013/04/ip-reputation_CPI_IPop_330-150x132.png" alt="" title="See full analysis at http://www.caida.org/research/policy/country-level-ip-reputation/" width="150" height="132" class="aligncenter size-thumbnail wp-image-2158" /></a></td>
<td><a href="http://www.caida.org/research/policy/country-level-ip-reputation/"><img src="http://blog.caida.org/best_available_data/wp-content/uploads/2013/04/ip-reputation_DI_IPop_330-150x132.png" alt="" title="See full analysis at http://www.caida.org/research/policy/country-level-ip-reputation/" width="150" height="132" class="aligncenter size-thumbnail wp-image-2160" /></a></td>
<td><a href="http://www.caida.org/research/policy/country-level-ip-reputation/"><img src="http://blog.caida.org/best_available_data/wp-content/uploads/2013/04/ip-reputation_DI_infect_330-150x132.png" alt="" title="See full analysis at http://www.caida.org/research/policy/country-level-ip-reputation/" width="150" height="132" class="aligncenter size-thumbnail wp-image-2159" /></a></td>
</tr>
<tr>
<td style="text-align:center">x:<b title="Corruption Perception Index">Corruption Perceptions Index</b><br />y:<b>IP population %</b></td>
<td style="text-align:center">x:<b title="Democracy Index">Democracy Index</b><br />y:<b>IP population %</b></td>
<td style="text-align:center">x:<b title="Democracy Index">Democracy Index</b><br />y:<b>IP infection %</b></td>
</tr>
</table>
<p><a href="http://www.caida.org/research/policy/country-level-ip-reputation/">Interactive graph and analysis on the CAIDA website</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2013/04/15/correlation-between-country-governance-regimes-and-the-reputation-of-their-internet-ip-address-allocations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2001:deba:7ab1:e::effe:c75</title>
		<link>http://blog.caida.org/best_available_data/2013/01/22/2001deba7ab1eeffec75/</link>
		<comments>http://blog.caida.org/best_available_data/2013/01/22/2001deba7ab1eeffec75/#comments</comments>
		<pubDate>Wed, 23 Jan 2013 00:55:46 +0000</pubDate>
		<dc:creator>rob</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[Economics]]></category>
		<category><![CDATA[Future]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Measurement]]></category>
		<category><![CDATA[Topology]]></category>
		<category><![CDATA[Updates]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=2106</guid>
		<description><![CDATA[[This blog entry is guest written by Robert Beverly at the Naval Postgraduate School.] In many respects, the deployment, adoption, use, and performance of IPv6 has received more recent attention than IPv4. Certainly the longitudinal measurement of IPv6, from its infancy to the exhaustion of ICANN v4 space to native 1% penetration (as observed by [...]]]></description>
				<content:encoded><![CDATA[<p><em>[This blog entry is guest written by <a href="http://rbeverly.net/research/">Robert Beverly</a> at the <a href="http://www.nps.edu/">Naval Postgraduate School</a>.]</em></p>
<p>In many respects, the deployment, adoption, use, and performance of IPv6 have received more recent attention than those of IPv4. Certainly the longitudinal measurement of IPv6, from its infancy to the exhaustion of ICANN v4 space to native 1% penetration (as observed by Google), is more complete than that of IPv4. Indeed, there are many parties vested in either the success or the failure of IPv6, and numerous IPv6 measurement efforts are afoot.</p>
<p>Researchers from Akamai, CAIDA, ICSI, NPS, and MIT <a href="http://www.cmand.org/ipv6/npsv6.php">met in early January 2013</a>, first to share and make sense of current measurement initiatives, and second to plot a path forward for the community in measuring IPv6. A specific objective of the meeting was to understand which aspects of IPv6 measurement are &#8220;done&#8221; (in the sense that there exists a sound methodology, even if measurement should continue), and which IPv6 questions/measurements remain open research problems. The <a href="http://www.cmand.org/ipv6/npsv6agenda.php">meeting agenda and presentation slides</a> are archived online.</p>
<p><span id="more-2106"></span>To this end, it&#8217;s important to note that one of the central observations of claffy&#8217;s <a title="Tracking IPv6 Evolution: Data We Have and Data We Need" href="http://www.sigcomm.org/ccr/papers/2011/July/2002250.2002258">CCR editorial from July 2011</a> is that the eventual fate of IPv6 remains undecided. Similarly, whether there will be a &#8220;forcing function&#8221; that leads to non-trivial IPv6 deployment is still unclear.</p>
<p>Thomas Blood of NPS&#8217;s central IT organization spoke to this point with respect to DoD IPv6 compliance mandates where all internal DoD networks should be IPv6 compliant by 2014. The deadline for universal DoD v6 compliance has passed a remarkable four times already, with only 1% of organizations meeting the mandate as of June 2012. Despite pressure to adopt IPv6 within the US government, funding and security issues trump most efforts to deploy IPv6. Without any demand from users, there is little incentive to deploy IPv6 &#8212; especially given IT personnel effort in supporting and securing v6. There is not only a large amount of legacy equipment that cannot support IPv6, but also a wide range of products on the market today that do not properly support IPv6. Indeed, <a title="Defense Research and Engineering Network" href="http://www.v6.dren.net/">DREN</a> has performed extensive vendor IPv6 testing, with mixed results, for example, discovering essential devices that do not support IPv6 ACLs, or those that do so with unacceptably low performance.</p>
<p>It is important for existing measurement efforts and methodologies to continue to collect data during this potential evolution &#8212; to understand the adoption of IPv6, or to better understand why IPv6 fails if its adoption languishes. Several components of the &#8220;data we need&#8221; have largely been addressed in the last year. For instance, while methodologies to assess IPv6 adoption are now well-understood, continued data collection is important. On the client-side, <a title="Mitigating Sampling Error when Measuring Internet Client IPv6 Capabilities" href="http://www-net.cs.umass.edu/imc2012/papers/p87.pdf">recent work from Zander <em>et al.</em></a> at <a href="http://www-net.cs.umass.edu/imc2012/">IMC 2012</a> showed a clever way to leverage Google&#8217;s vast visibility of the edge to obtain a large and diverse sample of client IPv6 capability by embedding measurements into flash advertisements. <a href="http://www.google.com/intl/en/ipv6/statistics.html">Google</a> and <a href="http://www.akamai.com/ipv6">Akamai</a> both publish IPv6 adoption data based on observing client behavior. Google now publishes non-whitelisted AAAA DNS records for its domains, and supports IPv6 end-to-end. On the server-side, significant insight can be gleaned from the DNS. For example, ICSI, in collaboration with the University of Michigan, is analyzing zone and query data from some of the TLD authorities to understand the penetration of infrastructure IPv6. While Claffy&#8217;s 2011 editorial noted that estimates of IPv6 penetration vary by orders of magnitude, these measurements are slowly converging to a more reliable estimate.</p>
<p>Performance comparisons between IPv4 and IPv6 have also received significant attention, including <a title="Measuring the Deployment of IPv6: Topology, Routing and Performance" href="http://www.caida.org/publications/papers/2012/measuring_deployment_ipv6/measuring_deployment_ipv6.pdf">CAIDA&#8217;s IMC 2012 paper</a> and <a href="http://www.cmand.org/ipv6/slides/Arthur_Berger_Seminar_29Sep2011.pdf">Akamai&#8217;s measurements</a>. Several independent sources have shown that, when paths are congruent at the AS-level, performance is largely the same &#8212; i.e. there is no data-plane performance penalty today to using IPv6. It will be important to continue performance measurements as more applications implement <a href="http://tools.ietf.org/rfc/rfc6555.txt">happy eyeballs</a>.</p>
<p>Workshop participants also identified areas where additional research is needed: a) measuring the extent of carrier grade NAT in the Internet; b) understanding IPv6 topology; c) characterizing IPv6 security issues; d) incorporating economic models.</p>
<p>Given IPv4 address exhaustion and economic incentives against adopting IPv6, providers may choose to deploy <a href="http://tech.slashdot.org/story/13/01/16/1417244/uk-isp-plusnet-testing-carrier-grade-nat-instead-of-ipv6">carrier grade NAT</a> rather than (or in addition to) investing in IPv6. Little data exists today to understand the extent and use of carrier grade NAT. Arthur Berger and Nick Weaver exchanged several ideas for finding carrier grade NATs during the meeting and Nick hopes to place new functionality into <a href="http://netalyzr.icsi.berkeley.edu/">Netalyzr</a> to more broadly study their deployment.</p>
<p>With respect to economics, Steven Bauer <a title="Economic and regulatory questions as drivers of IPv6 measurements and research" href="http://www.cmand.org/ipv6/slides/NPS-IPv6-Bauer-2013.pdf">presented</a> a thought-provoking assessment of the (lack of) time-series IPv6 data in residential broadband performance studies (e.g., SamKnows, Bismark, etc.). In particular, when evaluating speed measurements and overall user experience, how should one weight IPv4 versus IPv6? Further, <a href="http://www.caida.org/workshops/wie/1212/slides/wie1212_emaida.pdf">recent work</a> that has evaluated the graph-theoretic centrality of AS interconnection in an effort to quantify market power (e.g. with respect to recent de-peering arguments, etc.) has not examined IPv6 peering &#8212; suggesting avenues of exploration that may be valuable in understanding IPv6.</p>
<p>Topology is a second area where slow but steady progress is being made &#8212; yet much more remains to be done. Researchers from NPS and CAIDA are collaborating on efforts to perform <a title="IPv6 Alias Resolution via Induced Fragmentation" href="http://www.cmand.org/ipv6/slides/nps6alias.pdf">IPv6 alias resolution</a> to reduce interface-level topologies (i.e. as collected by traceroute) to the more useful router-level topologies. Their most recent work will appear at <a href="http://pam2013.comp.polyu.edu.hk/">PAM 2013</a>; they are continuing the collaboration with a focus on scaling to Internet-size topologies, i.e., <a href="http://www.cmand.org/ipv6/slides/v6alias.pdf">large-scale IPv6 alias resolution</a>. Further, researchers from NPS, Akamai, and ICSI are collaborating on efforts to <a title="Inferring Internet Server IPv4 and IPv6 Address Relationships" href="http://www.cmand.org/ipv6/slides/v4_v6_address_relationships.pdf">infer &#8220;sibling&#8221; relationships between IPv4 and IPv6 addresses</a>, with the eventual goal of enabling comparative topology mapping, sound performance comparisons, and informing reputation and geolocation engines.</p>
<p>Lastly, there was consensus among participants that security is one of IPv6&#8217;s Achilles&#8217; heels. At the meeting, Chris Eagle, one of the organizers for previous <a href="http://www.defcon.org/html/links/dc-ctf.html">Defcon CTF</a> exercises, spoke about their recent use of IPv6 in the challenge, which pretty much stumped all the security experts participating in the contest. IPv6 as deployed today is largely unsecured with respect to known vulnerabilities in IPv4, while introducing a raft of new attack vectors. As a result, NPS is undertaking an effort to better support IPv6 in the <a href="http://spoofer.cmand.org/">spoofer project</a>, as well as continuing to use IPv6 attack traffic for opportunistic measurement insight.</p>
<p>Much exciting work is in progress!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2013/01/22/2001deba7ab1eeffec75/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Packet Loss Metrics from Darknet Traffic</title>
		<link>http://blog.caida.org/best_available_data/2013/01/17/packet-loss-metrics-from-darknet-traffic/</link>
		<comments>http://blog.caida.org/best_available_data/2013/01/17/packet-loss-metrics-from-darknet-traffic/#comments</comments>
		<pubDate>Thu, 17 Jan 2013 18:20:49 +0000</pubDate>
		<dc:creator>karyn</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[Measurement]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=2061</guid>
		<description><![CDATA[At the CoNEXT Student Workshop, in Nice, France on December 10, 2012, CAIDA shared recent research on Internet outages in a poster entitled &#8220;Gaining Insight Into AS-Level Outages through Analysis of Internet Background Radiation.&#8221; An initial task of our NSF-funded DALS SaTC project is to refine and extend indicators to support real-time detection and rapid [...]]]></description>
				<content:encoded><![CDATA[<p>At the <a href="http://conferences.sigcomm.org/co-next/2012/workshops/student/index.html">CoNEXT Student Workshop</a>, in Nice, France on December 10, 2012, CAIDA shared recent research on Internet outages in a poster entitled &#8220;Gaining Insight Into AS-Level Outages through Analysis of Internet Background Radiation.&#8221;</p>
<p><span id="more-2061"></span></p>
<p style="text-align: center;"><a href="http://www.caida.org/publications/posters/eps/dals-2012-dec-packetloss-poster.pdf"><img class="aligncenter size-full wp-image-2080" style="border: 1px solid black;" title="dals-2012-dec-packetloss-poster" src="http://blog.caida.org/best_available_data/wp-content/uploads/2013/01/dals-2012-dec-packetloss-poster.png" alt="" width="206" height="291" /></a></p>
<p>An initial task of our NSF-funded <a href="http://www.caida.org/funding/dals-satc/">DALS SaTC</a> project is to refine and extend indicators to support real-time detection and rapid characterization of Internet connectivity outage events. We used several darknet-based metrics in our studies of <a href="http://www.caida.org/publications/papers/2011/outages_censorship/">country-wide censorship</a> and the <a href="http://www.caida.org/publications/papers/2012/extracting_benefit_from_harm/">impact of political and geophysical events</a>.  This latest metric characterizes the number of TCP SYN packets sent from selected networks to the UCSD Network Telescope, to help determine whether packet loss (e.g., because of congestion) is associated with the outage.  Since the UCSD Network Telescope receives traffic sent to unassigned IP addresses but does not respond, TCP connection attempts consist only of SYN packets. Conficker-like packets comprise the vast majority of these packets, known as Internet Background Radiation.  Conficker-infected hosts <a href="http://www.caida.org/research/security/ms08-067/conficker.xml">are known to send two SYN packets per connection attempt</a>, a consistent behavior that allows us to infer packet loss when the number of packets per connection attempt decreases for this type of traffic.</p>
<p>The poster highlights two case studies. In the <a href="http://bgpmon.net/?p=554">&#8220;Dodo-Telstra&#8221; Routing Leakage</a>, caused by a BGP leak, the metric γ decreases significantly, consistent with a bottleneck preceding the outage.</p>
<p style="text-align: center;"><a href="http://blog.caida.org/best_available_data/wp-content/uploads/2013/01/telstra_poster.png"><img class="aligncenter size-full wp-image-2083" title="telstra_poster" src="http://blog.caida.org/best_available_data/wp-content/uploads/2013/01/telstra_poster.png" alt="" width="346" height="194" /></a></p>
<p>However, during the Libyan Internet Blackout of 2011, <a href="http://www.caida.org/publications/papers/2011/outages_censorship/outages_censorship.pdf">where the Libyan government used packet filtering to implement country-wide censorship</a>, the value of γ did not change when a few hosts were allowed through the &#8220;firewall&#8221;. This behavior is consistent with filtering decreasing the number of sources sending traffic without changing its per-flow characteristics.</p>
<p style="text-align: center;"><a href="http://blog.caida.org/best_available_data/wp-content/uploads/2013/01/libya_poster.png"><img class="aligncenter size-full wp-image-2084" title="libya_poster" src="http://blog.caida.org/best_available_data/wp-content/uploads/2013/01/libya_poster.png" alt="" width="340" height="190" /></a></p>
<p>Our poster was voted as one of the top 8 of the student workshop; these 8 were presented at the main CoNEXT conference.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2013/01/17/packet-loss-metrics-from-darknet-traffic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Syria disappears from the Internet</title>
		<link>http://blog.caida.org/best_available_data/2012/12/05/syria-disappears-from-the-internet/</link>
		<comments>http://blog.caida.org/best_available_data/2012/12/05/syria-disappears-from-the-internet/#comments</comments>
		<pubDate>Thu, 06 Dec 2012 01:03:43 +0000</pubDate>
		<dc:creator>alistair</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[International Networking]]></category>
		<category><![CDATA[Measurement]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=1988</guid>
		<description><![CDATA[On the 29th of November, shortly after 10am UTC (12pm Damascus time), the Syrian state telecom (AS29386) withdrew the majority of BGP routes to Syrian networks (see reports from Renesys, Arbor, CloudFlare, BGPmon). Five prefixes allocated to Syrian organizations remained reachable for another several hours, served by Tata Communications. By midnight UTC on the 29th, [...]]]></description>
				<content:encoded><![CDATA[<p>On the 29th of November, shortly after 10am UTC (12pm Damascus time), the Syrian state telecom (AS29386) withdrew the majority of BGP routes to Syrian networks (see reports from <a href="http://www.renesys.com/blog/2012/11/syria-off-the-air.shtml">Renesys</a>, <a href="http://ddos.arbornetworks.com/2012/11/syria-goes-dark/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+asert+%28DDoS+and+Security+Reports+%7C+Arbor+Networks+Security+Blog%29">Arbor</a>, <a href="http://blog.cloudflare.com/how-syria-turned-off-the-internet">CloudFlare</a>, <a title="BGPmon" href="http://www.bgpmon.net/syria-shuts-down-the-internet/">BGPmon</a>). Five prefixes allocated to Syrian organizations remained reachable for another several hours, served by Tata Communications. By midnight UTC on the 29th, as reported by <a href="http://www.bgpmon.net/syria-shuts-down-the-internet/">BGPmon</a>, these five prefixes had also been withdrawn from the global routing table, completing the disconnection of Syria from the rest of the Internet.</p>
<p><span id="more-1988"></span><br />
Several organizations with access to different sources of data that illuminate aspects of the blackout have released their data analyses. Renesys and BGPmon used BGP routing data to monitor the systematic withdrawal of routes to networks in Syria. Arbor Networks used traffic flow data collected from their globally distributed ATLAS infrastructure, which serves hundreds of customers. Akamai has traffic data from their own content distribution network infrastructure, and released <a href="https://twitter.com/akamai_soti/status/274163048263057408">a graph</a> showing an abrupt drop in the volume of (HTTP) traffic Akamai servers sent to Syrian hosts. The RIPE NCC, meanwhile, allowed users to <a href="https://labs.ripe.net/Members/emileaben/monitor-syrian-blackout-with-ripestat/">follow the BGP update activity for Syrian prefixes</a> in near-realtime.</p>
<p>We provide another lens through which the blackout could be observed: a drop in unsolicited traffic generated by malware-infected Syrian PCs. Malware (worms, viruses, etc.) often spreads to other vulnerable computers over the Internet by way of random scanning by infected hosts. A signal-producing side effect of a country-level Internet blackout is that Internet access is also denied to malware attempting to infect other hosts. This drop in unsolicited traffic can be observed in data captured from a darknet such as the <a href="http://www.caida.org/projects/network_telescope/">UCSD Network Telescope</a>. A darknet is a block of globally reachable but unassigned IP addresses; all traffic destined to such addresses is unsolicited, most of it from malware-infected PCs. We have previously used this technique to analyze the <a href="http://www.caida.org/publications/presentations/2011/analysis_internet_outages_censorship/analysis_internet_outages_censorship.pdf">Internet blackouts in Egypt and Libya</a> during the Arab Spring uprisings of last year and the <a href="http://www.caida.org/publications/presentations/2012/extract_benefit_from_harm_sigcomm_2012/extract_benefit_from_harm_sigcomm_2012.pdf">impact of the earthquakes in Japan and New Zealand</a> in early 2011.</p>
<div id="attachment_2052" class="wp-caption aligncenter" style="width: 410px"><a href="http://blog.caida.org/best_available_data/wp-content/uploads/2012/12/syria_blackout.src_ips.caida_.201212052.png"><img class="size-full wp-image-2052  " title="syria_blackout.src_ips.caida.20121205" src="http://blog.caida.org/best_available_data/wp-content/uploads/2012/12/syria_blackout.src_ips.caida_.201212052.png" alt="The Syrian Internet Blackout in Nov 2012 as seen at the UCSD Network Telescope" width="400" height="280" /></a><p class="wp-caption-text">The Syrian Internet Blackout in Nov 2012 as seen at the UCSD Network Telescope </p></div>
<p>This graph shows the number of unique Syrian source IP addresses per hour sending traffic that reaches the UCSD Network Telescope. Our data confirms the findings of other groups, showing an abrupt decrease in the number of transmitting Syrian hosts between 10 and 11am UTC on the 29th. For the following 48 hours we received almost no traffic from Syrian hosts. To determine that an IP address belongs to a Syrian host, we constructed a list of prefixes officially delegated by <a href="http://www.ripe.net">RIPE NCC</a> to Syrian organizations, augmented with the 5 prefixes advertised by Tata Communications (as reported by <a href="http://www.bgpmon.net/syria-shuts-down-the-internet/">BGPmon</a>), which were the last to be withdrawn. We then validated the addresses found in the telescope data against the <a href="http://dev.maxmind.com/geoip/geolite">Maxmind GeoLite Country database</a> and through manual traceroutes.</p>
<p>During the period of the blackout we received a total of 6 packets from 3 sources inside Syrian address space. These packets had source IP addresses (which could be spoofed; we are still investigating) within the networks advertised by Tata Communications. We observed this traffic after these routes had been withdrawn (according to <a href="http://www.bgpmon.net/syria-shuts-down-the-internet/">BGPmon</a>), so it is possible that some Syrian networks were still able to send traffic by way of default routes, as was the case for some hosts during the Egyptian blackout (see <a href="http://www.caida.org/publications/papers/2011/outages_censorship/">our IMC2011 paper</a>). Traffic began returning to pre-blackout levels just after 2pm UTC on December 1st.</p>
<p><em>This activity is part of our NSF <a href="http://www.nsf.gov/publications/pub_summ.jsp?ods_key=nsf12596&amp;org=NSF">SATC</a>-funded project on Internet outages (<a href="http://www.caida.org/funding/dals-satc/">NSF CNS-1228994</a>), and is also supported by measurement and data curation made possible by DHS S&amp;T&#8217;s <a href="http://www.predict.org">PREDICT</a> and <a href="http://www.cyber.st.dhs.gov/">Cybersecurity</a> programs (Cooperative Agreement <a href="http://www.caida.org/projects/predict/">FA8750-12-2-0326</a> and Contract <a href="http://www.caida.org/funding/c4/">N66001-12-C-0130</a>).</em></p>
<p><em>Team: Alistair King, Karyn Benson, Brad Huffaker, Marina Fomenkov, Emile Aben, Alberto Dainotti, KC Claffy</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2012/12/05/syria-disappears-from-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CAIDA at the NSF Secure and Trustworthy Cyberspace (SaTC) Principal Investigators&#8217; Meeting</title>
		<link>http://blog.caida.org/best_available_data/2012/12/04/caida-at-the-nsf-secure-and-trustworthy-cyberspace-satc-principal-investigators-meeting/</link>
		<comments>http://blog.caida.org/best_available_data/2012/12/04/caida-at-the-nsf-secure-and-trustworthy-cyberspace-satc-principal-investigators-meeting/#comments</comments>
		<pubDate>Wed, 05 Dec 2012 03:09:47 +0000</pubDate>
		<dc:creator>Alberto</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[Measurement]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Updates]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=2000</guid>
		<description><![CDATA[Last week CAIDA researchers (Alberto and kc) visited National Harbor (Maryland) for the 1st NSF Secure and Trustworthy Cyberspace (SaTC) Principal Investigators Meeting. The National Science Foundation&#8217;s SATC program is an interdisciplinary expansion of the old Trustworthy Computing program sponsored by CISE, extended to include the SBE, OCI, MPS, and EHR directorates. The SATC program [...]]]></description>
				<content:encoded><![CDATA[<p>Last week CAIDA researchers (<a href="http://www.caida.org/~alberto/">Alberto</a> and <a href="http://www.caida.org/~kc">kc</a>) visited National Harbor (Maryland) for the <a href="http://cps-vo.org/group/satc/program">1st NSF Secure and Trustworthy Cyberspace (SaTC) Principal Investigators Meeting</a>.  The National Science Foundation&#8217;s <a href="http://www.nsf.gov/publications/pub_summ.jsp?ods_key=nsf12596&#038;org=NSF">SATC</a> program is an interdisciplinary expansion of the old Trustworthy Computing program sponsored by <a href="http://www.nsf.gov/dir/index.jsp?org=CISE">CISE</a>, extended to include the <a href="http://www.nsf.gov/sbe/about.jsp">SBE</a>, <a href="https://www.nsf.gov/od/oci/about.jsp">OCI</a>, <a href="https://nsf.gov/mps/about.jsp">MPS</a>, and <a href="http://www.nsf.gov/ehr/about.jsp">EHR</a> directorates. The SATC program also includes a bold new <em>Transition to Practice</em> category of project funding &#8212; to address the challenge of moving from research to capability &#8212; which we are excited and honored to be a part of. </p>
<p><span id="more-2000"></span></p>
<p>
This PI meeting included social science, economic, and policy as well as technical perspectives on cybersecurity through plenary talks, breakout sessions, posters, and an adventurous one-on-one researcher &#8220;speed dating&#8221; experiment. We presented a poster that summarized <a href="http://www.caida.org/funding/dals-satc/">our current NSF SATC-funded effort</a> to build a platform for online monitoring and analysis of large-scale Internet infrastructure outages. The poster (reproduced below) displays highlights of our previous results from analyzing large outages in <a href="http://www.caida.org/publications/presentations/2011/analysis_internet_outages_censorship/analysis_internet_outages_censorship.pdf">Egypt and Libya</a> during the so-called &#8220;Arab Spring&#8221;, and the impact of the <a href="http://www.caida.org/publications/presentations/2012/extract_benefit_from_harm_sigcomm_2012/extract_benefit_from_harm_sigcomm_2012.pdf">earthquakes in Japan and New Zealand</a> in 2011. More soon, as we are still analyzing the most recent large-scale Internet outage in the news (Syria).</p>
<p style="text-align: center;"><a href="http://www.caida.org/publications/posters/eps/dals-2012-nov-outages-poster.pdf"><img class="aligncenter size-full wp-image-2001" title="DALS Poster at NSF SaTC meeting" src="http://blog.caida.org/best_available_data/wp-content/uploads/2012/12/DALS_Poster_Final.500x595.png" alt="" width="500" height="595" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2012/12/04/caida-at-the-nsf-secure-and-trustworthy-cyberspace-satc-principal-investigators-meeting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>two recent workshop reports</title>
		<link>http://blog.caida.org/best_available_data/2012/07/27/two-recent-workshop-reports/</link>
		<comments>http://blog.caida.org/best_available_data/2012/07/27/two-recent-workshop-reports/#comments</comments>
		<pubDate>Fri, 27 Jul 2012 19:54:51 +0000</pubDate>
		<dc:creator>kc</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[Updates]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=1977</guid>
		<description><![CDATA[This month CCR published final reports from two of our workshops: our BGP/traceroute workshop last July 2011 (final report here or here) and AIMS-4 last February (final report here or here).]]></description>
				<content:encoded><![CDATA[<p>This month CCR published final reports from two of our workshops: our <a href="http://www.caida.org/workshops/bgp-traceroute/">BGP/traceroute workshop</a> last July 2011 (<a href="http://www.sigcomm.org/ccr/papers/2012/July/2317307.2317313">final report here</a> or <a href="http://www.caida.org/publications/papers/2012/bgp-traceroute_report/">here</a>) and <a href="http://www.caida.org/workshops/isma/1202/">AIMS-4</a> last February (<a href="http://www.sigcomm.org/ccr/papers/2012/July/2317307.2317315">final report here</a> or <a href="http://www.caida.org/publications/papers/2012/aims4_report/">here</a>).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2012/07/27/two-recent-workshop-reports/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CAIDA&#8217;s Annual Report for 2011</title>
		<link>http://blog.caida.org/best_available_data/2012/07/12/caidas-annual-report-for-2011/</link>
		<comments>http://blog.caida.org/best_available_data/2012/07/12/caidas-annual-report-for-2011/#comments</comments>
		<pubDate>Thu, 12 Jul 2012 21:16:05 +0000</pubDate>
		<dc:creator>kc</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[Updates]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=1963</guid>
		<description><![CDATA[[Executive Summary from our annual report for 2011.] This annual report covers CAIDA&#8217;s activities in 2011, summarizing highlights from our research, infrastructure, data-sharing and outreach activities. Our current research projects span topology, routing, traffic, economics, future Internet architectures, and policy. Our infrastructure activities continue to support measurement-based studies of the Internet&#8217;s core infrastructure, with focus [...]]]></description>
				<content:encoded><![CDATA[<p><i>[Executive Summary from our annual report for 2011.]</i></p>
<p>This annual report covers CAIDA&#8217;s activities in 2011, summarizing highlights from our research, infrastructure, data-sharing and outreach activities. Our current research projects span topology, routing, traffic, economics, future Internet architectures, and policy. Our infrastructure activities continue to support measurement-based studies of the Internet&#8217;s core infrastructure, with focus on the health and integrity of the global Internet&#8217;s topology, routing, addressing, and naming systems. We are also dedicating resources to support the infrastructure measurement and data sharing interests and needs of two U.S. federal agency programs: the National Science Foundation&#8217;s International Research Network Connections (IRNC) program, and the Department of Homeland Security&#8217;s Protected Repository of Data on Internet CyberThreats (PREDICT) data-sharing project.</p>
<p><span id="more-1963"></span><br />
We continue to expand our Internet active measurement platform Ark in scale and functionality, and use this platform to collect and share the largest Internet topology data sets (IPv4 and IPv6) available to academic researchers, and share many aggregated annotated derivative data sets publicly. Our topology measurement platform supports IPv6 &#8212; by the end of 2011, 28 of our 57 Ark hosting sites provided IPv6 connectivity and topology measurements. We have dramatically improved existing techniques for IP address alias resolution for large Internet graphs; we submitted a paper describing and evaluating the performance of our algorithms in late 2011, hopefully for publication in 2012. (A preliminary technical report is available on the web site now; see the Topology section of the report.) Using these new techniques, we collected, analyzed, processed and released two Internet Topology Data Kit (ITDK) Datasets, reflecting measurements taken in April and October 2011. Each 2011 ITDK includes two related router-level topologies; router-to-AS assignments; geographic location of each router; and DNS lookups of all observed IP addresses. We are still working on improving and validating our AS relationship inference algorithm so that we can add additional annotations to future ITDKs.</p>
<p>On the theoretical side of topology research, we continued investigation of the geometric model we developed last year to study the structure and function of complex networks. This model assumes that hyperbolic geometry underlies many complex networks, which if true provides a natural explanation for the heterogeneous degree distributions and strong clustering that characterize so many complex networks, i.e., they are simple reflections of the negative curvature and metric property of the underlying hyperbolic geometry. We also showed that not only popularity but also similarity acts as a strong force in shaping complex network structure and dynamics. We developed a framework where new connections, instead of preferring popular nodes, optimize certain trade-offs between popularity and similarity. The optimization framework more accurately describes large-scale Internet evolution (new links) than previous models, e.g., preferential attachment. The mathematically inclined will appreciate our related recent investigation of random bipartite networks using a hidden variable formalism that facilitates study of the structure and function of complex networks, as well as inference of individual characteristics, attributes, and annotations of nodes in real bipartite networks. Particular applications of interest are network geometry and navigability.</p>
<p>We gained momentum on our economics and policy research agenda, focused primarily on explanatory and predictive modeling of the economics of transit and peering interconnections in the Internet. Two historical developments contribute to a persistent disconnect between economic models and actual operational practices on the Internet. First, the Internet became too complex &#8211; in traffic dynamics, topology, and economics &#8211; for currently available analytical tools to allow realistic modeling. Second, the data needed to parameterize more realistic models is simply not available. The problem is fundamental, and familiar: simple models are not valid, and complex models cannot be validated. We are making progress in both dimensions: creating more powerful, empirically parameterized computational tools, and enabling broader validation than previously possible. We also held the second interdisciplinary Workshop on Internet Economics (WIE) in December, connecting academic researchers, commercial Internet facilities and service providers, theorists, policy makers, and pundits of Internet economics to frame an Internet economics research agenda, and more specifically to improve the realism, utility, and predictive power of economic models of Internet topology and dynamics.</p>
<p>In the first months of 2011, Internet communications were disrupted in several North African countries in response to civilian protests and threats of civil war. We analyzed episodes of these disruptions in two countries: Egypt and Libya. Using both control plane and data plane data sets in combination allowed us to narrow down which forms of Internet access disruption were implemented in a given region over time. Among other insights, we detected what we believe were Libya&#8217;s attempts to test firewall-based blocking before they executed more aggressive BGP-based disconnection. Our methodology could be used, and automated, to detect outages or similar macroscopically disruptive events in other geographic or topological regions.</p>
<p>We are applying our theoretical, empirical, and practical understandings of the Internet&#8217;s evolution to engage in the NSF&#8217;s exciting Future Internet Architecture (FIA) Research program. In 2011 we participated in the Named Data Networking project, a 12-university collaboration funded by the FIA program to explore a generalization of the Internet architecture that allows naming not just communication endpoints, i.e., the source and destination IP addresses, but also data (content) itself. This approach shifts the focus from where &#8212; addresses and hosts in today&#8217;s Internet &#8212; to what &#8212; the content that users and applications care about. By naming data instead of locations, the new architecture transforms data into a first-class entity while addressing the known technical challenges of today&#8217;s Internet: routing scalability, network security, content protection and privacy. In 2011 we investigated combinations of name-space structure and network topology that optimize the efficiency of NDN algorithms and participated in NDN testbed development and evaluation.</p>
<p>Finally, as always, we engaged in a variety of tool development, data-sharing, and outreach activities, including web sites, peer-reviewed papers, technical reports, presentations, blogging, animations, and (six) workshops. Details of our activities are below. CAIDA&#8217;s program plan for 2010-2013 is available at <a href="http://www.caida.org/home/about/progplan/progplan2010/">http://www.caida.org/home/about/progplan/progplan2010/</a>. Please do not hesitate to send comments or questions to info at caida dot org. </p>
<p>Full annual report:<br />
<a href="http://www.caida.org/home/about/annualreports/2011/">http://www.caida.org/home/about/annualreports/2011/</a></p>
<p>Program plan for 2010-2013:<br />
<a href="http://www.caida.org/home/about/progplan/progplan2010/">http://www.caida.org/home/about/progplan/progplan2010/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2012/07/12/caidas-annual-report-for-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv6: What could be (but isn’t yet)</title>
		<link>http://blog.caida.org/best_available_data/2012/06/04/ipv6-what-could-be-but-isnt-yet/</link>
		<comments>http://blog.caida.org/best_available_data/2012/06/04/ipv6-what-could-be-but-isnt-yet/#comments</comments>
		<pubDate>Mon, 04 Jun 2012 19:31:47 +0000</pubDate>
		<dc:creator>Matthew</dc:creator>
				<category><![CDATA[Commentaries]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Topology]]></category>

		<guid isPermaLink="false">http://blog.caida.org/best_available_data/?p=1942</guid>
		<description><![CDATA[With IPv6 Launch approaching, there is increasing interest in measuring the readiness of the IPv6 infrastructure. A major concern, particularly for networks that source or sink content, is the performance that is achievable over IPv6, and how it compares to the performance over IPv4. A recent study by Nikkhah et al. argues that data plane [...]]]></description>
				<content:encoded><![CDATA[<p>With <a>IPv6 Launch</a> approaching, there is increasing interest in measuring the readiness of the IPv6 infrastructure. A major concern, particularly for networks that source or sink content, is the performance that is achievable over IPv6, and how it compares to the performance over IPv4. A <a href="http://repository.upenn.edu/cgi/viewcontent.cgi?article=1644&amp;context=ese_papers">recent study</a> by Nikkhah <em>et al.</em> argues that data plane performance, as measured by web page download times, is largely comparable in IPv4 and IPv6, as long as the AS-level paths in IPv4 and IPv6 are identical.  We have confirmed these findings with our own measurements covering 593 dual-stack ASes: we found that 79% of paths had IPv6 performance within 10% of IPv4 (or IPv6 had better performance) if the forward AS-level path was the same in both protocols, while only 63% of paths had similar performance if the forward AS-level path was different.</p>
<p>Given the apparent importance of congruent AS-level paths in IPv4 and IPv6, we measured to what extent such congruence exists today, and how this has evolved historically. We measure IPv4 and IPv6 AS paths from seven vantage points (ACOnet/AS1853, IIJ/AS2497, NTT/AS2914, Tinet/AS3257, HE/AS6939, AT&amp;T/AS7018, NL-BIT/AS12859) which have provided BGP data to Routeviews and RIPE RIS since 2003. The figure below plots the fraction of dual-stack paths that are identical in IPv4 and IPv6 from each vantage point over time. According to this metric, IPv6 paths are maturing slowly. In January 2004, 10-20% of paths were the same for IPv4 and IPv6; eight years later, 40-50% of paths are the same for six of the seven vantage points.</p>
<p><a href="http://blog.caida.org/best_available_data/wp-content/uploads/2012/06/zero.scaled.png"><img class="alignnone size-full wp-image-1950" src="http://blog.caida.org/best_available_data/wp-content/uploads/2012/06/zero.scaled.png" alt="Fraction of identical dual-stack paths over time" width="500" height="250" /></a></p>
<p><span id="more-1942"></span></p>
<p>Even though the fraction of congruent AS-level paths has been increasing, it is still only around 50%. It is interesting to study the reasons for the divergence. Is it the case that some ASes or AS links from the IPv4 graph are not present in IPv6? How strong could the congruence possibly be, given the set of AS links and ASes from the IPv4 graph that are already present in the IPv6 graph? For each link in an IPv4 AS path toward a dual-stacked origin AS, we examine whether that link is present in the IPv6 topology, regardless of the AS path on which it appears. The figure below shows that currently, 60-70% of AS paths could be <em>link-identical</em> in IPv4 and IPv6 without configuring a new BGP peering session, because for these paths each IPv4 link is already present in the IPv6 topology, just not yet part of an observable BGP-policy-compliant path between the edges.</p>
<p><a href="http://blog.caida.org/best_available_data/wp-content/uploads/2012/06/pot-links.scaled.png"><img class="alignnone size-full wp-image-1951" src="http://blog.caida.org/best_available_data/wp-content/uploads/2012/06/pot-links.scaled.png" alt="Fraction of dual-stack paths that could be link-identical over time" width="500" height="250" /></a></p>
<p>We take a step further and examine what would happen if each IPv6-capable AS were to establish equivalent peerings in IPv6 and IPv4. For each AS in an IPv4 AS path toward a dual-stacked origin AS, we examine whether that AS is present in the IPv6 topology. The figure below shows the fraction of IPv4 AS paths where each AS on the IPv4 AS path is present in the IPv6 topology. If current IPv6-capable ASes established equivalent peerings in IPv4 and IPv6, 95% of AS paths could be <em>node-identical</em> in IPv4 and IPv6; that is, for an AS link on such a path, both ASes are present in the IPv6 topology, and both ASes already peer in IPv4. If these ASes also started IPv6 peering, we could see the AS paths converge.</p>
<p><a href="http://blog.caida.org/best_available_data/wp-content/uploads/2012/06/pot-nodes.scaled.png"><img class="alignnone size-full wp-image-1952" src="http://blog.caida.org/best_available_data/wp-content/uploads/2012/06/pot-nodes.scaled.png" alt="Fraction of dual-stack paths that coluld be node-identical over time" width="500" height="250" /></a></p>
<p>These results are encouraging, but they are even more motivating when juxtaposed with the above performance measurements which show IPv4 and IPv6 data plane performance is comparable when the AS paths are the same. Together, these results demonstrate the undeniable benefit of BGP peering parity between IPv4 and IPv6 AS-level topologies.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.caida.org/best_available_data/2012/06/04/ipv6-what-could-be-but-isnt-yet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
