High Speed Networks Laboratory @ Budapest University of Technology and Economics High Speed Networks Laboratory Monitoring Network.

High Speed Networks Laboratory@ Budapest University of Technology and Economics

http://hsnlab.tmit.bme.hu

High Speed Networks Laboratory

Monitoring Network Bias

A joint project with Prof. Aleksandar Kuzmanovic (Northwestern University)Supported by NSF CAREER Award No. 0746360

Gergely BiczókPhD Candidate

[email protected]

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20092

Outline

• Motivation: network neutrality• Internet Audit• System design• Implementation• Future work

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20093

Net neutrality: basics

• “… a network free of restrictions on equipment, modes of communication allowed, on content, sites, and platforms and where communication is not unreasonably degraded by other communication streams …” – Wikipedia

• Own definition: you get what you asked/paid for • not less (e.g. blocking some websites)• not more (e.g. ISP-embedded content to websites)

• Debate in public, struggle in legislation, war in the Internet• Pro net neutrality: content providers (e.g., Google) and

freedom activists• www.savetheinternet.com

• Anti net neutrality: Internet Service Providers (with infrastructure, e.g., AT&T)• http://www.handsoff.org/blog/

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20094

Net Neutrality: incentives and history

• (Access) ISPs have incentives to violate NN• “Resource management” (Comcast)• Potential side deals with content providers (AT&T)• Larger profit through own proprietary services (blocking Skype in favor of

own VoIP service)

• 2005: FCC enforcing net neutrality involving Madison River Communications that blocked Vonage VoIP

• 2006: China using Narus middleboxes to block Skype• 2007: Comcast actively poisoning BitTorrent uploads• 2008: YouTube outage, routing black hole caused by Pakistani ISP’s

regulatory policy• 2009: BitTorrent portals are blocked around the world

• 2005-: Rogers (Canada) blocks/shapes P2P, shapes all encrypted (!) traffic, forces users to its own SMTP servers, embed own content (!) into third-party webpages, …• http://ihaterogers.ca

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20095

Internet Audit

• Goal: not to take sides in the net neutrality debate, but rather to design a system capable of making the Internet more transparent

• A distributed system to enable network accountability:• What happened, where did it happen, and who is responsible?

• Challenges:• Non-repudiable identification of discriminating network elements• Detect unfair service favoring, e.g., content provider/ISP alliances• Explore a range of threat models

• from open DoS attacks to using network policies in destructive ways

• First step: monitoring biased network behavior• provide the users with information

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20096

Monitoring network bias

• An active measurement system which is• Distributed• Large-scale• For all end-users• Targeting access ISPs

• Capable of• Detecting DPI, blocking, shaping, DNS hijacking, …• Locating the discriminatory network element• Finding out the subtype of biased behavior (e.g., shaping based on

DPI vs. shaping)

• Provides an online service for end-users• With feedback

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20097

System overview

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20098

Measurement methodology

• Collect reported/possible means of discrimination applied by ISPs

• Create active probes that likely trigger these mechanism• We mostly emulate application/protocols

• e.g., BitTorrent-like traffic pattern without implementing a client• Minimal user action is required

• Filtering• Shaping (HTTP, FTP, SSL, BitTorrent)• WWW bias (DNS hijacking, torrent portal blocking, …)

• Locating middleboxes• By executing probes from multiple vantage points to the same

end-host• Correlating results• Vantage point selection is critical (IP/geo, iPlane)

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 20099

Filtering details

• Port-based• Sending packets with random payload to well-defined ports

• Signature-based• Deep Packet Inspection• List of byte signatures for applications/protocols• We derived a list based on

• open-source DPI: ipp2p, l7-filter• protocol definitions• own packet traces

• Flow-pattern based for P2P applications• Header inspection plus spatial correlation of flows• Random payload• Data exchange: Parallel TCP connections from the same IP to several others

in a port range• Control: Parallel UDP connections from the same IP to different IPs to the

same port

• With the correct order of probes the subtype can be determined

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 200910

Implementation issues

• PlanetLab is widely used• De facto standard test network• Lot of users, slice-based access, ~20 active slices on one node• Nodes go down at times

• M-Lab: dedicated to network transparency research• Founded by: Open Technology Institute, Google, PlanetLab

Consortium and researchers• Administered by PlanetLab• Limited number of users, ~1 slice per CPU core• Ideal for active probing

• We are deploying our system to both platforms currently

High Speed Networks Laboratoryhttp://hsnlab.tmit.bme.hu

| 2008-06-29 | FuturICT 200911

• Conduct a large-scale measurement campaign• Evaluate and draw the global map of biased network behavior

More on the Internet Audit project athttp://networks.cs.northwestern.edu/internet-audit/

NetBias tool will be available at the M-Lab website soonhttp://www.measurementlab.net/

Future work

Thank you for your attention!