CS498 Systems and Networking Lab

Spring 2012

Lab 2: Network administration and defense

Instructor: Matthew Caesar Due:

Performing measurement of the Internet is an important challenge. Inferring the structure of the deployed networks, and studying properties of Internet trafc, provides insights into how we can better design protocols and architectures to take advantage of properties we observe. The goal of this assignment is to gain familiarity with Internet measurement. Here, we will study several widely-used repositories of measurement traces, as well as perform some small-scale experiments on our own.

2.1 Measuring Internet topology with BGP Updates

A network topology consists of the interconnection and arrangement of equipment (routers, links) that makes up the network. The complete topology of the Internet is unknown. Yet knowing the structure of the Internet is crucial in designing simulation/evaluation environments to test new protocols, in understanding the nature of how different networks interconnect, in searching for weak points and analyzing resilience of the Internet, and in provisioning for future growth patterns. To deal with this problem, researchers perform measurements to infer the structure of the Internet graph on various levels. In this problem we will infer the AS-level (ISP-level) topology of the Internet graph. In particular, for each AS in the Internet, we will determine which other ASes are connected to it. This is a simpler problem than determining how many times ASes peer with one another, or determining the router-level Internet topology, or inferring what routing policies are used at each router, etc. (we will discuss these harder problems in lecture). The University of Oregon Route Views project (www.routeviews.org) maintains eBGP peering sessions with routers in a number of ASes. Route Views maintains historical records of BGP routing updates logged on each of these sessions. Analyzing these routing updates can provide insights into stability of the global routing system, distribution of addresses, and the structure of the Internet topology. Here, we will study the structure of the AS-level topology. Initial setup: Routing updates (UPDATES) and BGP table snapshots (RIBS) are located at http://archive.routeviews. org/bgpdata/ . Download the BGP table snapshot from July 1 2008. You can convert the snapshot to human-readable format by using the executable at http://www.cs.uiuc.edu/ homes/caesar/rba , which runs on Linux-based systems (e.g., csil-core1.cs.uiuc.edu). Help is available by executing the command rba -help. Analysis: 1. Using the vantage point 12.0.1.63 (one of the AT&T feeds) plot the CDF of AS outdegree (the number of links adjacent to an AS), over all ASes in the Internet. 2. Using the vantage point 12.0.1.63 how many ASes are there in the Internet on July 1 2008? How fast is this number growing over time (explain your methodology for arriving at this number you may have to look at RIBS on multiple dates). 3. Using the vantage point 12.0.1.63, how large are Internet routing tables (in terms of number of prexes) on July 1 2008? How fast is this number growing? 2-1

Lab 2

2-2

4. Using the vantage point 12.0.1.63, how many links (inter-AS adjacencies) are there in the Internet? 5. Using all vantage points in the trace, how many links are there in the Internet? Using all vantage points, how many ASes are there in the Internet? Are these answers different from your answers above? Explain why your results are different, or why they are the same. 6. Download the *UPDATE* le from http://archive.routeviews.org/bgpdata/2008.07/UPDATES/ updates.20080701.0005.bz2 . (a) How many links and ASes are there in the Internet? (b) Name one reason why you might expect the number of links to increase when you look at updates instead of RIB snapshots. (c) Name one reason why you might expect the number of links to decrease when you look at updates instead of RIB snapshots. 7. In addition to inferring the Internets AS-level topology, it is also useful to infer the way that trafc ows over that topology. The manner in which an AS advertises a route in the Internet can very commonly be classied into one of several categories: (a) provider-customer relationships, where a customer pays a provider money (typically) for service. In this case, the provider advertises all routes it receives to the customer, and advertises all routes from the customer to all its neighbors. (b) peer-peer relationships, where two ASes agree to peer out of their own mutual benet, and typically no money is exchanged. ASes almost always advertise all their routes from customers to peers. However, they almost always prevent provider/peer routes from being advertised to other provider/peers. Instead of performing this inference yourself, we will provide a le containing these relationships for you: http://www.cs.illinois.edu/caesar/courses/CS498.S12/as-rel.20071105.a0.01000. txt.bz2. This le was originally downloaded from http://www.caida.org/data/active/as-relationships/, and contains an AS-level graph annotated with inter-ISP relationships. The format of the le is explained in comments at the start of the le. Suppose an IP packet is sent from a computer in UIUC (AS 680) to YouTube (AS 36561). Using this le, name one possible sequence of ASes it may traverse.

2.2 Characterizing trafc aggregates with Netow

Characterizing Internet trafc is an important challenge. Studying Internet trafc allows ISPs to determine how to provision capacity, to perform more effective trafc engineering, and to localize sources of attacks and unwanted trafc (e.g., spam) owing through their networks. While maintaining logs of every packet traversing an ISPs network would provide the greatest degree of resolution into network activity, doing so is not tractable. The largest ISPs transit hundreds of terabytes of trafc every day, creating storage and analysis problems that seem intractable. To deal with this, Internet routers run a trafc characterization system known as Netow. Netow collects information about IP ows, as opposed to complete packet-level traces. A ow consists of a sequence of packets between a source IP/port and destination IP/port, that are observed within a xed window of time at the router collecting the Netow trace. To further improve scalability, Netow relies on sampling, i.e., where instead of looking at every packet, the router only looks at every nth packet. While Netow traces do not provide complete information about data trafc traversing a router, these traces are sufcient to observe a wide range of Internet trafc patterns. Further information about Netow is available at http://www.ietf.org/rfc/rfc3954.txt . In this problem, you will analyze Netow traces to compute statistics about trafc characteristics and utilization on the Abilene Internet2 ISP network. Setup: Download the Netow trace located at http://www.cs.illinois.edu/caesar/courses/CS498. S12/ft-v05.2005-11-26.001500+0000.gz. This trace was originally downloaded from Abilenes Internet2 Observatory web site (http://www.internet2.edu/observatory/). The Abilene Internet2 network

Lab 2

2-3

is an ISP run by a non-prot consortium, which provides high-bandwidth connectivity between universities, government agencies, and some corporations. Abilene only provides connectivity between these entities, and not to the global Internet so these traces only contain ows between Abilene-connected institutions. The provided trace was acquired from the router where UIUC connects to Abilene. For future reference, you can download traces from a larger set of routers and dates from the Abilene web site. To do this, you will need to sign up for an account by lling out the proposal process form on that site. To convert Netow traces into human-readable format, you will need to install the ow-tools package. For example, on Ubuntu/Debian, run sudo apt-get install ow-tools, on other systems download and install ftp://ftp.eng.oar. net/pub/flow-tools/flow-tools-0.66.tar.gz. Then, to convert the le to human-readable format, you can run the following command: : > zcat ./ft-v05.2005-11-26.001500+0000.gz | flow-cat | flow-export -f2 | head Analysis: 1. From a machine within UIUC, perform a traceroute to a machine at Princeton University. Give the IP address of the Abilene router which connects to UIUC. This is the router where hw2trace.gz was collected. 2. What fraction of trafc is BitTorrent trafc (ports 6881-6999), and what fraction is web request (port 80) trafc? 3. Plot a CDF of ow lengths measured in number of bytes per connection, and again in terms of number of packets per connection. 4. Assume UIUCs AS number is 680. What are the top ve /16s owned by Abilene-connected institutions to which UIUC sends trafc? Use whois to give the ASCII names of the companies/entities which own these prexes. e.g., whois -h whois.cymru.com -v AS10000 5. What are the top ve /16s owned by Abilene-connected institutions which send trafc to UIUC?

2.3 Analyzing packet-level trafc with tcpdump

While Netow-level traces are useful for studying Internet trafc on large scales, sometimes it becomes necessary to study trafc on a ner grain. For example, debugging protocol operation, or analyzing network attacks may require studying packet-level traces. Here, we will use packet-level traces to analyze behavior of the CodeRed Internet worm. This worm infected over 359,000 computers in less than 14 hours. In order to nd a patch to the vulnerability, to study the worms propagation behavior, or to trace back to the source of a networks infection, packet traces may be collected and manually analyzed using the approach you will perform below. Here, we will use the tcpdump tool to record and play back traces of packets. tcpdump allows a host to sniff network packets. It supports a exible ltering interface to limit the number of displayed packets, as well as the ability to log packets to a trace le, and to replay contents of traces. Analysis: 1. Next, we will use tcpdump to analyze the contents of an existing trace. Download http://www.cs.illinois. edu/caesar/courses/CS498.S12/CodeRedTraces.tgz. This le contains a trace of a small network infected by the Code Red worm. More details about the trace are given at http://www.bofh.sh/ CodeRed/index.html. You can display the contents of a trace by executing a command similar to tcpdump -n -r CRed.07-19-01.dump. The Code Red worms behavior is divided into stages: after initially infecting a

Lab 2

2-4

machine, it rst attempts to infect other machines for a period of 20 days. How many remote hosts did the infected machine (192.168.1.105) attempt to infect on July 19 2001? Also, what is the rate at which the infected machine attempted to infect remote hosts? 2. Find the rst TCP syn sent to a remote host in the trace CRed.07-19-01.dump. How long did it take to receive an ack? 3. 20 days after infection, the Code Red worm begins to DDoS the Whitehouses web server (198.137.240.91). On July 21 2001, what is the rate at which the infected machine sent packets to the Whitehouses web server? 4. On July 30, 2001, what do you observe about the worms behavior? Is it performing DDoS or infecting hosts at the same rate it did previously? 5. If you wanted to protect your machine from being infected by Code Red, what sort of lters might you install in your rewall?