Computing systems now impact almost every aspect of our daily lives. As these systems evolve and develop, they often raise new challenges to our security and privacy, as well as to our commitments to equity and justice. To identify and mitigate the risks that these new technologies present, it is crucial to have scientific and technological experts participate in the conversation. But fully addressing these issues in government (through legislation, regulation, policy development, and executive actions) requires that experts engage with policy and legislative processes, to be "in the room where it happens." In this talk, I'll reflect on my 18 months serving at the White House Office of Science and Technology Policy (OSTP) as Deputy U.S. Chief Technology Officer for Privacy. I'll provide an overview of the Biden-Harris Administration's work on fast-moving technologies such as AI as well as long-standing challenges such as privacy. I'll describe OSTP's role within the Executive Office of the President, and how OSTP works with and across the government to coordinate federal science and technology policy. Finally, I'll discuss the importance of members of computing (and the IMC community in particular) engaging with government. And I'll highlight opportunities to do so, ranging from responding to requests for information, to collaborative research projects, to tours of service and even careers in government.
The FCC's National Broadband Map aspires to provide an unprecedented view into broadband availability in the US. However, this map, which also determines eligibility for public grant funding, relies on self-reported data from service providers that in turn have incentives to strategically misrepresent their coverage. In this paper, we develop an approach for automatically identifying these low-quality service claims in the National Broadband Map. To do this, we develop a novel dataset of broadband availability consisting of 750k observations from more than 900 US ISPs, derived from a combination of regulatory data and crowdsourced speed tests. Using this dataset, we develop a model to classify the accuracy of service provider regulatory filings and achieve AUCs over 0.98 for unseen examples. Our approach provides an effective technique to enable policymakers, civil society, and the public to identify portions of the National Broadband Map that are likely to have integrity challenges.
Radiation shock waves from solar activities are known to be a menace to spaceborne electronic infrastructure. Recent deployments, like the SpaceX Starlink broadband mega-constellation, open up the possibility to measure such impact on Low Earth Orbit infrastructure at scale. Our tool, CosmicDance, enables a data-driven understanding of satellite orbital shifts due to solar radiations. CosmicDance could also signal corner cases, like premature orbital decay, that could lead to service holes in such globally spanning connectivity infrastructure. Our measurements with CosmicDance show that Starlink satellites experience both short and long-term orbital decay even after mild and moderate intensity solar events, often trespassing neighboring shells of satellites.
While Internet Service Providers (ISPs) have traditionally focused on marketing network throughput, it is becoming increasingly recognized that network latency also plays a significant role for the quality of experience. However, many ISPs lack the means to continuously monitor the latency of their network. In this work, we present a method to continuously monitor and aggregate network latency per subnet directly in the Linux kernel by leveraging eBPF. We deploy this solution on a middlebox in an ISP network and collect an extensive dataset of latency measurements for both the internal and external parts of the network. We find that our monitoring solution can monitor all subscriber traffic while maintaining a low overhead of only around 1% additional CPU utilization. Our analysis of the latency data reveals a wide latency tail in the last-mile access, which grows during busy periods in the evening. Furthermore, we dissect the external network latency and uncover the latency profiles for the most popular autonomous systems.
Although home wireless networks (WiFi) are increasingly becoming performance bottlenecks, there are no research studies based on long-running field deployments that document this phenomenon. Given both public and private investment in broadband Internet infrastructure, a rigorous study of this phenomenon, with accompanying public data based on open-source methods, is critical. To this end, this study pioneers a system and measurement technique to directly assess WiFi and access network performance. This study is the first to continuously and contemporaneously measure Internet performance along two segments: from the wireless client to the access point, and from the access point to the ISP access network. It is also the largest and longest-running study of its kind, with public data spanning more than two years (and counting), and, to our knowledge, the first such study in nearly a decade. Our study is based on data from over 22,000 joint measurements across more than 50 broadband access networks. Our findings have important implications for both the development of access technologies and Internet policy. Notably, for users with access links that exceed 800 Mbps, the user's wireless network was the performance bottleneck 100% of the time. Such inflection points will continue to evolve, yet the contributions of this paper include not only the results, but also open-source tools, data, and ongoing continuous measurements.
Cellular networks rely on handovers (HOs) as a fundamental element to enable seamless connectivity for mobile users. A comprehensive analysis of HOs can be achieved through data from Mobile Network Operators (MNOs); however, the vast majority of studies employ data from measurement campaigns within confined areas and with limited end-user devices, thereby providing only a partial view of HOs. This paper presents the first countrywide analysis of HO performance, from the perspective of a top-tier MNO in a European country. We collect traffic from approximately 40M users for 4 weeks and study the impact of the radio access technologies (RATs), device types, and manufacturers on HOs across the country. We characterize the geo-temporal dynamics of horizontal (intra-RAT) and vertical (inter-RATs) HOs, at the district level and at millisecond granularity, and leverage open datasets from the country's official census office to associate our findings with the population. We further delve into the frequency, duration, and causes of HO failures, and model them using statistical tools. Our study offers unique insights into mobility management, highlighting the heterogeneity of the network and devices, and their effect on HOs.
The advent of regulation, such as the Digital Markets Act, will foster greater interoperability across competing digital platforms. In such regulatory environments, decentralized platforms like Mastodon have pioneered the principles of social data portability. Such platforms are composed of thousands of independent servers, each of which hosts their own social community. To enable transparent interoperability, users can easily migrate their accounts from one server provider to another. In this paper, we examine 8,745 users who switch their server instances in Mastodon. We use this as a case study to examine account portability behavior more broadly. We explore the factors that affect users' decision to switch instances, as well as the impact of switching on their social media engagement and discussion topics. This leads us to build a classifier to show that switching is predictable, with an F1 score of 0.891. We argue that Mastodon serves as an early exemplar of a social media platform that advocates account interoperability and portability. We hope that this study can bring unique insights to a wider and open digital world in the future.
The pitfalls of centralized social networks, such as Facebook and Twitter/X, have led to concerns about control, transparency, and accountability. Decentralized social networks have emerged as a result with the goal of empowering users. These decentralized approaches come with their own trade-offs, and therefore multiple architectures exist. In this paper, we conduct the first large-scale analysis of Bluesky, a prominent decentralized microblogging platform. In contrast to alternative approaches (e.g., Mastodon), Bluesky decomposes and opens the key functions of the platform into subcomponents that can be provided by third-party stakeholders. We collect a comprehensive dataset covering all the key elements of Bluesky, study user activity, and assess the diversity of providers for each subcomponent.
Ads are often designed visually, with images and videos conveying information. In this work, we study the accessibility of ads on the web to users of screen readers. We approach this in two ways: first, we conducted a measurement and analysis of 90 websites over a month, collecting ads and auditing their behavior against a subset of best practices established by the Web Content Accessibility Guidelines (WCAG). Then, to put our measurement findings in context, we interviewed 13 blind participants who navigate the web with a screen reader to understand their experiences with (in)accessible ads. We find that the overall web ad ecosystem is fairly inaccessible in multiple ways: many images are missing alt-text, unlabeled links make it confusing for folks to navigate, and closing ads can be tricky. But, there are straightforward ways to improve: because only a few large companies dominate the ad ecosystem, making small changes to the way they enforce accessibility standards can make a large difference.
We present the first measurement of the user-effect and privacy impact of "Related Website Sets," a recent proposal to reduce browser privacy protections between two sites if those sites are related to each other. An assumption (both explicitly and implicitly) underpinning the Related Website Sets proposal is that users can accurately determine if two sites are related via the same entity. In this work, we probe this assumption via measurements and a user study of 30 participants, to assess the ability of Web users to determine if two sites are (according to the Related Website Sets feature) related to each other. We find that this is largely not the case. Our findings indicate that 42 (36.8%) of the user determinations in our study are incorrect in privacy-harming ways, where users think that sites are not related, but would be treated as related (and so due fewer privacy protections) by the Related Website Sets feature. Additionally, 22 (73.3%) of participants made at least one incorrect evaluation during the study. We also characterise the Related Website Sets list, its composition over time, and its governance.
Over 65% of web traffic originates from mobile devices. However, much of this traffic is not from mobile web browsers but rather from mobile apps displaying web content. Android's WebView has been a common way for apps to display web content, but it entails security and privacy concerns, especially for third-party content. Custom Tabs (CTs) are a more recent and recommended alternative.
In this paper, we conduct a large-scale empirical study to examine if the top ~146.5K Android apps use WebViews and CTs in a manner that aligns with user security and privacy considerations. Our measurements reveal that most apps still use WebViews, particularly to display ads, with only ~20% using CTs. We also find that while some popular SDKs have migrated to CTs, others (e.g., financial services) benefiting from CT's properties have not yet done so. Through semi-manual analysis of the top 1K apps, we uncover a handful of apps that use WebViews to show arbitrary web content within their app while modifying the web content behavior. Ultimately, our work seeks to improve our understanding of how mobile apps interact with third-party web content and shed light on real-world security and privacy implications.
Third-party web cookies are often used for privacy-invasive behavior tracking. Partly due to privacy concerns, browser vendors have started to block all third-party cookies in recent years. To understand the effects of such third-party cookieless browsing, we crawled and measured the top 10,000 Tranco websites. We developed a framework to remove third-party cookies and analyze the differences between the appearance of web pages with and without these cookies. We find that disabling third-party cookies has no substantial effect on website appearance including layouts, text, and images. This validates the industry-wide shift towards cookieless browsing as a way to protect user privacy without compromising on the user experience.
Since ZMap's debut in 2013, networking and security researchers have used the open-source scanner to write hundreds of research papers that study Internet behavior. In addition, ZMap has been adopted by the security industry to build new classes of enterprise security and compliance products. Over the past decade, much of ZMap's behavior, ranging from its pseudorandom IP generation to its packet construction, has evolved as we have learned more about how to scan the Internet. In this work, we quantify ZMap's adoption over the ten years since its release, describe its modern behavior (and the measurements that motivated changes), and offer lessons from releasing and maintaining ZMap for future tools.
Port scanning is the de-facto method to enumerate active hosts and potentially exploitable services on the Internet. Over the last years, several studies have quantified the ecosystem of port scanning. Each work has found drastic changes in the threat landscape compared to the previous one, and since the advent of high-performance scanning tools and botnets a lot has changed in this highly volatile ecosystem.
Based on a unique dataset of Internet-wide scanning traffic collected in a large network telescope, we provide an assessment of Internet-wide TCP scanning with measurement periods in the last 10 years (2015 to 2024). We collect over 750 million scanning campaigns sending more than 45 billion packets and report on the evolution and developments of actors, their tooling, and targets. We find that Internet scanning has increased 30-fold over the last ten years, but the number and speed of scans have not developed at the same pace. We report that the ecosystem is extremely volatile, where targeted ports and geographical scanner locations drastically change at the level of weeks or months. We thus find that for an accurate understanding of the ecosystem we need longitudinal assessments. We show that port scanning becomes heavily commoditized, and many scanners target multiple ports. By 2024, well-known scanning institutions are targeting the entire IPv4 space and the entire port range.
The research measurement community needs methods and datasets to identify user concentrations and to accurately weight ASes against each other for analyzing measurements' coverage. However, academic researchers traditionally lack visibility into how many users are in each network or how much traffic flows to each network and so often fall back on treating all IP addresses or networks equally. As an alternative, some recent studies have used the APNIC per AS Population Estimates dataset, but it is unvalidated and its methodology is not fully public.
In this work, we validate its use as a fairly reliable user population indicator. Our approach includes a detailed comparative analysis using a global CDN dataset, providing concrete evidence of the APNIC dataset's accuracy. We find that the APNIC per-AS user estimates closely align with the Content Delivery Network (CDN) per-AS user estimates in 51.2% of countries and correctly identify the largest networks in 93.9% of cases. When we investigate the agreement with CDN traffic volume, the APNIC dataset closely aligns in 36.5% of countries, increasing to 91.0% when focusing only on larger networks. We also evaluate the limitations of the APNIC dataset, particularly its inability to accurately identify user populations for ASes in certain countries. To address this, we introduce new methods to improve its usability by focusing on the statistical representativeness of the underlying data collection process and ensuring consistency across several public datasets.
The Internet measurement community has significantly advanced our understanding of the Internet by documenting its various components. Subsequent research often builds on these efforts, using previously published datasets. This process is fundamental for researchers, but a laborious task due to the diverse data formats, terminologies, and areas of expertise involved. Additionally, the time-consuming task of merging datasets is undertaken only if the expected benefits are worthwhile, posing a barrier to simple exploration and innovation. In this paper we present the Internet Yellow Pages (IYP), a knowledge graph for Internet resources. By leveraging the flexibility of graph databases and ontology-based data integration, we compile datasets (currently 46) from diverse and independent sources into a single harmonized database where the meaning of each entity and relationship is unequivocal. Using simple examples, we illustrate how IYP allows us to seamlessly navigate data coming from numerous underlying sources. As a result, IYP significantly reduces time to insight, which we demonstrate by reproducing two past studies and extending them by incorporating additional datasets available in IYP. Finally, we discuss how IYP can foster the sharing of datasets as it provides a universal platform for querying and describing data. This is a seminal effort to bootstrap what we envision as a community-driven project where dataset curation and ontology definitions evolve with the Internet measurement community.
In the era of increasing network-based threats, particularly IP spoofing, Source Address Validation (SAV) is paramount for network security. The effective deployment of Inbound Source Address Validation (ISAV) is crucial yet often inadequate, posing significant risks to Internet infrastructure. This study presents ICMP_Sonar, a measurement system that deploys "rumors" (carefully crafted spoofed ICMP packets) to probe the network's defenses, revealing the "wise" networks with their robust ISAV implementations. ICMP_Sonar introduces two novel approaches that exploit the characteristics of ICMP unreachable messages and ICMP fragment needed messages, and exhibits the advantages of high coverage, fine granularity, low error rates, and the ability to measure in both IPv4 and IPv6. We also evaluate the applicability and security risks of ICMP error messages. Through large-scale measurements, ICMP_Sonar successfully covers 86M IPv4 hosts (0.8M IPv6 hosts), 3.5M IPv4 /24 subnets (24K IPv6 /40 subnets), and 59K IPv4 ASes (8.3K IPv6 ASes), surpassing the state-of-the-art dual-stack method's coverage by 16.2 (51.6), 2.9 (2.34), and 1.7 (1.7) times, respectively. The broad coverage across multiple granularities enables us to capture a more comprehensive and fine-grained view of ISAV deployment. Measurements show that while the percentage of ASes with no ISAV deployment is lower than previously identified, the percentage of ASes with partial ISAV deployment is much higher, indicating significant gaps in overall security. The analysis also reveals that ISAV deployment practices vary across different networks and between IPv4 and IPv6.
Transport Layer Security (TLS) is widely recognized as the essential protocol for securing Internet communications. While numerous studies have focused on investigating server certificates used in TLS connections, our study delves into the less explored territory of mutual TLS (mTLS) where both parties need to provide certificates to each other. By utilizing TLS connection logs collected from a large campus network over 23 months, we identify over 2.2 million unique server certificates and over 3.4 million unique client certificates used in over 1.2 billion mutual TLS connections. By jointly analyzing TLS connection data (e.g., port numbers) and certificate data (e.g., issuers for server/client certificates), we quantify the prevalent use of untrusted certificates and uncover potential security concerns resulting from misconfigured certificates, sharing of certificates between servers and clients, and long-expired certificates. Furthermore, we present the first in-depth study on the wide range of information included in CommonName (CN) and Subject Alternative Name (SAN), drawing comparison between client and server certificates, as well as revealing sensitive information.
We present a global, large-scale measurement of Internet traffic shadowing, a less-studied yet covert format of on-path manipulation. As part of pervasive monitoring, data within packets is silently observed, retained, and then leveraged to produce additional, unsolicited requests. To depict the landscape of such behaviors, we generate a collection of decoy traffic that lures on-path exhibitors, spread it via 4,364 vantage points recruited from commercial VPN providers, and capture unsolicited requests triggered by it. We find traffic shadowing against DNS, HTTP, and TLS protocols; DNS queries to several public resolvers are most susceptible, being observed on a wide range of Internet paths. Through hop-by-hop tracerouting, we find observers of DNS queries associated with destinations, while HTTP messages are mostly observed on the wire. User data can be retained for a long time, e.g., over 10 days, and can be leveraged more than once. While a notable portion of unsolicited requests originate from addresses labeled by blocklists, we find most of them are performing reconnaissance, and we see no evidence of exploits attempted in the collected traffic.
Network Telescopes, often referred to as darknets, capture unsolicited traffic directed toward advertised but unused IP spaces, enabling researchers and operators to monitor malicious, Internet-wide network phenomena such as vulnerability scanning, botnet propagation, and DoS backscatter. Detecting these events, however, has become increasingly challenging due to the growing traffic volumes that telescopes receive. To address this, we introduce DarkSim, a novel analytic framework that utilizes Dynamic Time Warping to measure similarities within the high-dimensional time series of network traffic. DarkSim combines traditional raw packet processing with statistical approaches, identifying traffic anomalies while enabling rapid time-to-insight. We evaluate our framework against DarkGLASSO, an existing method based on the Graphical LASSO algorithm, using data from the UCSD Network Telescope. Based on our manually classified detections, DarkSim showcased perfect precision and an overlap of up to 91% of DarkGLASSO's detections in contrast to DarkGLASSO's maximum of 73.3% precision and detection overlap of 37.5% with the former. We further demonstrate DarkSim's capability to detect two real-world events in our case studies: (1) an increase in scanning activities surrounding CVE public disclosures, and (2) shifts in country- and network-level scanning patterns that indicate aggressive scanning. DarkSim provides a detailed and interpretable analysis framework for time-series anomalies, representing a new contribution to network security analytics.
Motivated by the impressive but diffuse scope of DDoS research and reporting, we undertake a multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks - direct-path attacks and reflection-amplification attacks. We first analyze 24 industry reports to extract trends and (in)consistencies across observations by commercial stakeholders in 2022. We then analyze ten data sets spanning industry and academic sources, across four years (2019-2023), to find and explain discrepancies based on data sources, vantage points, methods, and parameters. Our method includes a new approach: we share an aggregated list of DDoS targets with industry players who return the results of joining this list with their proprietary data sources to reveal gaps in visibility of the academic data sources. We use academic data sources to explore an industry-reported relative drop in spoofed reflection-amplification attacks in 2021-2022. Our study illustrates the value, but also the challenge, in independent validation of security-related properties of Internet infrastructure. Finally, we reflect on opportunities to facilitate greater common understanding of the DDoS landscape. We hope our results inform not only future academic and industry pursuits but also emerging policy efforts to reduce systemic Internet security vulnerabilities.
The probability of hitting an active IPv6 address by chance is virtually zero; instead, it appears more promising to analyze ICMPv6 error messages that are returned in case of an undeliverable packet. In this paper, we investigate the implementation of ICMPv6 error messages by different router vendors, whether a remote network's deployment status might be inferred from them, and analyze ICMPv6 error messaging behavior of routers in the IPv6 Internet. We find that Address Unreachable with a delay of more than a second indicates active networks, whereas Time Exceeded, Reject Route and Address Unreachable with short delays pinpoint inactive networks. Furthermore, we found that ICMPv6 rate-limiting implementations, used to protect routers, allow the fingerprinting of vendors and OS-versions. This enabled us to detect more than a million periphery routers relying on Linux kernels from 2018 (or before); these kernels have reached end of life (EOL) and no longer receive security updates.
Large-scale Internet scanning is a vital research tool. While IPv4 can be exhaustively probed, the size of IPv6 precludes complete enumeration, limiting large-scale measurement. Target Generation Algorithms (TGAs), algorithms which ingest lists of prediscovered addresses ("seeds") and produce new addresses to scan, have begun bridging this IPv6 measurement gap. To date, there has been limited exploration of how changes in seed addresses, scanning methods, and dataset composition impact TGA-driven IPv6 host discovery.
In this work, we provide a roadmap for how to use TGAs for Internet-wide scanning by evaluating how changes to input datasets, preprocessing, liveness, alias detection, and metrics impact TGA performance. We also explore how the choice of scan target (ICMP Echo, TCP80, TCP443, or UDP53), across both inputs and outputs, impacts discovered addresses.
From this analysis, we provide guidance on how to properly preprocess a TGA input (seed) dataset and the importance of removing aliases; simple preprocessing at scan time can significantly improve network diversity and can increase discovered hosts by over 700% across combined approaches. We further compare TGA generation budgets, analyze discovered populations, and demonstrate the utility of running multiple TGAs together. Finally, we summarize recommendations for effective TGA use for Internet-wide IPv6 scanning.
People can extract various kinds of information about the Internet from BGP routes tagged with BGP community values with known semantics. In this paper, we conduct a study on the following three issues related to BGP community semantics. First, we design a method to automatically collect self-reported semantics from the Internet and assemble the collected semantics described in natural language into a structured dictionary. The comparison with prior dictionaries shows many community values are exclusively covered by ours and many of them had been used when prior dictionaries were constructed, which confirms the effectiveness of our method. Second, based on this large-size dictionary, we are able to re-evaluate two recent algorithms designed for categorizing community values with unknown semantics, which is a task that, while easier than inferring the detailed semantics, is also very valuable. Our evaluation uncovers some issues within the algorithms that can contribute to their performance improvement. Third, we investigate the fundamental issue in extracting information using community semantics: whether ISPs' behavior is consistent with the published semantics. Our preliminary best-effort investigation reveals the potential risks of using the semantics of some categories of community values.
IPv4 addresses have become a commodity with monetary value since the exhaustion of unallocated IPv4 space. This led to the rise of a secondary market for buying, selling, and leasing IPv4 addresses. While prior work has studied the IPv4 transfer behavior, the IPv4 leasing ecosystem remains largely unexplored. In this paper, we analyze the IPv4 leasing ecosystem by designing a methodology to infer leased address space for all RIRs and study its impact on routing and hosting security. We infer that 4.1% of all advertised IPv4 prefixes (0.9% of routed v4 address space) were leased in April 2024. Our method achieves 98% precision when evaluated against our validated dataset. Finally, we show that leased address space is five times more likely to be abused compared to non-leased space.
Despite prior efforts, the vast majority of the AS-level topology of the Internet remains hidden from BGP and traceroute vantage points. In this work, we introduce metAScritic, a novel system inspired by recommender system literature, designed to infer interconnections within a given metro. metAScritic uses the intuition that the connectivity matrix at a given metro is a low-rank system, since ASes employ similar peering strategies according to their infrastructures, traffic profiles, and business models. This approach allows metAScritic to accurately reconstruct the complete peering connectivity by measuring a strategic subset of interconnections that capture ASes' underlying peering strategies. We evaluate metAScritic's performance across six large metropolitan areas, achieving an average F-score of 0.88 on various validation datasets, including ground truth. metAScritic measures more than 86K edges and infers more than 368K edges, compared to the 13K edges observed for this subset of ASes in public BGP feeds, an increase of 24X over what is currently seen. We study the impact of our inferred links on Internet properties, illustrating the extent of the Internet's flattening and demonstrating our ability to better predict the impact of route leaks and prefix hijacks, compared to relying only on the existing public view.
The Routing Policy Specification Language (RPSL) enables operators to specify routing policies in public registries. These policies contain information for traffic engineering, troubleshooting routing incidents, and automatically configuring route filters to improve security. RPSL information is also valuable for researchers to better understand the Internet. However, the RPSL's complexities make these policies challenging to interpret programmatically. We introduce RPSLyzer, a tool that can parse and interpret 99.99% of RPSL policies. We use RPSLyzer to characterize the RPSL policies of 78,701 Autonomous Systems (ASes) and verify 779 million BGP routes against these policies. We find RPSL usage varies widely among ASes, identify common RPSL misuses that explain most route verification failures, and offer operators recommendations to improve RPSL usage.
QUIC, a rapidly evolving protocol, has gained prominence with its standardization and increased adoption as HTTP/3 on the World Wide Web. Originating from Google in 2014, QUIC has seen significant changes in transitioning from Google QUIC (gQUIC) to an IETF standard in 2021. Understanding the performance of the current version of QUIC in comparison to its predecessors is crucial given its evolution and widespread adoption.
This study conducts a comprehensive performance evaluation of two versions of QUIC: Google QUIC version 37 (gQUICv37, 2017) and IETF QUIC version 1 (QUICv1, 2021). Following parameters and methodologies established by a notable QUIC paper from 2017, we replicate their experiments on gQUICv37 and extend it to QUICv1, leveraging the Emulab testbed to facilitate reproducible research.
We show that the performance advantages of QUIC over TCP, given by core features like 0-RTT and multiple streams, are consistent in gQUICv37 and QUICv1. However, notable performance differences arise between the versions due to the implementation of the new BBR congestion control algorithm and an updated loss-detection strategy in QUICv1, resulting in improved performance for QUICv1 under packet reordering scenarios. By utilizing Emulab and sharing our scripts, we enable replication and extension of our study for future QUIC versions.
In this paper, we present a detailed performance analysis of QUIC instant ACK, a standard-compliant approach to reduce waiting times during the QUIC connection setup in common CDN deployments. To understand the root causes of the performance properties, we combine numerical analysis and the emulation of eight QUIC implementations using the QUIC Interop Runner. Our experiments comprehensively cover packet loss and non-loss scenarios, different round trip times, and TLS certificate sizes. To clarify instant ACK deployments in the wild, we conduct active measurements of 1M popular domain names. For almost all domain names under control of Cloudflare, Cloudflare uses instant ACK, which in fact improves performance. We also find, however, that instant ACK may lead to unnecessary retransmissions or longer waiting times under some network conditions, raising awareness of drawbacks of instant ACK in the future.
The rise of proprietary and novel congestion control algorithms (CCAs) opens questions about the future of Internet utilization, latency, and fairness. However, fully analyzing how novel CCAs impact these properties requires understanding the inner workings of these algorithms. We thus aim to reverse-engineer deployed CCAs' behavior from collected packet traces to facilitate analyzing them. We present Abagnale, a program synthesis pipeline that helps users automate the reverse-engineering task. Using Abagnale, we discover simple expressions capturing the behavior of 9 of the 16 CCAs distributed with the Linux kernel and analyze 7 CCAs from a graduate networking course.
Domain Name System Security Extensions (DNSSEC) enhanced the security of conventional DNS by providing data integrity and origin authentication, but enabled zone walking as a side effect. To address this issue, the Next Secure (NSEC3) resource record provides an authenticated denial of existence mechanism based on hashes of domain names. However, an improper selection of the NSEC3 parameters may significantly degrade the performance of resolvers and authoritative name servers alike. RFC 9276 (Guidance for NSEC3 Parameter Settings) imposes additional constraints on hash computation parameters, crucial in light of emerging security threats such as CPU resource exhaustion attacks. Despite this guideline, our analysis of over 302 M registered domain names reveals that 87.8 % of 15.5 % NSEC3-enabled domains fail to adhere to RFC 9276 with a dozen using 500 additional hash iterations. Furthermore, 78.3 % of 114 K open and closed validating resolvers impose the RFC's additional constraints on hash iterations with 18.4 % returning SERVFAIL, possibly rendering non-compliant domains unreachable.
The DNS HTTPS resource record is a new DNS record type designed for the delivery of configuration information and parameters required to initiate connections to HTTPS network services. In addition, it is a key enabler for TLS Encrypted ClientHello (ECH) by providing the cryptographic keying material needed to encrypt the initial exchange. To understand the adoption of this new DNS HTTPS record, we perform a longitudinal study on the server-side deployment of DNS HTTPS for Tranco top million domains, as well as an analysis of the client-side support for DNS HTTPS through snapshots from major browsers. To the best of our knowledge, our work is the first longitudinal study on DNS HTTPS server deployment, and the first known study on client-side support for DNS HTTPS. Despite the rapidly growing trend of DNS HTTPS adoption, our study highlights challenges and concerns in the deployment by both servers and clients, such as the complexity in properly maintaining HTTPS records and connection failure in browsers when the HTTPS record is not properly configured.
In this study, we measure all root servers over a period of 174 days from 675 vantage points in 523 networks and 62 countries using IPv4 and IPv6. Using this data, we first investigate the co-location between root servers, finding that almost 70% of clients observe co-location of at least two servers. Second, we monitor the integrity of zone transfers, finding rare issues like bitflips or stale zone files. Finally, by enriching our data with passive ISP and IXP data, we quantify the role of IPv6 for performance and behavior under change, finding that even seemingly similar subsets of root servers can differ considerably.
Malicious actors exploit the DNS namespace to launch spam campaigns, phishing attacks, malware, and other harmful activities. Combating these threats requires visibility into domain existence, ownership and nameservice activity that the DNS protocol does not itself provide. To facilitate visibility and security-related study of the expanding gTLD namespace, ICANN introduced the Centralized Zone Data Service (CZDS) that shares daily zone file snapshots of new gTLD zones. However, a remarkably high concentration of malicious activity is associated with domains that do not live long enough to make it into these daily snapshots. Using public and private sources of newly observed domains, we discover that even with the best available data there is a considerable visibility gap in detecting short-lived domains. We find that the daily snapshots miss at least 1% of newly registered and short-lived domains, which are frequently registered with likely malicious intent. In reducing this critical visibility gap using public sources of data, we demonstrate how more timely access to TLD zone changes can provide valuable data to better prevent abuse. We hope that this work sparks a discussion in the community on how to effectively and safely revive the concept of sharing Rapid Zone Updates for security research. Finally, we release a public live feed of newly registered domains, with the aim of enabling further research in abuse identification.
We present the first large-scale analysis of the adoption of third-party serving infrastructures in government digital services. Drawing from data collected across 61 countries spanning every continent and region, capturing over 82% of the world's Internet population, we examine the preferred hosting models for public-facing government sites and associated resources. Leveraging this dataset, we analyze government hosting strategies, cross-border dependencies, and the level of centralization in government web services. Among other findings, we show that governments predominantly rely on third-party infrastructure for data delivery, although this varies significantly, with even neighboring countries showing contrasting patterns. Despite a preference for third-party hosting solutions, most government URLs in our study are served from domestic servers, although again with significant regional variation. Looking at overseas located servers, while the majority are found in North America and Western Europe, we note some interesting bilateral relationships (e.g., with 79% of Mexico's government URLs being served from the US, and 26% of China's government URLs from Japan). This research contributes to understanding the evolving landscape of serving infrastructures in the government sector, and the choices governments make between leveraging third-party solutions and maintaining control over users' access to their services and information.
This study examines Meta's enforcement of its political advertising policies across 16 European Union countries. Leveraging a comprehensive dataset provided by Meta under the European Digital Services Act, encompassing all ads targeting EU countries, our analysis exposes shortcomings in Meta's ad moderation. In particular, over 60% of the ads moderated as political by Meta do not fall under Meta's guidelines. Also, we estimate that only 7.7% of undeclared political ads, i.e., political ads that are not declared as such by advertisers, undergo moderation by Meta. These results highlight substantial deficiencies in Meta's regulation of political advertisements, underscoring the need for enhanced measures to safeguard democratic discourse.
Children's and adolescents' online data privacy are regulated by laws such as the Children's Online Privacy Protection Act (COPPA) and the California Consumer Privacy Act (CCPA). Online services that are directed towards general audiences (i.e., including children, adolescents, and adults) must comply with these laws. In this paper, first, we present DiffAudit, a platform-agnostic privacy auditing methodology for general audience services. DiffAudit performs differential analysis of network traffic data flows to compare data processing practices (i) between child, adolescent, and adult users and (ii) before and after consent is given and user age is disclosed. We also present a data type classification method that utilizes GPT-4 and our data type ontology based on COPPA and CCPA, allowing us to identify considerably more data types than prior work. Second, we apply DiffAudit to a set of popular general audience mobile and web services and observe a rich set of behaviors extracted from over 440K outgoing requests, containing 3,968 unique data types we extracted and classified. We reveal problematic data processing practices prior to consent and age disclosure, lack of differentiation between age-specific data flows, inconsistent privacy policy disclosures, and sharing of linkable data with third parties, including advertising and tracking services.
In this paper, we present and evaluate an automated pipeline for the large-scale analysis of corporate privacy policies. Organizations usually develop their privacy policies in isolation to best balance their business needs, user rights, as well as regulatory requirements. A wide-ranging and structured analysis of corporate privacy policies is essential to facilitate a deeper understanding of how organizations have balanced competing requirements. Our approach consists of a web crawler that can navigate to and scrape content from web pages that contain privacy policies, and a set of AI chatbot task prompts to process and extract structured/labeled annotations from the raw data. The analysis includes the types of collected user data, the purposes for which data is collected and processed, data retention and protection practices, and user rights and choices. Our validation shows that our annotations are highly accurate and consistent. We use this architecture to gather data on the privacy policies of companies in the Russell 3000 index, resulting in hundreds of thousands of annotations across all categories. Analysis of the resulting data allows us to obtain unique insights into the state of the privacy policy ecosystem as a whole.
Smartphones and mobile applications are staple tools in the operation of current-age public demonstrations, where they support organizers and participants in, e.g., scaling the management of the events or communicating live about their objectives and traction. The widespread use of mobile services during protests also presents interesting opportunities to observe the dynamics of these manifestations from a digital perspective. Previous studies in that direction have focused on the analysis of content posted in selected social media so as to forecast, survey or ascertain the success of public protests. In this paper, we take a different viewpoint and present a holistic characterization of the consumption of the whole spectrum of mobile applications during social protests. Hinging upon pervasive measurements in the production network of the incumbent network operator and focusing on the 2023 French pension reform strikes, we unveil how large masses of protesters generate a clearly recognizable footprint on mobile service demands in the examined events. In fact, the footprint is so strong that it lets us develop models informed by the usage of selected mobile applications that are capable of (i) tracking the spatiotemporal evolution of the target demonstrations and (ii) estimating the time-varying number of attendees from aggregate network operator data only. We demonstrate the utility of such privacy-preserving models to perform a-posteriori analyses of the public protests that reveal, e.g., the precise progression of the marches, alternate minor routes taken by participants or their dispersal at the end of the events.
With rapid evolution of mobile core network (MCN) architectures, large-scale control-plane traffic (CPT) traces are critical to studying MCN design and performance optimization by the R&D community. The prior-art control-plane traffic generator SMM heavily relies on domain knowledge which requires re-design as the domain evolves. In this work, we study the feasibility of developing a high-fidelity MCN control plane traffic generator by leveraging generative ML models. We identify key challenges in synthesizing high-fidelity CPT including generic (to data-plane) requirements such as multimodality feature relationships and unique requirements such as stateful semantics and long-term (time-of-day) data variations. We show state-of-the-art, generative adversarial network (GAN)-based approaches shown to work well for data-plane traffic cannot meet these fidelity requirements of CPT, and develop a transformer-based model, CPT-GPT, that accurately captures complex dependencies among the samples in each traffic stream (control events by the same UE) without the need for GAN. Our evaluation of CPT-GPT on a large-scale control-plane traffic trace shows that (1) it does not rely on domain knowledge yet synthesizes control-plane traffic with comparable fidelity as SMM; (2) compared to the prior-art GAN-based approach, it reduces the fraction of streams that violate stateful semantics by two orders of magnitude, the max y-distance of sojourn time distributions of streams by 16.0%, and the transfer learning time in deriving new hourly models by 3.36×.
As the use of network traces in network measurement research becomes increasingly prevalent, concerns regarding privacy leakage from network traces have garnered the public's attention. To safeguard network traces, researchers have proposed trace synthesis that retains the essential properties of the raw data. However, previous works also show that traces synthesized with generative models are vulnerable to linkage attacks.
This paper introduces NetDPSyn, the first system to synthesize high-fidelity network traces under privacy guarantees. NetDPSyn is built with the Differential Privacy (DP) framework as its core, which is significantly different from prior works that apply DP when training the generative model. The experiments conducted on three flow and two packet datasets indicate that NetDPSyn achieves much better data utility in downstream tasks like anomaly detection. NetDPSyn is also 2.5 times faster than the other methods on average in data synthesis.
Due to the widespread adoption of "work-from-home" policies, videoconferencing applications (e.g., Zoom) have become indispensable for remote communication. However, they often lack immersiveness, leading to "Zoom fatigue" and degrading communication efficiency. The recent debut of Apple Vision Pro, a mobile headset that supports "spatial personas", offers an immersive telepresence experience. In this paper, we conduct a first-of-its-kind in-depth and empirical study to analyze the performance of immersive telepresence with FaceTime, Webex, Teams, and Zoom on Vision Pro. We find that only FaceTime provides a truly immersive experience with spatial personas, whereas others still operate 2D personas. Our measurements reveal that (1) FaceTime delivers semantic data to optimize bandwidth consumption, which is even lower than that of 2D personas for other applications, and (2) it employs visibility-aware optimizations to reduce rendering overhead. However, the scalability of FaceTime remains limited, with a simple server-allocation strategy that potentially leads to high network delay for users.
Internet Service Providers (ISPs) bear the brunt of being the first port of call for poor video streaming experience. ISPs can benefit from knowing the user's device type (e.g., Android, iOS) and software agent (e.g., native app, Chrome) to troubleshoot platform-specific issues, plan capacity and create custom bundles. Unfortunately, encryption and NAT have limited ISPs' visibility into user platforms across video streaming providers. We develop a methodology to identify user platforms for video streams from four popular providers, namely YouTube, Netflix, Disney, and Amazon, by analyzing network traffic in real-time. First, we study the anatomy of the connection establishment process to show how TCP/QUIC and TLS handshakes vary across user platforms. We then develop a classification pipeline that uses 62 attributes extracted from the handshake messages to determine the user device and software agent of video flows with over 96% accuracy. Our method is evaluated and deployed in a large campus network (mimicking a residential broadband network) serving users including dormitory residents. Analysis of 100+ million video streams over a four-month period reveals insights into the mix of user platforms across the video providers, variations in bandwidth consumption across operating systems and browsers, and differences in peak hours of usage.
As the demand for online video content drives up bandwidth costs for content providers (CPs), there have been efforts to integrate cost-effective techniques to mitigate their bandwidth expenditure (e.g. using set-top boxes to share content). However, the use of such resources requires considerable effort to balance cost vs. user-perceived quality of service. This paper serves as a first step to quantify this trade-off. We collect and analyze data from a major CP that serves millions of users per day using both traditional CDN resources and alternative cheaper resources. Our analysis reveals that introducing cheaper alternative resources does not always yield anticipated cost savings and may lead to a reduction in quality of experience for users. We provide insights into the reasons behind these issues and propose strategies for better utilization of alternative network resources. We work with a major CP to deploy our proposals, and offer insights on how to better leverage different kinds of bandwidth resources for improved cost-efficiency and streaming delivery.
With the exponential rise in video traffic, researchers and developers require more effective tools to validate the efficacy of designed algorithms for Video-on-Demand (VoD) systems. However, traditional experimental platforms face two main challenges: a lack of realistic testing and the need for lengthy and significant effort. To overcome these limitations, we propose Magpie, an efficient experimental platform tailored for VoD systems. Magpie leverages a realistic operational setting, rapid testing, and high reproducibility to closely simulate online user environments without impacting production systems. Compared to conventional simulations, our evaluation demonstrates that Magpie reduces the disparity with online experiments by 85.6%. Deployed within our company, a leading video content provider in China, Magpie has efficiently validated over tens of algorithms, with 80% demonstrating enhanced performance in subsequent online tests.
Recent years have seen growing interest and support for IPv6 in residential networks. While nearly all modern networking devices and operating systems support IPv6, it remains unclear how this basic support translates into higher-layer functionality, privacy, and security in consumer IoT devices. In this paper, we present the first comprehensive study of IPv6 usage in smart homes in a testbed equipped with 93 distinct, popular consumer IoT devices. We investigate whether and how they support and use IPv6, focusing on factors such as IPv6 addressing, configuration, DNS and destinations, and privacy and security practices.
We find that, despite most devices having some degree of IPv6 support, in an IPv6-only network just 20.4% transmit data to Internet IPv6 destinations, and only 8.6% remain functional, indicating that consumer IoT devices are not yet ready for IPv6 networks. Furthermore, 16.1% of devices use easily traceable IPv6 addresses, posing privacy risks. Our findings highlight the inadequate IPv6 support in consumer IoT devices compared to conventional devices such as laptops and mobile phones. This gap is concerning, as it may lead to not only usability issues but also privacy and security risks for smart home users.
In this work, we characterize the potential information leakage from IoT platforms during their setup phase. Setup involves an IoT device, its "app", and a cloud-based service. We assume that the on-device firmware is inaccessible, e.g., read-protected. We focus on the combination of information that can be extracted from analyzing the app and the local communication between the app and the IoT device. An attacker can trivially obtain the app, analyze its operation, and potentially eavesdrop on the wireless communication occurring during the setup phase. We develop a semi-automated general methodology involving off-the-shelf tools to examine information disclosure during the setup phase. We tested our methodology on twenty commodity-grade IoT devices. The outcome reveals a wide range of device-dependent choices for encryption at various layers and the potential for exposure of, among other things, device-identifying information and local networking (WiFi) credentials. Our methodology contributes towards a means to assess and "certify" IoT devices.
Smart TVs implement a unique tracking approach called Automatic Content Recognition (ACR) to profile viewing activity of their users. ACR is a Shazam-like technology that works by periodically capturing the content displayed on a TV's screen and matching it against a content library to detect what content is being displayed at any given point in time. While prior research has investigated third-party tracking in the smart TV ecosystem, it has not looked into second-party ACR tracking that is directly conducted by the smart TV platform. In this work, we conduct a black-box audit of ACR network traffic between ACR clients on the smart TV and ACR servers. We use our auditing approach to systematically investigate whether (1) ACR tracking is agnostic to how a user watches TV (e.g., linear vs. streaming vs. HDMI), (2) privacy controls offered by smart TVs have an impact on ACR tracking, and (3) there are any differences in ACR tracking between the UK and the US. We perform a series of experiments on two major smart TV platforms: Samsung and LG. Our results show that ACR works even when the smart TV is used as a "dumb" external display, opting-out stops network traffic to ACR servers, and there are differences in how ACR works across the UK and the US.
In this paper, we use empirical measurements to show that container network startup is a key factor that contributes to the slow startup of secure containers in multi-tenant clouds, especially in the scenario of serverless computing, where the issue is pronounced by high-volume concurrent container invocations. We conduct extensive and detailed analysis on existing Container Network Interface (CNI) plugins and show that even the fastest one doubles the startup time from the no-network scenario. We show that the major cause of the blowup in total startup time is that enabling networking significantly increases the contention among different startup stages, particularly for global Linux kernel locks, including the Routing Table NetLink (RTNL) mutex lock and various spin locks. We reveal that contending for these locks hinders startup performance in three ways, including directly increasing stage time, causing poor pipeline overlap and wasting CPU resources. To mitigate such kernel lock contention, we propose a multi-stage concurrency control mechanism based on Bayesian optimization to limit the concurrency of each contended stage. Our results show that this lightweight mechanism can effectively reduce the end-to-end container startup time by 18.8% with negligible extra overhead.
While sketch-based network telemetry is attractive, realizing its potential benefits has been elusive in practice. Existing sketch solutions offer low-level interfaces and impose high effort on operators to satisfy telemetry intents with required accuracies. Extending these approaches to reduce effort results in inefficient deployments with poor accuracy-resource tradeoffs. We present SketchPlan, an abstraction layer for sketch-based telemetry to reduce effort and achieve high efficiency. SketchPlan takes an ensemble view across telemetry intents and sketches, instead of existing approaches that consider each intent-sketch pair in isolation. We show that SketchPlan improves accuracy-resource tradeoffs by up-to 12x and up-to 60x vs. baselines, in single-node and network-wide settings. SketchPlan is open-sourced at: https://github.com/milindsrivastava1997/SketchPlan.
Abnormal email bounces seriously disrupt user lives and company transactions. Proliferating security protocols and protection strategies have made email delivery increasingly complex. A natural question is how and why email delivery fails in the wild. Filling this knowledge gap requires a representative global email delivery dataset, which is rarely disclosed by email service providers (ESPs).
In this paper, we first systematically reveal the scale and root causes of email bounces, and evaluate the email squatting risk in the real world. Through a 15-month passive dataset from a large ESP, we present a unique global view of 298M emails delivered to 3M receiver mail servers in 169 countries. We find that 38M (12.93%) emails fail to be delivered in the first attempt, about one-third of which could be successfully delivered after retrying, while the rest are permanently undeliverable. Delving deeper into bounce reasons, we observe that poor server reputation and network communication quality are significant factors leading to temporary email bounces. In particular, spam blocklists affect many normal email deliveries. The misconfiguration of authentication mechanisms and email address typos result in many permanently undeliverable emails. More seriously, many email addresses with significant residual value can be exploited by squatting attackers. Overall, we call for the community to revisit email delivery failures, especially to improve standards for email bounce reporting and resolution.
In datacenters, common incast traffic patterns are challenging because they violate the basic premise of bandwidth stability on which TCP congestion control convergence is built, overwhelming shallow switch buffers and causing packet losses and high latency. To understand why these challenges remain despite decades of research on datacenter congestion control, we conduct an in-depth investigation into high-degree incasts both in production workloads at Meta and in simulation. In addition to characterizing the bursty nature of these incasts and their impacts on the network, our findings demonstrate the shortcomings of widely deployed window-based congestion control techniques used to address incast problems. Furthermore, we find that hosts associated with a specific application or service exhibit similar and predictable incast traffic properties across hours, pointing the way toward solutions that predict and prevent incast bursts, instead of reacting to them.
In this paper, we address the prevalent issue of account takeover (ATO) fraud, which significantly impacts businesses through stolen user information. Websites have adopted risk-based authentication, incorporating browser fingerprinting techniques to counteract this threat. However, attackers have adapted by using anti-detect browsers, referred to as fraud browsers, to spoof user information effectively. While traditional fingerprinting methods are capable of identifying fraud browsers, they encounter scalability and performance challenges in risk-based systems. To address these issues, we developed Browser Polygraph, an ML-based tool that applies coarse-grained privacy-preserving fingerprints to assess browser authenticity and assigns risk factors to suspicious sessions. Coarse-grained fingerprints, by design, cannot be used for user tracking but only for fraud detection purposes. Deployed at a major financial company, Browser Polygraph has flagged suspicious sessions, enabling more targeted identification of potential fraud, thus enhancing the company's ability to tackle ATO attempts.
The Internet's combination of low communication cost, global reach, and functional anonymity has allowed fraudulent scam volumes to reach new heights. Designing effective interventions requires first understanding the context: how scammers reach potential victims, the earnings they make, and any potential bottlenecks for durable interventions. In this short paper, we focus on these questions in the context of cryptocurrency giveaway scams, where victims are tricked into irreversibly transferring funds to scammers under the pretense of even greater returns. Combining data from Twitter (also known as X), YouTube and Twitch livestreams, landing pages, and cryptocurrency blockchains, we measure how giveaway scams operate at scale. We find that 1 in 1000 scam tweets, and 4 in 100,000 livestream views, net a victim, and that scammers managed to extract nearly $4.62 million from just hundreds of victims during our measurement window.
Ethereum smart contracts are executable programs deployed on a blockchain. Once deployed, they cannot be updated due to their inherent immutability. Moreover, they often manage valuable assets that are worth millions of dollars, making them attractive targets for attackers. The introduction of vulnerabilities in programs due to the reuse of vulnerable code posted on Q&A websites such as Stack Overflow is not a new issue. However, little effort has been made to analyze the extent of this issue on deployed smart contracts.
In this paper, we conduct a study on the impact of vulnerable code reuse from Q&A websites during the development of smart contracts and provide tools uniquely fit to detect vulnerable code patterns in complete and incomplete Smart Contract code. This paper proposes a pattern-based vulnerability detection tool that is able to analyze code snippets (i.e., incomplete code) as well as full smart contracts based on the concept of code property graphs. We also propose a methodology that leverages fuzzy hashing to quickly detect code clones of vulnerable snippets among deployed smart contracts. Our results show that our vulnerability search, as well as our code clone detection, are comparable to state-of-the-art while being applicable to code snippets. Our large-scale study on 18,660 code snippets reveals that 4,596 of them are vulnerable, out of which 616 can be found in 17,852 deployed smart contracts. These results highlight that the reuse of vulnerable code snippets is indeed an issue in currently deployed smart contracts.
Ethereum Name Service (ENS) domains allow users to map human-readable names (such as gold.eth) to their cryptocurrency addresses, simplifying cryptocurrency transactions. Like traditional DNS domains, ENS domains must be periodically renewed. Failure to renew leads to expiration, making them available for others to register (a phenomenon known as dropcatching). This presents a security risk where attackers can register expired domains to leverage the residual trust associated with them and, in the context of ENS, receive transactions intended for their previous owners. In this paper, we conduct the first large-scale study on dropcatching in ENS domains. We curate and analyze a dataset comprising 3.1M ENS domains and 9.7M Ethereum transactions, finding that 241K of these domains were re-registered by new owners after expiration. Our findings indicate a preference for domains linked to high-income wallets in re-registrations. We identify 2,633 transactions that were misdirected to new owners, averaging the equivalent of thousands of US dollars. Lastly, we highlight the lack of countermeasures by digital wallet providers, and suggest straightforward approaches that they can use to minimize financial losses due to ENS dropcatching.
In this paper, we present a new mechanism for estimating the data sending rates of the BBR congestion control algorithm using machine learning. Results show that machine learning can estimate the data sending rates of BBR with high accuracy.
Domain top lists are widely used in Internet measurement and security analysis among the Internet community. To improve the manipulation resistance and stability of top lists, many efforts have been devoted, such as the passive DNS (pDNS)-based top list, Secrank, and the aggregated list, Tranco. However, it remains unexamined how robust these newly-built top lists are against ranking manipulation. In this study, we study the pitfall of the pDNS data and propose RaMOF, a novel Ranking Manipulation approach based on Open Forwarders, leveraging the inherent forwarding relationships between open forwarders and public DNS services. Our experiments show that both pDNS-based top lists and aggregated lists are prone to be affected by RaMOF attacks.
In this study, we present PublicDNSEnum, a lightweight and accurate tool to enumerate anycast instances of public DNS services. Leveraging the open and forwarding features of DNS resolvers, PublicDNSEnum enables researchers to trigger and conduct anycast enumeration of public DNS anycast instances on a single vantage host. It transforms a massive number of open forwarders into distributed measurement nodes by utilizing the forwarding relationship between open forwarders and public DNS. Experiments on Google Public DNS show that PublicDNSEnum achieves better recall than the state-of-the-art technique, including iGreedy.
Malware is recognized as one of the most severe cybersecurity threats today. Although malware attacks are as old as the Internet, our understanding of which part of the Internet infrastructure is used to distribute malware software is still rather limited.
In this work, we analyze more than 3 million sessions established with honeypots deployed in 55 countries that are associated with the download and execution of malware binaries. We identify two main tactics to load malware to infected machines: injection of malware by hosts initiating the connection (clients) and downloading malware from third parties (loaders). The latter tactic contributes to more than 80% of this class of sessions but involves a smaller number of cloud and content delivery servers with very different profiles than that of the clients. Our analysis also shows that it is not uncommon for different malware families to rely on the same hosting infrastructures for downloading malware. Further investigation into the code executed to download and activate malware shows that criminals tend to hide their traces by deleting their history and modifying logs and files on the compromised machines.
This poster presents the first steps towards a data-driven methodology to design material for raising awareness on personal data collection and use by smartphone apps for mobility services (e.g., trip planning). Through an online survey, we collected a sample of 300 responses from regular users of these apps in the Paris region, in France, who share their perspectives on privacy concerns and their need to be better informed.
We investigate how environmental data collected from a low-cost, distributed Internet-of-Things platform can be used to identify factors affecting air quality in highly dense urban environments. In this work, we focus on the case of Bangkok. We use data collected from the SEA-HAZEMON platform to analyze the incidence of several parameters on PMx level and assess its potential to forecast CO2 emission.
This study examines Airalo, a "thick" Mobile Network Aggregator. We analyze its unique use of multiple base operators for eSIM provisioning and its decoupling of internet gateways from operators' home countries. Our methodology combines measurements from volunteers in 24 countries using a mix of personal and instrumented Android devices, providing a comprehensive analysis of Airalo's operational model and impact on global mobile connectivity.
The Interplanetary File System (IPFS) [1] is a popular Peer-to-Peer (P2P) overlay network with a focus on content-addressed data exchange. While IPFS offers decentralized file storage, improving resilience, it suffers from privacy challenges [3]. In particular, Bitswap, the data exchange protocol, suffers under these challenges. That is, Bitswap contacts all neighbors for content discovery, revealing interest to many participants.
SMS scams have surged over the recent years. However, little empirical research has been done to understand this rising threat due to the lack of an updated dataset. In the UK, mobile network operators run a firewall to block illicit messages. To this end, we collaborate with a major UK mobile network operator, which provides us with 3.58m SMS messages flagged by their firewall. These messages originated from over 42k unique sender IDs and were sent to 2.23m mobile numbers between December 2023 and February 2024. This is the first research to examine the current threats in the SMS ecosystem and categorize illicit SMS messages into eight sectors, including spam. We present the distribution of SMS messages successfully blocked by the mobile network operator's firewall and those that successfully evade detection.
Optimizing mobile networks in the rapidly evolving field of wireless communication is increasingly challenging due to two main issues associated with current methods. First, the technical complexity of the Radio Access Network (RAN) with multiple technologies, frequency bands, and cell sizes makes it difficult for manual processing to keep pace with the growing number of issues to be resolved. Second, network optimization usually focuses on data gathered by network equipment, i.e. base stations, and overlooks user-side information, which can offer data with better spatial precision and more accurate Quality of Service (QoS) as seen by the end user.
One of the main problems for alternative mobile network optimization methods that exploit user-related information is that they also require network-related knowledge, such as the deployed infrastructure and network load, which may not be available. However, network quality measurements at the User Equipment (UE), such as Reference Signal Received Quality (RSRQ) in LTE networks, contain information about the total power received in the entire cell bandwidth, from which a proxy for cell load may be derived. In this work, we propose a generalized method to derive cell load from RSRQ, and test it in a commercial mobile network using crowdsourced measurements.
Low-Earth-Orbit satellite networks (LSNs) are enabling low-latency high-bandwidth internet connectivity at a global scale. However, the majority of the traffic on the Internet is currently handled by Content Delivery Networks (CDNs), which rely on geographical proximity to deliver content. In this work, we examine CDN performance for the largest commercial LSN, i.e. Starlink, by performing active measurements through our web browser plugin and passive analysis of Cloudflare speed tests globally. Comparing this to terrestrial networks, we highlight significant performance degradation for Starlink users due to the asymmetries between satellite and terrestrial infrastructure.
This paper presents a methodology for extracting and structuring information from Internet Autonomous Systems peering policy documents using natural language processing techniques. We trained a named entity recognition model to identify and extract key entities related to peering practices. The resulting structured dataset, made publicly available, provides valuable insights into autonomous system peering requirements, preferences, and routing practices. This dataset serves as a foundation for understanding and modelling the peer selection processes of autonomous systems on the Internet. Our ongoing work focuses on developing a policy-aware approach to select peering partners based on compatibility scores derived from the extracted policy requirements.
Internet shutdowns, often enforced by governments to control communication and access to information, have significant socio-political and economic implications. This study presents a machine learning approach to predict the likelihood of internet shutdowns, developing an Internet Shutdown Risk Score using public datasets from 125 countries. A Random Forest classifier, achieving an AUC of 0.97, was used to calculate risk scores. Key features were identified using the Shapley algorithm, highlighting factors like political unrest, economic conditions, and digital infrastructure. Case studies in Pakistan, India, and Sudan demonstrate rising shutdown risks due to protests from 2019 to 2022. Globally, the Internet Shutdown Risk Index has been consistently high since 2019, indicating increased threats of internet shutdowns in politically unstable regions.
The Border Gateway Protocol (BGP) is the de facto routing protocol of the Internet. In BGP, networks (Autonomous Systems, ASes) advertise to neighboring ASes the IP address blocks (IP prefixes) they host and the ones hosted by other ASes towards which they have a path. Two ASes can announce themselves as the host (origin) of the same IP prefix (Multiple Origin AS prefix, MOAS). Alternatively, one AS can advertise itself as the host of an IP prefix, and another can advertise itself as the host of a subset of that same prefix (SubMOAS prefix). While MOAS and SubMOAS can be legitimate, they can also result in misdirected Internet traffic (BGP hijacking), whether the cause is intentional or not. Thus, network operators need a mechanism to differentiate between unauthorized and legitimate route announcements. The Global Routing Intelligence Platform (GRIP) is state-of-the-art regarding MOAS and SubMOAS detection. GRIP automatically detects SubMOAS and MOAS, then performs initial filtering to tag obvious benign events and reduce the number of cases to investigate. Between January 1, 2020, and January 1, 2023, GRIP detected 4.5M MOAS and SubMOAS, and classified 4.36M as benign, leaving 134k events without explanation. We call them unexplained events. Likely, there are still many benign cases in those 134K events, and only a few should generate an alert. This work aims to uncover AS behaviors that could cause benign MOAS or SubMOAS events but are not currently considered in BGP hijacking detection systems. Upon examining these GRIP events between January 1, 2020, and January 1, 2023, we find that they are primarily caused by a small number of ASes. Therefore, we manually investigate these ASes repeatedly causing MOAS and SubMOAS, leveraging the data collected by GRIP. For example, this data includes the BGP AS path attribute and RPKI status.
In addition, we also use RIPE Stat API (routing history and ASN neighbor history), as well as WHOIS data (mainly aut-num/ASNumber and inet-num/NetRange objects).
The increasing prevalence of Internet of Things (IoT) devices has made them attractive targets for malware, highlighting the critical need to understand the dynamics of IoT Command and Control (C&C). While previous research observed short-lived C&Cs, recent observations indicate that the lifespan of domain names linked to IoT botnets is extending, deviating from previously recorded survival rates. To understand and characterize this emerging trend, we collected and examined 1049 IoT malware samples from late 2022 to early 2023, identifying 549 unique domains contacted by these samples. Domains were classified as malicious if detected by VirusTotal or followed a Domain Generation Algorithm pattern. Using data from WhoisXMLAPI and DNSDB Scout, we analyzed registration information and historical DNS resolutions, and identified relationships. Our findings reveal that the majority of C&C domains belong to Qsnatch and Mirai malware families, with an average lifespan of 2.7 years. Notably, seven active domains had an average lifespan of 5.7 years. We also observed a significant number of domains under the .vg and .ws TLDs, but with a lack of passive DNS and registration information.
While personalized recommendations improve user experience by aligning information with interests, they are alleged to narrow information acquisition, leading to a filter bubble. Prior studies have shown mixed findings on whether these systems limit or enhance content diversity. This study examines whether the YouTube recommendation system forms the filter bubbles and allows exits from the filter bubbles by ensuring the diversity of information. To assess the information dynamics by user-accessible data, we propose embedding similarity analysis based on feed-level video information. Through simulations of diverse user scenarios, our results demonstrate the dual role of recommendation systems in both fostering and hindering information diversity. It highlights the user's role in breaking the filter bubble on YouTube and suggests applications that help users recognize the current state of personalization.
Traffic delivery is fundamental for user experience on the Internet. To achieve this, Autonomous Systems (ASes) rely on their multiple connectivity options and manipulate prefix announcements to influence neighboring ASes' route decisions. One crucial aspect not yet investigated is how traffic engineering techniques may affect the prefix suitability of being hijacked or impacted by a route leak. We aim to examine how an AS's connectivity and inbound traffic engineering techniques influence routing security. We use the PEERING Testbed combined with data and control plane measurements to offer systematic analyses of these aspects. Our preliminary evaluation indicates that connectivity plays an important role and that using ASPP directly influences the security impacts.
QUICv2 and the "Greasing the QUIC Bit" have features designed to prevent the ossification (aka slowed progress in evolution) of the QUIC protocol. Historically, network middleboxes can become reliant on, for example, specific values or uses of header fields in QUIC packets. When changes are made to the fields, even though allowed by the specifications or for a new version of QUIC, middleboxes can negatively impact valid traffic or force a fallback to an older version of the protocol.
QUIC, a modern transport protocol, already encrypts all of its payload and most of its headers, making it less susceptible to a middlebox inspection and interference. However, there are still a few fields that are visible to observers. To counter ossification, QUIC has two extensions: QUICv2 and Greasing the QUIC Bit. Despite their importance, there has been no comprehensive study examining whether these anti-ossification features are actually adopted on the Internet. Adoption is crucial, as only widespread use can prevent middleboxes from ossifying QUIC.
We take the first step in comprehensively measuring the adoption of QUICv2 and the "Greasing the QUIC Bit". Unfortunately, our preliminary internet measurement of these features shows minimal adoption so far, with less than 0.013% of QUICv1 domains in our sample supporting the Greasing the QUIC bit and fewer than 0.003% adopting QUICv2. Future work will map out which domains, software stacks, and entities are leaders in adoption.
Routers are the core building block of the Internet infrastructure. Maintaining a secure router deployment is critical for protecting networks and providing uninterrupted, smooth operation. In this work, we take a first step toward analyzing routers' security on the Internet. We focus on the potential attack surface for routers, i.e., publicly exposed services. Specifically, we investigate what services are commonly running on known router IPv4 addresses. While exposed services may not pose an immediate risk, they do highlight failure to follow best practices, e.g., strict access control lists. We found that more than 40% of known router IPv4 addresses have at least one public-facing service. We also highlight the lack of consistency in applying network-wide security policies.
Large-scale Internet disruptions, ranging from complete disconnections to service degradations, are increasingly common, due to factors such as government-ordered shutdowns, infrastructure failures, and sophisticated traffic manipulation techniques. While existing detection platforms are effective at identifying complete disconnections, they fail to detect service degradations, such as those caused by throttling, intentional rerouting, or network attacks, which degrade performance without blocking connectivity. In this poster, we discuss our plan to improve Internet disruption investigation through additional metrics (loss, latency) and measurement techniques (traceroutes) to help identify such events and provide researchers with the network-level information necessary for investigation. Our method not only helps to identify service degradations missed by traditional connectivity checks but also provides data for generating insights into the underlying causes and impacts of Internet disruptions.
Efficient traffic delivery is a key aspect of Internet operations. To achieve this goal, network operators rely on expanding their footprint and performing inbound traffic engineering to influence other ASes' route decisions.
Internet eXchange Points (IXPs) are fundamental elements as they allow the interconnection of thousands of Autonomous Systems (ASes). The decision of where to interconnect directly impacts the AS' traffic delivery as each IXP offers different connectivity options. We analyze routing data from five relevant IXPs to understand the announced address space, whether ASes connected to multiple IXPs use traffic engineering to indicate a preferable IXP to exchange traffic, and the traffic engineering techniques used to try to influence other ASes' routing decisions.
While previous research focused on understanding the ecosystem and benefits of joining IXPs [2, 4], the traffic engineering aspects have not been deeply investigated. Motivated by this gap, we analyzed routing data from five IXPs. Our study examines the announced address space, evaluates whether ASes connected to multiple IXPs employ traffic engineering to signal a preferred IXP for traffic exchange, and explores the traffic engineering techniques utilized to influence routing decisions of other ASes.
We identify that half of the IXP members announce their entire address space at the IXP. We also observe that ASes connected to multiple IXPs tend to announce the same prefixes in both. Finally, when giving preference to a particular IXP, most ASes use a single inbound traffic engineering technique but have no clear preference for a given technique.
In May 2024, Rio Grande do Sul, Brazil's southernmost state, endured a month of severe rainfall, leading to extensive infrastructure damage in more than 400 cities. This major climatic event caused widespread disruptions to the state's infrastructure, including roads, bridges, electrical plants, data centers, communication systems, and homes, affecting millions of people. In this paper, we describe the datasets we are collecting from various sources, including official reports, IXP connectivity and routing information, Internet quality measurements, and failure reports from data centers, the ISPs association in the region, and the Brazilian National Research and Education Network. These datasets are being used to provide the first analyses of how these events affected the resilience of the Communication Technology (ICT) infrastructure in Rio Grande do Sul. We plan to make these datasets available to the community for future studies on the climate impact on communications infrastructure and to better identify the challenges faced when resilience is critically tested. Additionally, we hope this data can outline improvements in ICT infrastructure to enhance operations and aid in the reconstruction process.
The Internet has become an important part of our lives today, hence ensuring its security and reliability is critical. Internet outages happen frequently due to various factors, including human interventions, natural disasters, and power outages. A key question is whether hosts become vulnerable when a network recovers from an outage impacting Internet infrastructure. This could happen if firewalls malfunction, even for a short while, allowing some ports to become unexpectedly open. This can potentially lead to exposure of previously restricted services to external users, making the network vulnerable to security threats. Previous work has shown that, in general, unnecessary open ports can increase vulnerabilities in systems. This study proposes a practical approach to examine network security post-outage by identifying newly open ports that can increase system vulnerability. The goal of this work is to show that such risks can indeed arise after an outage and that the proposed methodology detects these new ports.
Although the Internet ecosystem in East Africa has experienced significant growth as evidenced by the 115% increment in Internet users in Sub-Saharan Africa, we understand very little about the infrastructure's performance which is crucial, particularly in DNS resolution, ISP peering, and the use of IXPs. Previous studies highlighting the importance of IXPs and their positive impact on connectivity are qualitative with limited participants, limiting their completeness. To achieve a nuanced understanding of the East African Internet landscape, a more extensive and diverse sample size is needed, integrating both context from qualitative with the scale from quantitative methods. Additionally, prior studies focus on the period following the installation of submarine fiber-optic cables, which may not fully capture the current state of the Internet ecosystem. This study aims to use a mixed methods approach to provide a comprehensive assessment of the Internet infrastructure in East Africa.
The relationships between Autonomous Systems (ASes) are a crucial aspect of the Internet, as they reveal how it operates and influence routing decisions, as well as identifying BGP anomalies. However, most of the time this information is confidential, given that each AS is independently managed by different entities. This work aims to infer the types of relationships between ASes using a Graph Neural Network (GNN).
The Type of Relationship (ToR) problem has been a topic of study for the past two decades, with most solutions being heuristic. One of the biggest challenges this problem presents is the lack of ground truth information to validate the results.
Our preliminary results show an accuracy of 0.943 for binary classification and 0.936 for multiclass classification.
Resource Public Key Infrastructure (RPKI) is a critical component in securing the inter-domain routing infrastructure today. More than 50% of the routed IPv4 and IPv6 prefixes are covered by RPKI Route Origin Authorizations (ROAs). ROAs are cryptographically verifiable records of the Autonomous System (AS) authorized to originate routes to a set of prefixes. Network operators are increasingly relying on RPKI to validate routing information and reduce the spread of BGP hijacks and misconfigurations. RPKI infrastructure has five root authorities maintained by the five Regional Internet Registries (RIRs). Each root authority independently implements its RPKI infrastructure, choosing how to manage certificate production from its self-signed root of trust certificate. In this poster, we study the different designs of RPKI infrastructure across the five roots and how these differences impact the characteristics of the RPKI Certificate repository, such as scalability and compute requirements. We discover that some RPKI repositories are computationally more expensive than others due to their design.
Africa lags behind in broadband connectivity and performance. The internet cost remains significantly higher compared to the Global North, and users experience network delays, availability issues, and slow speeds. Several studies demonstrated that measuring internet performance in Africa will provide a better understanding of the reasons underpinning poor broadband performance and ultimately driving substantial improvements. While internet measurement is critical on the continent, effective measurement requires robust infrastructure. We recognize that robust network measurement is expensive but needs to be context-based and involve all the internet stakeholders from users to regulators to service providers and more. However, current measurement tools are mostly designed in the West and do not necessarily reflect Africa's broadband measurement challenges. To address this, we propose in this work a cost-effective and context-based mobile broadband measurement infrastructure.
Modern websites are complex and fetch content from a multitude of different servers or domains. When measuring the complexity of the modern web, an open question is how content that is fetched from these domains contributes to the rendered output of the website. In this poster, we present the Web Dependency Analyzer, a tool that is designed to automatically infer the domains that a website depends on and further analyze the impact of each domain on the rendered output of the site. Our Web Dependency Analyzer instructs a headless web browser to infer the resource dependencies from a large set of input domains and outputs the visual impact of the unavailability of each domain.