Communication Systems Group Blog

On Oct 29 2012 in the evening the storm surge that hurricane Sandy caused hit the east coast of North America, and in particular New Jersey and New York. Wikipedia reports that in total 22 US states and a large portion of Eastern Canada are suffering from the direct consequences of the storm. The implications on the people living in these areas can hardly be imagined, and we send our sympathies and our best hopes for a fast recovery from the damage. Indeed, the damage done is large enough to have global impact. Even Internet reachability is impaired, and the results can be perceived from far-away Europe, as will be detailed in this blog post.

Dominik Schatzmann, a Ph.D. student in Bernhard Plattner‘s group (EDIT 2012-11-30: now Dr Schatzmann), has been investigating Internet reachability problems for his thesis for the last 4 years. His approach is orthogonal to conventional techniques which rely on control plane information or active probing for finding outages. In contrast, Dominik is using the information contained in NetFlow data from live traffic to detect which destinations could not be reached. The rational behind this approach is two-fold. First, by using passive measurements which are conducted for billing purposes anyway, there is no additional load on the Internet. Second, as the outage detection is driven by actual connection attempts, it is very simple to see which of the unreachable portions of the Internet are most important to the users. Both of these properties are desirable from an ISP’s perspective, as this reduces measurement cost and allows to solve the most important problems first. A summary about the Flow-Based Approach for Connectivity Tracking (FACT) used to analyze the impact of the hurricane on the Internet was recently presented at the Passive Active Measurement Conference (PAM). In the meanwhile, a master student of ours (thesis to be published) reduced the noise level of the approach by priming FACT with “stable server sockets”.

Remarkably, the technique is sensitive enough to detect data center and routing outages on a global level based on measurement data collected on the border of the SWITCH network, the swiss national research and education network. The plot below shows how many BGP prefixes have been found “unreachable” within 5 minute time bins by a certain number of local clients. The grey area corresponds to at least a single client, the red area to at least ten clients, and the blue area to at least ten clients, but filtered for US destinations only. The picture actually shows two independent incidents: First, the impact of Sandy on US reachability, and second a router outage several days later.

As can be seen a certain level of permanent background noise manifests in the gray area, showing a time-of-day pattern induced by the local client population. However, when comparing the outage periods that affect at least 10 clients we see that the noise is mostly canceled out and almost all of the affected prefixes are located in the US. The outages started only a few hours after Sandy entered the continent, and continued for a couple of days loosely following the time-of-day pattern with peaks around noon.

On Nov 2nd around midnight UTC a different kind of incident happened. In particular, a router inside the SWITCH network crashed due to a bug in the router firmware. This pattern looks quite different. First, the fraction of US based prefixes affected is a lot lower (note the log scale!). Second, the effect manifests in the early morning hours when typically there is a minimum in the time-of-day pattern. Yet, the overall magnitude is higher than for the outages induced by Sandy, thus highlighting the effect of locality.

We further broke down the locations of prefixes located in the US on the first day of the Sandy outage with the Maxmind geolocation database. The result is shown in the picture below.

There are two interesting observations. First, the prefixes hosted on the Bermudas – completely covered by the large red dot on the picture – caused a lot of discontent among SWITCH clients. One may be wondering why this is the case. Indeed, here are two factors involved. First, the QuoVadis certificate service, part of which is hosted on the Bermudas, was not reachable any more. And second, the connectivity to the Bermudas is relayed through New York, either directly or via New Jersey or, a few hops longer, through Brazil. Similar to the Bermudas, other locations in the US have been affected as well, including the center and the west coast. Checking the global picture, even some reachability impairment towards China could been observed.

Overall, we think it is fair to claim that Sandy had a global impact on Internet reachability. FACT can be used to detect such problems and quantify their importance from an ISP’s perspective. As such it is complementary to control plane analysis and to active measurement based approaches.

Dominik will defend his Ph.D. thesis tomorrow. We all wish him the best of luck! Moreover, we want to thank SWITCH and in particular Simon Leinen for supporting us and making this research possible.

EDITED 2012-12-18: Gave Dr Schatzmann his proper title — neuhaus

Yesterday’s post was about the exciting keynote at this year’s MetriSec. Today’s post is about another highlight, the panel.

One of the biggest problems in empirical studies about computer security is the data. Usually you can’t control the data acquisition process yourself; instead, you need to take other people’s work and use that. For example, you could be using Mozilla Foundation Security Advisories, or the National Vulnerability Database. Then the question is, to what extent can you trust this information to be complete and unbiased?

The answer is that you cannot, at least not without knowing the process by which these databases are created. For example, many researchers have for years believed that the NVD constitutes some kind of ground truth. If that were true, then one would expect that entries that have been in the NVD for some time will in general not change. Work currently being done here at ETH indicates, however, that the amount of change, or churn, in the NVD is quite high, and that even very old entries get changed!

The panel discussion at MetriSec will discuss these problems. I will moderate, and participants will be at least Laurie Williams, Peter Gutmann, and Fabio Massacci. All three have much experience with empirical work, so I expect a high-class discussion.

And this is why you should come to MetriSec 2012, too!

[Edit 2012-07-18: Added Fabio as panelist.]

This post is not a technical article, but in-house advertising.  I am a proud co-chair of MetriSec 2012, an international workshop on security metrics and related topics.  This year’s programme is a bit unusual. Sure, we have papers, but we also have two more big attractions: the keynote speech and a panel discussion. This post is about the keynote speech; the panel discussion will be the subject of a future post.

This year’s keynote will be given by Peter Gutmann, whose book Cryptographic Security Architecture: Design and Verification should be on every security practicioner’s bookshelf. I know Peter from way back, when we were members of the PGP 2.0 development team.  That must have been in 1992 or so. Peter is one of those rare people who have deep knowledge at magnifications spanning several orders of magnitude. You can talk to him about X.509 minutiae or about human factors in security engineering (a topic about which, in his own words, he occasionally grumbles about).

For most of us mere mortals, even a single paper at Usenix Security is a lifetime dream that often goes unfulfilled. Peter has seven papers published at Usenix Security, the first in 1996 and then in six straight years from 1998 to 2003. (One wonders what happened in 1997.) His most often cited paper is at the same time his most misunderstood: Secure Deletion of Data from Magnetic and Solid-State Memory (Usenix Security 1996) showed, first, how overwriting data on MFM- or RLL-encoded hard drives leaves enough traces of the original data to allow its eventual recovery, and, second, how to choose bit patterns that will cause the magnetic fields generated by the write head to fluctuate in just the right manner that deletion will be “deep” and recovery of the original data all but impossible. The paper gave 35 such bit patterns that resulted from an analysis of the specific data encodings, but of course, what happened later was that the article was very badly misunderstood. It’s worth quoting from Peter’s epilogue to his paper:

In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don’t understand that statement, re-read the paper). If you’re using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, “A good scrubbing with random data will do about as well as can be expected”. This was true in 1996, and is still true now.

Indeed, when you use Apple’s Disk Utility to securely delete data on a drive, you will find three options: the first option is to use one pass (probably with zeroes or pseudorandom data), the second option uses seven passes (probably a variation of DoD 5220.22-M), and the third option, called “Most Secure”, uses, you guessed it, thirty-five passes. And this despite the fact that “you never need to perform all 35 passes”.

Peter’s keynote, From Revenue Assurance to Assurance: The Importance of Measurement in Computer Security, will draw lessons from the way telecoms used metrics to bill for mobile phone usage and apply them to the field of security. I am greatly looking forward to this talk, and if you are involved with security or measurement or both, I dare say you could benefit greatly from it.

So, do consider registering to MetriSec, I’m sure it will be worth your while.

[Edited 2012-07-09: Re-worded intro, fixed small language issues.]

A happy 2012 to all, from the Communication Systems Group!

I have recently read a book about the history of statistics, and the author made me aware of several books by R. A Fisher, or, to give his full name, Sir Ronald A. Fisher, Sc.D., FRS, one of the giants of the field.

Fisher produced three books in particular that are the main source of his fame. These are “Statistical Methods for Research Workers”, “The Design of Experiments”, and “Statistical Methods and Scientific Inference”, and all three are available in an omnibus edition for a reasonable price.

Continue reading →

Recently I was contacted on Facebook by a good-looking girl called Sonya Peter, roughly at my age. Like me, she is working at ETH Zurich and she even has a common friend with me. Also her taste of music matched mine quite well. But no matter how hard I tried, I couldn’t remember meeting her. Continue reading →

In conferences, I often come across science that is great. Results are amazing, people have done something that was thought not to be doable, or they have built a system that has incredible properties.

However, that same science is often presented in a way that makes it clear that the presenter has more confidence in his science than in the presentation.

Continue reading →