IMC 2017 was a three-day conference that focused on internet measurements and analysis. The IMC is an internationally renowned conference that only accepts the best research papers for presentation. The acceptance rate in 2017 was 23%.
The IMC is relevant for SIDN Labs because it’s all about the notion underpinning the Dutch saying “meten is weten” (which can be roughly translated as “to measure is to know”). Specifically, it's about measuring as a means of improving things such as the security, stability, and resilience of the internet. It’s also relevant because the IMC attracts both academics and internet infrastructure operators. That enables us to pick up on new measurement research that other people are doing, and to share and discuss our own work with the IMC community.
Our second IMC publication in a row
We presented our research paper “Recursives in the Wild: Engineering Authoritative DNS servers”, in which we use measurements obtained with over 9000 RIPE Atlas probes, together with root and .nl traffic traces, to analyse how recursive DNS resolvers select authoritative name servers. We wrote the paper together with researchers at the University of Twente and the University of Southern California, who also operate B-root.
The main conclusion of our work is that the majority of resolvers prefer faster-responding name servers – but not exclusively. We therefore recommend replacing all unicast name servers with anycast services. Our colleagues on SIDN’s operations team will be taking up that recommendation and aim to create an authoritative set-up where every server is reachable via anycast.
Strong Dutch research presence in London
The Dutch internet measurements community was very well represented at the IMC, with SIDN Labs and the University of Twente's DACS group both present. Our DACS colleagues even managed to present three other publications at IMC 2017, in addition to our joint paper!
Mattijs Jonker and Anna Sperotto, together with researchers from CAIDA and Saarland University, used four different data sets to analyse distributed denial-of-service (DDoS) attacks over two years. Their finding: one-third of all /24 networks suffered at least one DoS over the measurement period – with an average of over 28,000 attacks every single day. The most targeted services were web, gaming and MySQL. Services that suffered attacks were more likely to migrate to a DDoS protection service.
DACS's second publication analysed a topic that is close to SIDN's heart: DNSSEC deployment. Except in .nl and a few other country-code TLDs, DNSSEC deployment remains very low. Taejoong Chung from Northeastern University, Roland van Rijswijk-Deij from the University of Twente and colleagues from University of Maryland and Duke University therefore had a look at the role that registrars play in the deployment of DNSSEC.
They found that many leading registrars don’t support DNSSEC, provide only partial support, or require users to follow cumbersome procedures to deploy DNSSEC. Some registrars would even allow an attacker to upload bogus DNSSEC DS records for any domain name, thereby making the domain effectively unavailable for a large part of the internet.
Not surprisingly, DACS's third publication related to DNS as well and even had a funky-sounding name (in Dutch, at least): Broad and Load-Aware Anycast Mapping with Verfploeter. The work was carried out by Wouter de Vries, together with Ricardo de O. Schmidt and John Heidemann, who are also part of our team of authors, and colleagues from USC.
They developed the Verfploeter tool to give operators more insight into their anycast deployments, in particular how the reachability of different anycast sites changes when adding a new site to an anycast service. Verfploeter uses active probing to make even small changes in an anycast catchment visible, giving operators the opportunity to fine-tune their deployments – even before the service is set up. The tool is publicly available.
And there's more
Those were of course not the only exciting publications presented at IMC 2017. There were many others, covering a wide range of topics such as measuring the adoption of BGP Blackholing, internet censorship, internet fraud and protocol deployment.
For example, Vasileios Giotsas and his co-authors found that the use of BGP blackholing – a popular tactic adopted by network operators to deal with DDoS attacks – is on the rise. Between 2014 and 2017, the number of blackholed prefixes increased six-fold.
Another challenging piece of work was the paper by Zhongjie Wang et al., who analysed the behaviour of state-level internet-scale censorship. Understanding such censorship is crucial if we want to develop circumvention strategies.
Internet fraud is common in the advertising industry, and DeBlasio et al. explored the dynamics of search advertiser fraud. One of their findings is that 50 per cent of new advertising accounts on the search engine Bing are fraudulent. However, the majority of those accounts are shut down within one day.
Mechanics for improving HTTPS security were analysed by Amann et al. Their findings show that, even though a number of mechanisms have been proposed to address the vulnerabilities of HTTPS and the underlying ecosystem, only a few of them have been adopted. The more complex solutions in particular have been widely ignored so far.
You can find lots more interesting papers on the website of the conference and we recommend taking some time to go through them.
We came back from London with a lot of new insights and inspiration for our current and future projects. We hope to be at the IMC again next year, when Boston is the host city. And of course we're aiming for a hat-trick of acceptances!