Mark Allman

University of California, Berkeley | UCB


156
Publications
19,402
Reads
8,647
Citations


Publications (156)
Preprint
Full-text available
The closed design of mobile devices -- with the increased security and consistent user interfaces -- is in large part responsible for their becoming the dominant platform for accessing the Internet. These benefits, however, are not without a cost. The operation of mobile devices and their apps is not easy to understand by either users or operator...
Conference Paper
The Domain Name System (DNS) leverages nearly 1K distributed servers to provide information about the root of the Internet's namespace. The large size and broad distribution of the root nameserver infrastructure has a number of benefits, including providing robustness, low delays to topologically close root servers and a way to cope with the immens...
Preprint
Obtaining sound inferences over remote networks via active or passive measurements is difficult. Active measurement campaigns face challenges of load, coverage, and visibility. Passive measurements require a privileged vantage point. Even networks under our own control too often remain poorly understood and hard to diagnose. As a step toward the de...
Article
Authoritative DNS servers are susceptible to being leveraged in denial of service attacks in which the attacker sends DNS queries while masquerading as a victim---and hence causing the DNS server to send the responses to the victim. This reflection off innocent DNS servers hides the attacker's identity and often allows the attackers to amplify their...
Conference Paper
Authoritative DNS nameservers are vulnerable to being used in denial of service attacks whereby an attacker sends DNS queries while masquerading as a victim---hence coaxing the DNS server to send the responses to the victim. Reflecting off innocent DNS servers both hides the attacker's identity and often amplifies the attacker's traffic by turning sm...
Conference Paper
We develop and validate Internet path measurement techniques to distinguish congestion experienced when a flow self-induces congestion in the path from when a flow is affected by an already congested path. One application of this technique is for speed tests, when the user is affected by congestion either in the last mile or in an interconnect link...
Conference Paper
The right vantage point is critical to the success of any active measurement. However, most research groups cannot afford to design, deploy, and maintain their own network of measurement endpoints, and thus rely on measurement infrastructure shared by others. Unfortunately, the mechanism by which we share access to measurement endpoints today is not f...
Article
In this paper we investigate the vulnerability of the Internet Group Management Protocol (IGMP) to be leveraged for denial-of-service (DoS) attacks. IGMP is a connectionless protocol and therefore susceptible to attackers spoofing a third-party victim's source address in an effort to coax responders to send their replies to the victim. We find 305K...
Article
Measurement has become fundamental to the operation of networks and at-scale services---whether for management, security, diagnostics, optimization, or simply enhancing our collective understanding of the Internet as a complex system. Further, measurements are useful across points of view---from end hosts to enterprise networks and data centers to...
Conference Paper
Full-text available
As ISPs face IPv4 address scarcity they increasingly turn to network address translation (NAT) to accommodate the address needs of their customers. Recently, ISPs have moved beyond employing NATs only directly at individual customers and instead begun deploying Carrier-Grade NATs (CGNs) to apply address translation to many independent and disparate...
Article
The most important consideration is how the collection of measurements may affect a person's well-being.
Article
Full-text available
Third-party services form an integral part of the mobile ecosystem: they allow app developers to add features such as performance analytics and social network integration, and to monetize their apps by enabling user tracking and targeted ad delivery. At present users, researchers, and regulators all have at best limited understanding of this third-...
Article
As the Internet grows in size, complexity, and the role it plays in modern society, measuring the Internet is increasingly critical to guide its continued evolution. Yet the scale, diversity, opacity, and ethical implications of conducting Internet experiments make it difficult to obtain an accurate and representative understanding of the network's...
Article
Full-text available
As ISPs face IPv4 address scarcity they increasingly turn to network address translation (NAT) to accommodate the address needs of their customers. Recently, ISPs have moved beyond employing NATs only directly at individual customers and instead begun deploying Carrier-Grade NATs (CGNs) to apply address translation to many independent and disparate...
Conference Paper
We present techniques for detecting unauthorized DNS root servers in the Internet using primarily endpoint-based measurements from RIPE Atlas, supplemented with BGP routing announcements from RouteViews and RIPE RIS. The first approach analyzes the latency to the root server and the second approach looks for route hijacks. We demonstrate the import...
Conference Paper
The Domain Name System (DNS) is a critical component of the Internet infrastructure as it maps human-readable hostnames into the IP addresses the network uses to route traffic. Yet, the DNS behavior of individual clients is not well understood. In this paper, we present a characterization of DNS clients with an eye towards developing an analytical...
Conference Paper
As part of TCP's steady evolution, recent standards have recommended mechanisms to protect against weaknesses in TCP. But adoption, configuration, and deployment of TCP improvements can be slow. In this work, we consider the resilience of deployed TCP implementations to blind in-window attacks, where an off-path adversary disrupts an established co...
Article
Full-text available
Despite our growing reliance on mobile phones for a wide range of daily tasks, we remain largely in the dark about the operation and performance of our devices, including how (or whether) they protect the information we entrust to them, and with whom they share it. The absence of easy, device-local access to the traffic of our mobile phones present...
Article
With the ongoing exhaustion of free address pools at the registries serving the global demand for IPv4 address space, scarcity has become reality. Networks in need of address space can no longer get more address allocations from their respective registries. In this work we frame the fundamentals of the IPv4 address exhaustion phenomena and connecte...
Conference Paper
The Domain Name System (DNS) is a critical component of the Internet infrastructure that has many security vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. We propose an unorthodox approach for tackling vulnerabilities in shared DNS resolvers: removing shared DNS resolvers entirely and leaving r...
Article
Understanding, measuring, and debugging IP networks, particularly across administrative domains, is challenging. One particularly daunting aspect of the challenge is the presence of transparent middleboxes---which are now common in today's Internet. In-path middleboxes that modify packet headers are typically transparent to a TCP, yet can impact en...
Conference Paper
We aim to broadly study the ways that modern applications use the underlying protocols and networks. Such an understanding is necessary when designing and optimizing lower-layer protocols. Traditionally—as prior work shows—applications have been well represented as bulk transfers, often preceded by application-layer handshaking. Recent suggestions...
Conference Paper
The Domain Name System (DNS) is a critical component of the Internet infrastructure as it maps human-readable names to IP addresses. Injecting fraudulent mappings allows an attacker to divert users from intended destinations to those of an attacker’s choosing. In this paper, we measure the Internet’s vulnerability to DNS record injection attacks—in...
Article
Spam is a never-ending issue that constantly consumes resources to no useful end. In this paper, we envision spam filtering as a pipeline consisting of DNS blacklists, filters based on SYN packet features, filters based on traffic characteristics and filters based on message content. Each stage of the pipeline examines more information in the messa...
Conference Paper
The Domain Name System (DNS) is a critical component of the Internet infrastructure. It allows users to interact with Web sites using human-readable names and provides a foundation for transparent client request distribution among servers in Web platforms, such as content delivery networks. In this paper, we present methodologies for efficiently di...
Article
The Internet crucially depends on the Domain Name System (DNS) to both allow users to interact with the system in human-friendly terms and also increasingly as a way to direct traffic to the best content replicas at the instant the content is requested. This paper is an initial study into the behavior and properties of the modern DNS system. We pas...
Article
The computer science research paper review process is largely human and time-intensive. More worrisome, review processes are frequently questioned, and often non-transparent. This work advocates applying computer science methods and tools to the computer science review process. As an initial exploration, we data mine the submissions, bids, reviews,...
Conference Paper
For analyzing network performance issues, there can be great utility in having the capability to measure directly from the perspective of end systems. Because end systems do not provide any external programming interface to measurement functionality, obtaining this capability today generally requires installing a custom executable on the system, wh...
Article
Full-text available
In this paper we offer an initial sketch of a new vantage point we are developing to study "the Web" and users' interactions with it: we have instrumented the Web browser itself. The Google Chrome browser provides an API to developers that allows the building of extensions to the base functionality. As part of this system, Chrome allows developers...
Article
There are many deployed approaches for blocking unwanted traffic, either once it reaches the recipient's network, or closer to its point of origin. One of these schemes is based on the notion of traffic carrying capabilities that grant access to a network and/or end host. However, leveraging capabilities results in added complexity and additional s...
Article
This paper discusses a way to communicate without relying on fixed infrastructure at some central hub. This can be useful for bootstrapping loosely connected peer-to-peer systems, as well as for circumventing egregious policy-based blocking (e.g., for censorship purposes). Our techniques leverage the caching and aging properties of DNS records to c...
Article
The Internet has changed dramatically in recent years. In particular, the fundamental change has occurred in terms of who generates most of the content, the variety of applications used and the diverse ways normal users connect to the Internet. These factors have led to an explosion of the amount of user-specific meta-information that is required t...
Conference Paper
Full-text available
Previous work has shown that the network dynamics experienced by both the initial packet and an entire connection carrying an email can be leveraged to classify the email as spam or ham. In the case of packet properties, the prior work has investigated their efficacy based on models of traffic collected from around the world. In this paper, we firs...
Article
In this paper we propose a system that will allow people to communicate their status with friends and family when they find themselves caught up in a large disaster (e.g., sending "I'm fine" in the immediate aftermath of an earthquake). Since communication between a disaster zone and the non-affected world is often highly constrained we design the...
Conference Paper
Full-text available
Timeouts play a fundamental role in network protocols, controlling numerous aspects of host behavior at different layers of the protocol stack. Previous work has documented a class of Denial of Service (DoS) attacks that leverage timeouts to force a host to preserve state with a bare minimum level of interactivity with the attacker. This paper cons...
Conference Paper
In this paper we analyze three and a half years of HTTP traffic observed at a small research institute to characterize the evolution of various facets of web operation. While our dataset is modest in terms of user population, it is unique in its temporal breadth. We leverage the longitudinal data to study various characteristics of the traffi...
Article
Full-text available
This document proposes a new mechanism for TCP and Stream Control Transmission Protocol (SCTP) that can be used to recover lost segments when a connection’s congestion window is small. The "Early Retransmit" mechanism allows the transport to reduce, in certain special circumstances, the number of duplicate acknowledgments required to trigger a fas...
Conference Paper
Today's networks discriminate towards or against traffic for a wide range of reasons, and in response end users and their applications increasingly attempt to evade monitoring and control, resulting in an ongoing tussle whose roots run deep. In this work we explore an architectural paradigm that can accommodate such tussles in a systematic and tran...
Conference Paper
Full-text available
Although TCP behavior is one of the most studied aspects of Internet traffic, little is known about TCP performance within modern enterprise networks. In this paper we analyze aspects of TCP performance observed in packet traces taken over four months from a medium-sized enterprise. We assess the prevalence of broken TCP transactions, appl...
Article
Careless selection of the ephemeral port number portion of a transport protocol's connection identifier has been shown to potentially degrade security by opening the connection up to injection attacks from "blind" or "off path" attackers—or, attackers that cannot directly observe the connection. This short paper empirically explores a number of alg...
Conference Paper
While residential broadband Internet access is popular in many parts of the world, only a few studies have examined the characteristics of such traffic. In this paper we describe observations from monitoring the network activity for more than 20,000 residential DSL customers in an urban area. To ensure privacy, all data is immediately anonymized. W...
Conference Paper
Full-text available
Web hosting providers are increasingly looking into dynamic hosting to reduce costs and improve the performance of their platforms. Instead of provisioning fixed resources to each customer, dynamic hosting maintains a variable number of application instances to satisfy current demand. While existing research in this area has mostly focused on the...
Conference Paper
Full-text available
The complexity of modern enterprise networks is ever-increasing, and our understanding of these important networks is not keeping pace. Our insight into intra-subnet traffic (staying within a single LAN) is particularly limited, due to the widespread use of Ethernet switches that preclude ready LAN-wide monitoring. We have recently undertaken an...
Conference Paper
Full-text available
Security in the WWW architecture is based on authenticating the source server and securing the data during transport without considering the content itself. The traditional assumption is that a page is as secure as the server hosting it. However, modern web sites often have a composite structure where components of the web page are authored by diff...
Article
This document proposes a small modification to the way TCP increases its congestion window. Rather than the traditional method of increasing the congestion window by a constant amount for each arriving acknowledgment, the document suggests basing the increase on the number of previously unacknowledged bytes each ACK covers. This change improves the...
Article
Full-text available
This document presents some observations on "simple best-effort traffic", defined loosely for the purposes of this document as Internet traffic that is not covered by Quality of Service (QOS) mechanisms, congestion-based pricing, cost-based fairness, admissions control, or the like. One observation is that simple best-effort traffic serves a useful...
Conference Paper
Often when assessing complex network behavior a single measurement is not enough to gain a solid understanding of the root causes of the behavior. In this initial paper we argue for thinking about "measurement" as a process rather than an event. We introduce reactive measurement (REM), which is a technique in which one measurement's results a...
Conference Paper
In this paper we describe a new measurement framework that researchers can use to abstract away some of the mundane logistic details that tend to dog every measurement project. The measurement community has outlined the need for better ways to gather assessments from a multitude of vantage points and our system is designed to be an open community...
Article
Flow records gathered by routers provide valuable coarse-granularity traffic information for several measurement-related network applications. However, due to high volumes of traffic, flow records need to be sampled before they are gathered. Current ...
Conference Paper
I provide several lessons learned from running a number of conference program committees over the past decade, as well as some additional thoughts on conference organization and the reviewing process. Topics include how to deal with poor or absent reviewers, ...
Conference Paper
We argue that for both defending against attacks and apprehending the scope of attacks after they are detected, there is great utility in attaining views of network activity that are unified across time and space. By this we mean enabling operators to apply particular analyses to both past and future activity in a coherent fashion, and applied...
Article
This report describes a method for using spurious retransmission timeouts to determine when the retransmission timeout is not accurately capturing the delay variance in the network. We account for this by adapting the way TCP's retransmission timeout is computed in an effort to avoid subsequent unnecessary retransmissions.
Conference Paper
In this note we discuss issues surrounding how to provide and use network measurement data made available for sharing among researchers. While previous work has focused on the technical details of enabling sharing via traffic anonymization, we focus on higher-level aspects of the process such as potential harm to the provider (e.g., by de-anony...
Article
Determining an appropriate sending rate when beginning data transmission into a network with unknown characteristics is a fundamental issue in best-effort networks. Traditionally, the slow-start algorithm has been used to probe the network path for an appropriate sending rate. This paper provides an initial exploration of the efficacy of an alterna...
Conference Paper
Incessant scanning of hosts by attackers looking for vulnerable servers has become a fact of Internet life. In this paper we present an initial study of the scanning activity observed at one site over the past 12.5 years. We study the onset of scanning in the late 1990s and its evolution in terms of characteristics such as the number of scanners, t...
Article
Full-text available
The Internet's architecture largely and implicitly assumes full-time connectivity, a notion that is embodied in key networking principles including fate sharing, soft state, and the end-to-end principle. In contrast, efforts to allow for more graceful operation in the presence of forced disconnectedness have recently been undertaken that change t...
Article
Cryptographic security mechanisms often assume that keys or certificates are strongly tied to a party's identity. This requirement can in practice impose a high bar on making effective use of the cryptographic protections, because securing the coupling between credentials and actual identity can prove to be an arduous process. We frame a more rel...
Article
Measurements related to security are being carried out on many sites on the Internet at network ingress points, between specific points on the Internet, and across the wide area Internet. The goals range from identifying sources of and possibly filtering unwanted traffic, to characterizing and coming up with new mechanisms for deterring attacks. Most...
Article
Full-text available
Releasing network measurement data---including packet traces---to the research community is a virtuous activity that promotes solid research. However, in practice, releasing anonymized packet traces for public use entails many more vexing considerations than just the usual notion of how to scramble IP addresses to preserve privacy. Publishing trace...
Article
Full-text available
In this paper we propose an architecture for using cross-organization information sharing to identify members of a group of hosts enslaved for malicious purposes on the Internet. We root our system in so-called "detectives"— savvy network monitors like sophisticated intrusion detection systems or honeyfarms that have a deep understanding of ma...
Article
Full-text available
We present an architecture for large-scale sharing of past behavioral patterns about network actors (e.g., hosts or email addresses) in an effort to inform policy decisions about how to treat future interactions. In our system, entities can submit reports of certain observed behavior (particularly attacks) to a distributed database. When deciding w...
Article
Full-text available
In this paper we explore the evolution of both the Internet's most heavily used transport protocol, TCP, and the current network environment with respect to how the network's evolution ultimately impacts end-to-end protocols. The traditional end-to-end assumptions about the Internet are increasingly challenged by the introduction of intermediary ne...
Article
Full-text available
In this note we explore the various causes of micro-bursting in TCP connections and also the behavior of several mitigations that have been suggested in the literature along with extensions we develop herein. This note methodically sketches the behavior of the mitigations and presents the tradeoffs of various schemes as a data point in the ongoing...
Conference Paper
Full-text available
Periodically in the transport protocol research community, the idea of introducing a burst mitigation strategy is voiced. In this paper we assess the prevalence and implications of bursts in the context of real TCP traffic in order to better inform a decision on whether TCP's congestion control algorithms need to incorporate some form of burst suppres...
Article
Full-text available
This paper explores the Quick-Start mechanism, designed to allow transport protocols to explicitly request permission from the routers along a network path to send at a higher rate than normally allowed by traditional congestion control mechanisms. If the routers are underutilized, they may approve the sender's request for a higher sending rate; o...
Conference Paper
Full-text available
While wide-area Internet traffic has been heavily studied for many years, the characteristics of traffic inside Internet enterprises remain almost wholly unexplored. Nearly all of the studies of enterprise traffic available in the literature are well over a decade old and focus on individual LANs rather than whole sites. In this paper we presen...
Article
Current congestion control algorithms treat packet loss as an indication of network congestion, under the assumption that most losses are caused by router queues overflowing. In response to losses (congestion), a sender reduces its sending rate in an effort to reduce contention for shared network resources. In network paths where a non-negligible p...
Article
Wireless and satellite networks often have non-negligible packet corruption rates that can significantly degrade TCP performance. This is due to TCP’s assumption that every packet loss is an indication of network congestion (causing TCP to reduce the transmission rate). This problem has received much attention in the literature. In this paper, we t...
Conference Paper
Full-text available
In this paper we explore the evolution of both the Internet's most heavily used transport protocol, TCP, and the current network environment with respect to how the network's evolution ultimately impacts end-to-end protocols. The traditional end-to-end assumptions about the Internet are increasingly challenged by the introduction of intermediary ne...
Article
Estimating loss rates along a network path is a problem that has received much attention within the research community. However, deriving accurate estimates of the loss rate from TCP transfers has been largely unaddressed. In this paper, we first show that using a simple count of the number of retransmissions yields inaccurate estimates of the loss...
Article
Wireless and satellite networks have non-negligible error rates that can significantly influence TCP performance because TCP considers every packet loss as an indicator of congestion, and thus throttles the packet transmission rate. Explicit transport error notification (ETEN) mechanisms can aid TCP in distinguishing packets that are lost due to co...
Article
This paper presents a preliminary performance analysis of a complex middlebox infrastructure in a real-world production environment that serves several thousand people. While prevalent, middleboxes (firewalls, NATs, etc.) have yet to be systematically measured. This paper makes two contributions: (i) we outline several methodologies and metrics by w...
Article
Routers making use of Random Early Detection (RED) queueing take action to notify sources of growing congestion levels in the network before their resources are exhausted. The RED system hinges on two calculations: tracking the average queue size and the probability that an incoming packet is marked for congestion. These two calculations can be don...
Article
This paper explores the complexity and performance of the XML-RPC system for remote method invocation. We developed a program that can use either XML-RPC-based network communication or a hand-rolled version of networking code based on the java.net package. We first compare our two implementations using traditional object-oriented metrics. In additi...
Article
Full-text available
This document presents a conservative loss recovery algorithm for TCP that is based on the use of the selective acknowledgment (SACK) TCP option. The algorithm presented in this document conforms to the spirit of the current congestion control specification (RFC 2581), but allows TCP senders to recover more effectively when multiple segments are lo...