RIPE NCC

Amsterdam, Netherlands

News Article | May 21, 2017
Site: www.prlog.org

Joint cooperation with MENOG & RIPE NCC to help further utilise DNSSEC in developing Saudi Internet Domain Name System


Holterbach T.,ETH Zurich | Aben E.,RIPE NCC | Pelsser C.,University of Strasbourg | Bush R.,Internet Initiative Japan | Vanbever L.,ETH Zurich
ANRW 2017 - Proceedings of the Applied Networking Research Workshop, Part of IETF-99 Meeting | Year: 2017

It is a challenge to select the most appropriate vantage points in a measurement platform with a wide selection. RIPE Atlas [2], for example, currently has over 9600 active measurement vantage points, with selections based on AS, country, etc. A user is limited to how many vantage points they can use in a measurement. This is not only due to limitations the measurement platform imposes, but data from a large number of vantage points would produce a large volume to analyse and store. So it makes sense to optimize for a minimal set of vantage points with a maximum chance of observing the phenomenon in which the user is interested. Network operators often need to debug with only limited information about the problem ("Our network is slow for users in France!"). Doing a minimal set of measurements that would allow testing through a wide diversity of networks could be a valuable add-on to the tools available to network operators. Given platforms with numerous vantage points, we have the luxury of testing a large set of end-customer outgoing paths. A diversity metric would allow selection of the most dissimilar vantage points, while exploring from as diverse angles as possible, even with a limited probing budget. If one finds an interesting network phenomenon, one could use the similarity metric to advantage by selecting the most similar vantage points to the one exhibiting the phenomenon, to validate the phenomenon from multiple vantage points. We propose a novel means of selecting vantage points, not based on categorical properties such as origin AS, or geographic location, but rather on topological (dis)similarity between vantage points. We describe a similarity metric across RIPE Atlas probes, and show how it performs better for the purpose of topology discovery than the default probe selection mechanism built into RIPE Atlas. © 2017 ACM.


Candela M.,RIPE NCC | Di Bartolomeo M.,Third University of Rome | Di Battista G.,Third University of Rome | Squarcella C.,Sysdig Inc.
IEEE Transactions on Visualization and Computer Graphics | Year: 2017

Several projects deploy probes in the Internet. Probes are systems that continuously perform traceroutes and other networking measurements (e.g. ping) towards selected targets. Measurements can be stored and analyzed to gain knowledge on several aspects of the Internet, but making sense of such data requires suitable methods and tools for exploration and visualization. We present Radian, a tool that allows visualizing traceroute paths at different levels of detail and animating their evolution during a selected time interval. We also describe extensive tests of the tool using traceroutes performed by RIPE Atlas Internet probes. IEEE


Dainotti A.,University of Naples Federico II | Ammann R.,Auckland University of Technology | Aben E.,RIPE NCC | Claffy K.C.,University of California at San Diego
Computer Communication Review | Year: 2012

Unsolicited one-way Internet traffic, also called Internet background radiation (IBR), has been used for years to study malicious activity on the Internet, including worms, DoS attacks, and scanning address space looking for vulnerabilities to exploit. We show how such traffic can also be used to analyze macroscopic Internet events that are unrelated to malware. We examine two phenomena: country-level censorship of Internet communications described in recent work [17], and natural disasters (two recent earthquakes). We introduce a new metric of local IBR activity based on the number of unique IP addresses per hour contributing to IBR. The advantage of this metric is that it is not affected by bursts of traffic from a few hosts. Although we have only scratched the surface, we are convinced that IBR traffic is an important building block for comprehensive monitoring, analysis, and possibly even detection of events unrelated to the IBR itself. In particular, IBR offers the opportunity to monitor the impact of events such as natural disasters on network infrastructure, and in particular reveals a view of events that is complementary to many existing measurement platforms based on (BGP) control-plane views or targeted active ICMP probing.


News Article | November 2, 2016
Site: motherboard.vice.com

For pretty much any crime involving the internet, often the first step in an investigation is trying to figure out who is behind an IP address. But, according to the FBI and other law enforcement agencies, there is a problem: often it's unclear which organisations are actually in a position to respond to legal orders for information, because of the way that IP addresses are distributed by internet service providers (ISPs). In response, several law enforcement agencies are pushing for a change in how WHOIS data, the basic contact information of who is affiliated with an IP address, is recorded. Although likely not a privacy risk, the move, which will probably come into effect sometime in 2017, still presents a significant shake-up in how ISPs retain information. In the most innocuous cases, this problem can just be a waste of time, but in others it can present an urgent dilemma, FBI Supervisory Special Agent Robert Flaim told Motherboard in a phone call. According to a presentation from Flaim and other staff from the DEA and the Royal Canadian Mounted Police (RCMP), one case involved the online sexual extortion of a young girl. Because the WHOIS information was inaccurate, it took three months before law enforcement found the right ISP, all the while the girl was continually victimised. The issue is that it can take several attempts for agencies, including public safety and law enforcement, to find the right ISP to serve that court order on, because of how IP addresses are handled and allocated down a long chain of companies and organisations. At the top sit the five Regional Internet Registries (RIRs) which manage the allocation of IP addresses within different parts of the world. There's ARIN, or the American Registry for Internet Numbers; LACNIC, or the Latin American and Caribbean Network Information Centre; and so on.
RIRs allocate IP addresses to different ISPs. Then these ISPs may pass on those IP addresses to more local ISPs or other services. It's these smaller organisations that are typically the issue. "As you continue to get further down the chain with sub-allocations, many are not putting that information in the WHOIS," Flaim told Motherboard. What this means, according to Flaim, is that agencies end up getting bounced from one ISP to another before they eventually find the right one to start the legal process with: law enforcement don't know exactly who will actually be able to help from the outset. "Sometimes it may be one layer down, sometimes it can be four, five," Flaim said. Sub-allocation of IP addresses and unreliable WHOIS information can also allow cybercriminals to hijack blocks of addresses, and send spam. So the FBI, DEA and RCMP have proposed a solution: each time an ISP sub-allocates some addresses, that is recorded in the WHOIS. This way, agencies won't have to go asking around trying to find the ISP that just happens to have this data. They can just go to whoever is actually handling the respective IP address. Most of the RIRs declined to comment for this story, but RIPE NCC, which handles IP addresses for Europe, was supportive of the proposed policy. "The RIPE NCC applauds law enforcement for approaching RIPE and the other Regional Internet Registry (RIR) communities to find a solution to this issue. Accurate WHOIS data is crucial to effective Internet operations as well as criminal investigations," Marco Hogewoning, External Relations Officer, Technical Advisor with the RIPE NCC, told Motherboard in a statement. According to Flaim, after each of the RIRs hold their spring 2017 meetings, and if the policy is accepted, which may only be slightly different for each region, it could come into effect by the end of next year.


Dainotti A.,University of Naples Federico II | Squarcella C.,Third University of Rome | Aben E.,RIPE NCC | Claffy K.C.,CAIDA UCSD | And 3 more authors.
Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC | Year: 2011

In the first months of 2011, Internet communications were disrupted in several North African countries in response to civilian protests and threats of civil war. In this paper we analyze episodes of these disruptions in two countries: Egypt and Libya. Our analysis relies on multiple sources of large-scale data already available to academic researchers: BGP interdomain routing control plane data; unsolicited data plane traffic to unassigned address space; active macroscopic traceroute measurements; RIR delegation files; and MaxMind's geolocation database. We used the latter two data sets to determine which IP address ranges were allocated to entities within each country, and then mapped these IP addresses of interest to BGP-announced address ranges (prefixes) and origin ASes using publicly available BGP data repositories in the U.S. and Europe. We then analyzed observable activity related to these sets of prefixes and ASes throughout the censorship episodes. Using both control plane and data plane data sets in combination allowed us to narrow down which forms of Internet access disruption were implemented in a given region over time. Among other insights, we detected what we believe were Libya's attempts to test firewall-based blocking before they executed more aggressive BGP-based disconnection. Our methodology could be used, and automated, to detect outages or similar macroscopically disruptive events in other geographic or topological regions. © 2011 ACM.


Dainotti A.,University of California at San Diego | Squarcella C.,Third University of Rome | Aben E.,RIPE NCC | Claffy K.C.,University of California at San Diego | And 3 more authors.
IEEE/ACM Transactions on Networking | Year: 2014

In the first months of 2011, Internet communications were disrupted in several North African countries in response to civilian protests and threats of civil war. In this paper, we analyze episodes of these disruptions in two countries: Egypt and Libya. Our analysis relies on multiple sources of large-scale data already available to academic researchers: BGP interdomain routing control plane data, unsolicited data plane traffic to unassigned address space, active macroscopic traceroute measurements, RIR delegation files, and MaxMind's geolocation database. We used the latter two data sets to determine which IP address ranges were allocated to entities within each country, and then mapped these IP addresses of interest to BGP-announced address ranges (prefixes) and origin autonomous systems (ASs) using publicly available BGP data repositories in the US and Europe. We then analyzed observable activity related to these sets of prefixes and ASs throughout the censorship episodes. Using both control plane and data plane data sets in combination allowed us to narrow down which forms of Internet access disruption were implemented in a given region over time. Among other insights, we detected what we believe were Libya's attempts to test firewall-based blocking before they executed more aggressive BGP-based disconnection. Our methodology could be used, and automated, to detect outages or similar macroscopically disruptive events in other geographic or topological regions. © 2014 IEEE.


Fanou R.,IMDEA Madrid Institute for Advanced Studies | Fanou R.,Charles III University of Madrid | Francois P.,Charles III University of Madrid | Aben E.,RIPE NCC
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) | Year: 2015

With IP networking booming in Africa, promotion of BGP peering in the region emerges, and changes in the transit behavior of ISPs serving Africa are expected. However, little is known about the IP transit topology currently forming the African Internet. Enhancing the RIPE Atlas infrastructure, we evaluate the topology interconnecting ISPs based on the continent. We reveal a variety of ISP transit habits, depending on a range of factors such as the official language or the business profile of the ISP. We highlight the emergence of IXPs in Africa, evaluating its impact on end-to-end connectivity. Our results however emphasize the remaining dominance of ISPs based outside Africa, for the provision of intra-continental paths. We study the impact of this aspect on AS path length and end-to-end delay. Such results illustrate that performing measurements from a broad, diversified, range of vantage points is necessary to assess interdomain routing on the continent. © Springer International Publishing Switzerland 2015.


Dhamdhere A.,University of California at San Diego | Luckie M.,University of California at San Diego | Huffaker B.,University of California at San Diego | Claffy K.,University of California at San Diego | And 2 more authors.
Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC | Year: 2012

We use historical BGP data and recent active measurements to analyze trends in the growth, structure, dynamics and performance of the evolving IPv6 Internet, and compare them to the evolution of IPv4. We find that the IPv6 network is maturing, albeit slowly. While most core Internet transit providers have deployed IPv6, edge networks are lagging. Early IPv6 network deployment was stronger in Europe and the Asia-Pacific region, than in North America. Current IPv6 network deployment still shows the same pattern. The IPv6 topology is characterized by a single dominant player - Hurricane Electric - which appears in a large fraction of IPv6 AS paths, and is more dominant in IPv6 than the most dominant player in IPv4. Routing dynamics in the IPv6 topology are largely similar to those in IPv4, and churn in both networks grows at the same rate as the underlying topologies. Our measurements suggest that performance over IPv6 paths is comparable to that over IPv4 paths if the AS-level paths are the same, but can be much worse than IPv4 if the AS-level paths differ. © 2012 ACM.


Benson K.,University of California at San Diego | Dainotti A.,University of California at San Diego | Claffy K.C.,University of California at San Diego | Aben E.,RIPE NCC
2013 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2013 | Year: 2013

Internet Background Radiation (IBR) is unsolicited network traffic mostly generated by malicious software, e.g., worms, scans. In previous work, we extracted a signal from IBR traffic arriving at a large (/8) segment of unassigned IPv4 address space to identify large-scale disruptions of connectivity at an Autonomous System (AS) granularity, and used our technique to study episodes of government censorship and natural disasters [1]. Here we explore other IBR-derived metrics that may provide insights into the causes of macroscopic connectivity disruptions. We propose metrics indicating packet loss (e.g., due to link congestion) along a path from a specific AS to our observation point. We use three case studies to illustrate how our metrics can help identify packet loss characteristics of an outage. These metrics could be used in the diagnostic component of a semi-automated system for detecting and characterizing large-scale outages. © 2013 IEEE.
