Center for Applied Internet Data Analysis

NGI Cooperative Agreement No. N66001-98-2-8922

Project Title: Predictability and Security of High Performance Networks

Organization: University of California - San Diego

AO Number: G835

Contract Number: N66001-98-2-8922

Start Date: September 15, 1997

End Date: October 15, 2001

Principal Investigator:

Dr. Kimberly Claffy
9500 Gilman Dr.
CAIDA at San Diego Computer Center UCSD MS#0505
La Jolla, CA 92093-0505
Phone: (858) 534-8333
Fax: (858) 534-5113
Email: kc@caida.org

Level of Participation - Billed: $ 2,971,812.00

Project URL: https://www.caida.org/funding/ngi1998/

Overall Objective: UCSD/CAIDA is focusing on advancing the capacity to monitor, depict, and predict traffic behavior on current and advanced networks through developing and deploying tools to better engineer and operate networks, to identify traffic anomalies in real time, and to better visualize data. UCSD/CAIDA's NGI project is divided into four tasks and one option.

Summary of Completed NGI Tasks

Task 1, Coral OC48mon/Gigabit Ethernet Monitor

Objective:

Collaborate with major Internet service providers and the University of Waikato to develop hardware and analysis tools (Coral Monitors) capable of providing real-time monitoring of optical, high performance networks at OC48 and Gigabit Ethernet speeds. This initiative draws upon state of the art developments in computer processing, network engineering, and data storage to develop tools capable of line-speed monitoring of traffic up to OC48 speeds for research and engineering purposes. Coral Monitors are used to characterize traffic traversing a high-speed link (in bytes, packets or flows) as well as that link's application and protocol workloads and source/destination traffic flow matrices.

Methodology:

CAIDA and the University of Waikato are designing a capture card with an innovative architecture comprised of Vitesse's ATM and POS OC48 chipsets with Xilinx FPGAs. The resulting DAG 4.2 capture card permits capture of every packet in both directions on a full 2.4 GB OC48 speed link.

An additional part of the Coral project is the development of an array of software tools to enable post-collection analysis of Coral trace files, traffic characterization, and continuous monitoring. This library includes utilities for flow analysis, generation of Autonomous System (AS) traffic matrices, identification of traffic composition by application or other category, and various protocol-centric analyses. It is written for ease of extensibility. Therefore, additional modules for custom analysis tasks of use to the research community can be easily added.

Accomplishments:

OC48 monitors: The University of Waikato team has succeeded in using their DAG 4.2 card to capture traces lasting between one and 75 minutes of OC48 traffic and then to perform extensive postprocessing and trace analysis on the collected data. Traces lasting 75 minutes yield 32 Gigabyte tracefiles. Waikato's OC48 DAG card has not yet been integrated or tested with CoralReef but it has been integrated and tested using NeTraMet. CAIDA tested beta OC48 cards and drivers from Lucent in a parallel effort to try CoralReef with commercially available OC48 cards. These efforts were terminated once it became clear that bug-free Lucent cards wouldn't be available any sooner than DAG cards. An OC48 capture box from Narus has also been acquired for testing and calibration.

Gigabit Ethernet monitors: CAIDA has acquired and is testing some beta Gigabit Ethernet cards and drivers from Lucent. CoralReef access to these cards works well, but the cards and drivers continue to exhibit failures due to bugs and need to be improved by Lucent.

CoralReef: This comprehensive software suite (https://www.caida.org/tools/coralreef), consisting of a set of drivers, libraries, utilities, and analysis software, enables passive monitoring of ATM, POS and other high-speed network interfaces. CoralReef's toolbox paradigm offers a consistent API along with extensive tools and utilities to provide multiple ways to address a variety of passive monitoring requirements. The ability to use live pcap interfaces was recently added. This allows CoralReef to monitor a wide variety of common commercially available interfaces that support Unix-like operating systems. A paper highlighting CoralReef philosophy, architecture and capabilities was presented at PAM 2001 and can be found at https://www.caida.org/publications/papers/2001/CoralArch/ . A second paper "CoralReef software suite as a tool for system and network administration" was accepted for presentation at the 2001 USENIX LISA conference to be held in December, and can be found at https://www.caida.org/publications/papers/2001/LISA/CoralApps/ .

Analysis of OC48 tracefile: CoralReef was used in conjunction with DAG cards to characterize Internet traffic from an OC48 commercial backbone link. We present data sampled from the Metromedia Fiber Network in San Jose ( http://www.mmfn.com/mfn/index.jsp). The total trace time was 75 minutes. The size of the trace was 32 gigabytes.

Figure 1: Distribution of applications by bytes, top 25 applications.

While dominated by WWW traffic, both peer-to-peer applications (e.g. KaZaA, Gnutella, Napster) and games (e.g. Asherons, Starcraft, Quake) comprise a significant portion of remaining traffic. The analyzed trace was recorded on 08/05/2001 for 75 minutes.

Figure 1 presents data in bytes, stratified by applications, from the MFN OC48 link. The graph shows that while traffic is dominated by web-based network technologies (in particular WWW traffic), newer applications such as peer-to-peer file sharing (e.g. KaZaA, Gnutella, Napster) and gaming (e.g. Asherons, Quake, Starcraft) comprise a large portion of the remaining traffic.

For methodological reasons our statistics reflect lower bounds for traffic volume attributable to peer-to-peer applications. For instance, Napster does not use a fixed set of ports for file transfers, so we identified the three most commonly used TCP ports (6688, 6697, and 6699) and mapped all traffic on these ports to the Napster category. Bulk transfer traffic may be either sent to or received from these ports, since Napster supports both active and passive mode transfers. However, it is possible that some traffic is sent on alternate ports and is therefore reported in the "Unclassified" category.

Figure 2: Flow of traffic, in bytes, from source to destination country.

Figure 2 shows the distribution of traffic, in bytes, from source to destination countries. The trace was recorded on 08/05/2001 for 75 minutes and generated 32 Gb of data. A significant portion of the traffic destinations are Asian due to the ISP's routing policy for this particular link on their backbone. The data suggests that commercial backbones carry traffic to and from a wide range of geographic locations regardless of physical location. Understanding the effect of routing policies and the nature of their dynamics (how much and how often they change) could offer a significant advantage in deployment of performance-sensitive collaborative applications.

Figure 3: Flow of traffic, in bytes, from source and destination countries within Asia.

Figure 3 uses the same data set as Figures 1 and 2. Figure 3 demonstrates that a significant amount of traffic traverses routes that may be unexpected by users or application developers.This figure shows traffic between sources and destinations within Asia (i.e., intra-Asia traffic) that is routed through San Jose, California (USA). A developer of collaborative application might assume that traffic where both source and destination are within the same country or region would have a low latency as it would not need to traverse borders outside the country or region (e.g., continent). Figure 3 demonstrates that actual routing violates this assumption. Many countries (e.g. Taiwan) have local traffic routed through North America This is driven by economic and regulatory realities of the underlying global telecommunication system.

Technology Transition:

The CoralReef software suite is available for download at https://www.caida.org/tools/measurement/coralreef/status.xml. Both a public package and a CAIDA member package are available. The members-only version contains additional features and better performance relative to the public package. In addition, CoralReef licensee CAIMIS, recently acquired by Ixia, Inc. (http://www.ixiacom.com) is licensed to provide commercial production environment support and documentation for CoralReef software.

Task 2, Tomography (skitter):

Objective: The majority of today's network measurements are at a microscopic level (e.g., lab simulations or measurements of individual networks). In contrast, CAIDA will measure and analyze traffic behavior on a large cross-section of the Internet infrastructure.

Methodology: CAIDA uses strategically placed skitter active measurement monitors to send ICMP echo requests to a carefully selected list of target hosts covering a large percentage of IPv4 address space. Monitors periodically download their collected data to a central analysis server, and analysis results are posted daily to the CAIDA website.

Accomplishments: Table 1 lists more than 20 sites that use skitter probing to automate the discovery and visualization of macroscopic Internet topology and peering relationships. Discussion of progress with analysis of gathered skitter data is included with Option 1.

Table 1. skitter Monitor Location and Status

Monitor Status	Name	Location
Active	d-root.skitter.caida.org	College Park, MD US (Univ. of Maryland)
Active	e-root.skitter.caida.org	Moffett Field, CA US (NASA)
Active	f-root.skitter.caida.org	Palo Alto, CA US (VIX)
Inactive	g-root.skitter.caida.org	Vienna, VA US (NIC.mil)
Inactive	h-root.skitter.caida.org	Aberdeen, MD US (US Army Research Lab)
Active	k-peer.skitter.caida.org	Amsterdam, North Hollan, NL (RIPE)
Active	k-root.skitter.caida.org	London, UK (RIPE)
Broken	l-root.skitter.caida.org	Marina del Rey, CA US (ISI)
Active	m-root.skitter.caida.org	Tokyo, Kanto JP (WIDE)
Active	sjc.skitter.caida.org	San Jose, CA US (MFN)
Active	yto.skitter.caida.org	Ottawa, Canada (CANet)
Active	lhr.skitter.caida.org	London, UK (MFN)
Active	skitter.uoregon.edu	Eugene, OR US (Univ. of Oregon)
Active	waikato.skitter.caida.org	Hamilton, NZ (Univ. of Waikato)
Active	champagne.caida.org	Urbana, IL US (VBNS)
Active	apan-jp.skitter.caida.org	Tokyo, Kanto JP (APAN)
Active	iad.skitter.caida.org	Washington D.C, US (MFN)
Active	nrt.skitter.caida.org	Tokyo, Kanto JP (MFN)
Active	riesling.caida.org	San Diego, CA US (CAIDA)
Active	skitter.kaist.kr.apan.net	Taejon, KR (APAN)

CAIDA uses skitter data to conduct in-depth analysis on specific topology characteristics such as distributions of Autonomous Systems, round trip times (RTTs) and hop counts. Combining skitter data with latitude and longitude information from NetGeo (see https://www.caida.org/tools/utilities/netgeo/ ), CAIDA also plots distributions of RTTs by continent and country domains.

Technology Transition:

Public access to skitter analysis results is available at http://sk-summary.caida.org/cgi-bin/main.pl

skitter monitoring will continue under CAIDA's NMS project (see https://www.caida.org/funding/nms/ ).

Task 3, Security:

Objective: Build tools to enable high performance networks to identify traffic anomalies in real-time.

Methodology: CAIDA modified Bro security software to use libcoral, giving Bro the ability to read data from Coral monitors. CAIDA also modified CoralReef's crl_filter feature (which provides command line BPF filtering rules) so that it is now possible to use this feature in combination with other existing tcpdump tools. Finally, CAIDA released crl_portmap, a tool that detects suspicious portmapper (RPC) activity then logs all traffic to and from the probing host in tcpdump format.

Accomplishments:

Denial-of-Service Attack Identification: A new technique called "backscatter analysis," was used to estimate worldwide denial-of-service activity. Three weeklong datasets have been analyzed, assessing the number, duration and focus of attacks and characterizing their behavior. David Moore of CAIDA and Geoffrey M. Voelker and Stefan Savage of the UCSD Department of Computer Science and Engineering discuss results of this analysis technique in a paper entitled "Inferring Internet Denial-of-Service Activity" presented at the Usenix Security Symposium held August 13-17, 2001 in Washington, D.C. (See: https://www.caida.org/publications/papers/2001/USENIXSecurity/backscatter/ )

Code-Red Analysis

Beginning in July, CAIDA archived CoralReef traffic traces in order to study the propagation of the Code-Red worms.

The first incarnation of the Code-Red worm (CRv1) began to infect hosts running unpatched versions of Microsoft's IIS webserver on July 12th, 2001. The first version of the worm uses a static seed for its random number generator. At approximately 10:00 UTC on the morning of July 19th, 2001 a random seed variant of the Code-Red worm (CRv2)appeared and spread. This second version shared almost all of its code with the first version, but spread much more rapidly. Finally, on August 4th, a new worm began to infect machines exploiting the same vulnerability in Microsoft's IIS webserver as the original Code-Red virus. Although the new worm shared almost no code with the two versions of the original worm, it contained in its source code the string "CodeRedII" and was thus named CodeRed II.

CAIDA's analysis covers spread of the worm during the 24 hour period beginning July 19th at midnight UTC. The data used for this preliminary study were collected from two locations: a /8 network at UCSD and two /16 networks at Lawrence Berkeley Laboratory (LBL). Two types of data from the UCSD network are used to maximize coverage of the expansion of the worm. Between midnight and 16:30 UTC, a passive network monitor recorded headers of all packets destined for the /8 research network. After 16:30 UTC, a filter installed on a campus router to reduce congestion caused by the worm blocked all external traffic to this network. Because this filter was put into place upstream of the monitor, we were unable to capture IP packet headers after 16:30 UTC. However, a second UCSD data set consisting of sampled netflow output from the filtering router was available at the UCSD site throughout the 24 hour period. Vern Paxson provided probe information collected by Bro on the LBL networks between 10:00 UTC on July 19th and 7:00 on July 20th.

Unless otherwise specified, we have merged these three sources into a single dataset to produce our results.

A full analysis by David Moore on the spread of the Code-Red work (CRv2) can be found at: https://www.caida.org/research/security/code-red/coderedv2_analysis.xml . An animation depicting the geographic spread of the worm was created by Jeff Brown (UCSD CSE Department), and is available from the analysis page.

CAIDA's ongoing analysis of the Code-Red worms includes a detailed analysis of the spread of Code-Red version 2 on July 19, 2001, a follow-up survey of the patch rate of machines infected on July 19th, and dynamic graphs showing the prevalence of Code-Red version 2 and CodeRedII worldwide.

Technology Transition:

Public releases of CoralReef monitoring software include filtering capabilities useful for performing security analysis.

Task 4, Data Storage and Analysis:

Objective: Collect, store and analyze massive volumes of Internet-wide traffic data.

Methodology: CAIDA routinely collects and archives daily summaries of skitter data. We make raw skitter data available via Netscape certificate to researchers who agree to an Acceptable Use Policy and share their research results. CoralReef traces are archived on an as needed basis, depending on storage availability.

Accomplishments: CAIDA archives several kinds of data and provides access to multiple analyses:

1. daily summaries of skitter data collected between 1 Sep 1999 and 30 June 2001. Daily summaries ( http://sk-summary.caida.org/cgi-bin/main.pl ) provide an interface capable of generating various graphic analyses of collected data. A summary of significant analysis results to date is included with Option 1.
2. CAIDA grants access to archived skitter data to researchers who agree to our Acceptable Use Policy. Summaries of their skitter-related research projects can be found at: https://www.caida.org/data/skitter/skitter_data_use.xml
3. CAIDA provides a demonstration of CoralReef data collection, analysis, and reporting at: https://www.caida.org/dynamic/analysis/workload/sdnap/ . Results are updated every 5 minutes.
4. CAIDA archives CoralReef data for special purpose studies as needed but must limit data collection to available disk space. For example, CoralReef traces were stored to analyze the geographic spread of the Code-Red worm discussed in Task 3.

Technology Transition:

CAIDA will continue to make skitter daily summary data available as storage capacity allows.

skitter monitoring will continue under CAIDA's NMS project (see https://www.caida.org/funding/nms/ ).

Option 1, DNS Root name server Initiative and Visualization of Massive Data Sets

Objective:

Provide ICANN with recommendations regarding optimal locations for current and future root name servers. Also expand visualization initiatives to facilitate aggregation, analysis and layout of massive data sets (tens of gigabytes in size). The Domain Name Server (DNS) technical advisory committee to ICANN includes existing root name server operators, institutional representatives (from IESG, IANA, DOC, etc.) and technical measurement experts (CAIDA). One of the committee's responsibilities is to provide ICANN with recommendations regarding optimal locations for root name servers. There are currently 13 root name servers ( http://www.wia.org/pub/rootserv.html ). RSSAC has asked CAIDA for assistance gathering data to help determine architecturally strategic locations for current and planned root name servers within the Internet.

Methodology:

CAIDA has co-located skitter hosts at the A, D, E, F, K-peer, K-root, and M root name servers. The skitter host at L-root is down for hardware repairs, and skitter monitors for G, H, and I root name servers are in place but await administrative activation. CAIDA has developed a methodology for identifying and depicting sets of destinations with high latency from these instrumented locations. CAIDA uses the skitter tool to measure connectivity and performance of the network between root name servers and a subset of their clients.

Accomplishments:

Marina Fomenkov led CAIDA RSSAC investigations which are reported in "Macroscopic Internet Topology and Performance Measurements from the DNS root name servers", a paper to be presented at the USENIX Lisa 2001 conference in December. The methodology uses a common skitter destination list for all skitter monitors co-located with each root name server. This list contains more than 58,000 IP destinations covering 8406 origin Autonomous Systems (ASes) and 184 countries. In addition to providing representative address prefix coverage, use of this common "DNS clients" destination list serves as a yardstick against which performance comparisons can be made. If a set of destinations shows high latency from all root name servers and clusters either geographically or topologically without having systematic regional bandwidth problems or other political constraints, this suggests a region meriting a new root name server. However, collected data cannot be used to decide how well a particular root name server responds to its own specific clients, due to an internal BIND load-balancing feature. Despite this, by maintaining which destinations in this list are frequent clients of which particular root name server, local subsets of the DNS clients lists can still be used to study individual server-specific issues.

The first set of traces from A, E, F, K, K-peer, and L-root name servers was collected between December 1 through December 30, 2000. The second set of traces was gathered between March 6, and April 4, 2001. This second set adds traces from the newly installed M-root name server, but is missing traces from the broken L-root name server. In March, each monitor probed destinations in the DNS Clients list between 7 and 13 times per day, a rate which is 15-60% higher than probes made during December when an older, slower version of skitter was in use.

Two metrics of connectivity (hop count and round trip time) were calculated from the root name server to the hosts in the target set. The IP hop count distributions for each root name server monitor can indicate whether they are near the edge of their local networks and/or near a major exchange point (See peak positions for A, E, F, and L root name server monitors in Figure 4) or are further away from their destinations (See peak positions for K and M root name servers in Figure 4).

Figure 4. IP path length distributions for DNS root name server monitors.

Clusters of hosts having particularly large latencies from all root name servers indicate a potential deficiency in the current Internet infrastructure. A destination is defined as having high latency during a given day if, on that day, it had RTTs in the 90th percentile in at least half the probe cycles on all root name server monitors. Results are then aggregated over a month to filter out transient problems. In Figure 5, the left side maximum is due to random variations in connectivity while the right-side maximum reflects destinations that consistently have high latency on every (or almost every) day during the 30-day collection period.

Figure 5. The persistence of high latency destinations.

Figure 6 depicts high latency destinations by continents. It shows that Africa, Asia, and South America IP addresses account for over 60% of high latency destinations, but less than 14% of the total DNS client list.

December 1 - December 30, 2000	March 6 - April 4, 2001

Figure 6. High-latency destinations compared to entire target list by continent

CAIDA's skitter measurements can be used with local client lists as a baseline against which to compare topology and performance characteristics of the network between a root name server and its clients. We can use the daily summaries generated automatically from each skitter monitor's data to investigate other placement issues, such as distance to the edge of the local network, peering relationships, and choice of upstream transit providers.

Other skitter analysis projects: Several researchers have requested and been granted access to skitter data. Descriptions of their projects can be found at https://www.caida.org/data/skitter/skitter_data_use.xml

Routing and Connectivity Analysis: Analysis of our topology data casts some doubt on the correctness of using routing table data to represent global connectivity. The largest set of publicly available core routing tables (50 tables currently available athttp://www.routeviews.org captures only a small fraction of actual connectivity as observed by our topology probes. CAIDA compared and established active probe and router table data in terms of connectivity coverage and established a framework for empirically-based IP topology analysis in"Internet Topology: Connectivity of IP Graphs" by Andre Broido and kc claffy. This paper was presented at the SPIE ITCom 2001 International Symposium on Convergence of IT and Communications (Denver, Aug 20-24, 2001). Our data suggests that the bidirectionally connected backbone is robust enough to sustain removal of 25% of its nodes before this "giant component" breaks down. These results (where 12,500 nodes are removed from a total of 52,505) differ qualitatively from behavior described for models of scale-free networks (see Albert, Jeung, and Barabasi's "Error and attack tolerance of complex networks." Nature v405, 27 Jul 2001).

This study as well as another and another entitled "Complexity of Global Routing Policies" by Andre Broido and kc claffy were presented at the Multiresolution analysis of Global Internet Measurements Workshop held 10-14 Sep 2001 in Leiden, NL. The second study included comprehensive analysis of the best publicly available global inter-domain routing data, in order to evaluate a number of new routing complexity measures. The goal of this study was to be sensitive to engineering resource limitations of router memory and CPU cycle. We focused on techniques to estimate redundancy of the merged tables in particular how many entries are essential for complete and correct routing. The notion of "policy atoms" is also introduced as part of this new calculus for routing table analysis. We found that the number of atoms and individual counts of atoms associated with a specific number of prefixes properly scale with the Internet's growth and with filtering of prefixes by length.We show that the use of policy atoms can potentially reduce the number of route announcements by a factor of two while preserving all routing policies. Policy atoms thus aqccurately represent Internet properties with much reduced complexity.

Several of our results suggest that certain commonly held Internet engineering beliefs require re-consideration. We find that more specific routes had a relatively constant share of routes in backbone tables across 2000/2001. Conversely, the churn of more specific routes was much larger than that of top prefixes. We find that deaggregation of existing announcements is a second major source (beyond announcement of recently allocated address space) of new top (least specific) prefixes in global BGP tables. We provide examples of misconfiguration and noise in BGP data, including multi-origin prefixes, AS paths with apparent routing loops (some of them due to typographical errors, other actual loops undetected by local BGP speakers), and inadvertent transit through customer ASes.

Large graph handling API: CAIDA is working on a generalized framework for dealing with large graphs. We have begun design and implementation of library libsea (tentative name), which provides functionality for loading, saving, examining, and, to a certain extent, processing large graphs. Libsea’s main purpose is to make graph data easily accessible to programs. Libsea is expected be able to handle graphs with approximately one million nodes, a few million links, and hundreds of paths.

Graph Visualization Library: CAIDA has completed coding of the parts in Immutable Graph having to do with attributes except where it involves an expression language because this has not yet been specified. With the exception of the expression language, all parts of this API having to do with nodes, links, paths, and attributes are done. Plans for testing all these features are underway.

Technology Transition:

Dr. Claffy has entered into discussions with ICANN and Verisign about leveraging the DARPA investment into the current RSSAC study to continue use of the developed methodology to evaluate these now critically strategic components of the Internet infrastructure.

The methodology for the DNS root name server location evaluation, and associated mechanisms for determining central positions within the Internet shows potential relevance far beyond analysis of the DNS system. Any location-based research for any evaluation of data servers within strategic infrastructures could apply the methodology.

New Publications:

USENIX Security Symposium paper: (Aug 13-17, 2001 Washington, D.C.)

[1] "Inferring Internet Denial-of-Service Activity" by D. Moore, G. Voelker, and S. Savage. We present a new technique, called "backscatter analysis," that provides an estimate of worldwide denial-of- service activity.

Globecom 2001 conference paper: (accepted for Nov 25-29, 2001 San Antonia, TX)

[2] "DNS Measurements at a Root Server" by N. Brownlee, k claffy, and E. Nemeth. We passively measure the performance of one root name server. F.root-servers.net measurements show an astounding number of bogus queries: 60-85% of observed queries were repeated from the same host within the measurement interval. More than 14% of a root name server's query load is due to queries that violate the DNS specification. Denial of service attacks using root name servers are common and occurred throughout our measurement period (7-24 Jan 2001).

Usenix LISA 2001 conference papers: Three papers were accepted for presentation at the ACM USENIX LISA conference in December 2001 at San Diego, CA.

[3] "Macroscopic Internet Topology and Performance Measurements from the DNS root name servers" by Marina Fomenkov, kc claffy, Bradley Huffaker and David Moore. skitter measurements using a specially constructed combined DNS clients list can identify clients that have high latency to each of the current root name server locations being monitored.

[4] "The Architecture of the CoralReef Internet Traffic Monitoring Software Suite" by Ken Keys, David Moore, Ryan Koga, Edouard Lagache, Michael Tesch, and k claffy. The CoralReef passive monitoring and analysis tool suite provides convenient tools for a diverse audience, from network administrators to researchers.

[5] "DNS Root/gTLD Server Measurements" by Nevil Brownlee, kc claffy, and Evi Nemeth. NeTraMet passive traffic meters have provided an effective way to monitor the performance of the global name servers as seen from the client side.

Multiresolution analysis of Global Internet Measurements workshop papers: (10-14 Sep 2001 Leiden, NL)

[6] "Internet Topology: Connectivity of IP Graphs" by A. Broido and k claffy. We compare BGP and probed topology data, finding that currently probed topology data yields much denser coverage of AS-level connectivity. We observe behavior of the part of the topology having full bidirectional connectivity (the Internet's "giant component") and analyze its topological resiliency.

[7] "Complexity of Global Routing Policies" by A. Broido and k claffy. We introduce the notion of "policy atoms" as part of a calculus for routing table analysis. We found that the number of atoms and individual counts of atoms with a given number of prefixes properly scale with both the Internet's growth and with filtering of prefixes by length.

Previous Publications:

[8] k. claffy and T. Monk, "What's next for Internet data analysis? Status and challenges facing the community," Proceedings of the IEEE, vol. 85, pp. 1563-71, 1997. https://www.caida.org/publications/papers/1997/ieee97/

[9] D. Wessels and k. claffy, "RFC 2186: Internet Cache Protocol (ICP), version 2," The IRCache Project, 1997. https://www.caida.org/publications/papers/1997/rfc2186

[10] D. Wessels and k. claffy, "RFC 2187: Application of Internet Cache Protocol (ICP), version 2," The IRCache Project, 1997. https://www.caida.org/publications/papers/1997/rfc2187/

[11] T. Monk and k. claffy, "Internet data acquisition and analysis: Status and next steps," National Laboratory for Applied Network Research (NLANR), San Diego Supercomputer Center, UC San Diego, La Jolla, CA 1997. https://www.caida.org/publications/papers/1997/data-inet97/

[12] B. Huffaker, J. Jung, E. Nemeth, D. Wessels, and k. claffy, "Visualization of the growth and topology of the NLANR caching hierarchy," presented at 3rd International WWW Caching Workshop, Manchester, England, UK, 1998. https://www.caida.org/publications/papers/1998/plankton/

[13] D. Wessels and k. claffy, "Evolution of the NLANR cache hierarchy: Global configuration challenges," presented at 3rd International WWW Caching Workshop, Manchester, England, 1998. https://www.caida.org/publications/papers/1996/cache96/

[14] k. claffy, G. Miller, and K. Thompson, "The nature of the beast: Recent traffic measurements from an Internet backbone," presented at INET '98, Geneva, Switzerland, 1998. https://www.caida.org/publications/papers/1998/Inet98/

[15] CAIDA, "Comments by CAIDA concerning the FCC's review of the acquisition of MCI Communications Corp. by Worldcom, Inc.," CAIDA, San Diego Supercomputer Center, UC San Diego, La Jolla, Press Release 27 Apr 1998. https://www.caida.org/publications/papers/1998/fcc-98/

[16] D. Wessels and k. claffy, "ICP and the Squid web cache," IEEE Journal on Selected Areas in Communications, vol. 16, pp. 345-57, 1998. https://www.caida.org/publications/papers/1998/icp-sq/

[17] k. claffy and S. McCreary, "Internet measurement and data analysis: passive and active measurement," presented at American Statistical Association, Baltimore, MD, 1999. https://www.caida.org/publications/papers/1999/Nae4hansen/

[18] R. Periakaruppan and E. Nemeth, "GTrace - A Graphical Traceroute Tool," presented at Usenix LISA, Seattle, WA, 1999. https://www.caida.org/publications/papers/1999/GTrace/

[19] CAIDA, "ISMA passive measurement data and analysis, workshop report," presented at Internet Statistics and Metrics Analysis (ISMA) workshop, La Jolla, CA, 1999. https://www.caida.org/publications/papers/1999/isma9901/

[20] CAIDA, "Report from the ISMA Network Visualization Workshop," presented at Internet Statistics and Metrics Analysis (ISMA) workshop on Network Visualization, La Jolla, CA, 1999. https://www.caida.org/publications/papers/1999/isma9904/

[21] B. Huffaker, k. claffy, and E. Nemeth, "Tools to visualize the Internet multicast backbone," presented at INET '99, San Jose, CA, 1999. https://www.caida.org/publications/papers/1999/manta/

[22] B. Huffaker, E. Nemeth, and k. claffy, "Otter: A general-purpose network visualization tool," presented at INET '99, San Jose, CA, 1999. https://www.caida.org/publications/papers/1999/otter/

[23] k. claffy, T. Monk, and D. McRobb, "Internet tomography," presented at Nature, 1999. https://www.caida.org/publications/papers/1999/webmatters99/

[24] k. claffy, "Internet measurement and data analysis: topology, workload, performance and routing statistics," presented at NAE '99 Workshop, Los Angeles, CA, 1999. https://www.caida.org/publications/papers/1999/Nae/

[25] CAIDA, "ISMA Winter 2000 Workshop - Final Report," presented at Internet Statistics and Metrics Analysis (ISMA) workshop, La Jolla, CA, 2000. https://www.caida.org/publications/papers/2000/isma0012/

[26] S. McCreary and k. claffy, "Trends in wide area IP traffic patterns - A view from Ames Internet Exchange," presented at 13th ITC Specialist Seminar on Internet Traffic Measurement and Modelling, Monterey, CA, 2000. https://www.caida.org/publications/papers/2000/AIX0005/

[27] D. Moore, R. Periakaruppan, J. Donohoe, and k. claffy, "Where in the world is netgeo.caida.org?," presented at INET '00, Yokohama, Japan, 2000. https://www.caida.org/publications/papers/2000/inet_netgeo/

[28] E. Nemeth, T. Ott, K. Thompson, and k. claffy, "The Internet Engineering Curriculum Repository," presented at INET '00, Yokohama, Japan, 2000. https://www.caida.org/publications/papers/2000/inet_iec/

[29] B. Huffaker, M. Fomenkov, D. Moore, E. Nemeth, and k. claffy, "Measurements of the Internet topology in the Asia-Pacific Region," presented at INET '00, Yokohama, Japan, 2000. https://www.caida.org/publications/papers/2000/asia_paper/

[30] N. Brownlee and R. Fulton, "Kawaihiko and the third-quartile day [traffic management]," IEEE Communications Magazine, vol. 38, pp. 162-8, 2000. https://www.caida.org/publications/papers/2000/3qd-kaw/

[31] P. Rajvaidya, K. C. Almeroth, and k. claffy, "A scalable architecture for monitoring and visualizing multicast statistics," presented at Distributed Systems: Operations and Management, 2000. https://www.caida.org/publications/papers/DSOM-00/

[32] k. claffy, "Measuring the Internet," IEEE Internet Computing, vol. 4, pp. 73-5, 2000. https://www.caida.org/publications/papers/2000/ieee0001/

[33] N. Brownlee, k. claffy, M. Murray, and E. Nemeth, "Methodology for passive analysis of a university Internet link," presented at PAM2001 - A workshop on Passive and Active Measurements, Amsterdam, Netherlands, 2001. https://www.caida.org/publications/papers/2001/MethodAnalyseLink/

[34] N. Brownlee and M. Murray, "Streams, Flows and Torrents," presented at PAM2001 - A workshop on Passive and Active Measurements, Amsterdam, Netherlands, 2001. https://www.caida.org/publications/papers/2001/StreamsFlowsTorrents/

[35] B. Huffaker, M. Fomenkov, D. Moore, and k. claffy, "Macroscopic analyses of the infrastructure: measurement and visualization of Internet connectivity and performance," presented at PAM2001 - A workshop on Passive and Active Measurements, Amsterdam, Netherlands, 2001. https://www.caida.org/publications/papers/2001/SkitViz/

[36] K. Keys, D. Moore, R. Koga, E. Lagache, M. Tesch, and k. claffy, "The architecture of CoralReef: an Internet traffic monitoring software suite," presented at PAM2001 - A workshop on Passive and Active Measurements, Amsterdam, Netherlands, 2001. https://www.caida.org/publications/papers/2001/CoralArch/

[37] M. Murray and k. claffy, "Measuring the Immeasurable: Global Internet Measurement Infrastructure," presented at PAM2001 - A workshop on Passive and Active Measurements, Amsterdam, Netherlands, 2001. https://www.caida.org/publications/papers/2001/MeasInfra/

[38] C. Shannon, D. Moore, and k. claffy, "Characteristics of fragmented IP traffic on Internet links," presented at PAM2001 - A workshop on Passive and Active Measurements, Amsterdam, Netherlands, 2001. https://www.caida.org/publications/papers/2001/Frag/

[39] A. Broido and k. claffy, "Internet topology: connectivity of IP graphs," presented at SPIE International symposium on Convergence of IT and Communication, Denver, CO, 2001. https://www.caida.org/publications/papers/2001/OSD/

[40] D. Moore, G. M. Voelker, and S. Savage, "Inferring Internet Denial-of-Service Activity," presented at Usenix Security Symposium, Washington, D.C., 2001. https://www.caida.org/publications/papers/2001/BackScatter/

[41] C. Dovrolis, P. Ramanathan, and D. Moore, "What do packet dispersion techniques measure?," presented at INFOCOM'2001, Alaska, 2001. https://www.caida.org/publications/papers/2001/consti/

[42] k. claffy, "CAIDA: Visualizing the Internet," Internet Computing Online, 2001. https://www.caida.org/publications/papers/2001/caida/

[43] A. Broido and k. claffy, "Complexity of global routing policies," presented at ACM SIGCOMM Internet Measurement Workshop, San Francisco, CA, 2001. https://www.caida.org/publications/papers/2001/CGR/

[44] C. Dovrolis, P. Ramanathan, and D. Moore, "Packet Disperson Techniques and Capacity Estimation," IEEE/ACM Transactions, 2001. https://www.caida.org//publications/papers/2001/ton_dispersion/

[45] M. Mathis, G. L. Huntoon, and k. claffy, "Traffic dynamics testbed," presented at Large Scale Networking (LSN) Workshop, Vienna, VA, 2001. https://www.caida.org/publications/papers/2001/tdt01/

[46] A. Broido and k. claffy, "Analysis of RouteViews BGP data: policy atoms," presented at Network Resource Data Management Workshop, Santa Barbara, CA, 2001. https://www.caida.org/publications/papers/2001/NDRM_bgpatoms/

[47] M. Fomenkov, k. claffy, B. Huffaker, and D. Moore, "Macroscopic Internet Topology and Performance Measurements From the DNS Root Name Servers," CAIDA, San Diego Supercomputer Center, UC San Diego, La Jolla Oct 2001. https://www.caida.org/publications/papers/2001/Rssac2001a/