Status of this Memo: This memo provides information for the Internet community. It does not specify an Internet standard. Distribution of this memo is unlimited. Summary: This memo describes a protocol for reliable transport that utilizes the multicast capability of applicable lower-layer networking architectures. The transport definition permits an arbitrary number of transport providers to perform real-time collaborations without requiring networking clients (i.e., applications) to possess detailed knowledge of the population or geographical dispersion of the participating members. It is not specific to any network architecture, but it does implicitly require some form of multicasting (or broadcasting) at the data link layer, as well as some means of communicating that capability up through the layers to the transport.
PARDIS MIRI, Stanford University; ROBERT FLORY, Intel Labs; ANDERO UUSBERG, University of Tartu; HEATHER CULBERTSON, University of Southern California; RICHARD H. HARVEY, San Francisco State University; AGATA KELMAN, University of California, Davis; ERIK PEPER, San Francisco State University; JAMES J. GROSS, Stanford University; KATHERINE ISBISTER, University of California Santa Cruz; KEITH MARZULLO, University of Maryland
Proceedings. 19th IEEE International Conference on Distributed Computing Systems. Workshops on Electronic Commerce and Web-based Applications. Middleware
We devise a mobile agent middleware architecture for supporting distributed applications in a wide-area network. The architecture provides a structural framework for functional components that are needed to support mobile agents in asymmetric networking environments.
Proceedings Seventeenth IEEE Symposium on Reliable Distributed Systems (Cat. No.98CB36281)
Message logging protocols ensure that crashed processes make the same choices when re-executing nondeterministic events during recovery. Causal message logging protocols achieve this by piggybacking the results of these choices (called determinants) on the ambient message traffic. By doing so, these protocols neither create orphan processes nor introduce blocking in failure-free executions. To survive f failures, they ensure that determinants are stored by at least f + 1 processes. Causal logging protocols differ in the kind of information they piggyback to other processes. The more information they send, the better each process is able to estimate global properties of the determinants, which in turn results in less needless piggybacking of determinants. This paper attempts to quantify the tradeoff between the cost of sending more information and the benefit of doing so.
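The f + 1 replication rule above can be sketched in a few lines. This is a minimal illustration, not any of the protocols the paper compares: the process ids, the determinant name, and the bookkeeping structure are all invented here.

```python
# Hypothetical sketch of causal-logging piggybacking. A process stops
# piggybacking a determinant once it knows F+1 processes store it; the
# less a process knows about copy counts, the more it piggybacks.

F = 1  # number of failures to tolerate; determinants need F + 1 copies

class Process:
    def __init__(self, pid):
        self.pid = pid
        # determinant id -> set of process ids known to store a copy
        self.known_copies = {}

    def record_determinant(self, det_id):
        # result of a local nondeterministic event (e.g., receive order)
        self.known_copies.setdefault(det_id, set()).add(self.pid)

    def piggyback(self):
        # attach only determinants not yet known to be at F+1 processes
        return {d: set(holders) for d, holders in self.known_copies.items()
                if len(holders) < F + 1}

    def receive(self, sender_pid, piggybacked):
        for det_id, holders in piggybacked.items():
            copies = self.known_copies.setdefault(det_id, set())
            copies.update(holders)
            copies.add(self.pid)  # the receiver now stores a copy too

p0, p1 = Process(0), Process(1)
p0.record_determinant("m3-recv-order")
p1.receive(0, p0.piggyback())  # determinant now at 2 = F+1 processes
print(p1.piggyback())          # {} : p1 knows it is safely replicated
print(p0.piggyback())          # p0 does not know p1 stored it, so it
                               # keeps piggybacking needlessly
```

The last two lines show the estimation problem the paper quantifies: p0's stale view of where copies live is exactly what causes needless piggybacking.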
IEEE Transactions on Parallel and Distributed Systems, 2009
In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior.
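The core inference step can be illustrated with a crude fluid-queue bound. This is my own toy model, not the paper's protocol: the rates, buffer size, and slack parameter below are invented for illustration.

```python
# Illustrative sketch: predict how many drops congestion alone can
# explain in a measurement interval, then attribute excess observed
# loss to malicious dropping.

def predicted_congestive_drops(arrival_rate, service_rate, buffer_pkts,
                               interval_s, queue_at_start=0):
    """Fluid-model bound on drops in one interval (packets per second)."""
    excess = (arrival_rate - service_rate) * interval_s  # packets queued up
    overflow = queue_at_start + excess - buffer_pkts
    return max(0.0, overflow)

def is_suspicious(observed_drops, arrival_rate, service_rate,
                  buffer_pkts, interval_s, slack=0.0):
    """Flag losses that exceed what congestion can account for."""
    bound = predicted_congestive_drops(arrival_rate, service_rate,
                                       buffer_pkts, interval_s)
    return observed_drops > bound + slack

# 10k pkt/s arriving at a 9k pkt/s link with a 500-packet buffer for
# 1 s: congestion explains (10000 - 9000) * 1 - 500 = 500 drops.
print(predicted_congestive_drops(10000, 9000, 500, 1.0))  # 500.0
print(is_suspicious(2000, 10000, 9000, 500, 1.0))         # True
print(is_suspicious(400, 10000, 9000, 500, 1.0))          # False
```

Removing the congestion-explained losses first is what lets a fixed threshold be replaced by a quantity derived from measured traffic.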
IEEE Transactions on Parallel and Distributed Systems, 2006
We present a hybrid approach to the scheduling of jobs in a distributed system where the critical resource is the bandwidth to access stored data. Our approach supports the master-worker scheme, but could be applied to other cases of parallel computation over stored data. We tested our new approach under various circumstances and measured its performance by means of several metrics. We compared our approach with other scheduling policies; it performed significantly better in the majority of cases, and in the worst cases it was as good as the best of the others.
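A bandwidth-aware master-worker assignment can be sketched as a greedy matching. This is a hypothetical stand-in for the hybrid policy, not the paper's algorithm: the job names, sites, and bandwidth numbers are invented.

```python
# Greedy sketch: the master gives each job to the free worker with the
# best measured bandwidth to the site holding that job's data.

def assign(jobs, workers, bandwidth):
    """jobs: list of (job, data_site); bandwidth: (worker, site) -> rate."""
    free = set(workers)
    schedule = {}
    for job, data_site in jobs:
        if not free:
            break  # remaining jobs wait for a worker to free up
        best = max(free, key=lambda w: bandwidth[(w, data_site)])
        schedule[job] = best
        free.discard(best)
    return schedule

bandwidth = {("w1", "siteA"): 100, ("w1", "siteB"): 10,
             ("w2", "siteA"): 20,  ("w2", "siteB"): 80}
print(assign([("j1", "siteA"), ("j2", "siteB")], ["w1", "w2"], bandwidth))
# {'j1': 'w1', 'j2': 'w2'}: each job lands on its high-bandwidth worker
```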
While it is widely understood that criminal miscreants are subverting large numbers of Internet-connected computers (e.g., for bots, spyware, SPAM forwarding), it is less well appreciated that Internet routers are also being actively targeted and compromised. Indeed, due to its central role in end-to-end communication, a compromised router can be leveraged to empower a wide range of direct attacks including eavesdropping, man-in-the-middle subterfuge, and denial of service. In response, a range of specialized anomaly detection protocols has been proposed to detect misbehaving packet forwarding between routers. This article provides a general framework for understanding the design space of this work and reviews the capabilities of various detection protocols.
Tarek Abdelzaher, Hari Adiseshu, Hassan Fallah Ad1, Jim Anderson, Neil Audsley, Young Hyun Bae, Sanjoy Baruah, Azer Bestavros, Riccardo Bettati, Monica Brockmeyer, Milind Buddhikot, Craig Chaney, Bo-Chao Cheng, Erik Cota-Robles, Zhong Deng, Zubin Dittia, William Eatherton, Wu-chang Feng, Mark K. Gardner, Sunondo Ghosh, Aniruddha Gokhale, Oscar Gonzalez, R. Gopalakrishnan, Sergey Gorinsky, Pawan Goyal, Rhan Ha, Siamack Haghighi, Joosun Hahn, Seongsoo Hong, Rodney Howell, ... David Hull, Atri Indiresan, Farnam Jahanian, J. James, Kevin Jeffay, Scott ...
…to provide an infrastructure for fault tolerance in distributed systems, including wide-area systems. In our work on master-worker computation for GriPhyN, a large project in the area of the computational grid, we asked the question: should we build our wide-area master-worker computation using wide-area group communications? This paper explains why we decided doing so was not a good idea.
Firewalls are a cornerstone of how sites implement defense in depth. Many security policies assume that outside attackers must first penetrate a firewall configured to block their access. This paper examines what firewalls protect against, and whether those protections are sufficient to warrant placing the current level of trust in firewalls.
Classic Paxos and Fast Paxos are two protocols that are the core of efficient implementations of replicated state machines. In runs with no failures and no conflicts, Fast Paxos requires fewer communication steps for learners to learn of a request compared to Classic Paxos. However, there are realistic scenarios in which Classic Paxos has a significant probability of having a lower latency. This paper discusses one such scenario with an analytical comparison of the protocols and simulation results.
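The trade-off can be illustrated with a toy Monte Carlo model. This is entirely my own sketch, not the paper's analysis: exponential message delays, a ⌈3n/4⌉ fast quorum, and a client co-located with the leader are all assumptions made here for illustration.

```python
# Toy model: Fast Paxos saves one message step, but its learners must
# hear from a larger quorum; with variable delays and a client sitting
# at the leader, Classic Paxos can come out ahead.
import math
import random

def kth_fastest(n, k, rng):
    """Delay until the k-th of n parallel messages arrives (exp(1) delays)."""
    return sorted(rng.expovariate(1.0) for _ in range(n))[k - 1]

def classic_latency(n, rng, client_at_leader=False):
    # client -> leader -> acceptors (majority quorum) -> learner
    first_hop = 0.0 if client_at_leader else rng.expovariate(1.0)
    majority = n // 2 + 1
    return first_hop + kth_fastest(n, majority, rng) + rng.expovariate(1.0)

def fast_latency(n, rng):
    # client -> acceptors (fast quorum) -> learner: one step fewer,
    # but the learner needs a bigger quorum to respond
    fast_q = math.ceil(3 * n / 4)  # a common fast-quorum size
    return kth_fastest(n, fast_q, rng) + rng.expovariate(1.0)

rng, n, trials = random.Random(1), 5, 20000
classic = sum(classic_latency(n, rng, client_at_leader=True)
              for _ in range(trials)) / trials
fast = sum(fast_latency(n, rng) for _ in range(trials)) / trials
print(f"classic (client at leader) ~{classic:.2f}, fast ~{fast:.2f}")
```

Under these assumptions the larger fast quorum's tail latency outweighs the saved step, which is the flavor of scenario the paper analyzes precisely.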
The ISIS distributed programming system and the META Project are described. The ISIS programming toolkit is an aid to low-level programming that makes it easy to build fault-tolerant distributed applications that exploit replication and concurrent execution. The META Project is reexamining high-level mechanisms such as the filesystem, shell language, and administration tools in distributed systems.
Fault recovery is a key issue in modern data centers. In a fat tree topology, a single link failure can disconnect a set of end hosts from the rest of the network until updated routing information propagates to every network element in the topology. The time for re-convergence can be substantial, leaving hosts disconnected for long periods of time and significantly reducing the overall availability of the data center. Moreover, the message overhead of sending updated routing information to the entire topology may be unacceptable at scale. We present techniques to modify hierarchical data center topologies to enable switches to react to failures locally, thus reducing both the convergence time and the control overhead of failure recovery. We find that for a given network size, decreasing the convergence time for a topology results in a decrease to the topology's scalability (e.g., the number of hosts supported). On the other hand, for a fixed host count, a reduction in convergence tim…
How to build a highly available system using consensus; Distributed admission control algorithms for real-time communication; Randomization and failure detection: A hybrid approach to solve Consensus; Levels of authentication in distributed agreement; Efficient and robust sharing of memory in message-passing systems; Plausible clocks: Constant size logical clocks for Distributed Systems; Abstracting communication to reason about distributed algorithms; Simulating reliable links with unreliable links in the presence of process crashes; A cyclic distributed garbage collector for network objects; Incremental, distributed orphan detection and actor garbage collection using graph partitioning and Euler cycles; A framework for the analysis of non-deterministic clock synchronisation algorithms; Optimal time broadcasting in faulty star networks; A lower bound for Linear Interval Routing; Topological routing schemes; Maintaining a dynamic set of processors in a distributed syst…
A multi-site system consists of a collection of locally-managed networks called sites, each containing a collection of processors. In this paper, we present the multi-site threshold model: a new failure model for multi-site systems that accounts for failures of sites. Using this model, we then derive quorum constructions that have two interesting features. First, they generate quorum systems that are more available than majority quorums. Second, our constructions reduce quorum sizes compared to the majority construction, thus reducing load on the processors and increasing the total capacity of the system. To show that our model is realistic, we discuss the implementability of this new model, motivating it with data from a real system.
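The baseline the paper improves on can be made concrete with a small availability calculation. This is my own illustration, not the paper's construction: the site sizes and failure probabilities below are invented, and the correlated model is deliberately crude.

```python
# Majority-quorum availability under two failure models: independent
# processor failures, and a crude site-failure model where a down site
# takes all of its processors with it. Correlated site failures are
# what make site-aware constructions worthwhile.
from math import comb
import random

def majority_quorum_availability(n, p):
    """P(at least n//2 + 1 of n independently-up processors are up)."""
    q = n // 2 + 1
    return sum(comb(n, k) * p**k * (1 - p)**(n - k) for k in range(q, n + 1))

def availability_with_site_failure(sites, p_site_up, p_proc_up, trials, rng):
    """Monte Carlo: same majority rule, but a failed site downs all of
    its processors at once."""
    need, ok = sum(sites) // 2 + 1, 0
    for _ in range(trials):
        up = 0
        for size in sites:
            if rng.random() < p_site_up:
                up += sum(rng.random() < p_proc_up for _ in range(size))
        ok += up >= need
    return ok / trials

print(round(majority_quorum_availability(5, 0.9), 4))  # 0.9914
print(availability_with_site_failure([3, 2], 0.95, 0.9, 20000,
                                     random.Random(7)))
```

The second number comes out noticeably lower than the first: the same five processors split across two failure-prone sites lose the independence that makes plain majority quorums look good.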
Papers by Keith Marzullo