Cyclops The ASlevel Connectivity Observatory YingJu Ch - PDF document

Figure1:TheInternetTopologyandBGPmonitor-ing.2.BACKGROUNDTheInternetconsistsofalargenumberofnetworkscalledAutonomousSystems(ASes),eachwithanallocateduniqueASnumber.AnASmaycontainoneormultipledestinationnetworks,eachrepresentedbyanIPprex.Forexample,AS52(UCLA'sASnumber)announces5IPprexes,andoneofthem,131.179.0.0/16,representsthenetworkofUCLAComputerScienceDepartment.ASesexchangedestinationnetworkreachabilityinformationusingtheBorderGatewayProtocol(BGP).ABGPupdatecontainstheASpathusedtoreachadestinationprex,i.e.alistofASnumbersofallthenetworkstraversed.Figure1isasimpliedexampletoillustratesBGPupdatepropagation.AS-1ownsapre-xPandannouncesittoneighborAS-2.Whenreceivingtheupdate,AS-2addsitsownASnumbertothepathandfurtherpropagatestheupdatetoitsneighbors.NotethataBGProutermayreceivemultiplepathstoeachdestination,butitonlypropagatesthebestpathtoneighborASes.ForexampleAS-3inFigure1willreceivetwopathstoprexPandselectfP:21gasitsprimarypathandpropagatesittoaBGPcollectorbox;wecalltherouterinAS-3whichisconnectedtothecollectoramonitor.BecauseBGProutersonlypropagatethebestpathtoeachdestinationnetwork,onemaynotbeabletocollectthecompleteASconnectivityfromBGPupdates.InstudyingInternetAS-leveltopology,oneviewstheIn-ternetasanAS-levelgraph,whereeachnoderepresentsanASandeachlinkrepresentsatracexchangeagreementbetweentwoASes;thisagreementisrealizedbytheestab-lishmentofoneormultipleBGPsessionsbetweenthetwoneighborASes,perhapsovermultiplephysicallinksatmul-tipledispersedgeographicallocations.Generallyspeaking,ASescanbeclassiedintotwoclasses:transitsandstubs.AtransitASprovidesInternetaccesstootherASesinadditiontoitowncustomers,whileastubASisasourceordestina-tionofdatatracanddoesnotprovidetransitconnectivitytoanyotherASes.TheAS-linkscanbebroadlyclassiedintwotypes:customer-providerandpeer-to-peer.Inacustomer-providerrelation,thecustomerpaystheproviderfortheInternetaccess,whereasinapeer-peerrelationASesexchangetracwitheachotherwithoutpayment.Therefore,whengivenmultipleroutestoadestinationprex,aroutertypicallyhasapreferenceor-derofchoosingroutesfromcustomersrst,thenpeersandnallyproviders.InFigure1,assumingAS-1isacustomerofAS-2,AS-2andAS-3arecustomersofAS-4,andAS-2andAS-3arepeers,thenAS-3selectsthepeerroutefromAS-2ratherthantheproviderrouteannouncedbyAS-4.2.1MonitoringandDataCollectionRouteView[6]andRIPE[5]representtwomajorBGPmonitoringprojectstoday.Theymanageasetofcollec-tors,whichestablishBGPsessionswithoperationalrouters,calledmonitors,toreceivetheupdatesandperiodicallydumpasnapshotofeachmonitor'sroutingtable.Thetotalnum-berofmonitorshavebeenincreasingovertime.Atthetimeofthiswritingthereareseveralhundredsofsuchmonitors,althoughonlyabout120orsomonitorsprovideacompleteBGProutingtable;therestprovidesonlyapartialtable.Thetopologydatabasehttp://irl.cs.ucla.edu/topology/,whichisdescribedin[24],includesdatacollectedfromrouteservers,lookingglasses[3],androutingregistrydatabasesinadditiontothedatafromalltheRouteViewsandRIPEcol-lectors1.WetermtheAS-levelconnectivityextractedfromthisdatasetasPublic-View.CyclopsusesthePublic-ViewdatacollectedfromJanuary2004topresent.ItiswellknownthattheinferredAStopologyisratherincomplete,andthatitremainsaresearchchallengetoquan-tifythedegreeofthisincompleteness[21].Cyclops'abilitytovisualizeASconnectivityanditschangesisconnedbythelimitationofthedataset.Neverthelessasweillustratelaterinthepaper,Cyclopsprovidesvisualdisplayoftopo-logicalchangesbasedontheavailabledataset,avaluablefunctionthatisunavailablepreviously,andoersitselfasapowerfuldetectionmechanismforroutinghijacks.2.2TopologyInferenceandFaultDetectionForeachspecicAS-x,thereisalistofneighborASeswithwhomxhastracexchangeagreements;wetermthislistthegroundtruthofAS-x'sconnectivity.Ingeneralwedonotknowthegroundtruthofx,andweinferx'sneighborASesfromtheASpathscarriedinBGPupdates.Atanygiventime,dierencesmayexistbetweenthelistofinferredASneighborsandthatfromthegroundtruth.Thesedierencecanstemfromseveralreasons.First,thelimitednumberofvantagepointsusedinthePublic-Viewlimitsitscomplete-nessinrevealingallAS-x'sneighbors[21];i.e.someneigh-borsinx'sgroundtruthmaybeinvisibleinPublic-View.Howeverbyaccumulatingtheobservationofx'sneighborsovertime,onecansignicantlyreducethedierences[22].Atthesametime,accumulatingtheobservedx'sconnec-tivityovertimecanalsointroducestalelinksthatarenolongerexist,hencecontributingtothedierencebetweeninferredconnectivityandgroundtruth.Furthermore,falselinkscausedbyBGPmiscongurations,orevenintentionalroutehijacks,alsocontributetothedierencebetweentheinferredAS-x'sconnectivityanditsgroundtruth.Thersttwocausesofthedierences,namelyinvisibleorstaleASlinksintheinferredtopology,resultfromlim-itationsofthemeasurementinfrastructureandhavebeenmitigatedtoacertaindegreerecently[21,22].Thethird 1WecurrentlydonotuseAStopologicaldataderivedfromtraceroutemeasurementsduetotheissuesinconvertingrouterpathstoASpaths,asextensivelyreportedinpre-viouswork[10,18,13,22]. causeistheresultsoffaultsormaliciousattacks,whichcanaectdatadeliverytoAS-xortootherASes.Aspecicex-ampleofaroutehijackhappenswhenAS-ywantstohijacktractoaprexpownedbyAS-x.AS-ymayannounceprexptoaneighborAS-z.HoweverAS-zcandetectsuchhijacksbyverifyingtheoriginmapping(p;x)againsttheInternetRoutingRegistry.AmoresubtlehijackbyAS-yistoannouncearoutetopwithafalseASlinky�xintheASpath.CyclopsprovidesaneectivemeanstodetectbothtypesofroutehijackbyallowingwhoeverknowingthegroundtruthofAS-xtocompareitagainstAS-x'sinferredconnectivity.FalselinksintheinferredASconnectivitycanalsobeduetoBGPmiscongurations.Forinstance,ifacustomerAS-wstartsadvertisingitsproviderorpeerroutestoitsBGPneighbors,i.e.thecaseofarouteleakage,CyclopswillsuddenlyobservenewASlinksattachedtoAS-w.Infact,operatorshaveindeeddetectedmiscongurationsusingourinferredASconnectivitydata.3.CYCLOPSDESIGNInthissectionwerstdiscussthedesigngoalsofCyclops,thenpresentanoverviewofCyclopsdesign,followedbyadescriptionofeachofCyclops'threeoutputmodules,rawdata,webinterface,andthevisualizer.3.1DesigngoalsCyclopsisdesignedtomeettheneedforAStopologicalconnectivityinformationforvariousdierentpurposes.Inparticular,thedesignhasthefollowinggoalsinmind:BeingabletoquicklylocatehighactivityperiodsinAStopologychanges.ProvidingacomprehensivevisualinspectionofAScon-nectivityandchanges.EnablingnavigationthroughtheASconnectivitytoexaminetopologicaleventcorrelations.Beingabletoscalethedisplaytoallowtheexamina-tionofindividualAS'sconnectivitychangesindetail.Therstgoalisachievedthroughthedevelopmentofanactivitywindow,whichisdescribedinSection3.5.2.Theactivitywindowusesbargraphstodisplayacondensedpre-sentationofASconnectivitychangesoveraspeciedtimeperiod,allowingonetospotperiodswithhighconnectivitychangesinoneglance.Thesecondgoalisrealizedthroughthejudicioususeofvariousgraphicalnotationstodenotenewordeadnodesandlinks,ASdegrees,AStypes,linkages,andnumberofroutescarriedoverthelinksinCyclops'visualizer.TheASconnectivitynavigationisaccomplishedinthevisualizeraswell;onecanmovethefocus,theCy-clops'seye,fromoneAStoanyotherneighborASandsooneandsoforth.Thelastgoalonscalabledisplayismorechallenge.Ontheonehand,onewouldliketobeabletopresentinde-tailalltheconnectivityofagivenAS.Ontheotherhand,largeASescanhavethousandsofneighbornodes,whichmakesthevisualpresentationoftheconnectivitytoalltheneighborsbothinfeasibleandlessuseful,becausethespe-cicinformationauserisinterestedinwouldbeembeddedinthelargeamountofotherinformation.Weresolvedthiscon ictbyprovidingtheuserawebinterfaceinadditiontothevisualizer.Cyclops'webinterfaceenablesonetoeasilyndouttheinformationneededbyallowingtheusertosortanAS'sneighborlistbyanumberofdierentmeasurementparameters,asdescribedinSection3.4.ItismostlikelythatotherusagesoftheASconnectivityinformationexistthatwehavenotrecognized,orwillariseoncetheavailabilityofthisinformationiswidelyspread.Tomeettheunknownandfutureneed,wealsoprovideourASconnectivityinformationintherawdataformat,sothatanyinterestedpartiescandownloadandprocessthedatalocallytomeettheirownneeds.Infactwehaveheardfromanumberofcolleagueswhohaveusedourdatainvariousresearchprojects.3.2AnoverviewofCyclopsFigure2summarizestheCyclopsimplementation.DailycollectedBGPdatafromthePublic-Viewrstgoesthroughapre-processingstagewhereASlinksandtimestampsareextracted.Moreprecisely,foreachASlinkinanASpath,werecordtherstandlasttimesthelinkwasseen,andwhetherthelinkwasseeninthebeginning,middleorendoftheASpath.Inaddition,wesavethelastseenBGPupdatemessagethatcontainedthatlink.Inthepre-processingstage,wealsogleanASpathstoinferbusinessrelationshipsbetweenASes,i.e.provider-customer,orpeer-to-peer,andthisrelationshipinformationisthenusedtodoASclassication.ThespecicmethodweusetodoASrelationshipinferenceisdeceptivelysimple.WeextracttheASlinksfromtheBGProutescollectedfromtheTier-1ISPmonitorsoverawindowoftimewhichshouldspanseveralmonths.IntheASpatha0{a1{...{an,thelinka0{a1canbeeitherpeer-peerorprovider-customer(a0referstotheTier-1ASthemonitorresidesin),buttheremaininglinksintheASpathshouldbeoftypecustomer-provideraccordingtono-valleypolicy.Furthermore,ifa0{a1turnsouttobeacustomer-providerlink,itwillberevealedinroutesofanotherTier-1AS,thereforewewillbeabletoaccuratelylabelit.Thepeerlinksareinferredbydoingthedibetweentheentiresetoflinksextractedfromallthemonitorsandthesetofcustomer-providerlinks,i.e.thepeerlinksareallthelinksthatarenotpropagatedupstreamtoTier-1s.Inaddition,wesortASesintofourclassesbasedonthenumberofdownstreamcustomerASes:stubsiftheyhave4orlessdownstreamASes,smallISPsiftheyhavebetween5and50downstreams,largeISPsiftheyhavemorethan50downstreams,andnallyTier-1ASes.TomeasurehowmuchanASlinkisused,wekeeptrackofthenumberofBGProutescarriedoneachASlink.Wecallthisnumberthelinkweight,aconceptborrowedfromourpreviouswork[16].Toavoidmeasurementbias,thelinkweightmeasurementonlyusesdatafromtheN'120mon-itorsinPublic-ViewthatprovidefullBGPtablesandresideindierentASes.Wedenotewji(t)thenumberofroutesofmonitorjthatuselinkiondayt,andwi(t)=1 NPjwji(t)theaverageweightoflinkioveralltheNmonitors.Wefur-thercomputeanexpectedweightofeachlinkovertimeusingaTCPRTTmeasurement-likesmoothedaverage:^wi(t)=0:8^wi(t�1)+0:2wi(t),andkeeptrackofthedierencebe-tweentheinstantaneouslinkweightondaytandtheex-pectedweightofeachlinki:
wi(t)=wi(t)�^wi(t).Asignicantdierencecanbeusedtotriggeralarms.Fur-thermore,wekeeptrackoftwodierentweightsdepending Figure3:AsnapshotofCyclopswebinterface:connectivityofAS174. Figure4:AS174connectivitychangesduringtheperiodof[5/23/08,5/29/08]. Figure5:SnapshotofCyclopsvisualizer.neighborASesarealsoremovedatthesametime,thenweseethatxishavingareducedconnectivitytotherestoftheInternet,andthatxcouldbethemajorfactorcausingthelinkremovals.AnotherfeatureofthevisualizeristhatitsactivitygraphshowstheaggregatedtopologicalchangeactivityoftheentireperiodstartingfromJanuary2004,providinganeasywayfortheusertovisuallyinspectanddetectanomalouseventsanddrilldownthedetails.TheCyclopsvisualizerconsistsofthreemainparts:topologygraph,activitygraph,andcontrolpanel.Wedescribeeachofthesepartsinthefollowingsections.3.5.1TopologyGraphThemaincomponentofthevisualizeristhetopologygraphcenteredattheCyclops'eyex,asshowninFigure5.Asinthewebinterface,thevisualizerhasaconnectivitymodeandachanges-onlymode,denedbythestartdatet0andenddatet1.Wheninconnectivitymode,allneighborsofxattimet1arerepresentedinthegraph,onenodeperAS(edgesinthegraphrepresentcommercialagreementsbetweenASes).Inchanges-onlymode,onlythelinkre-movalandadditionsthatoccurwithintheinterval[t0;t1]areshown.Wheninchanges-onlymode,wedenenewnodes(orASes)andnewlinksasthosenodes/linksappearingafterthestartdatet0andbeforetheenddatet1.Similarly,thedeadnodes/linksaredenedasnodes/linkswhichwerepresentatthestartdatet0butdisappearedbeforet1.Weusethecolorgreentomarkthebirthofnewnodes/links,redtodenotethedeathofnodes/links,bluetoindicatetheeyeoftheCy-clops,andorangeforallothernodes/links.Furthermore,toputtheimportanceofeachnode/linkinperspective,weusethefollowingparameters:ASdegree,AStype,ageoflinks,andnumberofroutescarriedbyeachlink.Tovisuallydif-ferentiatelargeISPsfromsmallones,wedrawthenodesizeproportionallytotheconnectivitydegreeoftheAS.Wealso Figure6:DetailofCyclopsvisualizer.usedierentvertexstrokestodenotetheAStype:thickcirclesforTier-1ASes,dottedcirclesfortransitnodes,andsolidcirclesforstubs.Theedgethicknessiseitherpropor-tionaltotheageofthelink(separatinglinksthathavebeenaroundforalongtimefromshort-livedones)ortothenum-berofroutesusingthatlink(separatinglinksthatcarryaheavynumberofroutesfromtheothers).Inaddition,eachlinkhasalabelthatdisplaysthelifetimeindays,aswellasthenumberofroutescarried.Foradeadlink,thenum-berofdayssinceitsdeathisalsoshowninparenthesesinthelabel.Forexample,inFigure6,AS11537connectedtoTier-1AS354994daysago(thisistheageofthelink).ItalsodepeeredwithAS11095(whichisnowdead)82daysagoandastubAS13998147daysago.Theageofthelinkbetween11537and13998was407days,justwhenthelinkwasremoved.Asnotedby[22],changesintheobservedtopologymaynotcorrespondtochangesintherealtopology,e.g.alink Figure7:Activitygraph.x�ymaytemporarilybedownformaintenance,eventhoughthecommercialagreementbetweenxandyisstillup.How-ever,wehavehighcondencetosayalinkisdeadifitdis-appearsanddoesnotreappearagainforasucientlylongtime.Inthetopologygraph,weusethetransparencyofeachlinktorepresenthowlikelyitisthatthelinkwasac-tuallyremovedfromthetopology.Thelesstransparentthelinksisthelesslikelyitcorrespondstoanactualtopologychange,i.e.theresultoftransientroutingdynamicsshouldberepresentedbymoretransparentlinks.Thecorrelationbetweendierentchangesisdonebyopen-ingonenodeaftertheother.Whenanodeisopen,itbe-comesanothereye,soallitsneighborsarealsodisplayed.SaywestartwithnodexastheeyeoftheCyclops,thenwendaninterestingdepeeringwithaneighbory.Wemightwanttoopenytoverifyifthedepeeringwaspartofaseriesofeventsinitiatedbyy.InSection4weshowhowCyclopscanbeusedtodothis.3.5.2ActivityGraphTheCyclopsactivitybarshowninFigure7isdesignedsothatuserscanhaveasummarizedviewof(de)peeringactiv-ityovertheentireobservationperiod,enablingthedetectionofanomalousevents.Thegreenpositivebarsinthegraphrepresentthenumberofnewlinksover7-daytimeslots,whiletheredbarsonthealternatesideofthetimeaxisrep-resentthenumberofdisappearedlinks.Theactivitygraphenablesuserstoidentifythetimeperiodswithanomalousnumberofchanges,andfurtherexaminethoseperiodsinmoredetail.Thesmallertimewindowinthegraph(repre-sentedinFigure7inadarkercolor)allowsuserstoselectaspecictimeintervaltovisualizeinthetopologygraph.Forinstance,inFigure7therearefournoticeablespikesofde-peerings,whichcanbefurtherinvestigatedbyslidingthesmallerwindowtotheappropriateevent.Sincethemag-nitudeofthesmallbarsintheactivitygraphmayvaryalot,andtoavoidonespecicperiodoverwhelmingtheoth-ers,wemakethescaleoftheY-axisadjustable.Therefore,whensettingthescale,allthebarswhichexceedthegivenvaluewillbesettothemaximumlengthintheplot,andthelengthofotherbarswillbescaledlinearlyrelativetothevalue.Thiscanhelpuserslteroutoutliersandobtainaclearerviewofusualactivity.3.5.3ControlPanelThevisualizercontrolpanelprovidesmultipleoptionstoletuserslterwhattheyareinterestedinvisualizing.Asalreadymentioned,userscanselectbetweenchanges-onlymodeandconnectivitymode.Inthechanges-onlymodeuserscanfocusonexaminingconnectivitychangesinaspe-cictimeinterval,andinconnectivitymodeusershaveavisualoftheentireconnectivityoftheCyclops'eyeatagiventime.Theinterfacealsoincludesseveraloutputl-ters,suchaslteringonlybirthordeath,separatingtransitnodesandstubs,andASdegreethreshold.Theseltersreducetheamountofinformationinthegraph,makingitmorereadable.3.6Comparisonofvisualizerandwebinter-faceThewebinterfaceandthevisualizerhavedierentfea-turesandtheirownadvantagesanddisadvantages.Apic-tureisworthathousandwords:thevisualizerisdesignedtosummarizeprimaryinformationintheconnectivitygraphandprovideaviewofthebigpicture.Thegraphicalinter-facemakeseasierthenavigationacrosstimeandlocationandenablestheidenticationofcorrelationsbetweenpeer-ingsandde-peerings.However,thevisualizerdoesnotscalewellwhenthenumberoflinksgoesabovethe2-digits,asthegraphbecomesunreadable.Thewebinterfaceovercomesthisproblembyprovidingaquickwayofgettingatext-formatorderedlistofneighborsandconnectivitychanges.Userscansortthelistinmultipledierentwaysaccordingtowhattheyareinterestedincapturing,e.g.shortlifetimes,highdegrees.Furthermore,byprovidingrawdataaccess,CyclopsenablesISPstoruntheirownscriptstocomparethePVwiththegroundtruth,andsignalalarmswhenap-propriate.4.CASESTUDIESInthissectionweshowhowtouseCyclopsinfourdierentcasestudies.WeextractthesecasesfromanomalouseventsseeninCyclopsinvolvinglargeISPsandcontentproviders.Afterdiscoveringanyanomalousevent,weeithercontactdirectlythenetworkoperatororsearchtheNANOGmailinglist[4]forfurtherverication.4.1GooglerouteleakageOurrstcasestudyinvolvesGoogle,whichiscurrentlyprobablythelargestcontentproviderintheInternet.Fig-ure9showstheactivitygraphforGoogle(AS15169)fromJanuary2004toOctober2007,whichisagoodstartingpointtodiscoveranomalousevents.Weobserveabigspike(bothpositiveandnegative)abitafterthehalfoftheperiod,thatrepresentsseveralpeeringsanddepeeringshappeningverycloseintime.Wedrilldowninthisperiodusingtheslid-ingtimewindowandstudytheASconnectivitychangesindetail.AsshowninFigure8(a),onJuly18th2006Googleestablishedconnectionswith36newneighborASes.How-ever,accordingtoFigure8(b),onthenextdayallthesenewlinksweredepeered,andthereforetheyhavealifetimeof0days(whichisshowninthelinklabels).Webelievethaton18July2006Googleaccidentallyleakedaseriesofpeerroutestoitsneighbors,howevertheproblemwaseasilyxed.RouteleakagesusuallyresultfromBGPmiscongu-rationsinrouters,whichstartannounceroutesthatshouldbeltered.Usuallytheendresultislossofreachabilitytothosedestinations.Notethatthiseventcouldhavealsobeendetectedjustbysortingthelifetimecolumninthewebin-terface,wherethe0lifetimeentrieswouldhavecausesomealarm.4.2YahoooutageOursecondcasestudyalsoinvolvesarouteleakage,thistimeaectingYahoo.Severalsites,includingYahoo(AS Figure9:TheactivityplotforGoogle. Figure10:ThetopologychangegraphforAS10310(Yahoo)on6July2007. Figure11:ThetopologychangegraphforAS9318on6July2007. (a)18July2006 (b)19July2006Figure8:ThetopologychangegraphforGoogleon18and19July2006.10310),wereunreachableonJuly6th2007.Usingthevi-sualizer,weexamineYahoo'sconnectivityaroundthattimeandcheckforanomalousevents.Figure10showsthatYa-hooaddedanewneighborAS9318onthatday,buttheneighborwasremovedwithinthesameday.Thisisusuallyasignofamisconguration.SincethereisnootherchangeinYahoo'sconnectivity,weopenasecondCyclops'eyeatAS9318andstartlookingforconnectivitychanges.Fig-ure11showsthechangesinvolvingAS9318onthatday,andwenotethatalllinksappearanddisappearwithinthesameday.WebelieveAS9318accidentallypropagatedsomeroutescomingfromYahootootherneighbors,andthereforesomepointsinthenetworkstoppedreachingYahoo'spre-xes.ThiswasfurtherconrmedbyanindependentanalysispostedinNANOGmailinglist.4.3CogentdepeeringsOurthirdcasestudyconcernsasetofdepeeringsmadebyCogent(AS174),asdescribedindetailin[23].Accord-ingto[23],duringApril2007CogentdepeeredseveralsmalleuropeanISPs.Figure12showsthedepeeringsofCogentduringMarchandApril2007ascapturedinCyclopsvisu-alizer.WeobservethatthedepeeringactivityinAprilwasmuchmoreintensethanthatinMarch.Theedgethicknessinthiscaseisproportionaltothelinkage,andfromthegraphwecanobservethatmostofthelinksinvolvedhaveaconsiderableage.WeveriedsomeASesthatwerere-portedby[23]tohavebeendepeered,andallofthemwereconrmedbyCyclops.InSeptember2007therewasan-otherdiscussionthreadontheNANOGmailinglistaboutwhetherCogentdepeeredwithLimelightNetworks,nLayerCommunications,andWVFiber.Severalpeopletriedtog-ureoutwhathappenedtoCogentbydierentmethods,suchastracerouteandlookingatRouteViewdata,buttheyob-taineddierentresults.Figure13showsthechangesinCo-gentconnectivityduringSeptember2007usingCyclopswebinterface.WecanseethatCogentdepeeredwithWVFiber(AS19151)on17SeptemberandLimelight(AS22822)on27September,butitdidnotdepeerwithnLayer.Theseob-servationsareconsistentwiththeconclusionoftheNANOGthreadlateron.4.4DepeeringsinQwestOurlastcasestudyusesthevisualizertocorrelatedier-entdepeeringevents.Figure14showsthatQwest(AS209)hadtwosignicantdepeeringswithAS6395andAS8075inApril2007.Inthisgure,thethicknessofedgesispropo-tionaltothenumberofroutescarriedbythelinks,andthe Figure14:CorrelatingdierentdepeeringsaectingQwestanditsneighborsinApril2007. (a)CogentdepeeringsinMarch2007. (b)CogentdepeeringsinApril2007.Figure12:ThetopologychangegraphforCogentinMarchandApril2007. Figure13:CogentdepeeringsinSeptember2007.edgelabelsindicatethelinkagesandthetimesincede-peeringindays.WeaddedAS8075andAS6395asextraCyclops'eyes,whichwerethetwomostsignicantdepeer-ingsofQwestatthattime.TheexpandedviewsshowthatthedepeeringbetweenQwestandAS6395ispartofasetofdepeeringsoriginatedfromAS6395somedaysbeforetheobservationtime(valueswithintheparenthesesinthela-bels).Ontheotherhand,thedepeeringbetweenQwestandAS8075seemstobepartofasetofindependentdepeeringsoriginatedfromAS8075.Fromthisanalysis,webelievethetwodepeeringswithQwestwerenotoriginatedfromQwestandarenotrelatedtoeachother.5.RELATEDWORKMostoftherecentworkinnetworkvisualizationhasfo-cusedontheanalysisofBGProutingdynamics[7,15].Thesevisualizationtoolshavebeenusedtodetectanddiag-noseroutingdisruptionsaectingagivendestinationprexorgroupofprexes.Dierentfromtheseexistingtools,CyclopsvisualizerfocusesonhighlightingASconnectivitychangessuchasnewpeeringsanddepeerings,andprovidesmeanstocorrelatetheseeventsamongdierentASes.TheCooperativeAssociationforInternetDataAnalysis (CAIDA)hasdesignedseveralvisualizationtoolsfortheIn-ternettopology[8].OneofthemisMapnet[11],whichdis-playstheinfrastructure(PoPlevel)ofmultipleU.S.back-boneprovidersoverageographicmap.Otter[12]isanothertoolsetwhichvisualizesawidevarietyofInternetdata,suchasmulticastandunicasttopologydatabases,coreBGProut-ingtables,andSNMPdata.HERMES[9]andVAST[20]alsoaimtovisualizetheASlevelconnectivity.HERMESallowsuserstoexploreandvisualizetheASinterconnec-tions,informationaboutASes,andtheBGProutingpoli-cies,whileVASTisa3-dimensionalgraphicaltoolthatpro-videsinformationaboutboththeoveralltopologicalproper-tiesoftheInternetaswellasindividualASbehavior.Fixe-dOrbit[1]providesawebinterfacetoobtainthelistingofneighborsofagivenAS.AlthoughtheabovementionedtoolsusevariousapproachestovisualizethestaticInternettopol-ogyproperties,noneofthemisabletodisplaythechangesintheconnectivity.Incontrast,CyclopsprovidesaviewofthetopologychangesandthedetailsoftheBGPmessagesusedtoinfereachchange.ThecomparisonbetweenPublic-ViewandgroundtruthenabledbyCyclopswaspartiallyexploredbyLadetal.[14]whenverifyingthelasthopAS.CyclopsprovidesamorecomprehensivevericationbyincludingallthelinksinalltheobservedASpaths,aswellastheBGPmessagesthatcanbeusedfortroubleshooting.6.CONCLUSIONANDFUTUREWORKInthispaperwepresentedCyclops,atoolsetthatdis-playsAS-levelconnectivityandchangesasinferredfromPublic-View.Fromaresearchstandpoint,CyclopsprovidesaninteractivedisplayofeachAS'sconnectivityandnavi-gationmechanismstoexaminethecorrelationofinter-ASlinkchanges,whichcanserveasanimportantinputtothestudyofAS-leveltopologymodels.Fromanoperationalstandpoint,CyclopsprovidesISPsaviewoftheirAScon-nectivityasseenfromtheBGProutingsystem,enablingacomparisonbetweentheobservedconnectivityandtheintendedconnectivity.ISPscanutilizethedataprovidedbyCyclopstodetectanddiagnoseBGPmiscongurations,routeleakagesorevenroutehijacks.TomakeCyclopsmoreuseful,wehavesketchedoutsev-eralsteps.First,falsedetectionsrequirethatASconnectiv-ityobservedfromtheBGProutingsystembeprovidedinrealtime.Duetothedelaysindatacollection,ourtopologydatabaseisupdatedonadailybasis.Ourverynextstepistoin-tegrateCyclopswithBGPMon[19],anewlydevelopedrealtimeBGPdatacollectionsystemwhichcanprovideCyclopswithrealtimeBGPfeeds.Wealsoplantoexplorethepos-sibilitytomakeCyclopsgeneratealarmsforsuspiciousASconnectivitychangesbasedonmultiplecriteriasuchaslinklifetimeandlinkweightdierences.Weenvisionasubscribersystem,whereeachASownerisnotiedwithanalarmonalinkwiththeASasoneendistriggered,e.g.ifoneormultiplenewlinksinvolvingtheASsuddenlyoccur.WearealsoaddingtoCyclopsinformationaboutgeo-graphicallocationofPoPswhereeachAShasapresence,andinformationaboutwhichprexesareannouncedatwhichPoP.GoingbeyondtheconceptoftreatingeachASasanatomisanessentialsteptowardsunderstandingtheinternalstructureofeachAS.7.REFERENCES[1]Fixedorbitwebsite.http://www.xedorbit.com.[2]IrlinternetTopologyCollection.Availablefrom:http://irl.cs.ucla.edu/topology/.[3]LookingGlassSite.http://www.nanog.org/lookingglass.html.[4]Nanogwebsite.http://www.nanog.org.[5]RIPERoutingInformationServiceProject.http://www.ripe.net/.[6]RouteViewsRoutingTableArchive.http://www.routeviews.org/.[7]G.D.Battista,F.Mariani,M.Patrignani,,andM.Pizzonia.BGPlay:Asystemforvisualizingtheinterdomainroutingevolution.InGraphDrawing,volume2912ofLectureNotesComputerScience,pages295{306,2003.[8]CAIDA.CAIDAVisualizationTools.Availablefrom:http://www.caida.org/tools/visualization/.[9]A.Carmignani,G.D.Battista,W.Didimo,F.Matera,andM.Pizzonia.VisualizationoftheHighLevelStructureoftheInternetwithHermes,2002.[10]H.Chang,S.Jamin,andW.Willinger.InferringAS-levelInternettopologyfromrouter-levelpathtraces.InSPIEITCom,2001.[11]K.ClayandB.Huaker.MacroscopicInternetVisualizationandMeasurement.Availablefrom:http://www.caida.org/tools/visualization/mapnet/.[12]B.Huaker,E.Nemeth,andK.Clay.Otter:AGeneral-purposeNetworkVisualizationTool,inINET1999.Availablefrom:http://www.caida.org/tools/visualization/otter/.[13]Y.Hyun,A.Broido,andkcclay.Onthird-partyaddressesintraceroutepaths.InProc.ofPassiveandActiveMeasurementWorkshop(PAM),2003.[14]M.Lad,D.Massey,D.Pei,Y.Wu,B.Zhang,andL.Zhang.PHAS:Aprexhijackalertsystem.In15thUSENIXSecuritySymposium,2006.[15]M.Lad,D.Massey,andL.Zhang.VisualizingInternetRoutingChanges.IEEETransactionsonVisualizationandComputerGraphics,2006.[16]M.Lad,R.Oliveira,D.Massey,andL.Zhang.InferringtheOriginofRoutingChangesusingLinkWeights.InProc.IEEEICNP,2007.[17]J.Madaadhain,D.Fisher,P.Smyth,S.White,andY.-B.Boey.AnalaysisandvisualizaitonofnetworkdatausingJUNG.InJournalofStatisticalSoftware,toappear.[18]Z.M.Mao,J.Rexford,J.Wang,andR.H.Katz.TowardsanaccurateAS-leveltraceroutetool.InProc.ofACMSIGCOMM,2003.[19]D.Matthews,Y.Chen,H.Yan,andD.Massey.BGPMonitoringSystem.Availablefrom:http://bgpmon.netsec.colostate.edu/.[20]J.Oberheide,M.Karir,andD.Blazakis.VAST:VisualizingAutonomousSystemTopology.InVizSEC'06:Proceedingsofthe3rdinternationalworkshoponVisualizationforcomputersecurity,pages71{80,NewYork,NY,USA,2006.ACMPress.[21]R.Oliveira,D.Pei,W.Willinger,B.Zhang,andL.Zhang.InSearchoftheelusiveGroundTruth:TheInternet'sAS-levelConnectivityStructure.InProc.ACMSigmetrics,2008.[22]R.Oliveira,B.Zhang,andL.Zhang.ObservingtheEvolutionofInternetASTopology.InACMSIGCOMM,2007.[23]T.Underwood.RenesysBlog.Availablefrom:http://www.renesys.com/blog/2007/04/rough_day_at_cogent_part_1_cog.shtml.[24]B.Zhang,R.Liu,D.Massey,andL.Zhang.CollectingtheInternetAs-levelTopology.SIGCOMMComput.Commun.Rev.,35(1):53{61,2005.