D3
Internet Architecture

Aniss Maghsoudlou

Address
Max-Planck-Institut für Informatik
Saarland Informatics Campus
Campus E1 4
66123 Saarbrücken
Location
E1 4 - 513
Phone
+49 681 9325 3518
Fax
+49 681 9325 3599

Personal Information

Aniss is a PhD student in the Internet Architecture group at the Max Planck Institute for Informatics. She has worked on several network measurement projects that investigate what Internet traffic really looks like and aim to simplify the management of large-scale traffic at ISPs and IXPs. Her Master's thesis at Sharif University of Technology was on software-defined WLANs.

Publications

2023
Maghsoudlou, A., Vermeulen, L., Poese, I., & Gasser, O. (2023). Characterizing the VPN Ecosystem in the Wild. In Passive and Active Measurement (PAM 2023). Virtual Event: Springer. doi:10.1007/978-3-031-28486-1_2
Export
BibTeX
@inproceedings{Maghsoudlou_PAM23, TITLE = {Characterizing the {VPN} Ecosystem in the Wild}, AUTHOR = {Maghsoudlou, Aniss and Vermeulen, Lukas and Poese, Ingmar and Gasser, Oliver}, LANGUAGE = {eng}, ISBN = {978-3-031-28485-4}, DOI = {10.1007/978-3-031-28486-1_2}, PUBLISHER = {Springer}, YEAR = {2023}, MARGINALMARK = {$\bullet$}, DATE = {2023}, BOOKTITLE = {Passive and Active Measurement (PAM 2023)}, EDITOR = {Brunstrom, Anna and Flores, Marcel and Fiore, Marco}, PAGES = {18--45}, SERIES = {Lecture Notes in Computer Science}, VOLUME = {13882}, ADDRESS = {Virtual Event}, }
Endnote
%0 Conference Proceedings %A Maghsoudlou, Aniss %A Vermeulen, Lukas %A Poese, Ingmar %A Gasser, Oliver %+ Internet Architecture, MPI for Informatics, Max Planck Society External Organizations External Organizations Internet Architecture, MPI for Informatics, Max Planck Society %T Characterizing the VPN Ecosystem in the Wild : %G eng %U http://hdl.handle.net/21.11116/0000-000C-CC64-E %R 10.1007/978-3-031-28486-1_2 %D 2023 %B 24th International Conference on Passive and Active Measurement %Z date of event: 2023-03-21 - 2023-03-23 %C Virtual Event %B Passive and Active Measurement %E Brunstrom, Anna; Flores, Marcel; Fiore, Marco %P 18 - 45 %I Springer %@ 978-3-031-28485-4 %B Lecture Notes in Computer Science %N 13882 %U https://rdcu.be/c70VW
2022
Maghsoudlou, A., Gasser, O., Poese, I., & Feldmann, A. (2022). FlowDNS: Correlating Netflow and DNS Streams at Scale. In CoNEXT ’22, 18th International Conference on Emerging Networking Experiments And Technologies. Roma, Italy: ACM. doi:10.1145/3555050.3569135
Export
BibTeX
@inproceedings{Maghsoudlou_CoNEXT2022, TITLE = {{FlowDNS}: {C}orrelating netflow and {DNS} streams at scale}, AUTHOR = {Maghsoudlou, Aniss and Gasser, Oliver and Poese, Ingmar and Feldmann, Anja}, LANGUAGE = {eng}, ISBN = {978-1-4503-9508-3}, DOI = {10.1145/3555050.3569135}, PUBLISHER = {ACM}, YEAR = {2022}, MARGINALMARK = {$\bullet$}, BOOKTITLE = {CoNEXT '22, 18th International Conference on Emerging Networking Experiments And Technologies}, EDITOR = {Bianchi, Guiseppe and Mei, Alessandro}, PAGES = {187--195}, ADDRESS = {Roma, Italy}, }
Endnote
%0 Conference Proceedings %A Maghsoudlou, Aniss %A Gasser, Oliver %A Poese, Ingmar %A Feldmann, Anja %+ Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society External Organizations Internet Architecture, MPI for Informatics, Max Planck Society %T FlowDNS: Correlating Netflow and DNS Streams at Scale : %G eng %U http://hdl.handle.net/21.11116/0000-000C-179B-C %R 10.1145/3555050.3569135 %D 2022 %B 18th International Conference on Emerging Networking Experiments And Technologies %Z date of event: 2022-12-06 - 2022-12-09 %C Roma, Italy %B CoNEXT '22 %E Bianchi, Guiseppe; Mei, Alessandro %P 187 - 195 %I ACM %@ 978-1-4503-9508-3
2021
Maghsoudlou, A., Gasser, O., & Feldmann, A. (2021a). Zeroing in on Port 0 Traffic in the Wild. In Passive and Active Measurement (PAM 2021). Virtual Event: Springer. doi:10.1007/978-3-030-72582-2_32
Export
BibTeX
@inproceedings{Maghsoudlou_PAM21, TITLE = {Zeroing in on Port 0 Traffic in the Wild}, AUTHOR = {Maghsoudlou, Aniss and Gasser, Oliver and Feldmann, Anja}, LANGUAGE = {eng}, ISBN = {978-3-030-72581-5}, DOI = {10.1007/978-3-030-72582-2_32}, PUBLISHER = {Springer}, YEAR = {2021}, MARGINALMARK = {$\bullet$}, DATE = {2021}, BOOKTITLE = {Passive and Active Measurement (PAM 2021)}, EDITOR = {Hohlfeld, Oliver and Lutu, Andra and Levin, Dave}, PAGES = {547--563}, SERIES = {Lecture Notes in Computer Science}, VOLUME = {12671}, ADDRESS = {Virtual Event}, }
Endnote
%0 Conference Proceedings %A Maghsoudlou, Aniss %A Gasser, Oliver %A Feldmann, Anja %+ Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society %T Zeroing in on Port 0 Traffic in the Wild : %G eng %U http://hdl.handle.net/21.11116/0000-0008-4577-5 %R 10.1007/978-3-030-72582-2_32 %D 2021 %B 22nd International Passive and Active Measurement Conference %Z date of event: 2021-03-29 - 2021-04-01 %C Virtual Event %B Passive and Active Measurement %E Hohlfeld, Oliver; Lutu, Andra; Levin, Dave %P 547 - 563 %I Springer %@ 978-3-030-72581-5 %B Lecture Notes in Computer Science %N 12671
Maghsoudlou, A., Gasser, O., & Feldmann, A. (2021b). Zeroing in on Port 0 Traffic in the Wild. Retrieved from https://arxiv.org/abs/2103.13055
(arXiv: 2103.13055)
Abstract
Internet services leverage transport protocol port numbers to specify the source and destination application layer protocols. While using port 0 is not allowed in most transport protocols, we see a non-negligible share of traffic using port 0 in the Internet. In this study, we dissect port 0 traffic to infer its possible origins and causes using five complementing flow-level and packet-level datasets. We observe 73 GB of port 0 traffic in one week of IXP traffic, most of which we identify as an artifact of packet fragmentation. In our packet-level datasets, most traffic is originated from a small number of hosts and while most of the packets have no payload, a major fraction of packets containing payload belong to the BitTorrent protocol. Moreover, we find unique traffic patterns commonly seen in scanning. In addition to analyzing passive traces, we also conduct an active measurement campaign to study how different networks react to port 0 traffic. We find an unexpectedly high response rate for TCP port 0 probes in IPv4, with very low response rates with other protocol types. Finally, we will be running continuous port 0 measurements and providing the results to the measurement community.
Export
BibTeX
@online{Maghsoudlou_2103.13055, TITLE = {Zeroing in on Port 0 Traffic in the Wild}, AUTHOR = {Maghsoudlou, Aniss and Gasser, Oliver and Feldmann, Anja}, LANGUAGE = {eng}, URL = {https://arxiv.org/abs/2103.13055}, EPRINT = {2103.13055}, EPRINTTYPE = {arXiv}, YEAR = {2021}, MARGINALMARK = {$\bullet$}, ABSTRACT = {Internet services leverage transport protocol port numbers to specify the source and destination application layer protocols. While using port 0 is not allowed in most transport protocols, we see a non-negligible share of traffic using port 0 in the Internet. In this study, we dissect port 0 traffic to infer its possible origins and causes using five complementing flow-level and packet-level datasets. We observe 73 GB of port 0 traffic in one week of IXP traffic, most of which we identify as an artifact of packet fragmentation. In our packet-level datasets, most traffic is originated from a small number of hosts and while most of the packets have no payload, a major fraction of packets containing payload belong to the BitTorrent protocol. Moreover, we find unique traffic patterns commonly seen in scanning. In addition to analyzing passive traces, we also conduct an active measurement campaign to study how different networks react to port 0 traffic. We find an unexpectedly high response rate for TCP port 0 probes in IPv4, with very low response rates with other protocol types. Finally, we will be running continuous port 0 measurements and providing the results to the measurement community.}, }
Endnote
%0 Report %A Maghsoudlou, Aniss %A Gasser, Oliver %A Feldmann, Anja %+ Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society %T Zeroing in on Port 0 Traffic in the Wild : %G eng %U http://hdl.handle.net/21.11116/0000-0009-7436-8 %U https://arxiv.org/abs/2103.13055 %D 2021 %X Internet services leverage transport protocol port numbers to specify the source and destination application layer protocols. While using port 0 is not allowed in most transport protocols, we see a non-negligible share of traffic using port 0 in the Internet. In this study, we dissect port 0 traffic to infer its possible origins and causes using five complementing flow-level and packet-level datasets. We observe 73 GB of port 0 traffic in one week of IXP traffic, most of which we identify as an artifact of packet fragmentation. In our packet-level datasets, most traffic is originated from a small number of hosts and while most of the packets have no payload, a major fraction of packets containing payload belong to the BitTorrent protocol. Moreover, we find unique traffic patterns commonly seen in scanning. In addition to analyzing passive traces, we also conduct an active measurement campaign to study how different networks react to port 0 traffic. We find an unexpectedly high response rate for TCP port 0 probes in IPv4, with very low response rates with other protocol types. Finally, we will be running continuous port 0 measurements and providing the results to the measurement community. %K Computer Science, Networking and Internet Architecture, cs.NI
2020
Saidi, S. J., Maghsoudlou, A., Foucard, D., Smaragdakis, G., Poese, I., & Feldmann, A. (2020a). Exploring Network-Wide Flow Data with Flowyager. IEEE Transactions on Network and Service Management, 17(4). doi:10.1109/TNSM.2020.3034278
Export
BibTeX
@article{Saidi_10.1109/TNSM.2020.3034278, TITLE = {Exploring Network-Wide Flow Data with {Flowyager}}, AUTHOR = {Saidi, Said Jawad and Maghsoudlou, Aniss and Foucard, Damien and Smaragdakis, Georgios and Poese, Ingmar and Feldmann, Anja}, LANGUAGE = {eng}, ISSN = {1932-4537}, DOI = {10.1109/TNSM.2020.3034278}, PUBLISHER = {IEEE}, ADDRESS = {Piscataway, NJ}, YEAR = {2020}, DATE = {2020}, JOURNAL = {IEEE Transactions on Network and Service Management}, VOLUME = {17}, NUMBER = {4}, PAGES = {1988--2006}, }
Endnote
%0 Journal Article %A Saidi, Said Jawad %A Maghsoudlou, Aniss %A Foucard, Damien %A Smaragdakis, Georgios %A Poese, Ingmar %A Feldmann, Anja %+ Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society External Organizations Internet Architecture, MPI for Informatics, Max Planck Society External Organizations Internet Architecture, MPI for Informatics, Max Planck Society %T Exploring Network-Wide Flow Data with Flowyager : %G eng %U http://hdl.handle.net/21.11116/0000-0007-7295-0 %R 10.1109/TNSM.2020.3034278 %7 2020 %D 2020 %J IEEE Transactions on Network and Service Management %V 17 %N 4 %& 1988 %P 1988 - 2006 %I IEEE %C Piscataway, NJ %@ false
Saidi, S. J., Maghsoudlou, A., Foucard, D., Smaragdakis, G., Poese, I., & Feldmann, A. (2020b). Exploring Network-Wide Flow Data with Flowyager. Retrieved from https://arxiv.org/abs/2010.13120
(arXiv: 2010.13120)
Abstract
Many network operations, ranging from attack investigation and mitigation to traffic management, require answering network-wide flow queries in seconds. Although flow records are collected at each router, using available traffic capture utilities, querying the resulting datasets from hundreds of routers across sites and over time, remains a significant challenge due to the sheer traffic volume and distributed nature of flow records. In this paper, we investigate how to improve the response time for a priori unknown network-wide queries. We present Flowyager, a system that is built on top of existing traffic capture utilities. Flowyager generates and analyzes tree data structures, that we call Flowtrees, which are succinct summaries of the raw flow data available by capture utilities. Flowtrees are self-adjusted data structures that drastically reduce space and transfer requirements, by 75% to 95%, compared to raw flow records. Flowyager manages the storage and transfers of Flowtrees, supports Flowtree operators, and provides a structured query language for answering flow queries across sites and time periods. By deploying a Flowyager prototype at both a large Internet Exchange Point and a Tier-1 Internet Service Provider, we showcase its capabilities for networks with hundreds of router interfaces. Our results show that the query response time can be reduced by an order of magnitude when compared with alternative data analytics platforms. Thus, Flowyager enables interactive network-wide queries and offers unprecedented drill-down capabilities to, e.g., identify DDoS culprits, pinpoint the involved sites, and determine the length of the attack.
Export
BibTeX
@online{Saidi_arXiv2010.13120, TITLE = {Exploring Network-Wide Flow Data with Flowyager}, AUTHOR = {Saidi, Said Jawad and Maghsoudlou, Aniss and Foucard, Damien and Smaragdakis, Georgios and Poese, Ingmar and Feldmann, Anja}, LANGUAGE = {eng}, URL = {https://arxiv.org/abs/2010.13120}, EPRINT = {2010.13120}, EPRINTTYPE = {arXiv}, YEAR = {2020}, ABSTRACT = {Many network operations, ranging from attack investigation and mitigation to traffic management, require answering network-wide flow queries in seconds. Although flow records are collected at each router, using available traffic capture utilities, querying the resulting datasets from hundreds of routers across sites and over time, remains a significant challenge due to the sheer traffic volume and distributed nature of flow records. In this paper, we investigate how to improve the response time for a priori unknown network-wide queries. We present Flowyager, a system that is built on top of existing traffic capture utilities. Flowyager generates and analyzes tree data structures, that we call Flowtrees, which are succinct summaries of the raw flow data available by capture utilities. Flowtrees are self-adjusted data structures that drastically reduce space and transfer requirements, by 75% to 95%, compared to raw flow records. Flowyager manages the storage and transfers of Flowtrees, supports Flowtree operators, and provides a structured query language for answering flow queries across sites and time periods. By deploying a Flowyager prototype at both a large Internet Exchange Point and a Tier-1 Internet Service Provider, we showcase its capabilities for networks with hundreds of router interfaces. Our results show that the query response time can be reduced by an order of magnitude when compared with alternative data analytics platforms. Thus, Flowyager enables interactive network-wide queries and offers unprecedented drill-down capabilities to, e.g., identify DDoS culprits, pinpoint the involved sites, and determine the length of the attack.}, }
Endnote
%0 Report %A Saidi, Said Jawad %A Maghsoudlou, Aniss %A Foucard, Damien %A Smaragdakis, Georgios %A Poese, Ingmar %A Feldmann, Anja %+ Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society External Organizations Internet Architecture, MPI for Informatics, Max Planck Society External Organizations Internet Architecture, MPI for Informatics, Max Planck Society %T Exploring Network-Wide Flow Data with Flowyager : %G eng %U http://hdl.handle.net/21.11116/0000-0007-8562-4 %U https://arxiv.org/abs/2010.13120 %D 2020 %X Many network operations, ranging from attack investigation and mitigation to traffic management, require answering network-wide flow queries in seconds. Although flow records are collected at each router, using available traffic capture utilities, querying the resulting datasets from hundreds of routers across sites and over time, remains a significant challenge due to the sheer traffic volume and distributed nature of flow records. In this paper, we investigate how to improve the response time for a priori unknown network-wide queries. We present Flowyager, a system that is built on top of existing traffic capture utilities. Flowyager generates and analyzes tree data structures, that we call Flowtrees, which are succinct summaries of the raw flow data available by capture utilities. Flowtrees are self-adjusted data structures that drastically reduce space and transfer requirements, by 75% to 95%, compared to raw flow records. Flowyager manages the storage and transfers of Flowtrees, supports Flowtree operators, and provides a structured query language for answering flow queries across sites and time periods. By deploying a Flowyager prototype at both a large Internet Exchange Point and a Tier-1 Internet Service Provider, we showcase its capabilities for networks with hundreds of router interfaces. Our results show that the query response time can be reduced by an order of magnitude when compared with alternative data analytics platforms. Thus, Flowyager enables interactive network-wide queries and offers unprecedented drill-down capabilities to, e.g., identify DDoS culprits, pinpoint the involved sites, and determine the length of the attack. %K Computer Science, Networking and Internet Architecture, cs.NI
Maghsoudlou, A., Gasser, O., & Feldmann, A. (2020). Reserved: Dissecting Internet Traffic on Port 0. In Extended abstract of a poster presented at Passive and Active Measurement Conference (PAM) 2020. Virtual Conference. Retrieved from http://arxiv.org/abs/2004.03653
(arXiv: 2004.03653)
Abstract
Transport protocols use port numbers to allow connection multiplexing on Internet hosts. TCP as well as UDP, the two most widely used transport protocols, have limitations on what constitutes a valid and invalid port number. One example of an invalid port number for these protocols is port 0. In this work, we present preliminary results from analyzing port 0 traffic at a large European IXP. In one week of traffic we find 74GB port 0 traffic. The vast majority of this traffic has both source and destination ports set to 0, suggesting scanning or reconnaissance as its root cause. Our analysis also shows that more than half of all port 0 traffic is targeted to just 18 ASes, whereas more than half of all traffic is originated by about 100 ASes, suggesting a more diverse set of source ASes.
Export
BibTeX
@inproceedings{Maghsoudlou_PAM2020, TITLE = {Reserved: {D}issecting Internet Traffic on Port 0}, AUTHOR = {Maghsoudlou, Aniss and Gasser, Oliver and Feldmann, Anja}, LANGUAGE = {eng}, URL = {http://arxiv.org/abs/2004.03653}, EPRINT = {2004.03653}, EPRINTTYPE = {arXiv}, YEAR = {2020}, ABSTRACT = {Transport protocols use port numbers to allow connection multiplexing on Internet hosts. TCP as well as UDP, the two most widely used transport protocols, have limitations on what constitutes a valid and invalid port number. One example of an invalid port number for these protocols is port 0. In this work, we present preliminary results from analyzing port 0 traffic at a large European IXP. In one week of traffic we find 74GB port 0 traffic. The vast majority of this traffic has both source and destination ports set to 0, suggesting scanning or reconnaissance as its root cause. Our analysis also shows that more than half of all port 0 traffic is targeted to just 18 ASes, whereas more than half of all traffic is originated by about 100 ASes, suggesting a more diverse set of source ASes.}, BOOKTITLE = {Extended abstract of a poster presented at Passive and Active Measurement Conference (PAM) 2020}, ADDRESS = {Virtual Conference}, }
Endnote
%0 Conference Proceedings %A Maghsoudlou, Aniss %A Gasser, Oliver %A Feldmann, Anja %+ Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society Internet Architecture, MPI for Informatics, Max Planck Society %T Reserved: Dissecting Internet Traffic on Port 0 : %G eng %U http://hdl.handle.net/21.11116/0000-0006-0D13-7 %U http://arxiv.org/abs/2004.03653 %D 2020 %B The Passive and Active Measurement Conference %Z date of event: 2020-03-30 - 2020-03-31 %C Virtual Conference %X Transport protocols use port numbers to allow connection multiplexing on Internet hosts. TCP as well as UDP, the two most widely used transport protocols, have limitations on what constitutes a valid and invalid port number. One example of an invalid port number for these protocols is port 0. In this work, we present preliminary results from analyzing port 0 traffic at a large European IXP. In one week of traffic we find 74GB port 0 traffic. The vast majority of this traffic has both source and destination ports set to 0, suggesting scanning or reconnaissance as its root cause. Our analysis also shows that more than half of all port 0 traffic is targeted to just 18 ASes, whereas more than half of all traffic is originated by about 100 ASes, suggesting a more diverse set of source ASes. %K Computer Science, Networking and Internet Architecture, cs.NI %B Extended abstract of a poster presented at Passive and Active Measurement Conference (PAM) 2020

Research Interests

  • Network Measurement
  • Software-defined Networking
  • Wireless Networks

Teaching

  • Data Networks (Tutor/Teaching Assistant): Winter 2018, Summer 2020, MPI/UdS
  • Computer Networks Laboratory (Tutor), Winter 2015, Sharif University of Technology

Recent Positions

July 2018 - present:
Research Assistant, Max Planck Institute for Informatics

April 2018 - June 2018:
Research Assistant, Technische Universität Berlin

Education

July 2018 - present:
Ph.D. student in Computer Science at the Universität des Saarlandes, Saarbrücken, Germany, and the Max-Planck-Institut für Informatik

September 2014 - January 2017:
M.Sc. in Information Technology at Sharif University of Technology, Iran.

September 2010 - August 2014:
B.Sc. in Information Technology Engineering at Tehran University, Iran.