Publications

DNS is one of the cornerstones of the Internet. Nowadays, a substantial
fraction of DNS queries are handled by public resolvers (e.g., Google Public
DNS and Cisco's OpenDNS) rather than ISP nameservers. This behavior makes it
difficult for authoritative nameservers to provide answers based on the
requesting resolver. The impact is especially important for entities that make
client origin inferences to perform DNS-based load balancing (e.g., CDNS). The
EDNS0 Client Subnet (ECS) option adds the client's IP prefix to DNS queries,
which allows authoritative nameservers to provide prefix-based responses. In
this study, we introduce a new method for conducting ECS scans, which provides
insights into ECS behavior and significantly reduces the required number of
queries by up to 97% compared to state-of-the-art techniques. Our approach is
also the first to facilitate ECS scans for IPv6. We conduct a comprehensive
evaluation of the ECS landscape, examining the usage and implementation of ECS
across various services. Overall, 53% of all nameservers support prefix-based
responses. Furthermore, we find that Google nameservers do not comply with the
Google Public DNS guidelines. Lastly, we plan to make our tool, and data
publicly available to foster further research in the area.

Happy Eyeballs (HE) started out by describing a mechanism that prefers IPv6
connections while ensuring a fast fallback to IPv4 when IPv6 fails. The IETF is
currently working on the third version of HE. While the standards include
recommendations for HE parameters choices, it is up to the client and OS to
implement HE. In this paper we investigate the state of HE in various clients,
particularly web browsers and recursive resolvers. We introduce a framework to
analyze and measure client's HE implementations and parameter choices.
According to our evaluation, only Safari supports all HE features. Safari is
also the only client implementation in our study that uses a dynamic IPv4
connection attempt delay, a resolution delay, and interlaces addresses. We
further show that problems with the DNS A record lookup can even delay and
interrupt the network connectivity despite a fully functional IPv6 setup with
Chrome and Firefox. We publish our testbed measurement framework and a
web-based tool to test HE properties on arbitrary browsers.

QAnon is a far-right conspiracy theory that became popular and mainstream
over the past few years. Worryingly, the QAnon conspiracy theory has
implications in the real world, with supporters of the theory participating in
real-world violent acts like the US capitol attack in 2021. At the same time,
the QAnon theory started evolving into a global phenomenon by attracting
followers across the globe and, in particular, in Europe. Therefore, it is
imperative to understand how the QAnon theory became a worldwide phenomenon and
how this dissemination has been happening in the online space. This paper
performs a large-scale data analysis of QAnon through Telegram by collecting
4.5M messages posted in 161 QAnon groups/channels. Using Google's Perspective
API, we analyze the toxicity of QAnon content across languages and over time.
Also, using a BERT-based topic modeling approach, we analyze the QAnon
discourse across multiple languages. Among other things, we find that the
German language is prevalent in QAnon groups/channels on Telegram, even
overshadowing English after 2020. Also, we find that content posted in German
and Portuguese tends to be more toxic compared to English. Our topic modeling
indicates that QAnon supporters discuss various topics of interest within
far-right movements, including world politics, conspiracy theories, COVID-19,
and the anti-vaccination movement. Taken all together, we perform the first
multilingual study on QAnon through Telegram and paint a nuanced overview of
the globalization of the QAnon theory.

The spread of hate speech and hateful imagery on the Web is a significant
problem that needs to be mitigated to improve our Web experience. This work
contributes to research efforts to detect and understand hateful content on the
Web by undertaking a multimodal analysis of Antisemitism and Islamophobia on
4chan's /pol/ using OpenAI's CLIP. This large pre-trained model uses the
Contrastive Learning paradigm. We devise a methodology to identify a set of
Antisemitic and Islamophobic hateful textual phrases using Google's Perspective
API and manual annotations. Then, we use OpenAI's CLIP to identify images that
are highly similar to our Antisemitic/Islamophobic textual phrases. By running
our methodology on a dataset that includes 66M posts and 5.8M images shared on
4chan's /pol/ for 18 months, we detect 573,513 posts containing 92K
Antisemitic/Islamophobic images and 246K posts that include 420 hateful
phrases. Among other things, we find that we can use OpenAI's CLIP model to
detect hateful content with an accuracy score of 0.84 (F1 score = 0.58). Also,
we find that Antisemitic/Islamophobic imagery is shared in 2x more posts on
4chan's /pol/ compared to Antisemitic/Islamophobic textual phrases,
highlighting the need to design more tools for detecting hateful imagery.
Finally, we make publicly available a dataset of 420 Antisemitic/Islamophobic
phrases and 92K images that can assist researchers in further understanding
Antisemitism/Islamophobia and developing more accurate hate speech detection
models.

During the COVID-19 pandemic, health-related misinformation and harmful



content shared online had a significant adverse effect on society. To mitigate



this adverse effect, mainstream social media platforms employed soft moderation



interventions (i.e., warning labels) on potentially harmful posts. Despite the



recent popularity of these moderation interventions, we lack empirical analyses



aiming to uncover how these warning labels are used in the wild, particularly



during challenging times like the COVID-19 pandemic. In this work, we analyze



the use of warning labels on TikTok, focusing on COVID-19 videos. First, we



construct a set of 26 COVID-19 related hashtags, then we collect 41K videos



that include those hashtags in their description. Second, we perform a



quantitative analysis on the entire dataset to understand the use of warning



labels on TikTok. Then, we perform an in-depth qualitative study, using



thematic analysis, on 222 COVID-19 related videos to assess the content and the



connection between the content and the warning labels. Our analysis shows that



TikTok broadly applies warning labels on TikTok videos, likely based on



hashtags included in the description. More worrying is the addition of COVID-19



warning labels on videos where their actual content is not related to COVID-19



(23% of the cases in a sample of 143 English videos that are not related to



COVID-19). Finally, our qualitative analysis on a sample of 222 videos shows



that 7.7% of the videos share misinformation/harmful content and do not include



warning labels, 37.3% share benign information and include warning labels, and



that 35% of the videos that share misinformation/harmful content (and need a



warning label) are made for fun. Our study demonstrates the need to develop



more accurate and precise soft moderation systems, especially on a platform



like TikTok that is extremely popular among people of younger age.

Multipath TCP (MPTCP) extends traditional TCP to enable simultaneous use of
multiple connection endpoints at the source and destination. MPTCP has been
under active development since its standardization in 2013, and more recently
in February 2020, MPTCP was upstreamed to the Linux kernel. In this paper, we
provide an in-depth analysis of MPTCPv0 in the Internet and the first analysis
of MPTCPv1 to date. We probe the entire IPv4 address space and an IPv6 hitlist
to detect MPTCP-enabled systems operational on port 80 and 443. Our scans
reveal a steady increase in MPTCPv0-capable IPs, reaching 13k+ on IPv4
(2$\times$ increase in one year) and 1k on IPv6 (40$\times$ increase). MPTCPv1
deployment is comparatively low with $\approx$100 supporting hosts in IPv4 and
IPv6, most of which belong to Apple. We also discover a substantial share of
seemingly MPTCP-capable hosts, an artifact of middleboxes mirroring TCP
options. We conduct targeted HTTP(S) measurements towards select hosts and find
that middleboxes can aggressively impact the perceived quality of applications
utilizing MPTCP. Finally, we analyze two complementary traffic traces from
CAIDA and MAWI to shed light on the real-world usage of MPTCP. We find that
while MPTCP usage has increased by a factor of 20 over the past few years, its
traffic share is still quite low.

In this paper, we show that adoption of the SNMPv3 network management
protocol standard offers a unique -- but likely unintended -- opportunity for
remotely fingerprinting network infrastructure in the wild. Specifically, by
sending unsolicited and unauthenticated SNMPv3 requests, we obtain detailed
information about the configuration and status of network devices including
vendor, uptime, and the number of restarts. More importantly, the reply
contains a persistent and strong identifier that allows for lightweight
Internet-scale alias resolution and dual-stack association. By launching active
Internet-wide SNMPv3 scan campaigns, we show that our technique can fingerprint
more than 4.6 million devices of which around 350k are network routers. Not
only is our technique lightweight and accurate, it is complementary to existing
alias resolution, dual-stack inference, and device fingerprinting approaches.
Our analysis not only provides fresh insights into the router deployment
strategies of network operators worldwide, but also highlights potential
vulnerabilities of SNMPv3 as currently deployed.

Parler is as an "alternative" social network promoting itself as a service
that allows to "speak freely and express yourself openly, without fear of being
deplatformed for your views." Because of this promise, the platform become
popular among users who were suspended on mainstream social networks for
violating their terms of service, as well as those fearing censorship. In
particular, the service was endorsed by several conservative public figures,
encouraging people to migrate from traditional social networks. After the
storming of the US Capitol on January 6, 2021, Parler has been progressively
deplatformed, as its app was removed from Apple/Google Play stores and the
website taken down by the hosting provider.
This paper presents a dataset of 183M Parler posts made by 4M users between
August 2018 and January 2021, as well as metadata from 13.25M user profiles. We
also present a basic characterization of the dataset, which shows that the
platform has witnessed large influxes of new users after being endorsed by
popular figures, as well as a reaction to the 2020 US Presidential Election. We
also show that discussion on the platform is dominated by conservative topics,
President Trump, as well as conspiracy theories like QAnon.

We study efficiency in a proof-of-work blockchain with non-zero latencies,
focusing in particular on the (inequality in) individual miners' efficiencies.
Prior work attributed differences in miners' efficiencies mostly to attacks,
but we pursue a different question: Can inequality in miners' efficiencies be
explained by delays, even when all miners are honest? Traditionally, such
efficiency-related questions were tackled only at the level of the overall
system, and in a peer-to-peer (P2P) setting where miners directly connect to
one another. Despite it being common today for miners to pool compute
capacities in a mining pool managed by a centralized coordinator, efficiency in
such a coordinated setting has barely been studied.
In this paper, we propose a simple model of a proof-of-work blockchain with
latencies for both the P2P and the coordinated settings. We derive a
closed-form expression for the efficiency in the coordinated setting with an
arbitrary number of miners and arbitrary latencies, both for the overall system
and for each individual miner. We leverage this result to show that
inequalities arise from variability in the delays, but that if all miners are
equidistant from the coordinator, they have equal efficiency irrespective of
their compute capacities. We then prove that, under a natural consistency
condition, the overall system efficiency in the P2P setting is higher than that
in the coordinated setting. Finally, we perform a simulation-based study to
demonstrate that even in the P2P setting delays between miners introduce
inequalities, and that there is a more complex interplay between delays and
compute capacities.

Multipath TCP (MPTCP) extends traditional TCP to enable simultaneous use of
multiple connection endpoints at the source and destination. MPTCP has been
under active development since its standardization in 2013, and more recently
in February 2020, MPTCP was upstreamed to the Linux kernel.
In this paper, we provide the first broad analysis of MPTCPv0 in the
Internet. We probe the entire IPv4 address space and an IPv6 hitlist to detect
MPTCP-enabled systems operational on port 80 and 443. Our scans reveal a steady
increase in MPTCP-capable IPs, reaching 9k+ on IPv4 and a few dozen on IPv6. We
also discover a significant share of seemingly MPTCP-capable hosts, an artifact
of middleboxes mirroring TCP options. We conduct targeted HTTP(S) measurements
towards select hosts and find that middleboxes can aggressively impact the
perceived quality of applications utilizing MPTCP. Finally, we analyze two
complementary traffic traces from CAIDA and MAWI to shed light on the
real-world usage of MPTCP. We find that while MPTCP usage has increased by a
factor of 20 over the past few years, its traffic share is still quite low.

Internet services leverage transport protocol port numbers to specify the
source and destination application layer protocols. While using port 0 is not
allowed in most transport protocols, we see a non-negligible share of traffic
using port 0 in the Internet. In this study, we dissect port 0 traffic to infer
its possible origins and causes using five complementing flow-level and
packet-level datasets. We observe 73 GB of port 0 traffic in one week of IXP
traffic, most of which we identify as an artifact of packet fragmentation. In
our packet-level datasets, most traffic is originated from a small number of
hosts and while most of the packets have no payload, a major fraction of
packets containing payload belong to the BitTorrent protocol. Moreover, we find
unique traffic patterns commonly seen in scanning. In addition to analyzing
passive traces, we also conduct an active measurement campaign to study how
different networks react to port 0 traffic. We find an unexpectedly high
response rate for TCP port 0 probes in IPv4, with very low response rates with
other protocol types. Finally, we will be running continuous port 0
measurements and providing the results to the measurement community.

This paper presents a multi-platform computational pipeline geared to
identify social media posts discussing (known) conspiracy theories. We use 189
conspiracy claims collected by Snopes, and find 66k posts and 277k comments on
Reddit, and 379k tweets discussing them. Then, we study how conspiracies are
discussed on different Web communities and which ones are particularly
influential in driving the discussion about them. Our analysis sheds light on
how conspiracy theories are discussed and spread online, while highlighting
multiple challenges in mitigating them.

Recent research suggests that not all fact checking efforts are equal: when
and what is fact checked plays a pivotal role in effectively correcting
misconceptions. In this paper, we propose a framework to study fact checking
efforts using Google Trends, a signal that captures search interest over topics
on the world's largest search engine. Our framework consists of extracting
claims from fact checking efforts, linking such claims with knowledge graph
entities, and estimating the online attention they receive. We use this
framework to study a dataset of 879 COVID-19-related fact checks done in 2020
by 81 international organizations. Our findings suggest that there is often a
disconnect between online attention and fact checking efforts. For example, in
around 40% of countries where 10 or more claims were fact checked, half or more
than half of the top 10 most popular claims were not fact checked. Our analysis
also shows that claims are first fact checked after receiving, on average, 35%
of the total online attention they would eventually receive in 2020. Yet, there
is a big variation among claims: some were fact checked before receiving a
surge of misinformation-induced online attention, others are fact checked much
later. Overall, our work suggests that the incorporation of online attention
signals may help organizations better assess and prioritize their fact checking
efforts. Also, in the context of international collaboration, where claims are
fact checked multiple times across different countries, online attention could
help organizations keep track of which claims are "migrating" between different
countries.

In this paper, we present a large-scale characterization of the Manosphere, a
conglomerate of Web-based misogynist movements roughly focused on "men's
issues," which has seen significant growth over the past years. We do so by
gathering and analyzing 28.8M posts from 6 forums and 51 subreddits. Overall,
we paint a comprehensive picture of the evolution of the Manosphere on the Web,
showing the links between its different communities over the years. We find
that milder and older communities, such as Pick Up Artists and Men's Rights
Activists, are giving way to more extremist ones like Incels and Men Going
Their Own Way, with a substantial migration of active users. Moreover, our
analysis suggests that these newer communities are more toxic and misogynistic
than the former.

When toxic online communities on mainstream platforms face moderation
measures, such as bans, they may migrate to other platforms with laxer policies
or set up their own dedicated website. Previous work suggests that, within
mainstream platforms, community-level moderation is effective in mitigating the
harm caused by the moderated communities. It is, however, unclear whether these
results also hold when considering the broader Web ecosystem. Do toxic
communities continue to grow in terms of user base and activity on their new
platforms? Do their members become more toxic and ideologically radicalized? In
this paper, we report the results of a large-scale observational study of how
problematic online communities progress following community-level moderation
measures. We analyze data from r/The_Donald} and r/Incels, two communities that
were banned from Reddit and subsequently migrated to their own standalone
websites. Our results suggest that, in both cases, moderation measures
significantly decreased posting activity on the new platform, reducing the
number of posts, active users, and newcomers. In spite of that, users in one of
the studied communities (r/The_Donald) showed increases in signals associated
with toxicity and radicalization, which justifies concerns that the reduction
in activity may come at the expense of a more toxic and radical community.
Overall, our results paint a nuanced portrait of the consequences of
community-level moderation and can inform their design and deployment.

Transport protocols use port numbers to allow connection multiplexing on
Internet hosts. TCP as well as UDP, the two most widely used transport
protocols, have limitations on what constitutes a valid and invalid port
number. One example of an invalid port number for these protocols is port 0. In
this work, we present preliminary results from analyzing port 0 traffic at a
large European IXP. In one week of traffic we find 74GB port 0 traffic. The
vast majority of this traffic has both source and destination ports set to 0,
suggesting scanning or reconnaissance as its root cause. Our analysis also
shows that more than half of all port 0 traffic is targeted to just 18 ASes,
whereas more than half of all traffic is originated by about 100 ASes,
suggesting a more diverse set of source ASes.

YouTube is by far the largest host of user-generated video content worldwide.
Alas, the platform also hosts inappropriate, toxic, and/or hateful content. One
community that has come into the spotlight for sharing and publishing hateful
content are the so-called Involuntary Celibates (Incels), a loosely defined
movement ostensibly focusing on men's issues, who have often been linked to
misogynistic views.
In this paper, we set out to analyze the Incel community on YouTube by
focusing on the evolution of this community over the last decade and
understanding whether YouTube's recommendation algorithm steers users towards
Incel-related videos. We collect videos shared on Incel-related communities
within Reddit, and perform a data-driven characterization of the content posted
on YouTube. Among other things, we find that the Incel community on YouTube is
getting traction and that during the last decade the number of Incel-related
videos and comments rose substantially. Also, we quantify the probability that
a user will encounter an Incel-related video by virtue of YouTube's
recommendation algorithm. Within five hops when starting from a
non-Incel-related video, this probability is 1 in 5, which is alarmingly high
as such content is likely to share toxic and misogynistic views.

YouTube has revolutionized the way people discover and consume videos,
becoming one of the primary news sources for Internet users. Since content on
YouTube is generated by its users, the platform is particularly vulnerable to
misinformative and conspiratorial videos. Even worse, the role played by
YouTube's recommendation algorithm in unwittingly promoting questionable
content is not well understood, and could potentially make the problem even
worse. This can have dire real-world consequences, especially when
pseudoscientific content is promoted to users at critical times, e.g., during
the COVID-19 pandemic.
In this paper, we set out to characterize and detect pseudoscientific
misinformation on YouTube. We collect 6.6K videos related to COVID-19, the flat
earth theory, the anti-vaccination, and anti-mask movements; using
crowdsourcing, we annotate them as pseudoscience, legitimate science, or
irrelevant. We then train a deep learning classifier to detect pseudoscientific
videos with an accuracy of 76.1%. Next, we quantify user exposure to this
content on various parts of the platform (i.e., a user's homepage, recommended
videos while watching a specific video, or search results) and how this
exposure changes based on the user's watch history. We find that YouTube's
recommendation algorithm is more aggressive in suggesting pseudoscientific
content when users are searching for specific topics, while these
recommendations are less common on a user's homepage or when actively watching
pseudoscientific videos. Finally, we shed light on how a user's watch history
substantially affects the type of recommended videos.

Online fringe communities offer fertile grounds for users to seek and share
paranoid ideas fueling suspicion of mainstream news, and outright conspiracy
theories. Among these, the QAnon conspiracy theory has emerged in 2017 on
4chan, broadly supporting the idea that powerful politicians, aristocrats, and
celebrities are closely engaged in a global pedophile ring. At the same time,
governments are thought to be controlled by "puppet masters," as democratically
elected officials serve as a fake showroom of democracy.
In this paper, we provide an empirical exploratory analysis of the QAnon
community on Voat.co, a Reddit-esque news aggregator, which has recently
captured the interest of the press for its toxicity and for providing a
platform to QAnon followers. More precisely, we analyze a large dataset from
/v/GreatAwakening, the most popular QAnon-related subverse (the Voat equivalent
of a subreddit) to characterize activity and user engagement. To further
understand the discourse around QAnon, we study the most popular named entities
mentioned in the posts, along with the most prominent topics of discussion,
which focus on US politics, Donald Trump, and world events. We also use
word2vec models to identify narratives around QAnon-specific keywords, and our
graph visualization shows that some of QAnon-related ones are closely related
to those from the Pizzagate conspiracy theory and "drops" by "Q." Finally, we
analyze content toxicity, finding that discussions on /v/GreatAwakening are
less toxic than in the broad Voat community.

Many network operations, ranging from attack investigation and mitigation to
traffic management, require answering network-wide flow queries in seconds.
Although flow records are collected at each router, using available traffic
capture utilities, querying the resulting datasets from hundreds of routers
across sites and over time, remains a significant challenge due to the sheer
traffic volume and distributed nature of flow records.
In this paper, we investigate how to improve the response time for a priori
unknown network-wide queries. We present Flowyager, a system that is built on
top of existing traffic capture utilities. Flowyager generates and analyzes
tree data structures, that we call Flowtrees, which are succinct summaries of
the raw flow data available by capture utilities. Flowtrees are self-adjusted
data structures that drastically reduce space and transfer requirements, by 75%
to 95%, compared to raw flow records. Flowyager manages the storage and
transfers of Flowtrees, supports Flowtree operators, and provides a structured
query language for answering flow queries across sites and time periods. By
deploying a Flowyager prototype at both a large Internet Exchange Point and a
Tier-1 Internet Service Provider, we showcase its capabilities for networks
with hundreds of router interfaces. Our results show that the query response
time can be reduced by an order of magnitude when compared with alternative
data analytics platforms. Thus, Flowyager enables interactive network-wide
queries and offers unprecedented drill-down capabilities to, e.g., identify
DDoS culprits, pinpoint the involved sites, and determine the length of the
attack.

The outbreak of the COVID-19 pandemic has changed our lives in unprecedented
ways. In the face of the projected catastrophic consequences, many countries
have enacted social distancing measures in an attempt to limit the spread of
the virus. Under these conditions, the Web has become an indispensable medium
for information acquisition, communication, and entertainment. At the same
time, unfortunately, the Web is being exploited for the dissemination of
potentially harmful and disturbing content, such as the spread of conspiracy
theories and hateful speech towards specific ethnic groups, in particular
towards Chinese people since COVID-19 is believed to have originated from
China.
In this paper, we make a first attempt to study the emergence of Sinophobic
behavior on the Web during the outbreak of the COVID-19 pandemic. We collect
two large-scale datasets from Twitter and 4chan's Politically Incorrect board
(/pol/) over a time period of approximately five months and analyze them to
investigate whether there is a rise or important differences with regard to the
dissemination of Sinophobic content. We find that COVID-19 indeed drives the
rise of Sinophobia on the Web and that the dissemination of Sinophobic content
is a cross-platform phenomenon: it exists on fringe Web communities like
\dspol, and to a lesser extent on mainstream ones like Twitter. Also, using
word embeddings over time, we characterize the evolution and emergence of new
Sinophobic slurs on both Twitter and /pol/. Finally, we find interesting
differences in the context in which words related to Chinese people are used on
the Web before and after the COVID-19 outbreak: on Twitter we observe a shift
towards blaming China for the situation, while on /pol/ we find a shift towards
using more (and new) Sinophobic slurs.

Is it possible to patch software bugs in P4 programs without human
involvement? We show that this is partially possible in many cases due to
advances in software testing and the structure of P4 programs. Our insight is
that runtime verification can detect bugs, even those that are not detected at
compile-time, with machine learning-guided fuzzing. This enables a more
automated and real-time localization of bugs in P4 programs using software
testing techniques like Tarantula. Once the bug in a P4 program is localized,
the faulty code can be patched due to the programmable nature of P4. In
addition, platform-dependent bugs can be detected. From P4_14 to P4_16 (latest
version), our observation is that as the programmable blocks increase, the
patchability of P4 programs increases accordingly. To this end, we design,
develop, and evaluate P6 that (a) detects, (b) localizes, and (c) patches bugs
in P4 programs with minimal human interaction. P6 tests P4 switch
non-intrusively, i.e., requires no modification to the P4 program for detecting
and localizing bugs. We used a P6 prototype to detect and patch seven existing
bugs in eight publicly available P4 application programs deployed on two
different switch platforms: behavioral model (bmv2) and Tofino. Our evaluation
shows that P6 significantly outperforms bug detection baselines while
generating fewer packets and patches bugs in P4 programs such as switch.p4
without triggering any regressions.

Despite the influence that image-based communication has on online discourse,
the role played by images in disinformation is still not well understood. In
this paper, we present the first large-scale study of fauxtography, analyzing
the use of manipulated or misleading images in news discussion on online
communities. First, we develop a computational pipeline geared to detect
fauxtography, and identify over 61k instances of fauxtography discussed on
Twitter, 4chan, and Reddit. Then, we study how posting fauxtography affects
engagement of posts on social media, finding that posts containing it receive
more interactions in the form of re-shares, likes, and comments. Finally, we
show that fauxtography images are often turned into memes by Web communities.
Our findings show that effective mitigation against disinformation need to take
images into account, and highlight a number of challenges in dealing with
image-based disinformation.

Reproducibility is one of the key characteristics of good science, but hard
to achieve for experimental disciplines like Internet measurements and
networked systems. This guide provides advice to researchers, particularly
those new to the field, on designing experiments so that their work is more
likely to be reproducible and to serve as a foundation for follow-on work by
others.

The conventional wisdom is that a software-defined network (SDN) operates
under the premise that the logically centralized control plane has an accurate
representation of the actual data plane state. Nevertheless, bugs,
misconfigurations, faults or attacks can introduce inconsistencies that
undermine correct operation. Previous work in this area, however, lacks a
holistic methodology to tackle this problem and thus, addresses only certain
parts of the problem. Yet, the consistency of the overall system is only as
good as its least consistent part.
Motivated by an analogy of network consistency checking with program testing,
we propose to add active probe-based network state fuzzing to our consistency
check repertoire. Hereby, our system, PAZZ, combines production traffic with
active probes to continuously test if the actual forwarding path and decision
elements (on the data plane) correspond to the expected ones (on the control
plane). Our insight is that active traffic covers the inconsistency cases
beyond the ones identified by passive traffic. PAZZ prototype was built and
evaluated on topologies of varying scale and complexity. Our results show that
PAZZ requires minimal network resources to detect persistent data plane faults
through fuzzing and localize them quickly.

State-sponsored organizations are increasingly linked to efforts aimed to
exploit social media for information warfare and manipulating public opinion.
Typically, their activities rely on a number of social network accounts they
control, aka trolls, that post and interact with other users disguised as
"regular" users. These accounts often use images and memes, along with textual
content, in order to increase the engagement and the credibility of their
posts.
In this paper, we present the first study of images shared by state-sponsored
accounts by analyzing a ground truth dataset of 1.8M images posted to Twitter
by accounts controlled by the Russian Internet Research Agency. First, we
analyze the content of the images as well as their posting activity. Then,
using Hawkes Processes, we quantify their influence on popular Web communities
like Twitter, Reddit, 4chan's Politically Incorrect board (/pol/), and Gab,
with respect to the dissemination of images. We find that the extensive image
posting activity of Russian trolls coincides with real-world events (e.g., the
Unite the Right rally in Charlottesville), and shed light on their targets as
well as the content disseminated via images. Finally, we show that the trolls
were more effective in disseminating politics-related imagery than other
images.

Low latency is a requirement for a variety of interactive network
applications. The Internet, however, is not optimized for latency. We thus
explore the design of cost-effective wide-area networks that move data over
paths very close to great-circle paths, at speeds very close to the speed of
light in vacuum. Our cISP design augments the Internet's fiber with free-space
wireless connectivity. cISP addresses the fundamental challenge of
simultaneously providing low latency and scalable bandwidth, while accounting
for numerous practical factors ranging from transmission tower availability to
packet queuing. We show that instantiations of cISP across the contiguous
United States and Europe would achieve mean latencies within 5% of that
achievable using great-circle paths at the speed of light, over medium and long
distances. Further, we estimate that the economic value from such networks
would substantially exceed their expense.

The recent publication of the `InterTubes' map of long-haul fiber-optic
cables in the contiguous United States invites an exciting question: how much
faster would the Internet be if routes were chosen to minimize latency?
Previous measurement campaigns suggest the following rule of thumb for
estimating Internet latency: multiply line-of-sight distance by 2.1, then
divide by the speed of light in fiber. But a simple computation of
shortest-path lengths through the conduits in the InterTubes map suggests that
the conversion factor for all pairs of the 120 largest population centers in
the U.S.\ could be reduced from 2.1 to 1.3, in the median, even using less than
half of the links. To determine whether an overlay network could be used to
provide shortest paths, and how well it would perform, we used the diverse
server deployment of a CDN to measure latency across individual conduits. We
were surprised to find, however, that latencies are sometimes much higher than
would be predicted by conduit length alone. To understand why, we report
findings from our analysis of network latency data from the backbones of two
Tier-1 ISPs, two scientific and research networks, and the recently built fiber
backbone of a CDN.

Within a few years of its introduction, QUIC has gained traction: a
significant chunk of traffic is now delivered over QUIC. The networking
community is actively engaged in debating the fairness, performance, and
applicability of QUIC for various use cases, but these debates are centered
around a narrow, common theme: how does the new reliable transport built on top
of UDP fare in different scenarios? Support for unreliable delivery in QUIC
remains largely unexplored.
The option for delivering content unreliably, as in a best-effort model,
deserves the QUIC designers' and community's attention. We propose extending
QUIC to support unreliable streams and present a simple approach for
implementation. We discuss a simple use case of video streaming---an
application that dominates the overall Internet traffic---that can leverage the
unreliable streams and potentially bring immense benefits to network operators
and content providers. To this end, we present a prototype implementation that,
by using both the reliable and unreliable streams in QUIC, outperforms both TCP
and QUIC in our evaluations.

In today's Internet, mobile devices are connected to multiple access

networks, e.g., WiFi/DSL and LTE. To take advantage of the networks' diverse

paths characteristics (delay, bandwidth, and reliability) and aggregate

bandwidth, we need smart strategies for choosing which interface(s) to use for

what traffic. In this paper, we present an approach how to tackle this

challenge as part of the Operating System (OS): With the concept of Socket

Intents, applications can express what they know about their communication

pattern and their preferences. Using our Socket Intents Prototype and our

modified BSD Socket Interface, this information is used to choose the most

appropriate path or path combination on a per message or per connection basis.

We evaluate our system based on the use case of Web browsing: Using our

prototype and a client-side proxy, we show the feasibility and benefits of our

design. Using a flow-based simulator and a full factorial experimental design,

we study a broad range of access network combinations (based on typical DSL and

LTE scenarios) and real workloads (Alexa Top 100 and Top 1000 Web Sites). Our

policies achieve performance benefits in more than 50% of the cases and

speedups of more than factor two in 20% of the cases without adding overhead in

the other cases.