Program
Monday, 27th October 2025
- 09:00 - 17:00 - Student workshop
- 09:00 - 17:00 - PRIME workshop at CS Department
- 18:00 - 20:00 - Reception - Discovery building atrium area
Tuesday, 28th October 2025
- 7:15 - 9:00 - Breakfast - Discovery building atrium area
- 9:00 - 9:30 - Opening Remarks
- 9:30 - 10:50 - Keynote
- Why Measure (Keynote). Ellen Zegura (Regents and Fleming Professor at Georgia Tech and Acting Assistant Director of Computer and Information Science and Engineering (CISE) at NSF). Abstract: Over my 30+ year career, I have dabbled in network measurement and modeling. In this talk I will trace selected efforts over time and connect them to broader lessons I have learned about how to have impact. I will attempt to connect with the larger research and funding ecosystem for networking in general and measurement in particular. I will close with a grand challenge.
- 10:50 - 11:10 - Break
- 11:10 - 12:30 - Session 1
- Session 1: Privacy (Session Chair: Umar Iqbal)
- Tu Le (The University of Alabama), Luca Baldesi (University of California, Irvine), Athina Markopoulou (University of California, Irvine), Carter T. Butts (University of California, Irvine), Zubair Shafiq (University of California, Davis). Abstract: Many devices are accessed and controlled through voice assistants today, a representative example being Echo smart speakers and other Amazon devices controlled by Alexa. These offer the convenience of accessing services through voice interactions, but also raise privacy concerns, as data can be stored and used for personalization and voice biometric information is sensitive. Unfortunately, there is still a lack of transparency and control over this data collection and use. Although prior work has shown evidence of ad targeting based on data derived from voice interactions and user profiles/interests, it has so far been an open question whether voice biometric information itself is utilized for targeting. In this paper, (i) we build a general auditing methodology to answer this question for off-the-shelf commercial smart speakers, and (ii) we apply it specifically to Amazon Echo Dot. Our findings suggest that Amazon Music ad content is more strongly associated with demographics (gender and age) inferred from voice characteristics than would be expected by chance. This has important implications for compliance since voice contains sensitive biometric information that is protected by several privacy regulations.
- Where in the World Are My Trackers? Mapping Web Tracking Flow Across Diverse Geographic Regions (Long). Sachin Kumar Singh (University of Utah), Robert Ricci (University of Utah), Alexander Gamero-Garrido (UC Davis). Abstract: Web trackers are pervasive on the Internet, collecting user data as it flows from the end user's device to their servers. Understanding the physical location of these servers and trackers data flow is essential for assessing privacy risks and ensuring control over user data. While much of the existing research focuses on regions like Europe, where regulations such as the General Data Protection Regulation (GDPR) are in place, other regions of the world, where most Internet users reside, remain under-studied. We address this gap by collecting measurements from the web browser and the data-plane (IP of responding server & latency) on the same device. A challenge to apply this approach beyond Europe is the low density of observation points in measurement infrastructure. To address this, we build a software suite that automatically collects measurements in various countries from a volunteer's computer. Our suite is interoperable with all major OSes and requires limited user intervention. We apply our method across 23 geographically diverse countries, offering in-depth insights into tracker data flow.
- Elisa Luo (UC San Diego), Tom Ritter (Mozilla), Stefan Savage (UC San Diego), Geoffrey M. Voelker (UC San Diego). Abstract: Canvas fingerprinting is a widely-used technique for implicitly re-identifying visitors to a Web site based on subtle variations in the graphical rendering of specific "test canvases". However, different fingerprinting actors make use of distinct canvases for this purpose and thus, as we show, it is possible to "fingerprint the fingerprinters" by clustering which canvases are employed for these tests. This paper documents the efficacy of this canvas clustering technique, further uses it to measure and characterize the online footprint of widely-used fingerprinting services, and finally analyzes the context in which these services are used to shine light on their intended purpose.
- Pouneh Nikkhah Bahrami (University of California, Davis), Aurore Fass (CISPA Helmholtz Center for Information Security), Zubair Shafiq (University of California, Davis). Abstract: As third-party cookies are being phased out or restricted by major browsers, first-party cookies are increasingly repurposed for tracking. Prior work has shown that third-party scripts embedded in the main frame can access and exfiltrate first-party cookies—including those set by other third-party scripts. However, existing browser security mechanisms, such as the Same-Origin Policy, Content Security Policy, and third-party storage partitioning, do not prevent this type of cross-domain interaction within the main frame. While recent studies have begun to highlight this issue, there remains a lack of comprehensive measurement and practical defenses. In this work, we conduct the first large-scale measurement of cross-domain access to first-party cookies across 20,000 websites. We find that 56% of websites include third-party scripts that exfiltrate cookies they did not set, and 32% allow unauthorized overwriting or deletion—revealing significant confidentiality and integrity risks. To mitigate this, we propose CookieGuard, a browser-based runtime enforcement mechanism that isolates first-party cookies on a per-script-origin basis. CookieGuard blocks all unauthorized cross-domain cookie operations while preserving site functionality in most cases, with Single Sign-On disruption observed on 11% of sites. Our results expose critical flaws in current browser models and offer a deployable path toward stronger cookie isolation.
- FP-Inconsistent: Measurement and Analysis of Fingerprint Inconsistencies in Evasive Bot Traffic (Long). Hari Venugopalan (UC Davis), Shaoor Munir (UC Davis), Shuaib Ahmed (UC Davis), Tangbaihe Wang (UC Davis), Samuel T. King (UC Davis), Zubair Shafiq (UC Davis). Abstract: Browser fingerprinting is used for bot detection. In response, bots have started altering their fingerprints to evade detection. We conduct the first large-scale evaluation to study whether and how altering fingerprints helps bots evade detection. To systematically investigate such evasive bots, we deploy a honey site that includes two anti-bot services (DataDome and BotD) and solicit bot traffic from 20 different bot services that purport to sell “realistic and undetectable traffic.” Across half a million requests recorded on our honey site, we find an average evasion rate of 52.93% against DataDome and 44.56% evasion rate against BotD. Our analysis of fingerprint attributes of evasive bots shows that they indeed alter their fingerprints. Moreover, we find that the attributes of these altered fingerprints are often inconsistent with each other. We propose FP-Inconsistent, a data-driven approach to detect such inconsistencies across space (two attributes in a given browser fingerprint) and time (a single attribute at two different points in time). Our evaluation shows that our approach can reduce the evasion rate of evasive bots by 44.95%-48.11% while maintaining a true negative rate of 96.84% on traffic from real users.
- 12:30 - 14:00 - Lunch+Posters
- 14:00 - 15:30 - Sessions 2A + 2B
- Session 2a: Cloud (Session Chair: Oliver Hohlfeld)
- Yijing Liu (Tsinghua University), Mingxuan Liu (Zhongguancun Laboratory), Yiming Zhang (Tsinghua University), Baojun Liu (Tsinghua University), Jia Zhang (Tsinghua University; Quancheng Laboratory), Geng Hong (Fudan University), Haixin Duan (Tsinghua University; QI-ANXIN Technology Research Institute), Min Yang (Fudan University). Abstract: Serverless cloud functions transfer server management responsibilities to service providers, offering scalability and cost-efficiency. This convenience not only facilitates normal activities but also raises abuse concerns. So far, public understanding of real-world cloud functions remains limited. To fill this gap, we conducted an in-depth measurement study to uncover their practical usage and abuse. Through empirical analysis of nine leading providers (e.g., AWS, Tencent), we identified 531,089 function domains from a passive DNS dataset spanning April 2022 to March 2024. We first investigated the usage status of serverless cloud functions, showing the different practices between providers. Additionally, based on active requests to these functions, we pointed out privacy risks of unauthorized access and identified four abuse types, including covert C2 communication, hosting malicious websites, promoting illicit services, and abusing egress nodes as IP proxies. Alarmingly, 4.89% of cloud functions are being abused, with over 614k invocations recorded. Only four abused functions were flagged by existing threat intelligence systems, indicating critical gaps in security monitoring for serverless environments. Our work offers insights into the serverless cloud ecosystem and provides recommendations for better management. With responsible disclosure, we hope to raise awareness and improve protective measures against abuses among cloud function providers.
- Abstract: Allocating resources in a distributed environment is a fundamental challenge. In this paper, we analyze the scheduling and placement of virtual machines (VMs) in the cloud platform of SAP, the world's largest enterprise resource planning software vendor. Based on data from roughly 1,800 hypervisors and 48,000 VMs within a 30-day observation period, we highlight potential improvements for workload management. The data was measured through observability tooling that tracks resource usage and performance metrics across the entire infrastructure. In contrast to existing datasets, ours uniquely offers fine-grained time-series telemetry data of fully virtualized enterprise-level workloads, including long-running and memory-intensive SAP S/4HANA and diverse, general-purpose workloads. Our key findings include several sub-optimal scheduling situations, such as CPU resource contention exceeding 40%, peak CPU ready times of up to around 220 seconds, significantly imbalanced compute hosts with a maximum intra-building block host CPU utilization spread of up to 99%, overprovisioned CPU resources with over 80% of VMs using less than 70% CPU, and underutilized memory with similar utilization levels. Using these findings, we derive requirements for the design and implementation of novel placement and scheduling algorithms and provide guidance to optimize resource allocations. The full dataset used in this study is made publicly available. We hope this will enable future research to conduct a data-driven evaluation of potential scheduling solutions for large-scale, productive cloud infrastructures.
- Games Are Not Equal: Classifying Cloud Gaming Contexts for Effective User Experience Measurement (Long). Yifan Wang (University of New South Wales), Minzhao Lyu (University of New South Wales), Vijay Sivaraman (University of New South Wales). Abstract: To tap into the growing market of cloud gaming, whereby game graphics is rendered in the cloud and streamed back to the user as a video feed, network operators are creating monetizable assurance services that dynamically provision network resources. However, without accurately measuring cloud gaming user experience, they cannot assess the effectiveness of their provisioning methods. Basic measures such as bandwidth and frame rate by themselves do not suffice, and can only be interpreted in the context of the game played and the player activity within the game. This paper equips the network operator with a method to obtain a real-time measure of cloud gaming experience by analyzing network traffic, including contextual factors such as the game title and player activity stage. Our method is able to classify the game title within the first five seconds of game launch, and continuously assess the player activity stage as being active, passive, or idle. We deploy it in an ISP hosting NVIDIA cloud gaming servers for the region. We provide insights from hundreds of thousands of cloud game streaming sessions over a three-month period into the dependence of bandwidth consumption and experience level on the gameplay contexts.
- Session 2b: Passive Traffic Analysis (Session Chair: Arpit Gupta)
- Soudeh Ghorbani (Meta and Johns Hopkins University), Yimeng Zhao (Meta), Srikanth Sundaresan (Meta), Ying Zhang (Meta), Yijing Zeng (Meta), Abhigyan Sharma (Meta), Prashanth Kannan (Meta), Cristian Lumezanu (Meta). Abstract: RDMA datacenters are proliferating to meet the demand of emerging workloads such as AI training and distributed storage. This trend has opened up a critical knowledge gap: the traffic characteristics of congestion in these networks remain unknown. We do not know, for example, which layers of the network are the most congested, if the network is load balanced effectively, how long congestion events last, and how accurate existing telemetry systems are in capturing congestion. This paper bridges this gap by investigating congestion in a large-scale RDMA datacenter dedicated to distributed AI training. We provide insights into three specific congestion patterns: (a) location and distribution in the network, (b) burstiness, e.g., the duration and synchrony of bursts, and (c) observability using existing telemetry methods. We show, for instance, that the deployment of Priority Flow Control (PFC) in RDMA networks has shifted the location of congestion one level up: from the edge-host in legacy TCP/IP datacenters to the network core in RDMA datacenters. At the same time, we show that the same protocol enables us to observe and understand congestion better, even bursty kind.
- Patchwork: A Traffic Capture and Analysis Platform for Network Experiments on a Federated Testbed (Long). Nishanth Shyamkumar (Illinois Institute of Technology), Hyunsuk Bang (Illinois Institute of Technology), Bjoern Sagstad (Illinois Institute of Technology), Prajwal Somendyapanahalli Venkateshmurthy (Illinois Institute of Technology), Sean Cummings (Illinois Institute of Technology), Nik Sultana (Illinois Institute of Technology). Abstract: Today’s federated network testbeds enable experiments of unprecedented scale and detail, but only provide rudimentary primitives to capture an experiment’s network traffic. Capturing and analyzing traffic is important for diagnosing and debugging research prototypes and for evaluating research, but today’s testbed users divert and duplicate effort to craft custom solutions for their experiments. Building a general, reusable system is made more challenging by the autonomous structure of federated testbeds and by their high capacity links (requiring accelerated processing). This paper describes the design, implementation, and evaluation of Twine: a user-provided, extensible, open-source, capture and analysis platform that runs on the intercontinental, state-of-the-art FABRIC testbed. Twine works both for individual experiments and also for all experiments occurring simultaneously on FABRIC. To attain a general design, Twine itself runs as an experiment on FABRIC and did not require modifications to FABRIC. For scalability, Twine offloads logic to FPGA NICs on the testbed and uses DPDK. Twine has been used by individual FABRIC users and has been running on FABRIC for over a year to produce a testbed-wide analysis of how researchers are collectively using the testbed’s network. This paper also presents that analysis and discusses implications for future research on measurement.
- Dario Ferrero (Delft University of Technology), Enrico Bassetti (ESA and Delft University of Technology), Harm Griffioen (Delft University of Technology), Georgios Smaragdakis (Delft University of Technology). Abstract: TCP SYN packets are typically meant to initiate a three-way handshake for new connections and do not carry a payload. The only exception, according to the standards, is TCP Fast Open, where data is transmitted as TCP SYN payload. In this paper, we perform an empirical analysis of other cases where TCP SYN carries a payload. We utilize a large passive and a reactive network telescope to collect pure TCP SYN packets over two years. Our analysis shows that around 75% of these payloads are HTTP GET requests either for potentially censored content performed by researchers and activists originated by a relatively small number of IPs. We also observe scouting and intrusion attempt activity related to port 0, operating systems, middleware, and edge router vulnerability exploitation. While we make our data and methodology publicly available, we also want to raise awareness of this type of TCP SYN that typically goes unnoticed.
- 15:30 - 16:00 - Break
- 16:00 - 17:30 - Session 3
- Session 3: Mapping resources & infrastructure (Session Chair: Marcel Flores)
- Fariba Osali (Max Planck Institute for Informatics), Khwaja Zubair Sediqi (Max Planck Institute for Informatics, Saarland University), Oliver Gasser (IPinfo). Abstract: Since the standardization of IPv6 in 1998, both versions of the Internet Protocol have coexisted in this dual-stack Internet. Clients would usually run algorithms such as Happy Eyeballs, to decide whether to connect to an IPv4 or IPv6 endpoint for dual-stack domains. To identify whether two addresses belong to the same device or service, researchers have proposed different forms of alias resolution techniques. Similarly, one can also form siblings of IPv4 and IPv6 addresses belonging to the same device. Traditionally, all of these approaches have focused on individual IP addresses. In this work, we propose the concept of "sibling prefixes", where we extend the definition of an IPv4-IPv6 sibling to two IP prefixes, one IPv4 prefix and its sibling IPv6 prefix. We present a technique based on large-scale DNS resolution data to identify 47k IPv4-IPv6 sibling prefixes. We find sibling prefixes to be commonly between /24 IPv4 and /48 IPv6 prefixes and to be relatively stable over a one-year period while exhibiting less stability going back two or three years. We find sibling prefixes in 27 hypergiant and CDN networks, showing a bimodal similarity distribution. Moreover, more than 50% of sibling prefixes have at least one of the prefixes with a valid RPKI status, with 10% having at least one invalid status. Furthermore, we present SP-Tuner algorithms to tune the CIDR size of sibling prefixes further, improving similarity metrics by roughly 10%. Finally, we plan to regularly publish a list of sibling prefixes to be used by fellow researchers in dual-stack studies.
- Carlos Selmo (Instituto Tecnologico de Buenos Aires), Esteban Carisimo (Northwestern University), Fabián E. Bustamante (Northwestern University), J. Ignacio Alvarez-Hamelin (Universidad de Buenos Aires - CONICET). Abstract: In this work, we introduce Borges (Better ORGanizations Entities mappingS), a novel framework that leverages advancements in Large Language Models (LLMs) to refine AS-to-organization mappings. Building on the most recent AS2Org systems, combining traditional WHOIS-based methods with information available on PeeringDB, Borges utilizes PeeringDB’s Organizational ID and employs LLMs to automatically extract sibling information from embedded text fields using information extraction based on few-shot learning prompts. Borges' reliance on LLMs makes it possible to extend the standard AS2Org datasets to consider companies’ websites as a source for inferring sibling relationships. Our evaluation demonstrates that Borges outperforms existing AS-to-Organization mapping approaches, achieving a 7% improvement in sibling ASN identification and introducing the Organization Factor as a new metric for mapping effectiveness. This method also better captures the user bases of large Internet conglomerates, enhancing user representation by 192 million users (≈ 5% of the Internet population), and expanding country-level organizational footprints across multiple regions.
- Elverton Fazzion (Universidade Federal de São João del-Rei), Giancarlo Teixeira (Universidade Federal de São João del-Rei), Darryl Veitch (University of Technology Sydney), Christophe Diot (Google), Renata Teixeira (Netflix), Italo Cunha (Universidade Federal de Minas Gerais). Abstract: Several systems rely on traceroute to track a large number of Internet paths as they change over time. Monitoring systems perform this task by remapping paths periodically or whenever a change is detected. This paper shows that such complete remapping is inefficient, because most path changes are localized in a few hops of a path. We develop RemapRoute, a tool to remap a path locally given the previously-known path and a change point, sending targeted probes to locate and remap the (often few) hops that have changed. Our evaluation with trace-driven simulations and in a real deployment shows that local remapping reduces by more than 66% and 79%, respectively, the number of probes issued during remapping when compared with complete remapping. Yet, local remapping has little impact on the accuracy of inferred paths.
- Deepak Gouda (Georgia Institute of Technology), Alberto Dainotti (Georgia Institute of Technology), Cecilia Testart (Georgia Institute of Technology). Abstract: Accurately mapping Internet address space to organizations is critical to understanding the Internet’s organizational ecosystem. Traditional approaches, which rely on individual WHOIS queries often suffer from unclear ownership structure of IP addresses and inconsistent organization names, resulting in ambiguous inferences. Alternative methods that map BGP prefixes to Autonomous Systems Numbers (ASNs) and ASNs to organizations are also inaccurate since ASes often originate prefixes on behalf of their customers. This paper introduces Prefix2Org, a comprehensive prefix-to-organization mapping framework. We introduce a taxonomy for the holders of IP addresses and a methodology to map IP addresses to organizations, based on the operational rights over them. To address inconsistencies in organizational names, we develop string processing heuristics and leverage Resource Certificates in RPKI to aggregate prefixes under unified management. Our public dataset covers 99.96% (99.99%) of IPv4 (IPv6) prefixes. We validate 9.3% of routed IPv4 addresses with a 99% recall, and 5.6% of IPv6 prefixes with a 99.34% recall. For the two very large organizations for which we were able to obtain exhaustive ground truth, Prefix2Org does not generate any false positives. Finally, in two case studies, (i) we characterize organizations that hold address space without an ASN and (ii) demonstrate how RPKI adoption measured through Prefix2Org differs from the previously used AS-centric view.
- Remi Hendriks (University of Twente), Matthew Luckie (CAIDA), Mattijs Jonker (University of Twente), Raffaele Sommese (University of Twente), Roland van Rijswijk-Deij (University of Twente). Abstract: IP anycast is a widely adopted technique in which an address is replicated at multiple locations, to, e.g., reduce latency and enhance resilience. Due to anycast's crucial role on the modern Internet, earlier research introduced tools to perform anycast censuses. The first, iGreedy, uses latency measurements from geographically dispersed locations to map anycast deployments. The second, MAnycast2, uses anycast to perform a census of other anycast networks. MAnycast2's advantage is speed, performing an Internet-wide census in 3 hours, but it suffers from problems with accuracy and precision. Inversely, iGreedy is highly accurate but much slower. On top of that, iGreedy has a much higher probing cost. In this paper we address the shortcomings of both systems and present LACeS (Longitudinal Anycast Census System). Taking MAnycast2 as a basis, we completely redesign its measurement pipeline, and add support for distributed probing, additional protocols (UDP, TCP and IPv6) and latency measurements similar to iGreedy. We validate LACeS on an anycast testbed with 32 globally distributed nodes, compare against an external anycast production deployment and extensive latency measurements with RIPE Atlas, and cross-check over 60% of detected anycast prefixes against operator ground truth. This shows that LACeS achieves high accuracy and precision. We make continual daily LACeS censuses available to the community and release the source code of the tool under a permissive open source license.
- Florian Holzbauer (University of Vienna), Sebastian Strobl (SBA Research), Johanna Ullrich (University of Vienna). Abstract: Numerous disruptions to Internet access have been reported during the war in Ukraine, including large-scale outages, damage to network infrastructure, surveillance, and censorship measures. However, most observations rely on local reports or monitoring systems within Ukraine. In this paper, we investigate whether the conflict’s impact on Internet connectivity can be observed externally, from a vantage point outside Ukraine. Focusing on the Kherson region, which has remained on the frontline for over three years, we conduct an active measurement campaign probing the Ukrainian address space at two-hour intervals since March 2, 2022, the 7th day of the invasion, resulting in a country-wide dataset that spans the full duration of the conflict. Extending existing outage detection approaches, we infer three signals to detect Internet disruptions and refine the mapping of ASes and address blocks to specific regions. This allows us to assign disruptions to oblasts with greater confidence. Our results demonstrate that Internet disruptions caused by the war can be measured remotely by any host connected to the Internet. Our analysis provides new insights into the resilience of small regional providers and identifies periods when Ukraine’s Internet infrastructure was under significant strain.
- 17:30 - 18:30 - Student-sponsor recruiting session
Wednesday, 29th October 2025
- 7:15 - 9:00 - Breakfast - Discovery building atrium area
- 9:00 - 10:30 - Sessions 4A + 4B
- Session 4a: AI (Session Chair: Philipp Richter)
- Yuhao Wu (Washington University in St. Louis), Evin Jaff (Washington University in St. Louis), Ke Yang (Washington University in St. Louis), Ning Zhang (Washington University in St. Louis), Umar Iqbal (Washington University in St. Louis). Abstract: LLM app ecosystems are rapidly evolving to support sophisticated use cases, often requiring extensive user data collection. Given that LLM apps are developed by third parties and anecdotal evidence indicating inconsistent enforcement of policies by LLM platforms, sharing user data with these apps presents significant privacy risks. In this paper we aim to bring transparency in data practices of LLM app ecosystems. We examine OpenAI's GPT app ecosystem as a case study. We propose an LLM-based framework to analyze the natural language specifications of GPT Actions (custom tools) and assess their data collection practices. Our analysis reveals that Actions collect excessive data across 24 categories and 145 data types, with third-party Actions collecting 6.03% more data on average. We find that several Actions violate OpenAI's policies by collecting sensitive information, such as passwords, which is explicitly prohibited by OpenAI. Lastly, we develop an LLM-based privacy policy analysis framework to automatically check the consistency of data collection by Actions with disclosures in their privacy policies. Our measurements indicate that the disclosures for most of the collected data types are omitted, with only 5.8% of Actions clearly disclosing their data collection practices.
- Enze Liu (UC San Diego), Elisa Luo (UC San Diego), Shawn Shan (University of Chicago), Geoffrey M. Voelker (UC San Diego), Ben Y. Zhao (University of Chicago), Stefan Savage (UC San Diego). Abstract: The success of generative AI relies heavily on training on data scraped through extensive crawling of the Internet, a practice that has raised significant copyright, privacy, and ethical concerns. While few measures are designed to resist a resource-rich adversary determined to scrape a site, crawlers can be impacted by a range of existing tools such as robots.txt, NoAI meta tags, and active crawler blocking by reverse proxies. In this work, we seek to understand the ability and efficacy of today's networking tools to protect content creators against AI-related crawling. For targeted populations like human artists, do they have the technical knowledge and agency to utilize crawler-blocking tools such as robots.txt, and can such tools be effective? Using large scale measurements and a targeted user study of 182 professional artists, we find strong demand for tools like robots.txt, but significantly constrained by significant hurdles in technical awareness, agency in deploying them, and limited efficacy against unresponsive crawlers. We further test and evaluate network level crawler blockers by reverse-proxies, and find that despite very limited deployment today, their reliable and comprehensive blocking of AI-crawlers make them the strongest protection for artists moving forward.
- Ruizhi Cheng (Meta Platforms, Inc., George Mason University), Surendra Pathak (George Mason University), Guowu Xie (Meta Platforms Inc.), Matteo Varvello (Nokia Bell Labs), Songqing Chen (George Mason University), Bo Han (George Mason University). Abstract: The rise of generative artificial intelligence (GenAI), powered by large language models, has led to the emergence of real-time, voice-based conversational applications that enable dynamic, multi-modal interactions for everyday tasks such as checking the weather or planning a trip. These human-to-GenAI calling applications blend speech processing, generative intelligence, and real-time communication, presenting new challenges in latency optimization, network infrastructure design, and resilience under load. Despite their growing popularity, little is known about the operational characteristics and performance of these applications. This paper conducts an empirical measurement of six human-to-GenAI calling applications from Google, Meta, Microsoft, and OpenAI, focusing on their input/output modalities, network behavior, latency metrics, and robustness. Our findings reveal key design choices and performance bottlenecks in these emerging applications. For example, the conversational latency often reaches several seconds, far exceeding the typical sub-second delays of human-to-human voice communication and potentially impairing interactivity. Moreover, voice-based GenAI traffic is inherently asymmetric: the uplink, carrying real-time human speech, benefits from streaming-based transmission, while the typically large downlink GenAI responses are better served through batch-based delivery.
- Do Spammers Dream of Electric Sheep? Characterizing the Prevalence of LLM-Generated Malicious Emails (Short) Wei Hao (Columbia University and Barracuda Networks), Van Tran (University of Chicago), Vincent Rideout (Barracuda Networks), Zixi Wang (Columbia University and Barracuda Networks), AnMei Dasbach-Prisk (University of California San Diego), M. H. Afifi (Barracuda Networks), Junfeng Yang (Columbia University), Ethan Katz-Bassett (Columbia University), Grant Ho (University of Chicago), Asaf Cidon (Columbia University and Barracuda Networks) Abstract: With the rapid adoption of large language models (LLMs), security researchers have speculated that cybercriminals may utilize LLMs to improve and automate their attacks. However, so far, the security community has had only anecdotal evidence of attackers using LLMs, lacking large-scale data on the extent of real-world malicious LLM usage. In this paper, we present the first large-scale study measuring AI-generated attacks in-the-wild. In particular, we focus on the use of LLMs by attackers to craft the text of malicious emails by analyzing a corpus of hundreds of thousands of real-world phishing and spam emails detected by a large email security company. The key challenge in this analysis is determining ground truth: we cannot know for certain whether an email is LLM or human-generated. To overcome this challenge, we observe that, prior to the launch of ChatGPT, email text was almost certainly not LLM-generated. Armed with this insight, we run three state-of-the-art LLM detection methods on our corpus and calibrate them against pre-ChatGPT emails, as well as against a diverse set of LLM-generated emails we create ourselves. Since the launch of ChatGPT, all three detection methods indicate that attackers have steadily increased their use of LLMs to generate emails, especially for spam. Using our most precise AI-detection method, we conservatively estimate that at least 16% of spam emails and 4% of business email compromise attacks in our dataset are generated using LLMs, as of April 2024. Finally, analyzing the text of LLM-generated emails, we find strong evidence that LLMs are used by attackers to "polish" their emails and to generate multiple versions of the same email message.
- Session 4b: Blockchain Security (Session Chair: Zubair Shafiq)
- Nicole Gerzon (Northeastern University), Ben Weintraub (Northeastern University), Junbeom In (Northeastern University), Alan Mislove (Northeastern University), Cristina Nita-Rotaru (Northeastern University) Abstract: Solana has emerged as a major blockchain platform providing high throughput and low fees. Like other blockchains, Solana can be attacked via so-called sandwiching attacks, where an attacker observes a pending transaction, quickly buys the target cryptocurrency, lets the transaction go through, and then immediately sells it for a profit, skimming that profit from the user. While such attacks have been observed by users, they remain underexplored in academic literature due to technical difficulties studying Solana at scale. This paper presents a measurement study of sandwiching attacks on Solana's most adopted validator client, Jito. We develop a methodology to collect Jito data and analyze over three months of data, uncovering patterns indicative of both opportunistic and defensive behaviors. Our analysis reveals the ongoing presence of sandwiching attacks on Jito, finding over 400K instances resulting in over $5M losses for victims. We also observe users employing defensive behaviors that provide little benefit beyond preventing sandwiching. This demonstrates widespread anticipation of adversarial activity, despite sandwiching being relatively rare overall. Our findings raise important questions about the perceived versus actual threat of sandwiching attacks on Solana highlighting the need for more transparent governance around validator-driven extensions.
- Bowen He (Zhejiang University & Mohamed bin Zayed University of Artificial Intelligence), Yufeng Hu (Zhejiang University), Zhuo Chen (Zhejiang University), Yuan Chen (Zhejiang University), Ting Yu (Mohamed bin Zayed University of Artificial Intelligence), Rui Chang (Zhejiang University), Lei Wu (Zhejiang University & BlockSec), Yajin Zhou (Zhejiang University & BlockSec) Abstract: The prosperity of Ethereum gives rise to a new type of transaction-based phishing scam. Specifically, users are tempted to visit phishing websites and sign phishing transactions that allow scammers to withdraw their tokens. Meanwhile, to accelerate the deployment of phishing websites, scammers have introduced a business model, Drainer-as-a-Service (DaaS). In this model, drainer operators focus on crafting specialized phishing toolkits, named “wallet drainers”, while drainer affiliates handle the deployment and promotion of phishing websites. After stealing victims’ tokens, they will distribute profits. In this paper, we present the first systematic study of DaaS on Ethereum. To begin with, we propose a snowball sampling approach to build the first large-scale DaaS dataset, including 1,910 profit-sharing contracts, 56 operator accounts, 6,087 affiliate accounts, and 87,077 profit-sharing transactions. Then, we analyze the scale of DaaS from the perspectives of victims, operators, and affiliates, and perform clustering analysis to uncover dominant DaaS families. Finally, we reported DaaS accounts in the dataset and 32,819 phishing websites deployed with DaaS toolkits to the community. Our work aims to serve as a guide for Ethereum service providers to enhance user protection against DaaS.
- 10:30 - 11:00 - Break
- 11:00 - 12:30 - Session 5
- Session 5: 5G and Optical (Session Chair: Joon Kim)
- Omar Basit (Purdue University), Imran Khan (Northeastern University), Moinak Ghoshal (Northeastern University), Y. Charlie Hu (Purdue University), Dimitrios Koutsonikolas (Northeastern University) Abstract: The cellular network has undergone rapid progress since its inception in the 1980s. While rapid iteration of newer generations of cellular technology plays a key role in this evolution, the incremental and eventually wide deployment of every new technology generation also plays a vital role in delivering the promised performance improvement. In this work, we conduct the first metamorphosis study of a cellular network generation, 5G, by measuring the user-experienced 5G performance from 5G network’s birth (initial deployment) to maturity (steady state). By analyzing a 4-year 5G performance trace of 2.65M+ Ookla® Speedtest Intelligence® measurements collected in 9 cities in the United States and Europe from January 2020 to December 2023, we unveil the detailed evolution of 5G coverage, throughput, and latency at the quarterly granularity, compare the performance diversity across the 9 representative cities and gain insights into compounding factors that affect user-experienced 5G performance, such as adoption of 5G devices and the load on the 5G network. Our study uncovers the typical life-cycle of a new cellular technology generation as it undergoes its “growing pain” towards delivering its promised QoE over the previous technology generation.
- Fan Yi (Princeton University), Haoran Wan (Princeton University), Kyle Jamieson (Princeton University), Oliver Michel (Princeton University) Abstract: 5G wireless networks are complex, leveraging layers of scheduling, retransmission, and adaptation mechanisms to maximize their efficiency. But these mechanisms interact to produce significant fluctuations in uplink and downlink capacity and latency. This markedly impacts the performance of real-time applications, such as video-conferencing, which are particularly sensitive to such fluctuations, resulting in lag, stuttering, distorted audio, and low video quality. This paper presents a cross-layer view of 5G networks and their impact on and interaction with video-conferencing applications. We conduct novel, detailed measurements of both Private CBRS and commercial carrier cellular network dynamics, capturing physical- and link-layer events and correlating them with their effects at the network and transport layers, and the video-conferencing application itself. Our two datasets comprise days of low-rate campus-wide Zoom telemetry data, and hours of high-rate, correlated WebRTC-network-5G telemetry data. Based on these data, we trace performance anomalies back to root causes, identifying 24 previously unknown causal event chains that degrade 5G video conferencing. Armed with this knowledge, we build Domino, a tool that automates this process and is user-extensible to future wireless networks and interactive applications.
- Yanbing Liu (Purdue University), Jingqi Huang (Purdue University), Sonia Fahmy (Purdue University), Chunyi Peng (Purdue University) Abstract: 5G is much faster than 4G, offering quicker data transfer and better user experience overall. There is no surprise that 5G should be used as much as possible. However, in this study, we unveil one surprising finding in operational 5G networks: 5G radio access might get stuck into a persistent ON-OFF loop which repeatedly turns 5G on and then off. We conduct extensive measurement experiments with three US operators (T-Mobile, AT&T, and Verizon) in two US cities to characterize and analyze 5G ON-OFF instances in the wild. Even more surprisingly, we find that such 5G ON-OFF loops are not uncommon. They are widely observed at many places, significantly hurting data performance. We further dive into their causes and unveil that inconsistent triggers to turn 5G on and off co-exist in real-world settings, repeatedly releasing 5G radio access after getting 5G back. We identify three loop types each with distinct triggering events (causes). We find that 5G network operators should also take the blame for inconsistent policies and mechanisms, as well as "improper" use of certain frequency channels.
- Shiyi Liu (Computer Network Information Center, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Yanbiao Li (CNIC CAS; UCAS, China), Xin Wang (SUNY Stony Brook), Xinyi Zhang (Computer Network Information Center, Chinese Academy of Sciences), Zhuoran Ma (Hunan University), Haitao Liu (Computer Network Information Center, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Gaogang Xie (CNIC CAS; UCAS, China) Abstract: As 5G networks develop to achieve the ubiquitous connectivity envisioned in the International Mobile Telecommunications 2030 framework, their control plane traffic has consequently surged. To ensure the ubiquitous connectivity, it is essential to have an in-depth understanding of the internal characteristics and mechanisms of the control plane to provide optimal services. However, existing measurement efforts either exclude the control plane or treat it as an opaque box, focusing solely on the overall performance rather than internal characteristics. In this paper, we present a 3GPP-compliant control plane evaluation framework and conduct the first in-depth analysis based on the measurements of the characteristics and overheads of various network functions (NFs) under large-scale connectivity. We reveal the substantial resource demands and limited scalability of the Access and Mobility Management Function (AMF) and the Network Repository Function (NRF). Additionally, we identify a heavy demand for better state management. Based on insights from our measurements, we discuss the immense potential and necessity for optimization in the core network, including optimized protocol processing, mitigation of potential leverage attacks, and an integrated state management framework.
- Replication: "Performance of Cellular Networks on the Wheels" (Replicability Track) Moinak Ghoshal (Northeastern University), Omar Basit (Purdue University), Imran Khan (Northeastern University), Z. Jonny Kong (Purdue University), Sizhe Wang (Northeastern University), Yufei Feng (Northeastern University), Phuc Dinh (Northeastern University), Y. Charlie Hu (Purdue University), Dimitrios Koutsonikolas (Northeastern University) Abstract: In 2022, 3 years after the initial 5G rollout, through a cross-country US driving trip (from LA to Boston), the authors of [17] conducted an in-depth measurement study of user-perceived experience (network coverage, performance, and QoE of a set of major 5G “killer” apps) over all three major US carriers. The study revealed disappointingly low 5G coverage and suboptimal network performance -- falling short of the expectations needed to support the new generation of 5G "killer apps". Now, five years into the 5G era, widely considered its midlife, 5G networks are expected to deliver stable and mature performance. In this work, we replicate the 2022 study along the same coast-to-coast route, evaluating the current state of cellular coverage and network and application performance across all three major US operators. While we observe a substantial increase in 5G coverage and a corresponding boost in network performance, two out of three operators still exhibit limited 5G coverage even five years after the initial 5G rollout. We expand the scope of the previous work by analyzing key lower-layer KPIs that directly influence the network performance. Finally, we introduce a head-to-head comparison with Starlink's LEO satellite network to assess whether emerging non-terrestrial networks (NTNs) can complement with terrestrial cellular infrastructure in the next generation of wireless connectivity.
- Abstract: Wide-area network operators attempt to chase Shannon’s limit on the data rate of optical channels by dynamically adapting these data rates in response to changes in signal quality. However, adapting wavelength data rates incurs failures, resulting in loss of reliability. Using empirical evidence from an ISP in the United States, we quantify the efficiency vs. reliability trade-off inherent in chasing Shannon’s limit on channel capacity in wide-area networks. We identify key factors impacting this trade-off: (1) wider spectral-width channels are more unreliable than narrower ones, and (2) specific SNR values significantly influence the reliability of rate-adaptive channels. Our findings provide practical insights for finding a balance between efficiency and reliability. We highlight how operators can carefully chase Shannon’s limit based on wavelength spectral width, SNR, and transponder capabilities.
- 12:30 - 13:30 - Lunch
- 13:30 - 14:30 - Community Session
- 14:30 - 15:30 - Session 6
- Session 6: IPv6 (Session Chair: Liz Izhikevich)
- Patrick Sattler (Technical University of Munich), Matthias Kirstein (Technical University of Munich), Lars Wüstrich (Technical University of Munich), Johannes Zirngibl (Max Planck Institute for Informatics), Georg Carle (Technical University of Munich) Abstract: Happy Eyeballs (HE) started out by describing a mechanism that prefers IPv6 connections while ensuring a fast fallback to IPv4 when IPv6 fails. The IETF is currently working on the third version of HE. While the standards include recommendations for HE parameters choices, it is up to the client and OS to implement HE. In this paper we investigate the state of HE in various clients, particularly web browsers and recursive resolvers. We introduce a framework to analyze and measure client’s HE implementations and parameter choices. According to our evaluation, only Safari supports all HE features. Safari is also the only client implementation in our study that uses a dynamic IPv4 connection attempt delay, a resolution delay, and interlaces addresses. We further show that problems with the DNS A record lookup can even delay and interrupt the network connectivity despite a fully functional IPv6 setup with Chrome and Firefox. We publish our testbed measurement framework and a web-based tool to test HE properties on arbitrary browsers.
- How I learned to stop worrying and love IPv6: Measuring the Internet Readiness for DNS over IPv6 (Long) Tobias Fiebig (Max-Planck Institute for Informatics), Anja Feldmann (Max Planck Institute for Informatics) Abstract: In this paper, we revisit a fundamental discussion in the context of the Internet's future from the past decade: Is IPv6 harmful for DNS or not? As simple as this question may sound, until now, there is no clear recommendation to support DNS for authoritative and recursive name servers. RFC3901 is unchanged since 2004. We revisit the--by now--decade long history of this discussion, and how it relates to choices regarding fragmentation (end-to-end in IPv6 vs. on-path in IPv4), limitations to Path MTU Discovery (PMTUD), and diverging security policies which suggest dropping IPv6 fragments. To address this question we gather an extensive dataset to capture zones' resolvability (for the top 10 million domains in the Google Chrome User Experience report) over time for different MTU and PMTUD scenarios. To scale our experiments we develop the concept of unique name server sets, since fragmentation avoidance (RFC9715) and EDNS0 and TCP fallback capabilities are name server specific. Our results challenge traditional wisdom, demonstrating that: (i) The negative impact of DNS resolution via IPv6 is negligible, even for DNSSEC enabled zones in a worst-case MTU/PMTUD scenario, (ii) NS-Sets supporting DNSSEC are more likely to also support DNS resolution via IPv6, (iii) Dropping or not dropping of fragments has negligible impact on IPv6 DNS resolution, (iv) Prior work missed the notable role of a single Tier-1 when determining how wide-spread IPv6 fragment dropping is. From our results, we argue that it is time to recommend that IPv6 SHOULD be used for the DNS.
- Sulyab Thottungal Valapu (USC), John Heidemann (University of Southern California/Information Sciences Institute) Abstract: Twelve years have passed since World IPv6 Launch Day, but what is the current state of IPv6 deployment? Prior work has examined IPv6 status as a binary: can you use IPv6, or not? As deployment increases we must consider a *more nuanced, non-binary perspective on IPv6: how much and often can a user or a service use IPv6?* We consider this question as a client, server, and cloud provider. Considering the client's perspective, we observe user traffic. We see that the fraction of IPv6 traffic a user sends varies greatly, both across users and day-by-day, with a standard deviation of over 15%. We show this variation occurs for two main reasons. First, IPv6 traffic is primarily human-generated, thus showing diurnal patterns. Second, some services are IPv6-forward and others IPv6-laggards, so as users do different things their fraction of IPv6 varies. We look at server-side IPv6 adoption in two ways. First, we expand analysis of web services to examine how many are only partially IPv6 enabled due to their reliance on IPv4-only resources. Our findings reveal that only 12.5% of top 100k websites qualify as fully IPv6-ready. Finally, we examine cloud support for IPv6. Although all clouds and CDNs support IPv6, we find that tenant deployment rates vary significantly across providers. We find that ease of enabling IPv6 in the cloud is correlated with tenant IPv6 adoption rates, and recommend best practices for cloud providers to improve IPv6 adoption. Our results suggest IPv6 deployment is growing, but many services lag, presenting a potential for improvement.
- Michael Klopsch (RWTH Aachen University), Constantin Sander (RWTH Aachen University), Klaus Wehrle (RWTH Aachen University), Markus Dahlmanns (RWTH Aachen University) Abstract: Due to its large address space, IPv6 remains a challenge for Internet measurements. Thus, IPv6 scans often resort to hitlists that, however, mainly cover core Internet infrastructure and servers. Contrarily, a recent approach to source addresses leveraging NTP servers promises to discover more user-related hosts. Yet, an in-depth analysis of hosts found by this approach is missing and its impact remains unclear. In this paper, we close this gap by sourcing client IPv6 addresses from our NTP Pool servers and scanning related hosts. We get 3 040 325 302 IPv6 addresses, unveiling 283 867 deployments of consumer products underrepresented in a state-of-the-art hitlist, only leading to 37 858 finds. Security-wise, we find that only 28.4 % of 73 975 NTP-sourced SSH and IoT-related hosts appear to be securely configured, compared to 43.5 % of 854 704 hosts in the hitlist, revealing previously underestimated security issues. Last, we switch sides and identify first (potentially malicious) actors adopting NTP-based address sourcing in their scanning.
- 15:30 - 16:00 - Break
- 16:00 - 17:20 - Session 7
- Session 7: Protocols & Compliance (Session Chair: Zachary Bischof)
- Peiqing Chen (University of Maryland), Peng Qiu (University of Pennsylvania), Anonymous (University of Maryland), Zaoxing Liu (University of Maryland) Abstract: Real-time communication (RTC) has been prevalent since COVID-19, supporting billions of video calls and voice chat interactions. Protocols such as STUN, TURN, RTP, RTCP, and QUIC play a critical role in transmitting RTC media in various applications. Based on standardized protocol specifications, in this paper, we investigate the extent of protocol compliance by analyzing the network traffic in real-world one-on-one calls. We capture and filter RTC traffic, design a Deep Packet Inspection framework to identify all messages for RTC media transmission, and systematically evaluate each message's compliance against protocol specifications. Our analysis of five popular RTC applications—Zoom, FaceTime, WhatsApp, Facebook Messenger (i.e., Messenger), and Discord—reveals that: 1) None of the studied applications strictly follow all RTC protocol specifications, and existing protocol implementations, except for QUIC, have some level of non-compliance; 2) Existing applications either implement proprietary protocols or modify existing message types to achieve the desired protocol functionality.
- Abstract: The current Internet landscape is shaped by intermediate elements, known as middleboxes, which disrupt the end-to-end principle the Internet was originally designed around. In [8], the authors examine the HTTP/1.1 protocol and demonstrate that assessing the compliance of a remote implementation with respect to its RFC is challenging, as middleboxes on the network path can alter application-layer content. This paper builds on their work by focusing on HTTP/2, a more efficient yet more complex protocol that is known to be vulnerable to denial-of-service attacks. We create a suite of 156 tests, more than three times the number conducted on HTTP/1.1, and analyze 12 popular proxies as well as 3 cloud proxies. This work not only investigates the current landscape of proxy implementations with respect to RFCs, but also examines the evolution of compliance over time in local proxies. We show that while there is an improvement compared to previous results in HTTP/1.1, none of the proxies are yet fully compliant.
- Ruizhe Shi (George Mason University), Yuqi Fu (University of Virginia), Ruizhi Cheng (George Mason University), Bo Han (George Mason University), Yue Cheng (University of Virginia), Songqing Chen (George Mason University) Abstract: Web 3.0 is redefining the current Web (Web 2.0) with a focus on data and governance decentralization. The InterPlanetary File System (IPFS) exemplifies this shift. However, it faces a trade-off between decentralization and performance: prior studies have shown IPFS’s performance degradations but fail to diagnose root causes or deliver actionable fixes. In this study, we present a comprehensive client-side measurement of IPFS performance, identify key bottlenecks, and propose practical enhancements. The key insights of our study are threefold. First, IPFS suffers from significantly lower (∼ 8×) throughput than HTTP, primarily due to its sequential downloading pattern imposed by its default block exchange protocol, Bitswap. By enhancing Bitswap, we manage to increase IPFS’s downloading throughput by up to 2.23× for large files. Second, Bitswap’s sequential downloading pattern limits parallel data retrieval from multiple sources and prevents BBR congestion control from fully leveraging its throughput optimization potential in lossy networks. Third, Bitswap supersedes DHT as IPFS’s primary content discovery tool, resolving >80% of requests. Meanwhile, the reliability of DHT is hampered by unresponsive peers, causing delays or failures. Fine-tuning the activation threshold of DHT could optimize lookup efficiency as we demonstrate.
- Chaos in the Chain: Evaluate Deployment and Construction Compliance of Web PKI Certificate Chain (Long) Jia Yao (Beijing University of Posts and Telecommunications), Yiming Zhang (Tsinghua University), Baojun Liu (Tsinghua University), Zhan Liu (Tsinghua University), Mingming Zhang (Zhongguancun Laboratory), Haixin Duan (Tsinghua University) Abstract: Transport Layer Security (TLS) is a cornerstone to secure Internet communications. It requires proper deployment and validation of certificate chains. During validation, clients must first construct the chain from server-provided certificates. However, existing research often integrates chain construction into the broader validation process, lacking independent analysis of this crucial step. This paper presents the first systematic assessment of certificate chain construction, covering server-side deployment compliance and client-side capabilities. On the server side, we summarized structural requirements from RFC standards and evaluated real-world website compliance. We found that approximately 3% of Tranco Top 1M domains have deployed non-compliant chains, with common issues including reversed sequences and incomplete chains. The compliance would be influenced by HTTP server and Certificate Authority checks and guidance during the configuration process. On the client side, we evaluated 9 types of chain-building capabilities across 8 mainstream TLS implementations, uncovering prevalent deficiencies like inadequate backtracking and difficulties with long chains. These deficiencies could compromise TLS security, causing a fallback to insecure HTTP or making the service unavailable. Our findings highlight critical gaps in current certificate chain practices. Based on our findings, we also propose recommendations for improving the deployment and construction of certificate chains.
- Mingming Zhang (Zhongguancun Laboratory), Jinfeng Guo (Nankai University), Yiming Zhang (Tsinghua University), Shenglin Zhang (Nankai University), Baojun Liu (Tsinghua University), Hanqing Zhao (Tsinghua University), Xiang Li (Nankai University), Haixin Duan (Quancheng Lab, Tsinghua University) Abstract: The PKI system supports global use with X.509 certificates, integrating internationalized content like IDNs and multilingual text, referred to as Unicerts. This integration introduces complexity in Unicert issuance and usage. Past incidents showed that poor Unicode handling can cause security risks, including spoofing and remote code execution, yet threats specific to PKI and Unicerts remain underexplored. This paper presents the first large-scale study of Unicerts, examining both issuance and parsing compliance. By analyzing 34.8M Unicerts from CT logs and 9 mainstream TLS libraries, we found the PKI ecosystem struggles with adopting Unicode. On the issuing side, 373 CAs issued 249k (0.72%) non-compliant Unicerts due to weak validation on character ranges, normalization, and formatting, 65.3% of which from publicly trusted CAs. These issues arise from overly complex standard requirements. On the parsing side, we found that libraries (e.g., GnuTLS and PyOpenSSL) exhibited issues in decoding and handling special characters, such as incompatible decoding and improper escaping, which could lead to incorrect entity extraction or subfield forgery. We further empirically identified three threat surfaces: user spoofing, CT monitor misleading, and traffic obfuscation. Finally, we analyzed root causes and proposed recommendations to enhance Unicert compliance in the global PKI ecosystem.
- 18:30 - - Banquet - Tripp Common In The Memorial Union
Thursday, 30th October 2025
- 7:15 - 9:00 - Breakfast - Discovery building atrium area
- 9:00 - 10:25 - Session 8
- Session 8: BGP / Routing security (Session Chair: Tijay Chung)
- Jiahong Lai (Tsinghua University), Jessie Hui Wang (Tsinghua University), Yunhao Liu (Tsinghua University), Jilong Wang (Tsinghua University) Abstract: Existing inter-domain routing simulators often suffer from low simulation accuracy, slow processing speeds, and high memory consumption, hindering their ability to perform large-scale Internet simulations. In this paper, we present InternetSim, a multi-threaded simulator for Internet-scale inter-domain routing. InternetSim enables incremental computation to deal with policy changes by some ASes, thus significantly accelerating multi-iteration context-continuous routing simulations. The memory efficiency is also improved by designing compact data structures for routing tables and out-of-memory errors are prevented by offloading the data to disk when necessary. Our simulator can complete an iteration of Internet-scale simulation within 13 hours (21× speedup compared to C-BGP) and can complete an "incremental computation" iteration within 15 seconds. The memory requirement is only 45% of C-BGP (without offloading) and the simulator can work well for Internet-scale simulations on a server with only 64GB if offloading is always enabled.
- Replication: A Two Decade Review of Policy Atoms - Tracing the Evolution of AS Path Sharing Prefixes (Replicability Track) Weili Wu (Georgia Institute of Technology), Zachary Bischof (Georgia Institute of Technology), Cecilia Testart (Georgia Institute of Technology), Alberto Dainotti (Georgia Institute of Technology) Abstract: Afek et al. characterized the formation and stability of policy atoms - groups of prefixes that share the same Autonomous System (AS) paths as observed by BGP collectors, a concept initially defined by Broido and Claffy in 2001. Policy atoms provide a valuable perspective on the inter-domain routing policies in the Internet. With the rapid growth and increasing complexity of the Internet over the past two decades, we believe it is crucial to reassess the implication and applicability of policy atoms. In this paper, we revisit the policy atom concept after two decades and replicate the study by Afek et al. to assess the current state of AS path sharing and shed light on the evolution of policy atoms at large in the Internet. We demonstrate that the Internet still operates on the level of policy atoms rather than individual ASes, and we correlate the trends in characteristics of policy atoms with the development of inter-domain routing policies. We highlight the new insight generated by the perspective of the policy atom and its potential for further applications. All of our code and data are publicly available to support reproducibility and to encourage future research on this topic.
- Deepak Gouda (Georgia Institute of Technology), Romain Fontugne (IIJ Research Laboratory), Cecilia Testart (Georgia Institute of Technology) Abstract: Resource Public Key Infrastructure (RPKI) has become a standard for enhancing the security of Internet routing. Currently, more than 50% of BGP prefixes are covered by RPKI Route Origin Authorizations (ROAs), enabling networks to validate the origin of prefix advertisements in BGP. However, ROA adoption is non-uniform, with key stakeholders still lagging behind. In this paper, we present a data-driven analysis of global RPKI adoption to quantify the current state of ROA coverage and we identify persistent disparities that hinder broader adoption. Our study reveals that although RPKI awareness has grown, the complexity of planning and deploying ROAs is a challenge. Since no unified workflow and documentation exist for ROA planning, many organizations are left without clear operational guidance. To address this challenge, we propose a systematic framework for ROA planning and introduce ru-RPKI-ready, a platform designed to provide data and insights to facilitate ROA planning. Using ru-RPKI-ready, we characterize the routed address space not covered by RPKI ROAs. We find that 47% of IPv4 and 71% of IPv6 prefixes not in RPKI could be covered with minimal technical efforts. Our analysis also reveals that if as few as ten organizations were to take necessary actions, the global ROA coverage can increase by 7% for IPv4 and 19% for IPv6.
- Henry Birge-Lee (Princeton University), Ari Brown (Princeton University), Christine Guo (Princeton University), Cyrill Krähenbühl (Princeton University), Sohom Pal (Rutgers University), Liang Wang (Princeton University), Prateek Mittal (Princeton University) Abstract: Multiple Perspective Issuance Corroboration (MPIC) is a defense that strengthens the Domain Control Validation protocol run by Certificate Authorities (CAs) against network attacks (e.g., routing hijacks). Despite its recent adoption as a requirement by the CA/Browser Forum, the quantitative security benefits of MPIC in light of real-world routing behaviors are not well understood. We seek to address this challenge by creating a framework to test the effects of real-world BGP hijacks on millions of potential MPIC perspective deployments that could be adopted by CAs. Our framework launches around 1500 ethical BGP hijacks on domains we own and analyzes how potential MPIC perspectives route under these attacks. We consider over 100 global MPIC perspective locations spread across 3 major cloud providers. We find that MPIC can prevent a significant number of real-world BGP hijacks that otherwise might have led to certificate misissuance with optimal deployments preventing over 87% of attacks. We further show that different routing behaviors by cloud providers, such as cold potato routing, have a substantial effect on MPIC's ability to detect BGP attacks. Finally, our framework computes optimized sets of MPIC perspective locations for CAs to use given their preference of cloud provider and perspective count. Our recommendations have already impacted the MPIC deployment at Google Trust Services and have been adopted as the default recommendation by the Open MPIC project.
- Iliana Maria Xygkou (Cisco ThousandEyes, Georgia Institute of Technology), Antonios A. Chariton (Cisco ThousandEyes), Xenofontas Dimitropoulos (Cisco ThousandEyes), Alberto Dainotti (Georgia Tech) Abstract: BGP is the de facto protocol used to manage a network's reachability on the Internet. Network operators announce and withdraw their prefixes on BGP to enable or to prevent communication towards their origin network, respectively. However, the withdrawal of a prefix could fail to propagate totally in the Internet and routes towards withdrawn prefixes could remain in the routing tables of routers. These routes are called stuck or zombie BGP routes, and their persistence can lead to performance degradation, or even partial or complete outage. In this paper, we revisit existing work on BGP zombies using RIPE beacons, identify the *double-counting* discrepancy, and revise the methodology to address this problem and detect zombies more accurately. Furthermore, we point out limitations of the RIPE beacons with respect to their periodicity, lack of diversity, and noise and introduce and deploy our own beacons, which address these limitations. Using our beacons and the revised methodology, we analyze the lifespan of BGP zombies. We show that zombie routes can persist in RIBs for days, weeks, or even months. Furthermore, we document that BGP zombies can be announced months after their original withdrawal, affecting new ASes. Finally, we discuss interesting cases of long-lived zombie outbreaks that affected large ISPs with hundreds of ASes in their customer cones.
- Matthew Luckie (CAIDA), Steven Wallace (Internet2), Karl Newell (Internet2), Jeff Bartig (Internet2), Sadi Koçak (SURF), Niels den Otter (SURF), Kaj Koole (SURF), James Deaton (Internet2), kc Claffy (CAIDA) Abstract: BGP hides information that is crucial for building accurate routing models. In this paper, we combine BGP and active probing to infer relative route preference policies of research and education (R&E) network members. We inferred that systems in ≈88% of ≈12K prefixes that 2,578 ASes announced in an R&E ecosystem were insensitive to AS path length when selecting provider routes – only ≈8-9% appeared to assign the same local preference to available R&E and commodity routes. We validate our method, and discuss broader application of the method to infer relative route preference, a crucial step in being able to accurately model routing policies.
- 10:25 - 10:55 - Break
- 10:55 - 12:30 - Session 9
- Session 9: Security (Session Chair: Phillipa Gill)
- Mario Beluri (Saarland University), Bhupendra Acharya (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Giada Stivala (CISPA Helmholtz Center for Information Security), Giancarlo Pellegrino (CISPA Helmholtz Center for Information Security), Thorsten Holz (CISPA Helmholtz Center for Information Security) Abstract: There has been a rise in online platforms facilitating the buying and selling of social media accounts. While the trade of social media profiles is not inherently illegal, social media platforms view such transactions as violations of their policies. They often take action against accounts involved in the misuse of platforms for financial gain. This research conducts a comprehensive analysis of marketplaces that enable the buying and selling of social media accounts. We investigate the economic scale of account trading across five major platforms: *X*, *Instagram*, *Facebook*, *TikTok*, and *YouTube*. From February to June 2024, we identified 38,253 accounts advertising account sales across 11 online marketplaces, covering 211 distinct categories. The total value of marketed social media accounts exceeded $64 million, with a median price of $157 per account. Additionally, we analyzed the profiles of 11,457 visible advertised accounts, collecting their metadata and over 200,000 profile posts. By examining their engagement patterns and account creation methods, we evaluated the fraudulent activities commonly associated with these sold accounts. Our research reveals these marketplaces foster fraudulent activities such as bot farming, harvesting accounts for future fraud, and fraudulent engagement. Such practices pose significant risks to social media users, who are often targeted by fraudulent accounts resembling legitimate profiles and employing social engineering tactics.
We highlight social media platform weaknesses in the ability to detect and mitigate such fraudulent accounts, thereby endangering users. Alongside, we conducted thorough disclosures with the respective platforms and proposed actionable recommendations, including indicators to identify and track these accounts. These measures aim to enhance proactive detection and safeguard users from potential threats.
- Sharad Agarwal (University College London (UCL)), Antonis Papasavva (University College London (UCL)), Guillermo Suarez-Tangil (IMDEA Networks), Marie Vasek (University College London (UCL)) Abstract: Recently, there has been a worldwide surge in SMS phishing, aka smishing. However, the lack of open-access updated datasets makes it challenging for researchers to study this global issue. Mobile network operators and government agencies provide users special SMS spam reporting services. Though, these services are regional and users are largely unaware. So, users often turn to public forums such as Twitter and Reddit to report and discuss smishing. This paper presents a novel methodological approach to collect an updated smishing dataset and measure the infrastructure, targets, and strategies employed by attackers to lure victims. We programmatically collect users' smishing reports from five public forums, collating over 64.5k smishing image attachments and reports, which include 28.6k sender IDs and 25.9k URLs criminals abuse to conduct smishing campaigns across 67 languages. We unveil the exploited infrastructure ranging from mobile network operators to domains. We categorize smishing texts into seven scam types and explain lures criminals use to deceive victims into providing sensitive/financial information. Using real time measurements on a random sample of Twitter posts, we showcase how to uncover Android malware spread via smishing. We suggest effective mitigation approaches to curb this widespread cybercrime.
- Inside Certificate Chains Beyond Public Issuers: Structure and Usage Analysis from a Campus Network (Short). Hongying Dong (University of Virginia), Yizhe Zhang (University of Virginia), Hyeonmin Lee (University of Virginia), Yixin Sun (University of Virginia) Abstract: Digital certificates are crucial for securing Internet communications. Certificates issued by trusted Certificate Authorities (CAs) can be validated by following the chain of trust, consisting of leaf, intermediate, and root certificates. However, such certificate chain structure may not be followed by private CAs who are not subject to public monitoring and auditing. This paper takes a first look at certificate chains involving certificates issued by private untrusted CAs. Utilizing a year's worth of TLS traffic collected from a campus network, we dissect the certificate chain structures and analyze their usage in TLS connections. While we observe positive acts such as the logging of private CA-issued certificates anchored to trust roots into Certificate Transparency (CT) logs, we also identify potential misconfigurations by servers where extraneous certificates are included in the certificate chains, which may lead to validation and connection failures.
- Yuqian Song (Delft University of Technology), Georgios Smaragdakis (Delft University of Technology), Harm Griffioen (Delft University of Technology) Abstract: Databases often store sensitive organizational data but may be exposed to the Internet through misconfiguration or vulnerabilities. However, such databases may be unintentionally exposed to the Internet, e.g., due to misconfiguration or be vulnerable. To study real-world attacks on public-facing database management systems (DBMS), we deployed 278 honeypots over 20 days in March–April 2024. Our 220 low-interaction honeypots emulate MySQL, MSSQL, PostgreSQL, and Redis, revealing that scanning activity is relatively low (~3,000 IPs), but brute-force attempts are persistent. We also deploy 58 medium/high-interaction honeypots, which reveal three distinct types of exploitation: (i) direct attacks on the database management system to manipulate the database, (ii) ransom-driven attacks that copy and delete the targeted data, and (iii) use the database as an attack vector to take over the underlying system. Our findings highlight that DBMS-targeted attacks are distinct from those on other Internet-facing systems and deserve focused attention.
- Cristian Munteanu (Max Planck Institute for Informatics), Yogesh Bhargav Suriyanarayanan (Max Planck Institute for Informatics), Georgios Smaragdakis (Delft University of Technology and Max Planck Institute for Informatics), Anja Feldmann (Max Planck Institute for Informatics), Tobias Fiebig (Max Planck Institute for Informatics) Abstract: Numerous studies have explored SSH attacks, often focusing on specific botnet activities or providing short-term analyses of particular honeynets. In this paper, we present an analysis of data collected from a large-scale honeynet over a three-year period, shedding light on gradual shifts in attacker behavior. Our findings suggest a trend toward more exploratory attacks, with indications that attackers are increasingly moving beyond the blind execution of scripts. We observe changes in techniques as new bots appear with unique methods and established botnets modify their approaches over time. Furthermore, attackers have adopted a more scouting approach in recent months, showing increased adaptability in their tactics. Additionally, there is a clear preference for utilizing recently registered ASes as storage locations for malicious files. Our findings also suggest that attackers are increasingly aware of honeypot presence. Some attackers actively search for these traps, while others exploit honeypots for their own purposes, underscoring the need for a new generation of more advanced honeypots. Lastly, we conduct a detailed investigation into one of the most prevalent attacks, challenging existing assumptions about the attacker's identity.
- Zhentian Huang (Tsinghua University), Shuai Wang (Zhongguancun Laboratory), Li Chen (Zhongguancun Laboratory), Dan Li (Tsinghua University), Yilun Liu (Wuhan University) Abstract: Precise timekeeping is crucial for the dependable functioning and security of multiple Internet infrastructures, such as TLS certificates. Although the Network Time Protocol (NTP) is widely used for time synchronization across devices, it has several security vulnerabilities. Network Time Security (NTS) offers server authentication and integrity verification to protect against man-in-the-middle attacks. However, NTS does not address issues related to erroneous time sources. In this paper, our objective is to measure the time source vulnerabilities in the NTP ecosystem. We begin by building a long-term, large-scale dataset of open NTP and NTS servers. Based on the dataset, we find that 16.4% of open NTP servers are bad timekeepers. For NTP Pool servers and *refid* servers, two subsets more likely to have clients, the proportions are lower, with only 0.2% and 5.0% being bad timekeepers, respectively. Among these bad timekeepers, 92.1% are due to synchronization anomalies, and 6.7% are due to low-quality time sources, which are also experienced by the NTP operators we surveyed. More concerning, we uncover two security risks arising from time source configurations that could be exploited for time-shifting attacks. Our study encourages the NTP community to focus on the accuracy and security of time sources.
- 12:30 - 14:00 - Lunch+Posters
- 14:00 - 15:25 - Session 10
- Session 10: Web (Session Chair: Ram Sundara Raman)
- Abstract: YouTube is among the most widely-used platforms worldwide, and has seen a lot of recent academic attention. Despite its popularity and the number of studies conducted on it, much less is understood about the way in which YouTube's Data API, and especially the Search endpoint, operates. In this paper, we analyze the API's behavior by running identical queries across a period of 12 weeks. Our findings suggest that the search endpoint returns highly inconsistent results between queries in ways that are not officially documented. Specifically, the API seems to randomize returned videos based on the relative popularity of the respective topic during the query period, making it nearly impossible to obtain representative historical video samples, especially during non-peak topical periods. Our results also suggest that the API may prioritize shorter, more popular videos, although the role of channel popularity is not as clear. We conclude with suggested strategies for researchers using the API for data collection, as well as future research directions on expanding the API's use-cases.
- Scrapers selectively respect robots.txt directives: evidence from a large-scale empirical study (Long). Taein Kim (Duke University), Karstan Bock (Duke University), Claire Luo (Duke University), Amanda Liswood (Duke University), Chloe Poroslay (Duke University), Emily Wenger (Duke University) Abstract: Online data scraping has taken on new dimensions in recent years, as traditional scrapers have been joined by new AI-specific bots. To counteract unwanted scraping, many sites use tools like the Robots Exclusion Protocol (REP), which places a robots.txt file at the site root to dictate scraper behavior. Yet, the efficacy of the REP is not well-understood. Anecdotal evidence suggests some bots comply poorly with it, but no rigorous study exists to support (or refute) this claim. To understand the merits and limits of the REP, we conduct the first large-scale study of web scraper compliance with robots.txt directives using anonymized web logs from our institution. We analyze the behavior of 130 self-declared bots (and many anonymous ones) over 40 days, using a series of controlled robots.txt experiments. We find that bots are less likely to comply with stricter robots.txt directives, and that certain categories of bots, including AI search crawlers, rarely check robots.txt at all. These findings suggest that relying on robots.txt files to prevent unwanted scraping is risky and highlight the need for alternative approaches.
- Sthitadhi Sengupta (George Mason University), Nan Wu (George Mason University), Matteo Varvello (Nokia Bell Labs), Krish Jana (Montville Township High School), Songqing Chen (George Mason University), Bo Han (George Mason University) Abstract: With increasing demand for machine learning, deep learning, and visualization services in the browser, service providers seek cost-effective and privacy-preserving solutions. General-purpose GPU computations, such as vector and matrix operations, are foundational to these applications. WebGL is a widely adopted web graphics API capable of multidimensional rendering, while WebGPU is the newest graphics API to be developed for the web with compute-specific capabilities. This paper explores the use of WebGPU and WebGL APIs to accelerate client-side computations in Web browsers. Although WebGPU is a promising new standard, its performance has not been systematically evaluated. Through benchmarking key computational GPU kernels that we have developed, we compare WebGPU and WebGL across varying input sizes and algorithm complexities. Our results show that: 1) both WebGPU and WebGL underperform for smaller input data because of setup and synchronization overheads, 2) WebGL outperforms WebGPU for complex input data, 3) WebGPU outperforms WebGL for less complex input data and functions containing a central CPU-based loop, and 4) WebAssembly does not significantly enhance performance compared to JavaScript for either of the web graphics APIs because of the major bottlenecks not residing on the CPU.
- Masudul Hasan Masud Bhuiyan (CISPA Helmholtz Center for Information Security), Matteo Varvello (Nokia Bell Labs), Yasir Zaki (New York University Abu Dhabi), Cristian-Alexandru Staicu (CISPA Helmholtz Center for Information Security) Abstract: English is the predominant language on the web, powering nearly half of the world’s top ten million websites. Support for multilingual content is nevertheless growing, with many websites increasingly combining English with regional or native languages in both visible content and hidden metadata. This multilingualism introduces significant barriers for users with visual impairments, as assistive technologies like screen readers frequently lack robust support for non-Latin scripts and misrender or mispronounce non-English text, compounding accessibility challenges across diverse linguistic contexts. Yet, large-scale studies of this issue have been limited by the lack of comprehensive datasets on multilingual web content. To address this gap, we introduce LangCrUX, the first large-scale dataset of 120,000 popular websites across 12 languages that primarily use non-Latin scripts. Leveraging this dataset, we conduct a systematic analysis of multilingual web accessibility and uncover widespread neglect of accessibility hints. We find that these hints often fail to reflect the language diversity of visible content, reducing the effectiveness of screen readers and limiting web accessibility. We finally propose Kizuki, a language-aware automated accessibility testing extension to account for the limited utility of language-inconsistent accessibility hints.
- Alberto Fernandez-de-Retana (unaffiliated), Jannis Rautenstrauch (CISPA Helmholtz Center for Information Security), Igor Santos-Grueiro (UNIR), Ben Stock (CISPA Helmholtz Center for Information Security) Abstract: Modern websites behave like OS-native applications and use powerful APIs, such as *camera* or *microphone*. To ensure that untrusted third-party components, such as ads, cannot abuse powerful features granted to web applications, these features are governed via a permission system: containing the *Permissions-Policy* header and iframe *allow* attribute. Even though the first versions of the permission system were implemented when browsers first allowed access to powerful features more than ten years ago, it is unclear if and how websites are using the permission system. To answer these questions, we systematically measured the permission ecosystem across the top 1,000,000 websites. Our results show that 48.52% of visited websites exhibit permission-related functionality, and 12.07% of websites delegate permissions to embedded iframes using the *allow* attribute. Out of these delegations, many appear overly broad and unused by the iframe, posing a threat in the context of supply chain attacks. Additionally, only 4.5% of websites use the *Permissions-Policy* header, and the primary use case is to turn off powerful APIs such as a camera entirely. Finally, we developed open-source tools to help developers deploy the correct *Permissions-Policy* header and *iframe allow* attributes following the principle of least privilege.
- Jingyuan Zhu (University of Michigan), Huanchen Sun (University of Southern California), Harsha V. Madhyastha (University of Southern California) Abstract: Operators of web archives have two options for how to crawl pages from the web. Browser-based dynamic crawlers capture all of the resources on every page, but incur high compute overheads. Static browserless crawlers are more lightweight, but miss page resources which are fetched only when scripts are executed. In this paper, we make the case that a web archive does not have to make a binary choice between dynamic or static crawling. Instead, by using a browser for a carefully chosen small subset of crawls, an archive can significantly improve its ability to serve statically crawled pages with high fidelity. First, we show how to reuse crawled resources, both across pages and across multiple crawls of the same page over time. Second, by leveraging a dynamic crawl of a page, we show that subsequent static crawls of the page can be augmented to fetch resources without executing the scripts which request them. We estimate that, as long as 8.5% of page crawls use a browser, an archive can serve roughly 98% of the remaining statically crawled pages without any loss in fidelity, up from 55% without our techniques.
- 15:25 - 15:55 - Break
- 15:55 - 17:30 - Session 11
- Session 11: Mobile and Algo (Session Chair: Yasir Zaki)
- Daniel Jang (New York University Abu Dhabi (NYUAD)), Matteo Varvello (Nokia), Andra Lutu (Telefonica Research), Yasir Zaki (New York University) Abstract: Recently, various Mobile Network Aggregators (MNAs) have emerged, leveraging the coverage of a few base operators to offer global connectivity. These MNAs benefit from network softwarization, virtualization, and eSIM technology. This paper explores a new type of MNA - a *thick* MNA - that uses multiple base operators from different regions to provide eSIM profiles and employs public internet gateways outside the base operators' home countries. Specifically, we analyze Airalo, a thick MNA operating in 219 countries. Unlike other MNAs that our community scrutinized, we show that Airalo often decouples the geographical location of the public internet gateway from the native country of the base operator via IPX Hub Breakout (IHBO). To map Airalo's underlying infrastructure, we ran web-based measurements that 14 volunteers performed while traveling and using an Airalo eSIM on their personal devices. We further dive into Airalo's performance by running device-based measurements (speedtest, traceroute, video streaming, etc.) in 10 countries.
- Maximo Pirri (IMDEA Networks), Diego Madariaga (IMDEA Networks Institute), Zbigniew Smoreda (Orange Labs), Marco Fiore (IMDEA Networks Institute) Abstract: Summer Olympic Games are one of the major sports and social events worldwide, attracting global media attention, thousands of athletes, and large crowds to the hosting country. As such, the Olympics also represent a moment of severe strain for the local infrastructures, including the telecommunication one. Yet, very little is known about how this large event affects the demand for telco services. In this paper, we explore how the 2024 Summer Olympics hosted by Paris, France conditioned the local mobile data traffic volumes and dynamics. We do so from a privileged vantage point by analyzing measurements collected in the production network of Orange - the largest mobile operator in the country and the official communications partner to the event organization. Our results shed light on a variety of aspects, including how Olympic Games affect the consumption of mobile services, on the burden that the event imposes on the local mobile network infrastructure, or on how operators prepare for it.
- Neal Keating (The George Washington University), Wellington Esposito Barbosa (The George Washington University), Leo Phan (The George Washington University), Viraj Prakash (The George Washington University), Gianluca Stringhini (Boston University), Adam J. Aviv (The George Washington University) Abstract: Android apps or Android Application Packages (APKs) are commonly distributed through official app stores, but a significant parallel ecosystem of APK mirror sites has emerged, providing users with alternative access to APK packages. These mirror sites host APKs for direct download and sideloading, bypassing security checks typical of official stores and offering access to packages otherwise unavailable to some users. Despite their growing prominence, academic researchers have underexplored the APK mirror ecosystem. In this paper, we analyzed metadata from over 34M versions of approximately 27M unique Android packages collected from seven prominent APK mirror sites, alongside data from the Google Play Store and Amazon Appstore for comparison. Our findings reveal substantial variation in catalog size and package versioning across mirror sites. The smallest, APK Mirror, has only 17K packages while the largest, APK Combo, hosts over 12M packages, compared to Google Play Store’s 3.1M packages, at the time of measurement. Mirror sites differ markedly from official stores in both breadth - hosting more unique packages - and depth - retaining multiple package versions, often serving as semi-historical archives. This offers a potentially rich record for researchers to access.
- Max Hollingsworth (University of Colorado Boulder), Michael Cotton (Formerly with Institute of Telecommunication Sciences), Sangtae Ha (University of Colorado Boulder), Dirk Grunwald (University of Colorado, Boulder) Abstract: Reference signals from cellular networks present an untapped and abundant signal of opportunity for high quality radio frequency (RF) propagation measurements. Commercial-off-the-shelf mobile phones continuously capture and report Reference Signal Received Power (RSRP) measurements, making them an easily crowdsource-able data source for RF propagation modeling in path geometries and frequencies relevant to cellular communications, broadcast, and short-range outdoor communications systems. However, it remains unclear whether crowdsourced mobile phone RSRP measurements can meet the stringent accuracy requirements of measured propagation data in support of RF propagation model validation and improvement. This investigation is the first of its kind to quantify the absolute accuracy of nine unique mobile phone models through an extensive measurement campaign and analysis. We demonstrate that phones have an RSRP measurement accuracy between ±6 and ±8 dB. We establish that phones are effective tools for characterizing the slow-fading effects of the RF channel and present the surprising finding that diversifying the phone models actually increases the accuracy of the mean RSRP measurements. Finally, we provide a guide for proper collection and open-sourcing of a crowdsource measurement campaign. Leveraging our findings, a practitioner can conduct a crowdsource campaign with mean measurement accuracy of ±0.5 dB.
- Yuhan Wu (Peking University), Hanbo Wu (Peking University), Xilai Liu (Institute of Computing Technology, Chinese Academy of Sciences), Yuxuan Tian (Peking University), Yikai Zhao (Peking University), Tong Yang (Peking University), Rui Qiu (Peking University), Kaicheng Yang (Peking University), Sha Wang (National University of Defense Technology), Tao Li (National University of Defense Technology, China), Lihua Miao (Huawei Technologies Co., Ltd.), Gaogang Xie (CNIC CAS; UCAS, China) Abstract: To approximate sums of values in key-value data streams, sketches are widely used in databases and networking systems. They offer high-confidence approximations for any given key while ensuring low time and space overhead. While existing sketches are proficient in estimating individual keys, they struggle to maintain this high confidence across all keys collectively, an objective that is critically important in both algorithm theory and its practical applications. We propose ReliableSketch, the first to control the error of all keys to less than $\Lambda$ with a small failure probability $\Delta$, requiring only $O(1 + \Delta\ln\ln(\frac{N}{\Lambda}))$ amortized time and $O(\frac{N}{\Lambda} + \ln(\frac{1}{\Delta}))$ space. Furthermore, its simplicity makes it hardware-friendly, and we implement it on CPU servers, FPGAs, and programmable switches. Our experiments show that under the same small space, ReliableSketch not only keeps all keys' errors below $\Lambda$ but also achieves near-optimal throughput, outperforming competitors with thousands of uncontrolled estimations. We have made our source code publicly available.
- Yuhan Wu (Peking University), Fenghao Dong (Peking University), Qizhi Chen (Peking University), Aomufei Yuan (Peking University), Kaicheng Yang (Peking University), Hanglong Lv (Peking University), Tong Yang (Peking University), Wenrui Liu (Peking University), Gaogang Xie (CNIC CAS; UCAS, China) Abstract: Network telemetry has seen an increasing trend of deploying approximate measurement algorithms (e.g., sketches) on programmable switches due to their ability to provide line-rate speed, high measurement accuracy, and low memory cost. Heap, a vital component of many measurement algorithms, hinders their deployment because of the difficulties in incorporating it into pipelines. In this paper, we introduce PipHeap, a pipeline-friendly, binary-tree-based min heap that can enhance existing sketches without introducing additional errors. Through evaluation with real-world datasets, we demonstrate that PipHeap can reduce the error of these integrated algorithms by 33% to 97% (78% on average) under the same memory allocation. We have successfully implemented PipHeap and its combination with six different sketches in our testbed, and successfully extended other approximate algorithms (e.g. Space-Saving) onto programmable switch platforms. We have made all code associated available as open-source.
Friday, 31st October 2025
- 7:15 - 9:00 - Breakfast - Discovery building atrium area
- 9:00 - 10:30 - Sessions 12A + 12B
- Session 12a: Routing/Tunnels (Session Chair: Oliver Gasser)
- Romain Jacob (ETH Zürich), Lukas Roellin (ETH Zürich), Jackie Lim (Switch), Jonathan Chung (ETH Zürich), Maurice Behanzin (ETH Zürich), Weiran Wang (ETH Zürich), Andreas Hunziker (ETH Zürich), Theodor Moroianu (ETH Zürich), Seyedali Tabaeiaghdaei (ETH Zürich), Adrian Perrig (ETH Zürich), Laurent Vanbever (ETH Zürich) Abstract: Reducing our society's energy demand is critical to address the sustainability challenge. While the Internet already consumes 1-1.5% of global electricity used and the numbers are growing, we still have no good understanding of the energy demand of one core building block of the Internet: routers. Power data is scarce and too high-level to provide any sensible insights on how one could effectively reduce the energy demand of the Internet. To address this, we assemble and present a unique dataset including datasheet information, router-internal measurements, external power measurements, and router power models. This dataset starts depicting a clearer picture of where the router power goes and provides some clues on how to reduce it. The dataset suggests, e.g., that (i) datasheets are not useful predictors, nor even always correct; (ii) internal router power measurements have limited accuracy; (iii) using more efficient and better-sized power supply units is a promising energy-saving vector; (iv) turning links off is much less efficient than anticipated in the literature. This work also highlights the limitations of today's power monitoring practices and provides suggestions for improvement.
- Replication: Characterizing MPLS Tunnels over Internet Paths (Replicability Track) Jarrett Huddleston (Johns Hopkins University), Matthew Luckie (CAIDA), Alexander Marder (Johns Hopkins University) Abstract: Traceroute is a critical tool in the Internet measurement toolbox, but its output can be misleading. One problem for traceroute analysis is that certain types of Multiprotocol Label Switching (MPLS) tunnels can hide routers from traceroute output. Worse still, there is no simple way to detect or reveal missing routers. Any analysis that expects comprehensive topology discovery (including identifying performance bottlenecks, analyzing traffic engineering approaches, and evaluating traffic sovereignty) needs to account for these MPLS tunnels. In this paper, we replicate previous work by Vanaubel et al. to characterize and provide a snapshot of the current deployment of MPLS tunnels. We also provide, and will release open source, a sustainable and easily deployed tool for MPLS detection that performs identically to the prior work, called PyTNT. Using PyTNT, we find that the problematic types of MPLS tunnels remain prevalent even though we observe a general decrease in MPLS usage across the Internet. We also find that public clouds account for 3 of the top 10 networks with the most routers observed to be in MPLS tunnels. Finally, we observe more MPLS routers in Europe than in any other continent, and more MPLS routers in the U.S. than any other country.
- Florian Dekinder (University of Liège), Kevin Vermeulen (LIX, CNRS, Ecole Polytechnique), Benoit Donnet (University of Liège) Abstract: Segment Routing (SR), an advanced source routing mechanism, is a promising technology with a wide range of applications that has already gained traction from hardware vendors, network operators, and researchers alike. However, despite the abundance of activity surrounding SR, little is known about how to gauge SR deployment and its usage by operators. This paper introduces a methodology, called Advanced Revelation of Segment Routing Tunnels (AReST), for revealing the presence of SR with MPLS as forwarding plane (SR-MPLS). AReST relies on standard measurement tools, like traceroute and fingerprinting, and post-processes the collected data for highlighting evidence of SR-MPLS. Our results show that AReST is efficient in revealing the presence of SR-MPLS in various autonomous systems, obtaining a perfect precision on our ground truth directly obtained from an operator. We also make a preliminary characterization of the SR-MPLS deployment and show that it is commonly deployed within Content, Transit, and Tier-1 providers and, occasionally, in interworking with classic MPLS. The data collected, as well as our source code, will be made available to the research community upon paper acceptance.
- Session 12b: Satellite (Session Chair: Georgios Smaragdakis)
- Daniel Jang (New York University Abu Dhabi (NYUAD)), Matteo Varvello (Nokia), Aravindh Raman (Cisco ThousandEyes), Yasir Zaki (New York University) Abstract: The growing demand for reliable Internet access during air travel has made in-flight connectivity (IFC) a critical service for commercial airlines. Traditional IFC systems rely on geostationary (GEO) satellites, but their high latency and limited bandwidth hinder user experience. Emerging Low Earth Orbit (LEO) constellations, such as Starlink, promise better network performance. This paper presents the first empirical comparison of IFC performance across GEO and LEO networks, using data from 26 flights operated by 7 airlines. Measurements collected via instrumented Android devices cover key metrics including latency, throughput, and CDN responsiveness. We find that Starlink’s dynamic gateway selection enables shorter, more flexible routing than the static, distant gateways used by GEO systems, enhancing end-to-end performance through both shorter satellite paths and optimized ground routing. However, DNS-based content filtering on Starlink-equipped flights often affects user geolocation, introducing unnecessary terrestrial delays. We also show that the BBR congestion control algorithm delivers up to 35× higher throughput than Cubic and Vegas over Starlink, but with significantly higher retransmissions due to aggressive bandwidth probing.
- Satellite IoT in Practice: A First Measurement Study on Network Availability, Performance, and Costs (Short) Wenchang Chai (The Hong Kong Polytechnic University), Jinhong Liu (The Hong Kong Polytechnic University), Ziyue Zhang (The Hong Kong Polytechnic University), Xianjin Xia (The Hong Kong Polytechnic University), Yuanqing Zheng (The Hong Kong Polytechnic University), Ningning Hou (Macquarie University), Qiang Yang (University of Cambridge), Weiwei Chen (Shanghai University), Tao Gu (Macquarie University) Abstract: Low Earth Orbit (LEO) satellites have emerged as a space-based infrastructure to offer networking services anywhere on Earth. Satellite IoTs enable novel Direct-to-Satellite (DtS) connectivity, allowing IoT devices in remote areas to connect to the Internet via LEO satellites using existing terrestrial technologies like LoRa. This paper presents the first-of-its-kind measurement study on satellite IoTs, investigating the practical characteristics of DtS communications and their suitability for IoT applications. We deployed 27 low-cost ground stations across eight locations worldwide to passively measure the network availability of multiple constellations. Our findings reveal a significant gap between the effective durations of DtS connectivity and their theoretical durations, leading to intermittent connections for satellite IoTs. Additionally, we examine the performance of the Tianqi constellation in supporting real-world IoT traffic (agriculture application). We observed longer delays and higher power consumption in satellite IoTs compared to terrestrial IoTs. Our study identifies the bottlenecks and sheds light on potential optimizations for satellite IoTs.
- Vaibhav Bhosale (Georgia Tech), Ying Zhang (Northwestern University), Sameer Kapoor (Georgia Tech), Robin Kim (Georgia Tech), Miguel Schlicht (Georgia Tech), Muskaan Gupta (Georgia Tech), Ekaterina Tumanova (Georgia Tech), Zachary Bischof (Georgia Tech), Fabián E. Bustamante (Northwestern University), Alberto Dainotti (Georgia Tech), Ahmed Saeed (Georgia Tech) Abstract: In this paper, we study the viability of LEO networks as a failover network. We contextualize our analysis by framing the capacity of satellite networks relative to lost capacity due to submarine cable failure. Specifically, we focus on scenarios where LEO networks act as failovers for submarine cables, providing a concrete target capacity to be fulfilled by the satellite network. We introduce a new model and simulator that help us estimate the failover capacity. We identify key factors determining the actual capacity available on the satellite network: the total area of the country, the terminal distribution policy used by the government, the spectrum allocation and traffic engineering policies used by the LEO network operator. Based on our findings, we make policy recommendations to governments that can result in an increase of up to 1.8× in the failover capacity without requiring additional infrastructure. However, we find after implementing all our recommendations, with 200k terminals deployed and no competing traffic in the network, a satellite network can only satisfy 0.9-14.7% of the capacity lost due to submarine cable failure in four out of six case studies.
- 10:30 - 11:00 - Break
- 11:00 - 12:05 - Session 13
- Session 13: Email & DNS security (Session Chair: Eric Pauley)
- Md. Ishtiaq Ashiq (Virginia Tech), Olivier Hureau (Virginia Tech), Casey Deccio (Brigham Young University), Tijay Chung (Virginia Tech) Abstract: Low adoption and high misconfiguration rates continue to blunt the security benefits of DNSSEC. Drawing on 1.4 M historical diagnostic snapshots covering 319 K second-level and their subdomains between 2020 and 2024 from the DNSViz service, this paper delivers the first longitudinal, data-driven taxonomy of real-world DNSSEC failures. The study shows that NSEC3 parameter mistakes, delegation failures and missing/expired RRSIGs account for more than 70% of all bogus states, and that 20% of such domains remain broken. Guided by these insights, we introduce DFixer, an offline tool that (i) groups cascaded error codes into root causes, and (ii) auto-generates high-level instructions and corresponding concrete BIND command sequences to repair them. Evaluation with a purpose-built ZReplicator testbed demonstrates that DFixer remedies 99.99% of observed errors in seconds. The curated error-to-command mapping is openly released to foster wider, more reliable DNSSEC deployment.
- Q Misell (Max Planck Institute for Informatics), Florian Steurer (Max Planck Institute for Informatics), Johannes Zirngibl (Max Planck Institute for Informatics), Anja Feldmann (Max Planck Institute for Informatics), Tobias Fiebig (Max-Planck Institute for Informatics) Abstract: The DNS, the Internet's address book, traditionally does not guarantee authenticity of data. The DNS Security Extensions (DNSSEC) exist to add cryptographic authenticity checks to the DNS. In spite of DNSSEC being over 30 years old, its widespread deployment has not yet come to fruition. Recent work has been done in the IETF on automating the setup of DNSSEC, in the hopes of furthering its deployment. In this paper, we analyze the current state of DNSSEC, where automated deployment may prove useful, and how DNS operators are deploying this new standard. We find that DNSSEC deployment remains lackluster. An increase to DNSSEC deployment could be achieved by the implementation of (optionally non-authenticated) automatic DNSSEC configuration by domain name registries and registrars. Only 3 DNS operators implement authenticated bootstrapping, but those that do generally implement this new standard well, with 99.9% of their zones conforming.
- Ruixuan Li (Tsinghua University), Chaoyi Lu (Zhongguancun Laboratory), Baojun Liu (Tsinghua University), Yanzhong Lin (Coremail Technology Co. Ltd), Haixin Duan (Tsinghua University), Qingfeng Pan (Coremail Technology Co. Ltd), Jun Shao (Zhejiang Gongshang University; Zhejiang Key Laboratory of Big Data and Future E-Commerce Technology) Abstract: In the cloud era, hosting-based email services have become a common business model. Various entities can participate in the email delivery process. However, the intermediate paths of email delivery have received little attention. In particular, the vulnerabilities and centralization of email intermediate paths have already posed real-world security threats. This paper conducts the first systematic analysis of intermediate paths of email delivery, aiming to understand dependence patterns and characterize the centralization. In collaboration with a large email service provider, we collected Received headers from email reception logs spanning nine months and reconstructed the complete intermediate paths of 105M clean emails. Our results reveal that Microsoft is the dominant provider of intermediate paths, participating in 66.4% of emails. We find that 86.9M (82.7%) emails rely on third-party providers in intermediate paths, and 9.1M (8.7%) paths involve multiple providers. Email signature providers frequently appear in cross-vendor intermediate paths. In addition, we reveal significant differences in the regional dependencies and centralization of intermediate paths across countries and continents. The centralization observed in intermediate paths also differs from incoming and outgoing servers. We hope our work prompts more attention to intermediate paths to enhance the security of the email ecosystem.
- Md. Ishtiaq Ashiq (Virginia Tech), Tobias Fiebig (Max-Planck Institute for Informatics), Tijay Chung (Virginia Tech) Abstract: Email has been a cornerstone of online communication for decades, but its lack of built-in confidentiality has left it vulnerable to various attacks. To address this issue, two key protocols are being used: MTA-STS (Mail Transfer Agent Strict Transport Security) and DANE (DNS-based Authentication of Named Entities). While DANE was introduced first, MTA-STS has been actively adopted by major email providers like Google and Microsoft, as it does not require the complex DNSSEC chain that poses a significant challenge in deploying and managing DANE. However, despite its significance, there has been limited research on how MTA-STS is deployed and managed in practice. In this study, we conduct a comprehensive, longitudinal analysis of the MTA-STS ecosystem; our dataset encompasses over 87 million domains spanning 31 months across four TLDs, providing a wide-ranging view of MTA-STS adoption. Our analysis uncovers a concerning trend of misconfigurations and inconsistencies in MTA-STS setups. In our most recent snapshot, out of 68K domains with MTA-STS record, 29.6% of domains were incorrectly configured, while 3.2% of these should encounter email delivery failure from MTA-STS supporting senders. To gain insights into the challenges faced by email administrators, we surveyed 117 operators. While awareness of MTA-STS was high (94.7%), many cited operational complexity (48.8%) and a preference for DANE (45.4%) as reasons for not deploying the protocol. Our study not only highlights the growing importance of MTA-STS but also reveals the significant challenges in its deployment and management.
- 12:05 - 12:15 - Concluding Remarks
- 12:15 - 13:30 - Box Lunch
- 13:00 - 20:00 - Hackathon