<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" 
  xmlns:atom="http://www.w3.org/2005/Atom"
  xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Cristel Pelsser - Publications</title>
    <link>https://cristel.pelsser.eu/publications</link>
    <description>Latest research publications from Cristel Pelsser, focusing on network security, BGP, routing protocols, and Internet infrastructure.</description>
    <language>en-us</language>
    <lastBuildDate>Fri, 08 May 2026 13:52:21 GMT</lastBuildDate>
    <generator>Cristel's Research Lab Feed Engine v2.0</generator>
    <atom:link href="https://cristel.pelsser.eu/rss.xml" rel="self" type="application/rss+xml" />
    <copyright>Copyright © 2026 Cristel Pelsser</copyright>
    <managingEditor>cristel.pelsser@uclouvain.be (Cristel Pelsser)</managingEditor>
    <webMaster>cristel.pelsser@uclouvain.be (Cristel Pelsser)</webMaster>
    <category>Computer Science</category>
    <category>Network Security</category>
    <category>Internet Routing</category>
    <item>
      <title>The Forest Behind the Tree: Revealing Hidden Smart Home Communication Patterns</title>
      <link>https://cristel.pelsser.eu/publication/keersmaeker-2025</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/keersmaeker-2025</guid>
      <description>The widespread use of Smart Home devices has attracted significant research interest in understanding their behavior within home networks. Unlike general-purpose computers, these devices exhibit relatively simple and predictable network activity patterns. However, previous studies have primarily focused on normal network conditions, overlooking potential hidden patterns that emerge under challenging conditions. Discovering the latter is crucial for assessing device robustness. This paper addresses this gap by presenting a framework that systematically and automatically reveals these hidden communication patterns. By actively disturbing communication and blocking observed traffic, the framework generates comprehensive profiles structured as behavior trees, uncovering traffic flows that are missed by more shallow methods. This approach was applied to ten real-world devices, identifying 254 unique flows, with over 27% only discovered through this new method. These insights enhance our understanding of device robustness, and the thus obtained profiles provide a more complete description of the network behavior of devices, as needed, for example, for the configuration of security solutions.</description>
      <pubDate>Mon, 01 Sep 2025 00:00:00 GMT</pubDate>
      <dc:creator>François De Keersmaeker, Rémi Van Boxem, Cristel Pelsser, and Ramin Sadre</dc:creator>
      <category>IoT</category>
      <category>Smart Home</category>
      <category>networks</category>
      <category>robustness</category>
      <category>security</category>
      <enclosure url="https://cristel.pelsser.eu/images/publications/keersmaeker-2025/featured.jpg" type="image/jpeg" length="176023" />
    </item>
    <item>
      <title>Impact of Road Congestion on Mobile Networks</title>
      <link>https://cristel.pelsser.eu/publication/vogel-2025</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/vogel-2025</guid>
      <description>With the proliferation of connected vehicles and in-car infotainment, road congestion could concentrate mobile data demand precisely when network-supported services (e.g., traffic alerts, safety systems) are most critical. We study whether congestion events measurably affect mobile network performance. Using hourly antenna-level metrics from a major operator in a European country and published road congestion events from July–August 2024, we filter for non-ubiquitous, sustained congestion (excluding the top 20% most frequent sections, events shorter than 30 minutes, and the lowest-severity incidents), yielding 1,838 events. Each road segment is associated with its three strongest antennas via a 4G signal-strength campaign. Performance during events is compared to a reference period (same hour in adjacent weeks) in terms of antenna activity, data volume (upload/download), and throughput. High-severity congestion correlates with increased antenna activity and data volume; throughput shows slight degradation primarily in low population density areas, while dense areas exhibit higher volumes with minimal throughput impact, suggesting built-in resilience. However, observed differences are modest and often not statistically significant, and stratification by population density reduces sample size, limiting definitive claims. Ongoing data collection is needed to validate these emerging trends as vehicle connectivity intensifies.</description>
      <pubDate>Sun, 01 Jun 2025 00:00:00 GMT</pubDate>
      <dc:creator>Alexandre Vogel, Dena Markudova, Andra Lutu, and Cristel Pelsser</dc:creator>
      <category>Road congestion</category>
      <category>Mobile network performance</category>
      <category>Cellular networks</category>
      <category>Antenna load</category>
      <category>Population density</category>
    </item>
    <item>
      <title>FORS: Fault-adaptive Optimized Routing and Scheduling for DAQ Networks</title>
      <link>https://cristel.pelsser.eu/publication/stein-2025</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/stein-2025</guid>
      <description>Data acquisition (DAQ) networks, widely used in scientific research and industrial applications, are composed of numerous interconnected servers, exchanging substantial data volumes produced by large scientific instruments. One traffic matrix generally used in such networks is the all-to-all collective exchange, which demands substantial network resources, making network failures particularly challenging to mitigate. If not mitigated, the effects of network failures severely hamper the performance of the DAQ network, potentially leading to the loss of valuable experimental data. In the context of DAQ networks using a fat-tree topology, we propose FORS: a scheduling and associated routing solution to support the all-to-all collective exchange under network failures. FORS optimizes bandwidth utilization in the face of any failure scenarios, ensuring robust performance compared to the existing approaches. We propose an algorithm to solve the scheduling. For the routing, we design an algorithm for simple failure scenarios, along with a linear programming model to address more complex failure scenarios. We validate our proposed solution using a real-world DAQ network as a case study. Results demonstrate significant performance degradation in existing approaches and FORS’ consistent ability to achieve higher throughput across various failure scenarios.</description>
      <pubDate>Tue, 01 Apr 2025 00:00:00 GMT</pubDate>
      <dc:creator>Eloise Stein, Quentin Bramas, Flavio Pisani, Tommaso Colombo, and Cristel Pelsser</dc:creator>
      <category>all-to-all</category>
      <category>fat-tree networks</category>
      <category>integer linear programming</category>
      <category>optimal routing</category>
      <category>fault-tolerance</category>
    </item>
    <item>
      <title>An Analysis of QUIC Connection Migration in the Wild</title>
      <link>https://cristel.pelsser.eu/publication/buchet-2025</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/buchet-2025</guid>
      <description>As QUIC gains attention, more applications that leverage its capabilities are emerging. These include defenses against on-path IP tracking and traffic analysis. However, the deployment of the underlying required support for connection migration remains largely unexplored. This paper provides a comprehensive examination of the support of the QUIC connection migration mechanism over the Internet. We perform Internet-wide scans revealing that despite a rapid evolution in the deployment of QUIC on web servers, some of the most popular destinations do not support connection migration yet.</description>
      <pubDate>Tue, 01 Apr 2025 00:00:00 GMT</pubDate>
      <dc:creator>Aurélien Buchet and Cristel Pelsser</dc:creator>
      <category>QUIC</category>
      <category>migration</category>
      <category>measurements</category>
      <category>internet scans</category>
      <category>QUIC migration deployment</category>
    </item>
    <item>
      <title>Detecting Traffic Engineering from public BGP data</title>
      <link>https://cristel.pelsser.eu/publication/darwich-2025</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/darwich-2025</guid>
      <description>Routing is essential to the Internet functioning. However, more and more functions are added to BGP, the inter-AS routing protocol. In addition to providing connectivity for best effort service, it carries flow specification rules and blackholing signals to react to DDoS, routes for virtual private networks, IGP link-state database information among other uses. One such addition is the tweaking of BGP advertisements to engineer the traffic, to direct it on some preferred paths. In this paper we aim to estimate the impact of Traffic Engineering (TE) on the BGP ecosystem. We develop a method to detect the impact in space, that is, to find which traffic engineering technique impacts which prefix and which AS. We design a methodology to pinpoint TE events to quantify the impact on time. We find that on average, a BGP vantage point sees 35% of the announced prefixes impacted by TE. Quantifying the impact of TE on BGP stability, we find that TE events contribute to 39% of BGP updates and 44% of the BGP convergence time, and that prefixes belonging to hypergiants contribute the most to TE.</description>
      <pubDate>Sat, 01 Mar 2025 00:00:00 GMT</pubDate>
      <dc:creator>Omar Darwich, Cristel Pelsser, and Kevin Vermeulen</dc:creator>
      <category>Traffic Engineering</category>
      <category>Internet Measurements</category>
      <category>BGP Instability</category>
      <enclosure url="https://cristel.pelsser.eu/images/publications/darwich-2025/featured.jpg" type="image/jpeg" length="238888" />
    </item>
    <item>
      <title>A Study of Deployed Defenses Against Reflected Amplification Attacks in QUIC</title>
      <link>https://cristel.pelsser.eu/publication/buchet-2025-a</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/buchet-2025-a</guid>
      <description>While the QUIC specification now includes mechanisms to prevent DoS attacks, they might not always be enforced by servers. With the increasing deployment of QUIC servers, it is now becoming more important to avoid vulnerabilities that could be exploited on a large scale. This paper presents an extensive study of the current state of QUIC servers and how they implement the mechanisms to prevent DoS attacks. The paper focuses on two different amplification DoS attacks that can be performed using QUIC HTTP/3 servers, enabled by the handshake and the connection migration mechanism. We investigate how QUIC servers respond to these attacks and if they are compliant with the general guidelines regarding the amplification protection. Our results show that while a large proportion of QUIC servers are respectful of the specification, around 20% of the IPv4 servers tested are still breaking the amplification limit for the handshake attack while most of the IPv6 servers are compliant. Most of the servers who support connection migration use the path validation mechanism, preventing the attack on connection migration. Overall, the amplification factor of the attacks remains quite low with a median slightly lower than the limit of 3, set in the standard, for the handshake attack and under 1 for the migration attack.</description>
      <pubDate>Sat, 01 Mar 2025 00:00:00 GMT</pubDate>
      <dc:creator>Aurélien Buchet and Cristel Pelsser</dc:creator>
      <category>QUIC</category>
      <category>Amplification DoS</category>
      <category>Connection migration</category>
      <category>Path validation</category>
    </item>
    <item>
      <title>A System to Detect Forged-Origin Hijacks</title>
      <link>https://cristel.pelsser.eu/publication/holterbach-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/holterbach-2024</guid>
      <description>Despite global efforts to secure Internet routing, attackers still successfully exploit the lack of strong BGP security mechanisms. This paper focuses on an attack vector that is frequently used: Forged-origin hijacks, a type of BGP hijack where the attacker manipulates the AS path to make it immune to RPKI-ROV filters and appear as legitimate routing updates from a BGP monitoring standpoint. Our contribution is DFOH, a system that quickly and consistently detects forged-origin hijacks in the whole Internet. Detecting forged-origin hijacks boils down to inferring whether the AS path in a BGP route is legitimate or has been manipulated. We demonstrate that current state-of-art approaches to detect BGP anomalies are insufficient to deal with forged-origin hijacks. We identify the key properties that make the inference of forged AS paths challenging, and design DFOH to be robust against real-world factors (e.g., data biases). Our inference pipeline includes two key ingredients: (i) a set of strategically selected features, and (ii) a training scheme adapted to topological biases. DFOH detects 90.9% of the forged-origin hijacks within only ≈5min. In addition, it only reports ≈17.5 suspicious cases every day for the whole Internet, a small number that allows operators to investigate the reported cases and take countermeasures.</description>
      <pubDate>Mon, 01 Jan 2024 00:00:00 GMT</pubDate>
      <dc:creator>Thomas Holterbach, Thomas Alfroy, Amreesh Phokeer, Alberto Dainotti, and Cristel Pelsser</dc:creator>
      <enclosure url="https://cristel.pelsser.eu/images/publications/holterbach-2024/featured.jpg" type="image/jpeg" length="192094" />
    </item>
    <item>
      <title>The Multiple Benefits of a Secure Transport for BGP</title>
      <link>https://cristel.pelsser.eu/publication/wirtgen-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/wirtgen-2024</guid>
      <description>BGP distributes prefixes advertised by Autonomous Systems (ASes) and computes the best paths between them. It is the only routing protocol used to exchange interdomain routes on the Internet. Since its original definition in the late 1980s, BGP uses TCP. To prevent attacks, BGP has been extended with features such as TCP-MD5, TCP-AO, GTSM and data-plane filters. However, these ad hoc solutions were introduced gradually as the Internet grew. In parallel, TLS was standardized to secure end-to-end data-plane communications. Today, a large proportion of the Internet traffic is secured using TLS. Surprisingly, BGP still does not use TLS despite its adequate security features to establish BGP sessions. In this paper, we make the case for using a secure transport with BGP. This can be achieved with TLS combined with TCP-AO or by replacing TCP by QUIC. This protects the BGP stream using established secure transport protocols. In addition, we show that a secure transport using X.509 certificates enables BGP routers to be securely and automatically configured from these certificates. We extend the open-source BIRD BGP daemon to support TLS with TCP-AO and QUIC, to handle such certificates and demonstrate several use cases that benefit from the secure and automated capabilities enabled by our proposal.</description>
      <pubDate>Fri, 01 Nov 2024 00:00:00 GMT</pubDate>
      <dc:creator>Thomas Wirtgen, Nicolas Rybowski, Cristel Pelsser, and Olivier Bonaventure</dc:creator>
      <category>bgp</category>
      <category>certificates</category>
      <category>network automation</category>
      <category>quic</category>
      <category>tls</category>
      <enclosure url="https://cristel.pelsser.eu/images/publications/wirtgen-2024/featured.jpg" type="image/jpeg" length="148747" />
    </item>
    <item>
      <title>An Analysis of QUIC Connection Migration in the Wild</title>
      <link>https://cristel.pelsser.eu/publication/buchet-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/buchet-2024</guid>
      <description>As QUIC gains attention, more applications that leverage its capabilities are emerging. These include defenses against on-path IP tracking and traffic analysis. However, the deployment of the underlying required support for connection migration remains largely unexplored. This paper provides a comprehensive examination of the support of the QUIC connection migration mechanism over the Internet. We perform Internet-wide scans revealing that despite a rapid evolution in the deployment of QUIC on web servers, some of the most popular destinations do not support connection migration yet.</description>
      <pubDate>Tue, 01 Oct 2024 00:00:00 GMT</pubDate>
      <dc:creator>Aurélien Buchet and Cristel Pelsser</dc:creator>
    </item>
    <item>
      <title>The Next Generation of BGP Data Collection Platforms</title>
      <link>https://cristel.pelsser.eu/publication/alfroy-2024-a</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/alfroy-2024-a</guid>
      <description>BGP data collection platforms as currently architected face fundamental challenges that threaten their long-term sustainability. Inspired by recent work, we analyze, prototype, and evaluate a new optimization paradigm for BGP collection. Our system scales data collection with two components: analyzing redundancy between BGP updates and using it to optimize sampling of the incoming streams of BGP data. An appropriate definition of redundancy across updates depends on the analysis objective. Our contributions include: a survey, measurements, and simulations to demonstrate the limitations of current systems; a general framework and algorithms to assess and remove redundancy in BGP observations; and quantitative analysis of the benefit of our approach in terms of accuracy and coverage for several canonical BGP routing analyses such as hijack detection and topology mapping. Finally, we implement and deploy a new BGP peering collection system that automates peering expansion using our redundancy analytics, which provides a path forward for more thorough evaluation of this approach.</description>
      <pubDate>Thu, 01 Aug 2024 00:00:00 GMT</pubDate>
      <dc:creator>Thomas Alfroy, Thomas Holterbach, Thomas Krenc, K. C. Claffy, and Cristel Pelsser</dc:creator>
      <category>internet measurement</category>
      <category>BGP</category>
      <category>routing security</category>
    </item>
    <item>
      <title>Measuring Performance Under Failures in the LHCb Data Acquisition Network</title>
      <link>https://cristel.pelsser.eu/publication/stein-2024-a</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/stein-2024-a</guid>
      <description>For the Large Hadron Collider beauty (LHCb) experiment, achieving high throughput in the data acquisition (DAQ) network is crucial for supporting scientific applications. However, failures within DAQ networks can lead to significant performance degradation. In this study, we investigate the frequency, duration, and causes of failures in the LHCb DAQ network over a two-month period to illustrate how common these events are. This insight is essential for developing strategies to optimize performance during data taking periods. We further study the performance degradation upon failure. We explore the performance for two potential approaches to high-performance event building on the DAQ network: synchronized and non-synchronized designs. We use live experiments to demonstrate that a synchronized design, which carefully schedules network communications to avoid congestion, can achieve significantly better performance when the network is used at full capacity. However, this approach comes at the expense of reduced fault tolerance compared to the non-synchronized approach. This study highlights that it is essential for the network to handle failures more efficiently to sustainably maintain high data rates.</description>
      <pubDate>Thu, 01 Aug 2024 00:00:00 GMT</pubDate>
      <dc:creator>Eloise Stein, Flavio Pisani, Tommaso Colombo, and Cristel Pelsser</dc:creator>
      <category>Servers</category>
      <category>Data acquisition</category>
      <category>Large Hadron Collider</category>
      <category>Bandwidth</category>
      <category>Throughput</category>
    </item>
    <item>
      <title>Supervising Smart Home Device Interactions: A Profile-Based Firewall Approach</title>
      <link>https://cristel.pelsser.eu/publication/dekeersmaeker-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/dekeersmaeker-2024</guid>
      <description>Despite their ubiquity, the security of Internet of Things devices is unsatisfactory, as demonstrated by several attacks. The IETF’s MUD standard aims to simplify and automate the secure deployment of network devices. A MUD file specifies a device-specific description of allowed network activities (e.g., allowed IP ports or host addresses) and can be used to configure for example a firewall. A major weakness of MUD is that it is not expressive enough to describe device interactions, which often occur between devices in modern Smart Home platforms. In this article, we present a new language for describing such traffic patterns. The language allows writing device profiles that are more expressive than MUD files and can describe complex traffic patterns. We show how these profiles can be translated to efficient code for a lightweight firewall. We evaluate our approach on traffic generated by various Smart Home devices, and show that our system can accurately block unwanted traffic while inducing negligible latency.</description>
      <pubDate>Sat, 01 Jun 2024 00:00:00 GMT</pubDate>
      <dc:creator>François De Keersmaeker, Ramin Sadre, and Cristel Pelsser</dc:creator>
      <category>IoT</category>
      <category>smart home</category>
      <category>security</category>
      <category>firewall</category>
      <category>device profiling</category>
      <enclosure url="https://cristel.pelsser.eu/images/publications/de-keersmaeker-2024/featured.jpg" type="image/jpeg" length="321478" />
    </item>
    <item>
      <title>An Exploration of Exact Methods for Effective Detection and Diagnosis of Network Failures</title>
      <link>https://cristel.pelsser.eu/publication/burlats-2024-a</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/burlats-2024-a</guid>
      <description>This article is a summary of a paper accepted at the CPAIOR 2024 conference. In computer networks, fast recovery from failures requires fast detection and diagnosis. Using protocols such as Bidirectional Forwarding Detection (BFD), it is possible to probe the state of a route. These protocols are run on specific nodes designated as network monitors. Monitors are responsible for constantly checking the viability of communication paths. It is crucial to choose the monitors carefully, as monitoring incurs costs, requiring a balance between the number of monitors and the quality of the monitoring. In this context, we explore two monitoring challenges from the field of Boolean network tomography: coverage, which consists of detecting failures, and 1-identifiability, which additionally requires identifying the failing link or node. We try three exact approaches to solve this problem: an integer linear programming (ILP) model, a constraint programming (CP) model and a maximum satisfiability (MaxSAT) model. Using 625 real network topologies, we illustrate that using these exact methods can reduce the number of monitors needed compared to the state-of-the-art greedy algorithm.</description>
      <pubDate>Sat, 01 Jun 2024 00:00:00 GMT</pubDate>
      <dc:creator>Alice Burlats, Cristel Pelsser, and Pierre Schaus</dc:creator>
    </item>
    <item>
      <title>Measuring Internet Routing from the Most Valuable Points</title>
      <link>https://cristel.pelsser.eu/publication/alfroy-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/alfroy-2024</guid>
      <description>While the increasing number of Vantage Points (VPs) in RIPE RIS and RouteViews improves our understanding of the Internet, the quadratically increasing volume of collected data poses a challenge to the scientific and operational use of the data. The design and implementation of BGP and BGP data collection systems lead to data archives with enormous redundancy, as there is substantial overlap in announced routes across many different VPs. Researchers thus often resort to arbitrary sampling of the data, which we demonstrate comes at a cost to the accuracy and coverage of previous works. The continued growth of the Internet, and of these collection systems, exacerbates this cost. The community needs a better approach to managing and using these data archives. We propose MVP, a system that scores VPs according to their level of redundancy with other VPs, allowing more informed sampling of these data archives. Our challenge is that the degree of redundancy between two updates depends on how we define redundancy, which in turn depends on the analysis objective. Our key contribution is a general framework and associated algorithms to assess redundancy between VP observations. We quantify the benefit of our approach for four canonical BGP routing analyses: AS relationship inference, AS rank computation, hijack detection, and routing detour detection. MVP improves the coverage or accuracy (or both) of all these analyses while processing the same volume of data.</description>
      <pubDate>Wed, 01 May 2024 00:00:00 GMT</pubDate>
      <dc:creator>Thomas Alfroy, Thomas Holterbach, Thomas Krenc, KC Claffy, and Cristel Pelsser</dc:creator>
    </item>
    <item>
      <title>An Exploration of Exact Methods for Effective Network Failure Detection and Diagnosis</title>
      <link>https://cristel.pelsser.eu/publication/burlats-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/burlats-2024</guid>
      <description>In computer networks, swift recovery from failures requires prompt detection and diagnosis. Protocols such as Bidirectional Forwarding Detection (BFD) exist to probe the liveliness of a path and endpoint. These protocols are run on specific nodes that are designated as network monitors. Monitors are responsible for continuously verifying the viability of communication paths. It is important to carefully select monitors as monitoring incurs a cost, necessitating finding a balance between the number of monitor nodes and the monitoring quality. Here, we examine two monitoring challenges from the Boolean network tomography research field: coverage, which involves detecting failures, and 1-identifiability, which additionally requires identifying the failing link or node. We show that minimizing the number of monitors while meeting these requirements constitutes NP-complete problems. We present integer linear programming (ILP), constraint programming (CP) and Maximum Satisfiability (MaxSAT) formulations for these problems and compare their performance. Using 625 network topologies, we demonstrate that employing such exact methods can reduce the number of monitors needed compared to the existing state-of-the-art greedy algorithm.</description>
      <pubDate>Wed, 01 May 2024 00:00:00 GMT</pubDate>
      <dc:creator>Auguste Burlats, Pierre Schaus, and Cristel Pelsser</dc:creator>
    </item>
    <item>
      <title>Measuring Performance Under Failures in the LHCb Data Acquisition Network</title>
      <link>https://cristel.pelsser.eu/publication/stein-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/stein-2024</guid>
      <description>In this paper, we study two possible approaches to high-performance event building on the data acquisition (DAQ) system of the LHCb experiment. We show, using live experiments, that a synchronized design, that carefully schedules network communications to avoid network congestion, can obtain significantly better performance than a looser approach. However, this comes at the price of fault tolerance: we study the performance degradation of the DAQ system in the presence of various link failures, showing that, in these scenarios, the synchronized approach is not optimal. Finally, we derive some design recommendations to make synchronized designs cope with network failures.</description>
      <pubDate>Mon, 01 Apr 2024 00:00:00 GMT</pubDate>
      <dc:creator>Eloise Noelle Stein, Cristel Pelsser, Flavio Pisani, and Tommaso Colombo</dc:creator>
      <category>Data Acquisition</category>
      <category>Network Failures</category>
      <category>Performance Measurement</category>
      <category>LHCb</category>
      <enclosure url="https://cristel.pelsser.eu/images/publications/stein-2024/featured.jpg" type="image/jpeg" length="152535" />
    </item>
    <item>
      <title>An Exploration of Exact Methods for Effective Network Failure Detection and Diagnosis</title>
      <link>https://cristel.pelsser.eu/publication/burlats-2024-b</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/burlats-2024-b</guid>
      <description>In computer networks, rapid recovery from failures requires fast detection and diagnosis. Using protocols such as Bidirectional Forwarding Detection (BFD), it is possible to probe the state of a route. These protocols are executed on specific nodes designated as network monitors. Monitors are responsible for continuously checking the viability of communication paths. It is crucial to carefully select the monitors, as monitoring incurs costs, requiring a balance between the number of monitors and the quality of the supervision. In this context, we explore two supervision challenges from the field of Boolean network tomography: coverage, which involves detecting failures, and 1-identifiability, which also requires identifying the failing link or node. We examine three exact approaches to solve this problem: an Integer Linear Programming (ILP) model, a Constraint Programming (CP) model, and a Maximum Satisfiability (MaxSAT) model. Using 625 real network topologies, we demonstrate that employing these exact methods can reduce the number of monitors needed compared to the state-of-the-art greedy algorithm.</description>
      <pubDate>Thu, 01 Feb 2024 00:00:00 GMT</pubDate>
      <dc:creator>Alice Burlats, Cristel Pelsser, and Pierre Schaus</dc:creator>
      <category>Boolean tomography</category>
      <category>Network supervision</category>
    </item>
    <item>
      <title>oFIQUIC: Leveraging QUIC in OSPF for seamless network topology changes</title>
      <link>https://cristel.pelsser.eu/publication/rybowski-2024</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/rybowski-2024</guid>
      <description>Link state-routing protocols such as OSPF and ISIS are used in most if not all Internet Service Provider and enterprise networks. They both rely on flooding to distribute the network topology to all routers. Upon topology changes, all routers update their forwarding tables asynchronously which leads to transient events such as micro-loops and packet losses. We propose two improvements to OSPF in an extension called oFIQUIC. First, we use QUIC to exchange routing information between neighboring routers. Second, we revisit the OSPF flooding process. Instead of relying entirely on flooding to distribute topology changes, we establish secure remote QUIC sessions with distant OSPF routers to inform them of topology changes. This enables oFIQUIC to prevent transient loops by ordering the updates of the forwarding tables of all routers after a topology change. We add oFIQUIC to the BIRD implementation of OSPF. Our evaluation demonstrates that oFIQUIC prevents loops and converges quickly in different topologies.</description>
      <pubDate>Mon, 01 Jan 2024 00:00:00 GMT</pubDate>
      <dc:creator>Nicolas Rybowski, Cristel Pelsser, and Olivier Bonaventure</dc:creator>
      <category>OSPF</category>
      <category>IS-IS</category>
      <category>routing protocols</category>
      <enclosure url="https://cristel.pelsser.eu/images/publications/rybowski-2024/featured.jpg" type="image/jpeg" length="133707" />
    </item>
    <item>
      <title>Supervising Smart Home Device Interactions: A Profile-Based Firewall Approach</title>
      <link>https://cristel.pelsser.eu/publication/dekeersmaeker-2024-a</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/dekeersmaeker-2024-a</guid>
      <description>Despite their ubiquity, the security of Internet of Things devices is unsatisfactory, as demonstrated by several attacks. The IETF’s MUD standard aims to simplify and automate the secure deployment of network devices. A MUD file specifies a device-specific description of allowed network activities (e.g., allowed IP ports or host addresses) and can be used to configure, for example, a firewall. A major weakness of MUD is that it is not expressive enough to describe device interactions, which often occur between devices in modern Smart Home platforms. In this article, we present a new language for describing such traffic patterns. The language allows writing device profiles that are more expressive than MUD files and can describe complex traffic patterns. We show how these profiles can be translated to efficient code for a lightweight firewall. We evaluate our approach on traffic generated by various Smart Home devices, and show that our system can accurately block unwanted traffic while inducing negligible latency.</description>
      <pubDate>Wed, 01 May 2024 00:00:00 GMT</pubDate>
      <dc:creator>François De Keersmaeker, Ramin Sadre, and Cristel Pelsser</dc:creator>
      <category>IoT</category>
      <category>smart home</category>
      <category>security</category>
      <category>firewall</category>
      <category>device profiling</category>
    </item>
    <item>
      <title>Internet Science Moonshot: Expanding BGP Data Horizons</title>
      <link>https://cristel.pelsser.eu/publication/alfroy-2023</link>
      <guid isPermaLink="true">https://cristel.pelsser.eu/publication/alfroy-2023</guid>
      <description>Dramatic growth in Internet connectivity poses a challenge for the resource-constrained data collection efforts that support scientific and operational analysis of interdomain routing. Inspired by tradeoffs made in other disciplines, we explore a fundamental reconceptualization to how we design public BGP data collection architectures: an overshoot-and-discard approach that can accommodate an order of magnitude increase in vantage points by discarding redundant data shortly after its collection. As defining redundant depends on the context, we design algorithms that filter redundant updates without optimizing for one objective, and evaluate our approach in terms of detecting two noteworthy phenomena using BGP data: AS-topology mapping and hijacks. Our approach can generalize to other types of Internet data (e.g., traceroute, traffic). We offer this study as a first step to a potentially new area of Internet measurement research.</description>
      <pubDate>Wed, 01 Nov 2023 00:00:00 GMT</pubDate>
      <dc:creator>Thomas Alfroy, Thomas Holterbach, Thomas Krenc, KC Claffy, and Cristel Pelsser</dc:creator>
      <category>BGP</category>
      <category>Routing Security</category>
      <category>Internet measurement</category>
      <enclosure url="https://cristel.pelsser.eu/images/publications/alfroy-2023/featured.jpg" type="image/jpeg" length="228997" />
    </item>
  </channel>
</rss>