Yarrp ing the Internet

Similar documents
Efficient Discovery of Load-Balanced Paths. Alistair King

Efficient Methodical Internet Topology Discovery

Assignment #3 Routing and Network Analysis. CIS3210 Computer Networks. University of Guelph

The digital copy of this thesis is protected by the Copyright Act 1994 (New Zealand).

Network layer: Overview. Network layer functions IP Routing and forwarding

Layer Four Traceroute (and related tools) A modern, flexible path-discovery solution with advanced features for network (reverse) engineers

IP addressing and forwarding Network layer

Internet Control Protocols Reading: Chapter 3

CS 457 Lecture 19 Global Internet - BGP. Fall 2011

TEIN2 Measurement and Monitoring Workshop.

Internet Protocol: IP packet headers. vendredi 18 octobre 13

High-Frequency Active Internet Topology Mapping

IP - The Internet Protocol

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

Network Measurement. Why Measure the Network? Types of Measurement. Traffic Measurement. Packet Monitoring. Monitoring a LAN Link. ScienLfic discovery

Network Layer: Network Layer and IP Protocol

Visualizations and Correlations in Troubleshooting

Mobile IP Network Layer Lesson 02 TCP/IP Suite and IP Protocol

A Characterization of IPv6 Network Security Policy

Active Measurements: traceroute

Understanding and Configuring NAT Tech Note PAN-OS 4.1

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

Paris traceroute: Measuring more accurate and complete paths

NetFlow/IPFIX Various Thoughts

Internet Infrastructure Measurement: Challenges and Tools

An Evaluation of Peering and Traffic Engineering in the Pan- African Research and Education Network

Traceroute The Internet s Diagnostic Tool

Network layer" 1DT066! Distributed Information Systems!! Chapter 4" Network Layer!! goals: "

Network Layer: and Multicasting Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Unverified Fields - A Problem with Firewalls & Firewall Technology Today

IPv6 Diagnostic and Troubleshooting

Internetworking. Problem: There is more than one network (heterogeneity & scale)

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Internet Protocols Fall Lectures 7-8 Andreas Terzis

CS 5480/6480: Computer Networks Spring 2012 Homework 3 Due by 1:25 PM MT, Monday March 5 th 2012

Network reconnaissance and IDS

Computer Networks I Laboratory Exercise 1

pathchar a tool to infer characteristics of Internet paths

Troubleshooting Tools

Network Troubleshooting

Announcements. No question session this week

FIREWALL AND NAT Lecture 7a

CS268 Exam Solutions. 1) End-to-End (20 pts)

8.2 The Internet Protocol

NETWORK LAYER/INTERNET PROTOCOLS

Troubleshooting the Firewall Services Module

Networks: IP and TCP. Internet Protocol

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Auxiliary Protocols

ZMap. Fast Internet-Wide Scanning and its Security Applications. Zakir Durumeric Eric Wustrow J. Alex Halderman. University of Michigan

Компјутерски Мрежи NAT & ICMP

What is a DoS attack?

Interconnection of Heterogeneous Networks. Internetworking. Service model. Addressing Address mapping Automatic host configuration

Application Layer -1- Network Tools

DHCP, ICMP, IPv6. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley DHCP. DHCP UDP IP Eth Phy

Internet Control Message Protocol (ICMP)

Routing Protocols (RIP, OSPF, BGP)

Configuring Static and Dynamic NAT Simultaneously

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Flow Analysis. Make A Right Policy for Your Network. GenieNRM

Dynamic Routing Protocols II OSPF. Distance Vector vs. Link State Routing

Network (Tree) Topology Inference Based on Prüfer Sequence

Internet Architecture and Philosophy

Software Defined Networking (SDN) - Open Flow

A Second Look at Detecting Third-Party Addresses in Traceroute Traces with the IP Timestamp Option

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Exercise 4 MPLS router configuration

Avaya ExpertNet Lite Assessment Tool

Life of a Packet CS 640,

Troubleshooting the Firewall Services Module

Chapter 11. User Datagram Protocol (UDP)

Instructor Notes for Lab 3

Network Traffic Evolution. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig

Cisco IOS Flexible NetFlow Technology

RARP: Reverse Address Resolution Protocol

Internet (IPv4) Topology Mapping. Department of Computer Science The University of Texas at Dallas

Cisco Configuring Commonly Used IP ACLs

Using IPM to Measure Network Performance

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

Computer Networks - CS132/EECS148 - Spring

The Gnutella Protocol Specification v0.4

Deploying in a Distributed Environment

Efficient strategies for active interface-level network topology discovery

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Monitoring and analyzing audio, video, and multimedia traffic on the network

Chapter 2 Lab 2-2, EIGRP Load Balancing

Chapter 9. IP Secure

Enterprise Network Management. March 4, 2009

How will the Migration from IPv4 to IPv6 Impact Voice and Visual Communication?

Public Review for Revealing MPLS Tunnels Obscured from Traceroute. Benoit Donnet, Matthew Luckie, Pascal Mérindol, and Jean-Jacques Pansiot

Introduction to Cisco IOS Flexible NetFlow

DDoS Attack Traceback

MPLS Basics. For details about MPLS architecture, refer to RFC 3031 Multiprotocol Label Switching Architecture.

Host Configuration (Linux)

Sage ERP Accpac Online

Sage 300 ERP Online. Mac Resource Guide. (Formerly Sage ERP Accpac Online) Updated June 1, Page 1

Exam 1 Review Questions

Distributed monitoring of IP-availability

Network Security TCP/IP Refresher

Efficient Doubletree: An Algorithm for Large-Scale Topology Discovery

Transcription:

Yarrp ing the Internet Robert Beverly Naval Postgraduate School February 12, 2016 Active Internet Measurements (AIMS) Workshop R. Beverly (NPS) Yarrp AIMS 2016 1 / 17

Motivation Active Topology Probing Years (and years) of prior work on Internet-scale topology probing e.g., Scamper, DoubleTree, iplane It s 2016: Why can t we traceroute to every IPv4 destination quickly? e.g., O(minutes)? (The ZMap a and Masscan b folks can do it why can t we?) a Z. Durumeric et al., 2013 b R. Graham, 2013 R. Beverly (NPS) Yarrp AIMS 2016 2 / 17

Motivation Active Topology Probing Years (and years) of prior work on Internet-scale topology probing e.g., Scamper, DoubleTree, iplane It s 2016: Why can t we traceroute to every IPv4 destination quickly? e.g., O(minutes)? (The ZMap a and Masscan b folks can do it why can t we?) a Z. Durumeric et al., 2013 b R. Graham, 2013 R. Beverly (NPS) Yarrp AIMS 2016 2 / 17

Motivation State-of-the-art Existing traceroute-style approaches: Maintain state over outstanding probes (identifier, origination time) Are sequential, probing all hops along the path. At best, parallelism limited to a window of outstanding destinations being probed. Implications: Concentrates load: along paths, links, routers (potentially triggering rate-limiting or IDS alarms) Production systems probe slowly R. Beverly (NPS) Yarrp AIMS 2016 3 / 17

Motivation State-of-the-art Existing traceroute-style approaches: Maintain state over outstanding probes (identifier, origination time) Are sequential, probing all hops along the path. At best, parallelism limited to a window of outstanding destinations being probed. Implications: Concentrates load: along paths, links, routers (potentially triggering rate-limiting or IDS alarms) Production systems probe slowly R. Beverly (NPS) Yarrp AIMS 2016 3 / 17

Yarrp Methodology Yelling at Random Routers Progressively Takes inspiration from ZMap: Uses a block cipher to randomly permute the < IP, TTL > space Is stateless, recovering necessary information from replies Permits fast Internet-scale active topology probing (even from a single VP) R. Beverly (NPS) Yarrp AIMS 2016 4 / 17

Example Topology Methodology Traditional Traceroute T 1 prober T 2 T 3 R. Beverly (NPS) Yarrp AIMS 2016 5 / 17

Methodology Traditional Traceroute T 1 ttl=2 prober Traditional traceroute sends probes with incrementing TTL to destination T 1 R. Beverly (NPS) Yarrp AIMS 2016 6 / 17

Methodology Traditional Traceroute ttl=4 T 1 prober... continuing until finished with T 1 (reach destination or gap limit). Prober must maintain state, while traffic is concentrated on prober T 1 path R. Beverly (NPS) Yarrp AIMS 2016 7 / 17

Methodology Yarrp T 1 ttl=4,dst=t2 prober T 2 T 3 Yarrp iterates through randomly permuted < Target, TTL > pairs R. Beverly (NPS) Yarrp AIMS 2016 8 / 17

Methodology Yarrp T 1 prober ttl=2,dst=t1 T 2 ttl=3,dst=t3 T 3 Yarrp iterates through randomly permuted < Target, TTL > pairs R. Beverly (NPS) Yarrp AIMS 2016 9 / 17

Inferred Topology Methodology Yarrp T 1 prober T 2 T 3 Finally, stitch together topology. Requires state and computation, but off-line after probing completes. R. Beverly (NPS) Yarrp AIMS 2016 10 / 17

Methodology Challenges Encoding State IP TCP 16 Ver HL DSCP C Len E N IPID Frag Offset TTL P=TCP Header Checksum Source IP = prober Destination IP = target Source Port d_port = 80 Sequence Number 32 Send TTL cksum(target IP) Send Elapsed Time (ms) Target IP IPID = Probe s TTL TCP Source Port = cksum(target IP destination) a TCP Seq No = Probe send time (elapsed ms) Per-flow load balancing fields remain constant (ala Paris) Assume routers echo only 28B of expired packet a Malone PAM 2007: 2% of quotations contained modified destination IP R. Beverly (NPS) Yarrp AIMS 2016 11 / 17

Methodology Challenges Recovering State 16 32 Send TTL IP ICMP P=ICMP Source IP = router interface Destination IP = prober cksum(target IP) Send Elapsed Time (ms) type=11 code=0 Target IP IPID Quote TTL=0 P=TCP Source IP = prober Destination IP = target Source Port d_port = 80 Sequence Number ICMP TTL exceeded replies permit recovery of: target probed, originating TTL (hop), and responding router interface at that hop. R. Beverly (NPS) Yarrp AIMS 2016 12 / 17

Methodology Challenges Distribution of unique interfaces discovered vs. TTL for all Ark monitors, one Ark topology probing cycle Unique Interfaces 10 5 10 4 10 3 10 2 10 1 10 0 1 23 4 56 7 89 10 1112 13 1415 16 1718 Trace TTL 19 2021 22 2324 25 2627 28 2930 31 32 Problem: knowing when to stop Little discoverable topology past TTL=32 limit < IP, TTL > search space to TTL 32 R. Beverly (NPS) Yarrp AIMS 2016 13 / 17

Results Initial Testing Speed C++ implementation w/o tuning Linux KVM (1 core, Intel L5640 @ 2.27GHz) Achieve 106K pps Proof-of-concept Sent 10M probes in 100 sec Discovered 178,453 unique router interfaces CPU: 52% R. Beverly (NPS) Yarrp AIMS 2016 14 / 17

What s Possible Results Traceroute to an address in each /24, for TTLs 1-32 t = 224 2 5 100Kpps 84min Traceroute to every routed IPv4 destination t = 231 2 5 100Kpps 1week R. Beverly (NPS) Yarrp AIMS 2016 15 / 17

Results Optimizations Base Yarrp requires no state (Must reconstruct traces, but that s an offline local process) If we re willing to maintain some space, we can optimize: Time Memory Trade Off Probe only routed destinations (radix trie BGP RIB) Avoiding repeated re-discovery of prober s local neighborhood (state over small number of interfaces near prober) Distribute: only requires communicating block cipher key and offset! R. Beverly (NPS) Yarrp AIMS 2016 16 / 17

Next Steps Results Yarrping the Internet Push limits on how fast we can map the entire IPv4 Internet Compare discovered topologies from e.g. Ark versus Yarrp Applications? What do two snapshots of the Internet topology separated by an hour reveal? Others? Thanks! Questions? https://www.cmand.org R. Beverly (NPS) Yarrp AIMS 2016 17 / 17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information