A closer look at IP-ID behavior in the Wild - Département Informatique et Réseaux Accéder directement au contenu
Communication Dans Un Congrès Année : 2018

A closer look at IP-ID behavior in the Wild

Résumé

Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detect router aliases and, lately, to assist detection of censorship in the Internet at large. These inferences have been possible since, in the past, the IP- ID was mostly implemented as a simple packet counter: however, this behavior has been discouraged for security reasons and other policies, such as random values, have been suggested. In this study, we propose a framework to classify the different IP-ID behaviors using active probing from a single host. Despite being only minimally intrusive, our technique is significantly accurate (99% true positive classification) robust against packet losses (up to 20%) and lightweight (few packets suffices to discriminate all IP-ID behaviors). We then apply our technique to an Internet-wide census, where we actively probe one alive target per each routable /24 subnet: we find that that the majority of hosts adopts a constant IP-IDs (39%) or local counter (34%), that the fraction of global counters (18%) significantly diminished, that a non marginal number of hosts have an odd behavior (7%) and that random IP-IDs are still an exception (2%).
Fichier non déposé

Dates et versions

hal-01712190 , version 1 (19-02-2018)

Identifiants

  • HAL Id : hal-01712190 , version 1

Citer

Flavia Salutari, Danilo Cicalese, Dario Rossi. A closer look at IP-ID behavior in the Wild. International Conference on Passive and Active Network Measurement (PAM), Mar 2018, Berlin, Germany. ⟨hal-01712190⟩
218 Consultations
0 Téléchargements

Partager

Gmail Facebook X LinkedIn More