Abstract
Internet-wide scans are a common active measurement approach to study the Internet, e.g., studying security properties or protocol adoption. They involve probing large address ranges (IPv4 or parts of IPv6) for specific ports or protocols. Besides their primary use for probing (e.g., studying protocol adoption), we show that—at the same time—they provide valuable insights into the Internet control plane informed by ICMP responses to these probes—a currently unexplored secondary use. We collect one week of ICMP responses (637.50M messages) to several Internet-wide ZMap scans covering multiple TCP and UDP ports as well as DNS-based scans covering >50% of the domain name space. This perspective enables us to study the Internet’s control plane as a by-product of Internet measurements. We receive ICMP messages from \(\sim \)171M different IPs in roughly 53K different autonomous systems. Additionally, we uncover multiple control plane problems, e.g., we detect a plethora of outdated and misconfigured routers and uncover the presence of large-scale persistent routing loops in IPv4.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Please note that we do not have a fully IPv6-capable measurement infrastructure and thus focus on IPv4 only.
- 2.
To reduce the capture size, our packet capture caps packets at 98 byte allowing no further investigation, we find 67% having the maximum capture size.
- 3.
With reachable we actually mean not unreachable, i.e., we do not get ICMP unreachable messages, which must not mean that this host was reached by the scan.
- 4.
This is basically a precaution against bad load balancers traded against the required TTL.
- 5.
Our dataset excludes TTL exceeded messages generated by these traceroutes.
References
Augustin, B., et al.: Avoiding traceroute anomalies with Paris traceroute. In: ACM IMC (2006)
Baker, F.: Requirements for IP Version 4 Routers. RFC 1812, RFC Editor (1995)
Bano, S., et al.: Scanning the internet for liveness. SIGCOMM CCR 48(2), 2–9 (2018)
Braden, R.: Requirements for Internet Hosts - Communication Layers. RFC 1122, RFC Editor (1989)
Cisco: IP Routing Frequently Asked Questions. https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28745-44.html#qa5
Cisco Systems, Inc.: Cisco IOS XR MPLS: mpls ip-ttl-propagate (2014). https://www.cisco.com/c/en/us/td/docs/routers/xr12000/software/xr12k_r4-1/mpls/command/reference/b_mpls_cr41xr12k/b_mpls_cr41xr12k_chapter_010.html#wp2864846713
Custura, A., Fairhurst, G., Learmonth, I.: Exploring usable Path MTU in the Internet. In: IFIP Network Traffic Measurement and Analysis Conference (2018)
Donnet, B., Luckie, M., Mérindol, P., Pansiot, J.-J.: Revealing MPLS Tunnels obscured from traceroute. SIGCOMM CCR 42(2), 87–93 (2012)
Durumeric, Z., et al.: The matter of heartbleed. In: ACM IMC (2014)
Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)
Edeline, K., Kühlewind, M., Trammell, B., Donnet, B.: copycat: Testing differential treatment of new transport protocols in the wild. In: Proceedings of the Applied Networking Research Workshop (ANRW) (2017)
Finn, G.G.: A connectionless congestion control algorithm. SIGCOMM CCR 19(5), 12–31 (1989)
Floyd, S.: TCP and explicit congestion notification. SIGCOMM CCR 24(5), 8–23 (1994)
Francois, P., Bonaventure, O.: Avoiding transient loops during the convergence of link-state routing protocols. IEEE/ACM Trans. Netw. 15, 1280–1292 (2007)
Gill, S.: ICMP redirects are ba’ad, mkay? Technical report, Team Cymru Inc. (2002)
Gont, F.: ICMP Attacks Against TCP. RFC 5927, RFC Editor (2010)
Gont, F.: Deprecation of ICMP Source Quench Messages. RFC 6633, RFC Editor (2012)
Graham, R.: MASSCAN: Mass IP Port Scanner (2018). https://github.com/robertdavidgraham/masscan
Guo, H., Heidemann, J.: Detecting ICMP rate limiting in the internet. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 3–17. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_1
Hengartner, U., Moon, S., Mortier, R., Diot, C.: Detection and analysis of routing loops in packet traces. In: ACM SIGCOMM Workshop on Internet Measurement (2002)
Hewlett Packard: HP-UX - Serviceguard A.11.19 on HP-UX 11.31: Source Quench Seen for Every IPMON Ping. https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02190964
Rüth, J., Zimmermann, T., Hohlfeld, O.: ICMP Dataset and Tools (2018). https://icmp.netray.io
Johnson, D.: Finding all the elementary circuits of a directed graph. SIAM J. Comput. 4(1), 77–84 (1975)
Juniper Networks, Inc.: no-propagate-ttl - TechLibrary - Juniper Networks (2017). https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-propagate-ttl-edit-protocols-mpls.html
Lone, Q., Luckie, M., Korczyński, M., van Eeten, M.: Using loops observed in traceroute to infer the ability to spoof. In: Kaafar, M.A., Uhlig, S., Amann, J. (eds.) PAM 2017. LNCS, vol. 10176, pp. 229–241. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54328-4_17
Malone, D., Luckie, M.: Analysis of ICMP quotations. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) PAM 2007. LNCS, vol. 4427, pp. 228–232. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71617-4_24
Nokia: Router Configuration Guide Release 15.0.R5. https://infoproducts.alcatel-lucent.com/cgi-bin/dbaccessfilename.cgi/3HE11976AAACTQZZA01_V1_7450%20ESS%207750%20SR%207950%20XRS%20and%20VSR%20Router%20Configuration%20Guide%20R15.0.R5.pdf
Postel, J.: Internet Control Message Protocol. RFC 792, RFC Editor (1981)
Reynolds, J., Postel, J.: Assigned Numbers. RFC 1700, RFC Editor (1994)
Rüth, J., Bormann, C., Hohlfeld, O.: Large-scale scanning of TCP’s initial window. In: ACM IMC (2017)
Rüth, J., Poese, I., Dietzel, C., Hohlfeld, O.: A first look at QUIC in the wild. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 255–268. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_19
Sridharan, A., Moon, S., Diot, C.: On the correlation between route dynamics and routing loops. In: ACM IMC (2003)
Varvello, M., Schomp, K., Naylor, D., Blackburn, J., Finamore, A., Papagiannaki, K.: Is the web HTTP/2 yet? In: Karagiannis, T., Dimitropoulos, X. (eds.) PAM 2016. LNCS, vol. 9631, pp. 218–232. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30505-9_17
Wang, F., Qiu, J., Gao, L., Wang, J.: On understanding transient interdomain routing failures (2009)
Xia, J., Gao, L., Fei, T.: Flooding attacks by exploiting persistent forwarding loops. In: ACM IMC (2005)
Xia, J., Gao, L., Fei, T.: A measurement study of persistent forwarding loops on the internet. Comput. Netw. 51, 4780–4796 (2007)
Zimmermann, T., Rüth, J., Wolters, B., Hohlfeld, O.: How HTTP/2 pushes the web: an empirical study of HTTP/2 server push. In: IFIP Networking Conference (2017)
Acknowledgments
Funded by the Excellence Initiative of the German federal and state governments, as well as by the German Research Foundation (DFG) as part of project B1 within the Collaborative Research Center (CRC) 1053—MAKI. We would like to thank the network operators at RWTH Aachen University, especially Jens Hektor and Bernd Kohler as well as RWTH’s research data management team.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Rüth, J., Zimmermann, T., Hohlfeld, O. (2019). Hidden Treasures – Recycling Large-Scale Internet Measurements to Study the Internet’s Control Plane. In: Choffnes, D., Barcellos, M. (eds) Passive and Active Measurement. PAM 2019. Lecture Notes in Computer Science(), vol 11419. Springer, Cham. https://doi.org/10.1007/978-3-030-15986-3_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-15986-3_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-15985-6
Online ISBN: 978-3-030-15986-3
eBook Packages: Computer ScienceComputer Science (R0)