Hidden Treasures – Recycling Large-Scale Internet Measurements to Study the Internet’s Control Plane

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11419)


Internet-wide scans are a common active measurement approach to study the Internet, e.g., studying security properties or protocol adoption. They involve probing large address ranges (IPv4 or parts of IPv6) for specific ports or protocols. Besides their primary use for probing (e.g., studying protocol adoption), we show that—at the same time—they provide valuable insights into the Internet control plane informed by ICMP responses to these probes—a currently unexplored secondary use. We collect one week of ICMP responses (637.50M messages) to several Internet-wide ZMap scans covering multiple TCP and UDP ports as well as DNS-based scans covering >50% of the domain name space. This perspective enables us to study the Internet’s control plane as a by-product of Internet measurements. We receive ICMP messages from \(\sim \)171M different IPs in roughly 53K different autonomous systems. Additionally, we uncover multiple control plane problems, e.g., we detect a plethora of outdated and misconfigured routers and uncover the presence of large-scale persistent routing loops in IPv4.



Funded by the Excellence Initiative of the German federal and state governments, as well as by the German Research Foundation (DFG) as part of project B1 within the Collaborative Research Center (CRC) 1053—MAKI. We would like to thank the network operators at RWTH Aachen University, especially Jens Hektor and Bernd Kohler as well as RWTH’s research data management team.


  1. 1.
    Augustin, B., et al.: Avoiding traceroute anomalies with Paris traceroute. In: ACM IMC (2006)Google Scholar
  2. 2.
    Baker, F.: Requirements for IP Version 4 Routers. RFC 1812, RFC Editor (1995)Google Scholar
  3. 3.
    Bano, S., et al.: Scanning the internet for liveness. SIGCOMM CCR 48(2), 2–9 (2018)CrossRefGoogle Scholar
  4. 4.
    Braden, R.: Requirements for Internet Hosts - Communication Layers. RFC 1122, RFC Editor (1989)Google Scholar
  5. 5.
  6. 6.
  7. 7.
    Custura, A., Fairhurst, G., Learmonth, I.: Exploring usable Path MTU in the Internet. In: IFIP Network Traffic Measurement and Analysis Conference (2018)Google Scholar
  8. 8.
    Donnet, B., Luckie, M., Mérindol, P., Pansiot, J.-J.: Revealing MPLS Tunnels obscured from traceroute. SIGCOMM CCR 42(2), 87–93 (2012)CrossRefGoogle Scholar
  9. 9.
    Durumeric, Z., et al.: The matter of heartbleed. In: ACM IMC (2014)Google Scholar
  10. 10.
    Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)Google Scholar
  11. 11.
    Edeline, K., Kühlewind, M., Trammell, B., Donnet, B.: copycat: Testing differential treatment of new transport protocols in the wild. In: Proceedings of the Applied Networking Research Workshop (ANRW) (2017)Google Scholar
  12. 12.
    Finn, G.G.: A connectionless congestion control algorithm. SIGCOMM CCR 19(5), 12–31 (1989)CrossRefGoogle Scholar
  13. 13.
    Floyd, S.: TCP and explicit congestion notification. SIGCOMM CCR 24(5), 8–23 (1994)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Francois, P., Bonaventure, O.: Avoiding transient loops during the convergence of link-state routing protocols. IEEE/ACM Trans. Netw. 15, 1280–1292 (2007)CrossRefGoogle Scholar
  15. 15.
    Gill, S.: ICMP redirects are ba’ad, mkay? Technical report, Team Cymru Inc. (2002)Google Scholar
  16. 16.
    Gont, F.: ICMP Attacks Against TCP. RFC 5927, RFC Editor (2010)Google Scholar
  17. 17.
    Gont, F.: Deprecation of ICMP Source Quench Messages. RFC 6633, RFC Editor (2012)Google Scholar
  18. 18.
    Graham, R.: MASSCAN: Mass IP Port Scanner (2018).
  19. 19.
    Guo, H., Heidemann, J.: Detecting ICMP rate limiting in the internet. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 3–17. Springer, Cham (2018). Scholar
  20. 20.
    Hengartner, U., Moon, S., Mortier, R., Diot, C.: Detection and analysis of routing loops in packet traces. In: ACM SIGCOMM Workshop on Internet Measurement (2002)Google Scholar
  21. 21.
    Hewlett Packard: HP-UX - Serviceguard A.11.19 on HP-UX 11.31: Source Quench Seen for Every IPMON Ping.
  22. 22.
    Rüth, J., Zimmermann, T., Hohlfeld, O.: ICMP Dataset and Tools (2018).
  23. 23.
    Johnson, D.: Finding all the elementary circuits of a directed graph. SIAM J. Comput. 4(1), 77–84 (1975)MathSciNetCrossRefGoogle Scholar
  24. 24.
  25. 25.
    Lone, Q., Luckie, M., Korczyński, M., van Eeten, M.: Using loops observed in traceroute to infer the ability to spoof. In: Kaafar, M.A., Uhlig, S., Amann, J. (eds.) PAM 2017. LNCS, vol. 10176, pp. 229–241. Springer, Cham (2017). Scholar
  26. 26.
    Malone, D., Luckie, M.: Analysis of ICMP quotations. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) PAM 2007. LNCS, vol. 4427, pp. 228–232. Springer, Heidelberg (2007). Scholar
  27. 27.
  28. 28.
    Postel, J.: Internet Control Message Protocol. RFC 792, RFC Editor (1981)Google Scholar
  29. 29.
    Reynolds, J., Postel, J.: Assigned Numbers. RFC 1700, RFC Editor (1994)Google Scholar
  30. 30.
    Rüth, J., Bormann, C., Hohlfeld, O.: Large-scale scanning of TCP’s initial window. In: ACM IMC (2017)Google Scholar
  31. 31.
    Rüth, J., Poese, I., Dietzel, C., Hohlfeld, O.: A first look at QUIC in the wild. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 255–268. Springer, Cham (2018). Scholar
  32. 32.
    Sridharan, A., Moon, S., Diot, C.: On the correlation between route dynamics and routing loops. In: ACM IMC (2003)Google Scholar
  33. 33.
    Varvello, M., Schomp, K., Naylor, D., Blackburn, J., Finamore, A., Papagiannaki, K.: Is the web HTTP/2 yet? In: Karagiannis, T., Dimitropoulos, X. (eds.) PAM 2016. LNCS, vol. 9631, pp. 218–232. Springer, Cham (2016). Scholar
  34. 34.
    Wang, F., Qiu, J., Gao, L., Wang, J.: On understanding transient interdomain routing failures (2009)Google Scholar
  35. 35.
    Xia, J., Gao, L., Fei, T.: Flooding attacks by exploiting persistent forwarding loops. In: ACM IMC (2005)Google Scholar
  36. 36.
    Xia, J., Gao, L., Fei, T.: A measurement study of persistent forwarding loops on the internet. Comput. Netw. 51, 4780–4796 (2007)CrossRefGoogle Scholar
  37. 37.
    Zimmermann, T., Rüth, J., Wolters, B., Hohlfeld, O.: How HTTP/2 pushes the web: an empirical study of HTTP/2 server push. In: IFIP Networking Conference (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.RWTH Aachen UniversityAachenGermany

Personalised recommendations