Hidden Treasures – Recycling Large-Scale Internet Measurements to Study the Internet’s Control Plane
- 3 Citations
- 788 Downloads
Abstract
Internet-wide scans are a common active measurement approach to study the Internet, e.g., studying security properties or protocol adoption. They involve probing large address ranges (IPv4 or parts of IPv6) for specific ports or protocols. Besides their primary use for probing (e.g., studying protocol adoption), we show that—at the same time—they provide valuable insights into the Internet control plane informed by ICMP responses to these probes—a currently unexplored secondary use. We collect one week of ICMP responses (637.50M messages) to several Internet-wide ZMap scans covering multiple TCP and UDP ports as well as DNS-based scans covering >50% of the domain name space. This perspective enables us to study the Internet’s control plane as a by-product of Internet measurements. We receive ICMP messages from \(\sim \)171M different IPs in roughly 53K different autonomous systems. Additionally, we uncover multiple control plane problems, e.g., we detect a plethora of outdated and misconfigured routers and uncover the presence of large-scale persistent routing loops in IPv4.
Notes
Acknowledgments
Funded by the Excellence Initiative of the German federal and state governments, as well as by the German Research Foundation (DFG) as part of project B1 within the Collaborative Research Center (CRC) 1053—MAKI. We would like to thank the network operators at RWTH Aachen University, especially Jens Hektor and Bernd Kohler as well as RWTH’s research data management team.
References
- 1.Augustin, B., et al.: Avoiding traceroute anomalies with Paris traceroute. In: ACM IMC (2006)Google Scholar
- 2.Baker, F.: Requirements for IP Version 4 Routers. RFC 1812, RFC Editor (1995)Google Scholar
- 3.Bano, S., et al.: Scanning the internet for liveness. SIGCOMM CCR 48(2), 2–9 (2018)CrossRefGoogle Scholar
- 4.Braden, R.: Requirements for Internet Hosts - Communication Layers. RFC 1122, RFC Editor (1989)Google Scholar
- 5.Cisco: IP Routing Frequently Asked Questions. https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28745-44.html#qa5
- 6.Cisco Systems, Inc.: Cisco IOS XR MPLS: mpls ip-ttl-propagate (2014). https://www.cisco.com/c/en/us/td/docs/routers/xr12000/software/xr12k_r4-1/mpls/command/reference/b_mpls_cr41xr12k/b_mpls_cr41xr12k_chapter_010.html#wp2864846713
- 7.Custura, A., Fairhurst, G., Learmonth, I.: Exploring usable Path MTU in the Internet. In: IFIP Network Traffic Measurement and Analysis Conference (2018)Google Scholar
- 8.Donnet, B., Luckie, M., Mérindol, P., Pansiot, J.-J.: Revealing MPLS Tunnels obscured from traceroute. SIGCOMM CCR 42(2), 87–93 (2012)CrossRefGoogle Scholar
- 9.Durumeric, Z., et al.: The matter of heartbleed. In: ACM IMC (2014)Google Scholar
- 10.Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)Google Scholar
- 11.Edeline, K., Kühlewind, M., Trammell, B., Donnet, B.: copycat: Testing differential treatment of new transport protocols in the wild. In: Proceedings of the Applied Networking Research Workshop (ANRW) (2017)Google Scholar
- 12.Finn, G.G.: A connectionless congestion control algorithm. SIGCOMM CCR 19(5), 12–31 (1989)CrossRefGoogle Scholar
- 13.Floyd, S.: TCP and explicit congestion notification. SIGCOMM CCR 24(5), 8–23 (1994)MathSciNetCrossRefGoogle Scholar
- 14.Francois, P., Bonaventure, O.: Avoiding transient loops during the convergence of link-state routing protocols. IEEE/ACM Trans. Netw. 15, 1280–1292 (2007)CrossRefGoogle Scholar
- 15.Gill, S.: ICMP redirects are ba’ad, mkay? Technical report, Team Cymru Inc. (2002)Google Scholar
- 16.Gont, F.: ICMP Attacks Against TCP. RFC 5927, RFC Editor (2010)Google Scholar
- 17.Gont, F.: Deprecation of ICMP Source Quench Messages. RFC 6633, RFC Editor (2012)Google Scholar
- 18.Graham, R.: MASSCAN: Mass IP Port Scanner (2018). https://github.com/robertdavidgraham/masscan
- 19.Guo, H., Heidemann, J.: Detecting ICMP rate limiting in the internet. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 3–17. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_1CrossRefGoogle Scholar
- 20.Hengartner, U., Moon, S., Mortier, R., Diot, C.: Detection and analysis of routing loops in packet traces. In: ACM SIGCOMM Workshop on Internet Measurement (2002)Google Scholar
- 21.Hewlett Packard: HP-UX - Serviceguard A.11.19 on HP-UX 11.31: Source Quench Seen for Every IPMON Ping. https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02190964
- 22.Rüth, J., Zimmermann, T., Hohlfeld, O.: ICMP Dataset and Tools (2018). https://icmp.netray.io
- 23.Johnson, D.: Finding all the elementary circuits of a directed graph. SIAM J. Comput. 4(1), 77–84 (1975)MathSciNetCrossRefGoogle Scholar
- 24.Juniper Networks, Inc.: no-propagate-ttl - TechLibrary - Juniper Networks (2017). https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-propagate-ttl-edit-protocols-mpls.html
- 25.Lone, Q., Luckie, M., Korczyński, M., van Eeten, M.: Using loops observed in traceroute to infer the ability to spoof. In: Kaafar, M.A., Uhlig, S., Amann, J. (eds.) PAM 2017. LNCS, vol. 10176, pp. 229–241. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54328-4_17CrossRefGoogle Scholar
- 26.Malone, D., Luckie, M.: Analysis of ICMP quotations. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) PAM 2007. LNCS, vol. 4427, pp. 228–232. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71617-4_24CrossRefGoogle Scholar
- 27.Nokia: Router Configuration Guide Release 15.0.R5. https://infoproducts.alcatel-lucent.com/cgi-bin/dbaccessfilename.cgi/3HE11976AAACTQZZA01_V1_7450%20ESS%207750%20SR%207950%20XRS%20and%20VSR%20Router%20Configuration%20Guide%20R15.0.R5.pdf
- 28.Postel, J.: Internet Control Message Protocol. RFC 792, RFC Editor (1981)Google Scholar
- 29.Reynolds, J., Postel, J.: Assigned Numbers. RFC 1700, RFC Editor (1994)Google Scholar
- 30.Rüth, J., Bormann, C., Hohlfeld, O.: Large-scale scanning of TCP’s initial window. In: ACM IMC (2017)Google Scholar
- 31.Rüth, J., Poese, I., Dietzel, C., Hohlfeld, O.: A first look at QUIC in the wild. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds.) PAM 2018. LNCS, vol. 10771, pp. 255–268. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76481-8_19CrossRefGoogle Scholar
- 32.Sridharan, A., Moon, S., Diot, C.: On the correlation between route dynamics and routing loops. In: ACM IMC (2003)Google Scholar
- 33.Varvello, M., Schomp, K., Naylor, D., Blackburn, J., Finamore, A., Papagiannaki, K.: Is the web HTTP/2 yet? In: Karagiannis, T., Dimitropoulos, X. (eds.) PAM 2016. LNCS, vol. 9631, pp. 218–232. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30505-9_17CrossRefGoogle Scholar
- 34.Wang, F., Qiu, J., Gao, L., Wang, J.: On understanding transient interdomain routing failures (2009)Google Scholar
- 35.Xia, J., Gao, L., Fei, T.: Flooding attacks by exploiting persistent forwarding loops. In: ACM IMC (2005)Google Scholar
- 36.Xia, J., Gao, L., Fei, T.: A measurement study of persistent forwarding loops on the internet. Comput. Netw. 51, 4780–4796 (2007)CrossRefGoogle Scholar
- 37.Zimmermann, T., Rüth, J., Wolters, B., Hohlfeld, O.: How HTTP/2 pushes the web: an empirical study of HTTP/2 server push. In: IFIP Networking Conference (2017)Google Scholar