A Closer Look at IP-ID Behavior in the Wild

  • Flavia Salutari
  • Danilo Cicalese
  • Dario J. Rossi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10771)


Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detect router aliases and, lately, to assist detection of censorship in the Internet at large. These inferences have been possible since, in the past, the IP-ID was mostly implemented as a simple packet counter: however, this behavior has been discouraged for security reasons and other policies, such as random values, have been suggested.

In this study, we propose a framework to classify the different IP-ID behaviors using active probing from a single host. Despite being only minimally intrusive, our technique is significantly accurate (99% true positive classification) robust against packet losses (up to 20%) and lightweight (few packets suffices to discriminate all IP-ID behaviors). We then apply our technique to an Internet-wide census, where we actively probe one alive target per each routable /24 subnet: we find that the majority of hosts adopts a constant IP-IDs (39%) or local counter (34%), that the fraction of global counters (18%) significantly diminished, that a non marginal number of hosts have an odd behavior (7%) and that random IP-IDs are still an exception (2%).



We thank our shepherd Robert Beverly and the anonymous reviewers whose useful comments helped us improving the quality of our paper. This work has been carried out at LINCS ( and benefited from support of NewNet@Paris, Cisco Chair “Networks for the Future” at Telecom ParisTech (


  1. 1.
  2. 2.
    Bellovin, S.M.: A technique for counting NATted hosts. In: Proceedings of the IMW (2002)Google Scholar
  3. 3.
    Bender, A., Sherwood, R., Spring, N.: Fixing ally’s growing pains with velocity modeling. In: Proceedings of the ACM IMC (2008)Google Scholar
  4. 4.
    Beverly, R., Luckie, M., Mosley, L., Claffy, K.: Measuring and characterizing IPv6 router availability. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 123–135. Springer, Cham (2015). CrossRefGoogle Scholar
  5. 5.
    Braden, R.: RFC 1122, Requirements for Internet Hosts - Communication Layers (1989)Google Scholar
  6. 6.
    Chen, W., Huang, Y., Ribeiro, B.F., Suh, K., Zhang, H., de Souza e Silva, E., Kurose, J., Towsley, D.: Exploiting the IPID field to infer network path and end-system characteristics. In: Dovrolis, C. (ed.) PAM 2005. LNCS, vol. 3431, pp. 108–120. Springer, Heidelberg (2005). CrossRefGoogle Scholar
  7. 7.
    Dainotti, A., Benson, K., King, A., Huffaker, B., Glatz, E., Dimitropoulos, X., Richter, P., Finamore, A., Snoeren, A.C.: Lost in space: improving inference of IPv4 address space utilization. In: IEEE JSAC (2016)Google Scholar
  8. 8.
    Pelletier, K.S.G.: RFC 5225, RObust Header Compression Version 2 (ROHCv2): Profiles for RTP. UDP, IP, ESP and UDP-Lite (2008)Google Scholar
  9. 9.
    Gilad, Y., Herzberg, A.: Fragmentation considered vulnerable. In: ACM TISSEC (2013)Google Scholar
  10. 10.
    Gont, F.: RFC 6274, Security assessment of the internet protocol version 4 (2011)Google Scholar
  11. 11.
    Gont, F.: RFC 7739, Security implications of predictable fragment identification values (2016)Google Scholar
  12. 12.
    Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., Bannister, J.: Census and survey of the visible internet. In: Proceedings of the ACM IMC (2008)Google Scholar
  13. 13.
    Herzberg, A., Shulman, H.: Fragmentation considered poisonous, or: In: IEEE CCNS (2013)Google Scholar
  14. 14.
    Idle scanning and related IPID games.
  15. 15.
    Jaiswal, S., Iannaccone, G., Diot, C., Kurose, J., Towsley, D.: Measurement and classification of out-of-sequence packets in a tier-1 IP backbone. In: IEEE/ACM TON (2007)Google Scholar
  16. 16.
    Keys, K., Hyun, Y., Luckie, M., Claffy, K.: Internet-scale IPv4 alias resolution with MIDAR. In: IEEE/ACM TON (2013)Google Scholar
  17. 17.
    Klein, A.: OpenBSD DNS cache poisoning and multiple O/S predictable IP ID vulnerability. Technical report (2007)Google Scholar
  18. 18.
    Loh, W.-Y.: Classification and regression trees. Wiley Interdiscipl. Rev.: Data Mining Knowl. Discov. 1, 14–23 (2011)Google Scholar
  19. 19.
    Luckie, M., Beverly, R., Brinkmeyer, W., et al.: Speedtrap: internet-scale IPv6 alias resolution. In: Proceedings of the ACM IMC (2013)Google Scholar
  20. 20.
    Mahajan, R., Spring, N., Wetherall, D., Anderson, T.: User-level internet path diagnosis. ACM SIGOPS Oper. Syst. Rev. 37(5), 106–119 (2003)CrossRefGoogle Scholar
  21. 21.
    Mogul, J.C., Deering, S.E.: RFC 1191, Path MTU discovery (1990)Google Scholar
  22. 22.
    Mongkolluksamee, S., Fukuda, K., Pongpaibool, P.: Counting NATted hosts by observing TCP/IP field behaviors. In: Proceedings of the IEEE ICC (2012)Google Scholar
  23. 23.
    Pearce, P., Ensafi, R., Li, F., Feamster, N., Paxson, V.: Augur: Internet-wide detection of connectivity disruptions. In: IEEE SP (2017)Google Scholar
  24. 24.
    Postel, J.: RFC 791, Internet protocol (1981)Google Scholar
  25. 25.
    Salutari, F., Cicalese, D., Rossi, D.: A closer look at IP-ID behavior in the wild (extended tech. rep.). Technical report, Telecom ParisTech (2018)Google Scholar
  26. 26.
    Spring, N., Mahajan, R., Wetherall, D., Anderson, T.: Measuring ISP topologies with rocketfuel. In: IEEE/ACM TON (2004)Google Scholar
  27. 27.
    Touch, J.: RFC 6864, Updated Specification of the IPv4 ID Field (2013)Google Scholar
  28. 28.
    West, M.A., McCann, S.: RFC 4413, TCP/IP field behavior (2006)Google Scholar
  29. 29.
    Zander, S., Andrew, L.L., Armitage, G.: Capturing ghosts: predicting the used IPv4 space by inferring unobserved addresses. In: Proceedings of the ACM IMC (2014)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Flavia Salutari
    • 1
  • Danilo Cicalese
    • 1
  • Dario J. Rossi
    • 1
  1. 1.Telecom ParisTechParisFrance

Personalised recommendations