A Second Look at Detecting Third-Party Addresses in Traceroute Traces with the IP Timestamp Option

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8362)


Artifacts in traceroute measurement output can lead to false inferences of AS-level links and paths when used to deduce AS topology. One traceroute artifact is caused by routers that respond to traceroute probes with a source address not in the path towards the destination, i.e. an off-path address. The most well-known traceroute artifact, the third-party address, is caused by off-path addresses that map to ASes not in the corresponding BGP path. In PAM 2013, Marchetta et al. proposed a technique to detect off-path addresses in traceroute paths [14]. Their technique assumed that a router IP address reported in a traceroute path towards a destination was off-path if, in a subsequent probe towards the same destination, the router did not insert a timestamp into a pre-specified timestamp option in the probe’s IP header. However, no standard precisely defines how routers should handle the pre-specified timestamp option, and implementations are inconsistent. Marchetta et al. claimed that most IP addresses in a traceroute path are off-path, and that consecutive off-path addresses are common. They reported no validation of their results. We cross-validate their approach with a first-principles approach, rooted in the assumption that subnets between connected routers are often /30 or /31 because routers are often connected with point-to-point links. We infer if an address in a traceroute path corresponds to the interface on a router that received the packet (the in-bound interface) by attempting to infer if its /30 or /31 subnet mate is an alias of the previous hop. We traceroute from 8 Ark monitors to 80K randomly chosen destinations, and find that most observed addresses are configured on the in-bound interface on a point-to-point link connecting two routers, i.e. are on-path. Because the technique from [14] reports 70.9%–74.9% of these addresses as being off-path, we conclude it is not reliable at inferring which addresses are off-path or third-party.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    IP address hitlist, PREDICT ID USC-LANDER/internet_address_hitlist_it52w (January 2, 2013),
  2. 2.
    Ager, B., Chatzis, N., Feldmann, A., Sarrar, N., Uhlig, S., Willinger, W.: Anatomy of a large European IXP. In: SIGCOMM 2012 (2012)Google Scholar
  3. 3.
    Augustin, B., Friedman, T., Teixeira, R.: Measuring load-balanced paths in the Internet. In: IMC 2007 (2007)Google Scholar
  4. 4.
    Augustin, B., Krishnamurthy, B., Willinger, W.: IXPs: Mapped? In: IMC 2009 (2009)Google Scholar
  5. 5.
    Bender, A., Sherwood, R., Spring, N.: Fixing Ally’s growing pains with velocity modeling. In: IMC 2008 (2008)Google Scholar
  6. 6.
    Giotsas, V., Zhou, S., Luckie, M., Claffy, K.: Inferring multilateral peering. In: CoNEXT 2013 (2013)Google Scholar
  7. 7.
    Govindan, R., Tangmunarunkit, H.: Heuristics for Internet map discovery. In: INFOCOM 2000 (2000)Google Scholar
  8. 8.
    Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., Bannister, J.: Census and survey of the visible Internet. In: IMC 2008 (2008)Google Scholar
  9. 9.
    Hyun, Y., Broido, A., Claffy, K.: On third-party addresses in traceroute paths. In: PAM 2003 (2003)Google Scholar
  10. 10.
    Keys, K., Hyun, Y., Luckie, M., Claffy, K.: Internet-scale IPv4 alias resolution with MIDAR. IEEE/ACM Transactions on Networking 21(2) (April 2013)Google Scholar
  11. 11.
    Lakhina, A., Byers, J.W., Crovella, M., Xie, P.: Sampling biases in IP topology measurements. In: INFOCOM 2003 (2003)Google Scholar
  12. 12.
    Luckie, M.: Scamper: a scalable and extensible packet prober for active measurement of the Internet. In: IMC 2010 (2010)Google Scholar
  13. 13.
    Luckie, M., Dhamdhere, A., Claffy, K., Murrell, D.: Measured impact of crooked traceroute. CCR 14(1) (January 2011)Google Scholar
  14. 14.
    Marchetta, P., de Donato, W., Pescapé, A.: Detecting third-party addresses in traceroute traces with IP timestamp option. In: Roughan, M., Chang, R. (eds.) PAM 2013. LNCS, vol. 7799, pp. 21–30. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  15. 15.
    Oliveira, R., Pei, D., Willinger, W., Zhang, B., Zhang, L.: In search of the elusive ground truth: the Internet’s AS-level connectivity structure. In: SIGMETRICS 2008 (2008)Google Scholar
  16. 16.
    Oliveira, R., Zhang, B., Zhang, L.: Observing the Evolution of Internet AS Topology. In: SIGCOMM 2007 (2007)Google Scholar
  17. 17.
    Postel, J.: Internet protocol (September 1981)Google Scholar
  18. 18.
    Sherry, J., Katz-Bassett, E., Pimenova, M., Madhyastha, H.V., Anderson, T., Krishnamurthy, A.: Resolving IP aliases with prespecified timestamps. In: IMC 2010 (2010)Google Scholar
  19. 19.
    Spring, N., Mahajan, R., Wetherall, D.: Measuring ISP topologies with Rocketfuel. In: SIGCOMM 2002, Pittsburgh, PA, USA (2002)Google Scholar
  20. 20.
    Zhang, Y., Oliveira, R., Zhang, H., Zhang, L.: Quantifying the pitfalls of traceroute in AS connectivity inference. In: Krishnamurthy, A., Plattner, B. (eds.) PAM 2010. LNCS, vol. 6032, pp. 91–100. Springer, Heidelberg (2010)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.CAIDAUC San DiegoUSA

Personalised recommendations