REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel° and Benoit Donnet°. *Université catholique de Louvain °Université de Liège

Outline
  Middleboxes interference
  Detect packet modification with ICMP
  Tracebox
  Measurement results

The end-to-end principle …
[Figure: the two end hosts run the full stack (application, transport, network, data link, physical); the nodes in between implement only the network, data link and physical layers]

… does not hold
[Figure: the same path, with a middlebox in the middle that implements the full stack up to the application layer]

In reality
[Figure from: Sherry, Justine, et al. "Making middleboxes someone else's problem: Network processing as a cloud service." Proceedings of the ACM SIGCOMM 2012 conference. ACM, 2012.]

TCP segment processed by a router
[Figure: IPv4 and TCP header layouts of the segment before and after the router]

How transparent is the Internet?
Measurement campaign from 25th September 2010 to 30th April, from access networks in 24 countries.
Crafted TCP segments using custom scripts; sent specific TCP segments from the clients to a server in Japan.
Honda, Michio, et al. "Is it still possible to extend TCP?" Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. ACM, 2011.

TCP segments on today's Internet
[Figure: IPv4 and TCP header layouts, as sent and as observed at the other end of the measured paths]

Such end-to-end measurements potentially miss a lot of middleboxes

Outline
  Middleboxes interference
  Detect packet modification with ICMP
  Tracebox
  Measurement results

Traceroute with ICMP in a nutshell
[Figure: IP/TCP probes sent with TTL=1, then TTL=2]

Traceroute with ICMP in a nutshell
[Figure: the IP/ICMP reply to the TTL=1 probe: ICMP type = 11, code = 0, checksum, 4 unused bytes (0), followed by the quoted IP header of the expired probe (TTL 1) and the first bytes of its TCP header]
Use the IP source address of the ICMP message to identify routers

Middlebox detection with ICMP
[Figure: the probe as sent with TTL=2 next to the packet quoted in the ICMP reply (TTL 1)]
Compare the sent probe with the quoted copy

ICMP-based modification detection
RFC 792 requires ICMP to include only the first 8 bytes of the transport header.
RFC 1812 (1995) and RFC 4884 (2007) require that routers should quote the complete original packet.
This is the default on Linux, Cisco IOX, HP routers, Alcatel routers, Palo Alto firewalls, etc.
[Figure: complete IPv4 and TCP header layouts, i.e. the full quote]

80 % of Internet paths contain at least one RFC1812-capable router
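The comparison the preceding slides describe, as an added example that is not tracebox code (tracebox itself is C++ with Lua): a minimal Python model that builds an IPv4/TCP SYN probe, passes it through a simulated router and an MSS-clamping middlebox, wraps what the next router saw in an ICMP time-exceeded message, and diffs the quoted copy against the probe. The addresses, ports, MSS values and the field names are constructed for the example; the probe, hop and middlebox functions are assumptions of this model, and the TCP checksum is left at zero to keep it short.

```python
import struct

# Constructed example values: a 10.0.0.1 -> 192.0.2.1 SYN probe (private / documentation ranges).
SRC = bytes([10, 0, 0, 1])
DST = bytes([192, 0, 2, 1])
OPTION_NAMES = {2: "MaxSegSize", 3: "WindowScale", 4: "SAckPermitted", 8: "Timestamp", 30: "MPTCPCapable"}
# Fields that legitimately change at every hop: reported, but not evidence of a middlebox.
EXPECTED_PER_HOP = {"IP::TTL", "IP::CheckSum"}


def ipv4_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_probe(ttl, dport=80, mss=1460):
    """IPv4/TCP SYN carrying one MSS option (TCP checksum left at zero for brevity)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1000, 0, 6 << 4, 0x02, 8192, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)                      # kind 2, length 4, value
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1234, 0x4000, ttl, 6, 0, SRC, DST)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def forward_hop(pkt):
    """An ordinary router: decrement TTL and recompute the IP header checksum."""
    ihl = (pkt[0] & 0xF) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def clamp_mss(pkt, new_mss):
    """A middlebox that rewrites the MSS option in place."""
    ihl = (pkt[0] & 0xF) * 4
    out = bytearray(pkt)
    i, end = ihl + 20, ihl + (pkt[ihl + 12] >> 4) * 4
    while i < end and out[i] != 0:
        if out[i] == 1:                                        # NOP
            i += 1
            continue
        if out[i] == 2:
            out[i + 2:i + 4] = struct.pack("!H", new_mss)
        i += out[i + 1]
    return bytes(out)


def icmp_time_exceeded(received, full_quote):
    """ICMP type 11 code 0, quoting either RFC 792's 8 transport bytes or the whole packet (RFC 1812)."""
    ihl = (received[0] & 0xF) * 4
    quote = received if full_quote else received[:ihl + 8]
    body = struct.pack("!BBHI", 11, 0, 0, 0) + quote
    return body[:2] + struct.pack("!H", ipv4_checksum(body)) + body[4:]


def parse_fields(pkt):
    """Decode the IPv4 header plus whatever part of the TCP segment is present."""
    names = ["IP::VerIHL", "IP::ToS", "IP::TotalLength", "IP::Identification",
             "IP::FlagsFragOffset", "IP::TTL", "IP::Protocol", "IP::CheckSum"]
    f = dict(zip(names, struct.unpack("!BBHHHBBH", pkt[:12])))
    ihl = (f["IP::VerIHL"] & 0xF) * 4
    f["IP::Source"], f["IP::Destination"] = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:]
    if len(tcp) >= 8:                                          # the RFC 792 minimum quote
        f["TCP::SrcPort"], f["TCP::DstPort"], f["TCP::SeqNumber"] = struct.unpack("!HHI", tcp[:8])
    if len(tcp) >= 20:
        names = ["TCP::AckNumber", "TCP::DataOffset", "TCP::Flags", "TCP::Window", "TCP::CheckSum", "TCP::UrgentPtr"]
        f.update(zip(names, struct.unpack("!IBBHHH", tcp[8:20])))
        opts = tcp[20:(f["TCP::DataOffset"] >> 4) * 4]
        i = 0
        while i + 1 < len(opts) and opts[i] != 0:
            if opts[i] == 1:
                i += 1
                continue
            kind, length = opts[i], opts[i + 1]
            if length < 2 or i + length > len(opts):
                break                                          # option cut off by a short quote
            f["TCPOption::" + OPTION_NAMES.get(kind, "Kind%d" % kind)] = opts[i + 2:i + length]
            i += length
    return f


def compare(sent, quoted):
    """Tracebox-style diff: fields present in both copies that differ, and fields the quote does not cover."""
    a, b = parse_fields(sent), parse_fields(quoted)
    modified = sorted(k for k in a if k in b and a[k] != b[k])
    unobservable = sorted(k for k in a if k not in b)
    return modified, unobservable


def middlebox_changes(modified):
    return [k for k in modified if k not in EXPECTED_PER_HOP]


def simulate(full_quote, ttl=2):
    """Probe crosses one router and an MSS-clamping middlebox; the next router expires the TTL."""
    probe = build_probe(ttl)
    on_wire = clamp_mss(forward_hop(probe), 1400)
    icmp = icmp_time_exceeded(on_wire, full_quote)
    return compare(probe, icmp[8:])                            # quoted packet follows the 8-byte ICMP header


if __name__ == "__main__":
    for full in (False, True):
        modified, unobservable = simulate(full)
        print("full quote" if full else "8-byte quote",
              "| middlebox changes:", middlebox_changes(modified),
              "| not observable:", unobservable)
```

With the RFC 1812 full quote the diff reports IP::TTL and IP::CheckSum (expected at every hop, exactly as the tracebox output later in the deck shows) plus the rewritten MSS option; when the expiring router quotes only the RFC 792 minimum, the MSS option is simply not observable from that hop, which is why the share of RFC1812-capable routers on a path matters.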

ICMP detection limitations, similar to traceroute:
  ICMP is filtered on some paths
  Routers throttle ICMP or do not send it at all
  To detect a middlebox in front of a server, the server itself must generate the ICMP message

Outline
  Middleboxes interference
  Detect packet modification with ICMP
  Tracebox
  Measurement results

Tracebox
Uses the previous mechanism to detect middleboxes.
Implemented in C++ with Lua embedded.
Libcrafter allows probes to be described efficiently, as with Scapy.
Open source and available online.
Supports Linux and Mac OS X.

Tracebox
  Usage: tracebox [ OPTIONS ] host
  Options are:
    -h            Display this help and exit
    -n            Do not resolve IP addresses
    -6            Use IPv6 for static probe generated
    -u            Use UDP for static probe generated
    -d port       Use the specified port for static probe generated. Default is 80.
    -i device     Specify a network interface to operate with
    -m hops_max   Set the max number of hops (max TTL to be reached). Default is 30
    -p probe      Specify the probe to send.
    -s script     Run a script.

Probe definition
SYN probe that contains the window scale option:
  ip{} / tcp{flags=0x2,dst=80} / WSCALE
  IP / TCP / wscale(9) / NOP
IPv6/UDP probe with payload:
  IPv6 / udp{dst=5678} / raw('this is a payload')
Multiple options:
  ip{} / RR(8) / tcp{dst=80} / mss(1400) / WSCALE / TS

Output example
  # tracebox -n -p "IP/TCP/MSS/MPCAPABLE/WSCALE" bahn.de
  tracebox to (bahn.de): 64 hops max
   1: IP::CheckSum
   2: IP::TTL IP::CheckSum
   3: IP::TTL IP::CheckSum
   4: IP::TTL IP::CheckSum
   5: IP::TTL IP::CheckSum
   6: IP::TTL IP::CheckSum
   7: IP::TTL IP::CheckSum
   8: IP::TTL IP::CheckSum
   9: IP::TTL IP::CheckSum
  10: TCP::CheckSum IP::TTL IP::CheckSum TCPOptionMaxSegSize::MaxSegSize -TCPOptionMPTCPCapable -TCPOptionWindowScale

Outline
  Middleboxes interference
  Detect packet modification with ICMP
  Tracebox
  Measurement results

Measurements
Used PlanetLab to perform the experiments; PlanetLab nodes are supposed to be directly connected to the Internet.
Sources: 70 vantage points
Destinations: top 5000 Alexa sites

Some middleboxes randomize the TCP sequence number …

… but do not modify the SACK blocks: mismatch

Evaluation of the impact
[Figure: Click testbed with a TCP Seq Modification element (Seq' = Seq + Δ, Ack' = Ack - Δ) and a Discard element (1 %)]

Linux performance significantly drops
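The mismatch described on the preceding slides, as an added example that is not part of the original deck or of the Click testbed: a small Python model of a sequence-randomizing middlebox that shifts Seq by Δ towards the server and Ack by -Δ towards the client but leaves the server's SACK blocks untouched, together with the range check a sender applies before trusting a SACK block. The segment size, the initial sequence number, the value of Δ and the function names are constructed for the example.

```python
# Constructed example: a client sends three 1000-byte segments through a sequence-randomizing
# middlebox; the second segment is lost, so the server answers with a cumulative ACK plus a SACK block.
DELTA = 0x12345678      # offset the middlebox adds to the client's sequence numbers (assumed value)
MSS = 1000
MASK = 0xFFFFFFFF


def client_segments(isn, count):
    """(seq, length) pairs for `count` back-to-back full-size segments."""
    return [(isn + i * MSS, MSS) for i in range(count)]


def middlebox_to_server(seg, delta):
    """Client -> server direction: Seq' = Seq + delta."""
    seq, length = seg
    return ((seq + delta) & MASK, length)


def server_receive(segments, lost_index):
    """Cumulative ACK and RFC 2018 SACK blocks, in the server's view of the stream."""
    ack = segments[0][0]
    blocks = []
    for seq, length in sorted(s for i, s in enumerate(segments) if i != lost_index):
        if seq == ack:
            ack = seq + length                                # in-order data advances the ACK
        elif blocks and blocks[-1][1] == seq:
            blocks[-1] = (blocks[-1][0], seq + length)        # extend the current SACK block
        else:
            blocks.append((seq, seq + length))                # new out-of-order block
    return ack, blocks


def middlebox_to_client(ack, blocks, delta, rewrite_sack):
    """Server -> client direction: Ack' = Ack - delta; SACK blocks only if the box handles them."""
    ack = (ack - delta) & MASK
    if rewrite_sack:
        blocks = [((l - delta) & MASK, (r - delta) & MASK) for l, r in blocks]
    return ack, blocks


def usable_sack_blocks(ack, snd_nxt, blocks):
    """A sender can only use blocks inside its outstanding data [ack, snd_nxt].
    Plain comparisons are enough here because the example's numbers never wrap."""
    return [(l, r) for l, r in blocks if ack <= l < r <= snd_nxt]


def run(rewrite_sack, delta=DELTA, isn=1000):
    """Returns (ack as seen by the client, SACK blocks as seen by the client, blocks it can use)."""
    segs = client_segments(isn, 3)
    snd_nxt = isn + 3 * MSS
    ack, blocks = server_receive([middlebox_to_server(s, delta) for s in segs], lost_index=1)
    ack, blocks = middlebox_to_client(ack, blocks, delta, rewrite_sack)
    return ack, blocks, usable_sack_blocks(ack, snd_nxt, blocks)


if __name__ == "__main__":
    for rewrite in (False, True):
        ack, blocks, usable = run(rewrite)
        print("SACK rewritten" if rewrite else "SACK untouched",
              "| ack =", ack, "| blocks seen by client =", blocks, "| usable =", usable)
```

Left untouched, the SACK block lands far outside the client's outstanding window and is discarded, so the client recovers the lost segment without any SACK information; when the middlebox translates the blocks as well (the `rewrite_sack=True` run), the same block is usable. The cumulative ACK is correct in both runs, which is exactly why such a box looks harmless until SACK-based recovery is exercised by loss.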

A firewall at the source modified the MSS

The core network also looks at the MSS option and modifies it

Lessons learned
There exist middleboxes that affect performance, and network operators are not always aware of them.
Tracebox can detect some middleboxes.
Tracebox could help network operators debug their networks, even better with more RFC1812-capable routers.

Thank you. Questions ?