Analysis of Internet Backbone Traffic and Header Anomalies Observed Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers.

Presentation transcript:

Analysis of Internet Backbone Traffic and Header Anomalies Observed Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University of Technology Göteborg, Sweden

IMC 2007 Overview
1. Introduction
2. Traffic properties
   IP properties
   TCP properties
3. Header anomalies
4. Conclusions

Introduction: Measurement location
[Figure: measurement location. Labels: Internet; Regional ISPs; Göteborg; Stockholm; Other smaller Univ. and Institutes; Göteborgs Univ.; Student-Net; Chalmers Univ.]
2x 10 Gbit/s (OC-192)
2x DAG6.2SE cards
capturing headers only
IP addresses anonymized

Traffic Properties
Data from 20 days in April
x74 traces, 7.5 TB
billion frames
99.97% IPv4 packets

Protocol    Packets   Data
TCP         92.0 %    %
UDP         7.6 %     2.6 %
ICMP        0.2 %     0.1 %
ESP, GRE    0.2 %     0.1 %

Traffic Properties (2)
Packet size distribution
[Figure: packet size distribution; annotated sizes: (former) default 576 bytes, 1300 bytes, 628 bytes]

Traffic Properties: IP
IP properties
–No IP options (only 68 instances)
–91.3% set DF bit
–TOS: 0.02% ECN enabled packets

Traffic Properties: IP (2)
IP fragmentation rare (0.06%)
90% of fragmented packets incoming
–97% UDP
10% outgoing
–63% ESP, between 1 pair of hosts
–VPN header causes fragmentation
72% of the fragmented traffic during office hours (10AM, 2PM)

Traffic Properties: TCP
TCP options in SYN segments

MSS       SACK perm.   WS        TS
99.2 %    89.9 %       17.9 %    14.5 %

TCP options values
–MSS: from 0 to % (Ethernet max.)
–WS: scale factors up to 14
  58% scale factor zero
  31% scale factor 2

Header Anomalies
10.7 billion IP packets
9.8 billion TCP segments

Summary and Conclusions
Updated packet-level characteristics of Internet traffic
Inconsistencies in headers will appear
–Network attacks and malicious traffic
–Active OS fingerprinting
–Buggy applications or protocol stacks

Thank you very much for your attention! Questions?
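The header properties tallied on the "Traffic Properties: IP" and "Traffic Properties: TCP" slides (IP options, DF bit, ECN in TOS, fragmentation, options in SYN segments) can be read directly from raw IPv4 packets. The following is an added example, not the authors' measurement code; the function names, the `build` helper and the sample packets are constructed for illustration, and each input is assumed to start at the IPv4 header.

```python
import struct
from collections import Counter

TCP_OPT_NAMES = {2: "MSS", 3: "WS", 4: "SACK perm.", 8: "TS"}

def ip_properties(pkt):
    """IPv4 header properties tallied on the IP slides, for one raw IPv4 packet."""
    ver_ihl, tos, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    return {"ihl": (ver_ihl & 0x0F) * 4, "proto": proto,
            "ip_options": (ver_ihl & 0x0F) > 5,     # header longer than five 32-bit words
            "df": bool(flags_frag & 0x4000),        # Don't Fragment flag
            "ecn": bool(tos & 0x03),                # ECN field = low two bits of the TOS byte
            "fragment": bool(flags_frag & 0x3FFF)}  # MF flag set or non-zero fragment offset

def syn_options(pkt):
    """Options of a TCP segment with SYN set, as {name: value}; None for anything else."""
    ip = ip_properties(pkt)
    tcp = pkt[ip["ihl"]:]
    if ip["proto"] != 6 or ip["fragment"] or len(tcp) < 20 or not tcp[13] & 0x02:
        return None
    opts, found, i = tcp[20:(tcp[12] >> 4) * 4], {}, 0
    while i < len(opts) and opts[i] != 0:           # kind 0 ends the option list
        # NOP (kind 1) is one byte; every other kind is followed by a length byte
        size = 1 if opts[i] == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (opts[i] != 1 and size < 2) or i + size > len(opts):
            found["malformed"] = True               # length inconsistent with the header
            break
        if opts[i] in TCP_OPT_NAMES:
            body = opts[i + 2:i + size]
            found[TCP_OPT_NAMES[opts[i]]] = int.from_bytes(body, "big") if opts[i] in (2, 3) else True
        i += size
    return found

def build(tos, flags_frag, tcp_flags, options=b""):
    """Constructed sample packet: IPv4 + TCP with only the fields examined here filled in."""
    tcp = struct.pack("!12xBB6x", (20 + len(options)) // 4 << 4, tcp_flags) + options
    return struct.pack("!BBH2xHBB10x", 0x45, tos, 20 + len(tcp), flags_frag, 64, 6) + tcp

SYN_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030302")
SAMPLES = [build(0x02, 0x4000, 0x02, SYN_OPTS),                   # SYN with DF, ECN, 4 options
           build(0x00, 0x2000, 0x02, SYN_OPTS),                   # fragment (MF set)
           build(0x00, 0x0000, 0x02, bytes.fromhex("02090000"))]  # SYN with bad MSS length

def tally(packets):
    """Count header properties over raw packets; SYN option names get a 'syn:' prefix."""
    counts = Counter()
    for pkt in packets:
        counts.update(k for k, v in ip_properties(pkt).items() if v is True)
        counts.update("syn:" + name for name in (syn_options(pkt) or {}))
    return counts
```

Dividing each counter from `tally` by the number of packets (or of SYN segments) gives percentages in the form the slides report.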