Published by Earl Fowler. Modified over 9 years ago.

Differences between In- and Outbound Internet Backbone Traffic
Wolfgang John and Sven Tafvelin
Dept. of Computer Science and Engineering
Chalmers University of Technology
Göteborg, Sweden

2007-05-23 TNC 2007

Overview
1. Introduction
2. Highlights of directional differences on
   – IP level
   – TCP level
   – UDP level
3. Summary of results
4. Conclusions

Introduction: Motivation
Why measure on Internet links?
– to understand the nature of Internet traffic
– to quantify deployment of protocol features
Interesting for
– Network engineers and protocol developers
– Network modeling and simulation community
– Network security and intrusion detection

Introduction: Related work
Directional differences on backbone traffic
– Evident on simple packet header analysis
– Correlation of packets might reveal reasons
Related work:
– Mainly unidirectional flow data (NetFlow)
– Either low or very high aggregation level
– Marginal discussion on directional differences

Introduction: Our contribution
Complete view on different levels
Contemporary data
Packet level analysis
Bi-directional TCP connections
Specific measurement location
– Medium aggregation level
– Suitable for highlighting directional differences

Introduction: Measurement location
[Figure: network diagram; labels: Internet, Regional ISPs, Gbg, Sthlm, Göteborgs Univ., Chalmers Univ., Stud-Net]
2x 10 Gbit/s (OC-192)
2x DAG6.2SE cards, tightly synchronized, capturing headers

Introduction: General traffic characteristics
Data from 20 days in April 2006
146 traces, 10.7 billion frames, 7.5 TB
99.99% IPv4 data
93% TCP packets
97% TCP data
Data and packet counts equal on inbound and outbound links!

Highlights: IP level
Distinct IP addresses seen (in Millions)
Surprisingly large numbers
Inbound destinations >> outbound sources
Outside hosts primarily due to UDP

Highlights: TCP level
Connection attempt breakdown (Millions)
Inbound connections mainly scans!

Highlights: TCP level (2)
TCP termination behavior (Millions)
Only 67% close properly (2xFIN)
Inbound: 20% of conn. closed by FIN and RST!

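The termination classes named on this slide can be derived from bare packet headers by pairing both directions of each connection. The Python code below is an added example, not code from the presentation; the class names other than 2xFIN and FIN+RST, the rule that the sender of the initial SYN sets the direction, and the sample records (documentation address ranges) are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits
# Constructed sample records (src, sport, dst, dport, flags); 192.0.2.0/24 is "inside".
SAMPLE_PACKETS = [
    ("192.0.2.10", 40000, "198.51.100.5", 80, SYN),            # outbound, clean close
    ("198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK),
    ("192.0.2.10", 40000, "198.51.100.5", 80, FIN | ACK),
    ("198.51.100.5", 80, "192.0.2.10", 40000, FIN | ACK),
    ("203.0.113.7", 51000, "192.0.2.20", 6881, SYN),           # inbound, FIN then RST
    ("192.0.2.20", 6881, "203.0.113.7", 51000, SYN | ACK),
    ("203.0.113.7", 51000, "192.0.2.20", 6881, FIN | ACK),
    ("192.0.2.20", 6881, "203.0.113.7", 51000, RST),
    ("203.0.113.9", 4444, "192.0.2.30", 445, SYN),             # inbound, never answered
]

def classify_terminations(packets, inside_net="192.0.2.0/24"):
    """Count (direction, termination class) per bidirectional TCP connection.

    Assumption: the sender of the initial SYN (no ACK) sets the direction.
    """
    inside = ipaddress.ip_network(inside_net)
    conns = defaultdict(lambda: {"dir": None, "est": False, "fins": set(), "rst": False})
    for src, sport, dst, dport, flags in packets:
        # Direction-independent key merges both halves of a connection.
        c = conns[tuple(sorted([(src, sport), (dst, dport)]))]
        if flags & SYN and not flags & ACK and c["dir"] is None:
            c["dir"] = "outbound" if ipaddress.ip_address(src) in inside else "inbound"
        if flags & SYN and flags & ACK:
            c["est"] = True  # handshake was answered
        if flags & FIN:
            c["fins"].add((src, sport))  # remember which endpoint sent a FIN
        if flags & RST:
            c["rst"] = True
    counts = Counter()
    for c in conns.values():
        if c["dir"] is None:
            continue  # started before the trace; direction unknown
        if not c["est"]:
            term = "not established"
        elif c["fins"] and c["rst"]:
            term = "FIN+RST"
        elif len(c["fins"]) == 2:
            term = "2xFIN"
        elif c["rst"]:
            term = "RST only"
        else:
            term = "unclosed"
        counts[(c["dir"], term)] += 1
    return counts
```
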
Highlights: TCP level (3)
Statistical properties of established TCP connections
– Lifetime, data volume, packet count
Inbound connections more likely to:
– show lifetimes between 1 and 5 seconds
– be long lasting (>10 minutes)
– carry more data and more packets
– show higher asymmetry (client-server pattern)

TCP level: P2P traffic
Quantification according to port-numbers
Missing payload → underestimated by factor 2-3 [*,**]
– 13% of data in outbound connections
– 25% of data in inbound connections
* S. Sen et al, “Accurate, Scalable in-network identification of P2P traffic across large networks”, IMW 2002
** T. Karagiannis et al, “Transport layer identification of P2P Traffic”, ACM SIGCOMM 2004

Highlights: UDP level
68 million UDP flows
51 million carry fewer than 3 packets!
DNS: 5%; NTP 1.7%
Incoming scanning: > 8%
P2P overlay traffic: > 20%
Signaling Traffic
– Distributed Hash Table (DHT) like Kademlia
– Update routing tables in decentralized way
– Periodic “ping” queries and replies
– P2P overlay networks span entire globe
– High fluctuation in peering partners → lots of IPs

Summary of results
Besides equal counts and volumes on both links, directional differences were found in:
– IP packet sizes
– IP fragmentation
– Number of TCP connections
– TCP connection establishment & termination
– TCP option usage
– TCP connection properties
– UDP scanning traffic

Conclusion
High level analysis does not necessarily show differences → detailed analysis does!
2 main reasons for directional differences:
– Malicious traffic: the Internet is “unfriendly”
– P2P: Göteborg is a P2P source
P2P is changing traffic characteristics, e.g. packet sizes, TCP termination, TCP option usage

Thank you very much for your attention!
Questions?

BACKUP SLIDES

Common P2P port numbers

TCP level (4)
TCP options (in %)

IP level (2)
Packet size distribution on the 2 links

IP level (3)
IP fragmentation on the 2 links

Malicious traffic / P2P traffic
Connection properties
[Figure: axis label: lifetime in sec]