Presentation is loading. Please wait.

Presentation is loading. Please wait.

A METHOD FOR INCONSPICUOUS TRACEROUTE Jonathan Haber.

Published byArabella Parsons Modified over 9 years ago

Similar presentations

Presentation on theme: "A METHOD FOR INCONSPICUOUS TRACEROUTE Jonathan Haber."— Presentation transcript:

1 A METHOD FOR INCONSPICUOUS TRACEROUTE Jonathan Haber

2 Internet Protocol  Data broken into packets  Packets have header and data  Packets forwarded to destinations

3 The Problem?  Internet protocols provide no mechanism for determining what route your data is taking to the destination  Fine when things are working, but routing problems are inevitably going to arise

4 What is a traceroute?  A tool used to ascertain the path taken by information across the internet  No built-in mechanism to observe these paths, so must devise methods of path inference

5 How does it work?  Time-to-Live (TTL)  Used to ensure that packets do not float around the Internet indefinitely  Each time a packet is forwarded, its TTL is decremented

6 How is this used by traceroute?  Send out a packet with TTL of 1, which should cause it to die at the first hop  Wait for message saying where the packet died  Repeat this process, incrementing the TTL each time

7 Traceroute Graphic TTL = 4 Source Destination

8 Traceroute Graphic TTL = 4 Source Destination

9 Traceroute Graphic TTL = 4 TTL = 1 Source Destination 20.8.4.1

10 Traceroute Graphic TTL = 2 4 TTL = 1 Source Destination 20.8.4.1 36.12.0.1

11 Traceroute Graphic TTL = 2 4 TTL = 1 TTL = 3 Source Destination 20.8.4.1 36.12.0.1 62.14.9.3

12 Traceroute Graphic TTL = 2 TTL = 4 TTL = 1 TTL = 3 Source Destination 20.8.4.1 36.12.0.1 62.14.9.3 12.0.63.8

13 Traceroute Graphic TTL = 2 TTL = 4 TTL = 1 TTL = 3 TTL = 5 Source Destination 20.8.4.1 36.12.0.1 62.14.9.3 12.0.63.8

14 So what’s the problem?  Traceroute information can not be verified  A network might want to falsify this information  Common traceroute implementations have characteristics that make it easy to identify traceroute packets

15 Example traceroute A router might see: UDP Packet From: 245.100.198.6 To: 237.52.1.142:33489 TTL: 1 ID: 59480 Length: 38 UDP Packet From: 245.100.198.6 To: 237.52.1.142:33490 TTL: 2 ID: 59481 Length: 38 UDP Packet From: 245.100.198.6 To: 237.52.1.142:33491 TTL: 3 ID: 59482 Length: 38

16 What are falsified responses? A router might:  Respond to a traceroute probe with an incorrect IP address  Intercept traceroute traffic before its destination and spoof responses  Intentionally treat traceroute traffic differently than normal traffic

17 So far  Implemented new traceroute method using TCP Packets  Goal is to make traceroute traffic harder to identify  Why TCP and not UDP or ICMP?

18 Details  Implemented in Tcl using hping  Sends TCP probes (SYN) with increasing TTL’s  Has delay between sending probes (variable)  Looks for response, if none found will change packet type

19 So far  Began collecting data  Still experimenting with traceroute program to maximize responses  Begin to look at data for anomalies

20 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 * * * 14 209.85.241.22 (209.85.241.22) 15 209.85.241.37 (209.85.241.37) 16 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (TCP/UDP)

21 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 * * * 14 209.85.241.22 (209.85.241.22) 15 209.85.241.37 (209.85.241.37) 16 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (TCP/UDP)

22 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 * * * 14 209.85.241.22 (209.85.241.22) 15 209.85.241.37 (209.85.241.37) 16 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (TCP/UDP)

23 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 * * * 14 209.85.241.22 (209.85.241.22) 15 209.85.241.37 (209.85.241.37) 16 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (TCP/UDP)

24 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 * * * 14 209.85.241.22 (209.85.241.22) 15 209.85.241.37 (209.85.241.37) 16 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (TCP/UDP)

25 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 * * * 14 209.85.241.22 (209.85.241.22) 15 209.85.241.37 (209.85.241.37) 16 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (TCP/UDP)

26 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 * * * 14 209.85.241.22 (209.85.241.22) 15 209.85.241.37 (209.85.241.37) 16 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (TCP/UDP)

27 Example traceroute to Youtube.com 11 core1-0-0-8.lga.net.google.com (198.32.118.39) 12 209.85.248.178 (209.85.248.178) 13 216.239.46.215 (216.239.46.215) 14 72.14.232.141 (72.14.232.141) 15 209.85.241.35 (209.85.241.35) 16 iw-in-f93.1e100.net (74.125.95.93) 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 iw-in-f93.1e100.net (74.125.95.93) New MethodOld Method (ICMP)

28 Possible Explanations  Different packet types routed differently  Artifact of load balancing  Traceroute traffic intentionally routed differently  Responding falsely to detected traceroute traffic

29 To Do  Finish tweaking traceroute program  Continue collecting data  Path differences have already begun to emerge  Try to characterize these differences, their causes, etc.

30 Papers Referenced  Traceroute Probe Method and Forward IP Path Inference Matthew Luckie, Young Hyun, Bradley Huffaker  Avoiding traceroute anomalies with Paris traceroute Brice Augustin, Xavier Cuvellier, Benjamin Orgogozo, Fabien Viger, Timur Friedman, Matthieu Latapy, Clémence Magnien, Renata Teixeira  Traceroute Data Integrity and Route Concealment Oliver Jensen

Download ppt "A METHOD FOR INCONSPICUOUS TRACEROUTE Jonathan Haber."

Similar presentations

RIP V1 W.lilakiatsakun.

RIP V1 W.lilakiatsakun.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.

OpenFlow overview Joint Techs Baton Rouge. Classic Ethernet Originally a true broadcast medium Each end-system network interface card (NIC) received every.
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.

Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.
The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Chapter 5 The Network Layer.

Chapter 5 The Network Layer.
Examining IP Header Fields

Examining IP Header Fields
Internet Networking Spring 2003

Internet Networking Spring 2003
Measurement in the Internet. Outline Internet topology Bandwidth estimation Tomography Workload characterization Routing dynamics.

Measurement in the Internet. Outline Internet topology Bandwidth estimation Tomography Workload characterization Routing dynamics.
© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.

© 2007 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.1 Computer Networks and Internets with Internet Applications, 4e By Douglas.
User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.

User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.
Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.

Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.
ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.

ICMP: Ping and Trace CCNA 1 version 3.0 Rick Graziani Spring 2005.
Network Measurement Bandwidth Analysis. Why measure bandwidth? Network congestion has increased tremendously. Network congestion has increased tremendously.

Network Measurement Bandwidth Analysis. Why measure bandwidth? Network congestion has increased tremendously. Network congestion has increased tremendously.
IPv6 Fundamentals Chapter 2: IPv6 Protocol

IPv6 Fundamentals Chapter 2: IPv6 Protocol
1 ICMP – Using Ping and Trace CCNA Semester 2. 2 172.30.1.20 172.30.1.25.

1 ICMP – Using Ping and Trace CCNA Semester
INTERNET TOPOLOGY MAPPING INTERNET MAPPING PROBING OVERHEAD MINIMIZATION  Intra- and inter-monitor redundancy reduction IBRAHIM ETHEM COSKUN University.

INTERNET TOPOLOGY MAPPING INTERNET MAPPING PROBING OVERHEAD MINIMIZATION  Intra- and inter-monitor redundancy reduction IBRAHIM ETHEM COSKUN University.
CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College

CCNA Introduction to Networking 5.0 Rick Graziani Cabrillo College

Similar presentations

Ads by Google