Related work for fingerprint methods


In this chapter several known IP alias resolution techniques will be presented. These techniques may be divided into two categories: fingerprint methods and inference methods (division based on is used, although others exist). Finally, some auxiliary techniques will be discussed, such as how to split alias candidates before probing, or how to infer subnets to help alias resolution.

Fingerprint methods

Fingerprint methods are based on active probing and subsequent analysis of collected packets. The aim is to provide evidence that several packets were generated by the same host (e.g. incoming reply packets with different source addresses) or by several hosts with common properties (e.g. by hosts with the same initial TTL). A general disadvantage of probing-only methods is that they depend on the host's responsiveness to probes. If routers do not respond to the particular method, these methods are completely ineffective. Also, network changes during measurement may introduce errors.

Source Address method

Origin. Sometimes also referred to as the UDP technique, this method was used by Pansiot and Grad as the first alias resolution technique ever. It is based on an implementation characteristic of ICMP Destination Unreachable messages that was described in detail in the previous chapter.

Method description. A UDP probe is sent to some high-numbered port where no service is assumed to be listening. Whatever public interface of a router is queried by the UDP probe, the router always responds (even if the interface queried is not the same as the one by which the query came). It responds with ICMP Destination Port Unreachable, and the reply is sent back by the same interface the query came from. While creating the reply packet, the router inserts the IP address of this outgoing interface into the Source Address field of the IP header. This behavior can be exploited in the following way:

• Consider a router having interfaces A and B.

• We query the router for interface B.

• Because of the physical location of the measurement host, the query arrives at the router via interface A.

• The router replies, inserting A as the Source Address.

• After obtaining the reply we see that, while the query was sent to interface B, interface A replied; thus we have evidence that A and B are aliases.

The main advantages of this method are simplicity and the fact that only one probe has to be sent to each obtained IP address. Another strong advantage is that this method is not susceptible to false positives or false negatives.

Disadvantages. Not all routers respond to UDP packets in general (responsiveness to UDP probes was discussed in the previous chapter). Moreover, not all routers respond with valid Source Address values. This may lead to an inability to find aliases for such a router, or to false positives; therefore such measurements have to be discarded. Examples of observed invalid values are:

• IP addresses from private address space.

• Invalid IP addresses, i.e. 0.0.0.0, 0.2.0.0, etc.

• IP address being always equal to the original probe destination.

• IP addresses from “dark” address space

• IP address of the vantage point that sent the probe.
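The inference and the discard rules above can be applied offline to collected (probe destination, reply source) pairs. The following Python code is an added example, not code from Mercator or from the original text; the function names, the explicit list of rejected ranges, the union-find grouping and the sample addresses (documentation ranges) are assumptions, and “dark” address space is not checked because that needs routing data.

```python
import ipaddress

# Ranges treated as invalid Source Address values (assumed list, covering the
# private space and the 0.x.x.x values mentioned in the text).
INVALID_NETS = [ipaddress.ip_network(n) for n in
                ("0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def usable_reply(probe_dst, reply_src, vantage):
    """True if the reply's Source Address can serve as alias evidence."""
    src = ipaddress.ip_address(reply_src)
    if any(src in net for net in INVALID_NETS):
        return False                      # private or invalid address
    if reply_src == vantage:
        return False                      # vantage point's own address
    return reply_src != probe_dst         # same address: no new information

def resolve_aliases(observations, vantage):
    """Group addresses into alias sets from (probe_dst, reply_src) pairs."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for dst, src in observations:
        if usable_reply(dst, src, vantage):
            parent[find(dst)] = find(src)  # dst and src are on one router
    groups = {}
    for ip in list(parent):
        groups.setdefault(find(ip), set()).add(ip)
    return sorted(sorted(g) for g in groups.values())

# Constructed sample data (documentation address ranges, not real measurements).
VANTAGE = "192.0.2.10"
OBSERVATIONS = [
    ("198.51.100.1", "198.51.100.9"),   # probe to B answered from A
    ("198.51.100.5", "198.51.100.9"),   # third interface of the same router
    ("203.0.113.7", "10.0.0.1"),        # private source: discarded
    ("203.0.113.8", "0.2.0.0"),         # invalid source: discarded
    ("203.0.113.20", "203.0.113.20"),   # echoes the probe destination
    ("203.0.113.30", "192.0.2.10"),     # vantage point address: discarded
    ("203.0.113.40", "203.0.113.41"),
]
```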

Tangmunarunkit used this method in the Mercator tool. They introduced two modifications:

• Probes were sent multiple times (over long time period) to discover eventual backup paths and route changes.

• Loose source routing was used to simulate multiple (geographically disparate) vantage points.

This contributed to the method because probes tend to come from various “sides” (various interfaces) of the router, thus more aliases were collected.

IPID method

Origin. Spring first introduced a method that exploits the IPID mechanism for alias resolution. Because this method proved to be successful, it was thoroughly studied, and new methods were often compared to it.

Method description. As described in the previous chapter, the IPID mechanism is often implemented as a global incremental counter. Thus if two successive probes are sent to a router, the IPID values in the replies to these probes will also be successive.


If the difference between the IPID values is more than 1, it is usually because the router was also replying to other packets[6] between replying to the first and the second probe. Therefore there is some value representing the maximal gap that may be observed between the IPID values of successive probes for the replies still to be considered as coming from a common source router. It is, however, not useful to send probes immediately one after another, as ICMP replies sent by routers are often rate limited.

The resulting algorithm is a heuristic. The actual parameters used in Ally (a tool developed by Spring that uses this alias resolution method) are as follows:

• First, two probes (yielding IPID values x and y) are sent. If |x-y| > 200, the interfaces are not considered aliases.

• If |x-y| < 200, a third probe is sent to prove whether the IPIDs are generated in order. If so, the interfaces are considered aliases.

• The whole process is repeated again at a later time, to minimize false positives when two measured routers coincidentally send in-order IPID values.

• Rate-limiting of ICMP messages is dealt with this way:

[6] Directed to the router on network Layer 3, not the packets belonging to the network traffic the router is processing. For such “routed” packets, the IPID is not changed.

This rate-limiting heuristic alone (without the IPID value check) is sometimes presented as a standalone alias resolution method. Because UDP and ICMP are unreliable protocols, missing packets (probe replies) should not be considered proof of aliased interfaces, and no tool actually uses this method alone.

Advantages. The IPID method has false positives, but they are successfully minimized by the second run. It was popular because it resolves more aliases than the UDP Source Address method (linear incremental IPID counters seem to be more common than altering the source address).

The false positive count is small. False negatives are also possible, for instance if the router uses a random counter implementation, increments the IPID counter too fast, or has separate counters for each interface. The main and most criticized disadvantage is the prohibitively high number of probes needed, O(n^2), where n is the number of IP addresses to test.

This is partially solved by initial splitting of the input set of IP addresses; nevertheless, on an Internet scale this still generates too much traffic. Another disadvantage is the probabilistic nature of the measurement.

Improvements. Feamster used this method during their research of reactive routing. The heuristic used was simple: they repeated the IPID test 100 times. If the test was positive more than 80 times, the tested interfaces were considered aliases.

It seems to be a bit ineffective; however, they also used a simplified method for choosing alias candidates, so the effort may have been appropriate to achieve the desired level of confidence. Botta proposed some modifications of the Ally tool (they include a packet retransmission mechanism) for better multi-thread support, as it is not trivial to run the IPID method in parallel due to rate limiting. The implemented modifications are not described in detail in the paper.

The modifications used by Jimenez were based on the presented simulation of the probability of false positives as a function of the number of packets sent. Improvements such as increasing the number of packets sent and using a static time offset between probes actually approach the Velocity Modeling method (described later).
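The Ally decision rule and the repeat-and-count variant described above, as an added Python example that is not Ally's source code. The probe order (A, B, A), the wrap-aware distance on the 16-bit counter, the treatment of a gap of exactly 200 as a non-alias and the sample IPID values are assumptions.

```python
MAX_GAP = 200      # Ally threshold quoted in the text
WRAP = 1 << 16     # the IPID header field is 16 bits wide

def fwd(a, b):
    """Forward distance from IPID a to IPID b, allowing for counter wrap."""
    return (b - a) % WRAP

def ally_round(x, y, z):
    """One test: x and z are replies from address A, y from address B,
    in the order the probes were sent (A, B, A)."""
    if min(fwd(x, y), fwd(y, x)) >= MAX_GAP:
        return False                       # |x - y| too large: not aliases
    # Third probe: values must be strictly in order x -> y -> z.
    return 0 < fwd(x, y) < MAX_GAP and 0 < fwd(y, z) < MAX_GAP

def ally(first, later):
    """Alias only if the test passes now and again at a later time."""
    return ally_round(*first) and ally_round(*later)

def repeated_vote(rounds, needed=80):
    """Repeat-and-count variant: alias if more than `needed` rounds pass."""
    return sum(ally_round(*r) for r in rounds) > needed

# Constructed IPID triples (not measurements).
SHARED = (1000, 1003, 1007)          # one counter behind both addresses
WRAPPED = (65530, 2, 9)              # same, with the counter wrapping
UNRELATED = (1000, 40000, 1004)      # two independent counters
OUT_OF_ORDER = (1000, 1050, 1020)    # close values, but not in order

if __name__ == "__main__":
    print(ally(SHARED, WRAPPED), ally(SHARED, UNRELATED))
    print(repeated_vote([SHARED] * 85 + [UNRELATED] * 15))
```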

In reaction to the disadvantages of the Ally tool, Bender recently introduced a new technique based on the IPID mechanism. The new method is called Velocity Modeling, and was implemented in the RadarGun tool. It will be presented as a standalone method.

2.1.3 IPID Velocity Modeling

Origin. The original IPID method was developed for measuring ISP-sized networks.

Especially because the number of probes increases with the square of the number of discovered interfaces, the IPID method becomes prohibitively ineffective for the ambition of discovering the topology of the Internet, unless supported by some sophisticated splitting algorithm[7].

This led to a rethinking[8] of the IPID method in the paper “Fixing Ally’s Growing Pains with Velocity Modeling” by Bender et al. and to the development of the RadarGun alias resolution tool.

Method description. This method is based on a comparison of samples from the IPID counters of two router interfaces. The IPID value of each candidate IP address is probed several times. Probes do not have to be sent in a strictly regular manner and there is no time limit for the overall measurement.

The authors of the paper assume that for a set of 500 000 interfaces, the overall measurement should take less than 20 minutes from a single vantage point with a 10 Mb/s connection (although it is questionable whether such aggressive measurement is acceptable). All interfaces should be probed in parallel, because comparing the IPID values of two interfaces is more accurate if the measured values overlap in time.

While modeling the IPID change function, it is vital to be aware of wrapping counters. During the first few probes, RadarGun estimates when (in time) the counter will reset. After this initialization, if a probe reply bears a smaller value than the previous probe reply, RadarGun assumes a counter reset. If no reply has arrived by the end of the estimated reset interval, RadarGun again assumes a counter reset.

Each reset adds 65536 to the value of the modeled counter of the interface; therefore the counters are modeled as monotonically increasing. After the measurement phase ends, the actual alias resolution takes place.


When comparing two interfaces, their sets (S_A and S_B) of IPID values sampled in time should overlap on a time scale. Therefore the overall set of samples for these two interfaces can be divided into:

• Head – samples of S_A collected before any samples of S_B (or vice versa).

• Tail – samples of S_B collected after any samples of S_A (or vice versa).

• Middle – samples between head and tail (where samples from S_A and S_B overlap in time).
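The counter modeling and the head/middle/tail split, as an added Python example that is not RadarGun's code. Only the "reply smaller than the previous one" reset rule is modeled; the interpolation-based `mean_gap` is a stand-in comparison chosen for illustration and not the tool's own measure, and the function names and sample values are assumptions.

```python
WRAP = 65536  # each inferred reset adds 65536 to the modeled counter

def unwrap(samples):
    """[(time_s, ipid)] in time order -> monotonically increasing model.
    Only the 'reply smaller than the previous one' rule is applied."""
    out, offset, prev = [], 0, None
    for t, ipid in samples:
        if prev is not None and ipid < prev:
            offset += WRAP
        out.append((t, ipid + offset))
        prev = ipid
    return out

def split(sa, sb):
    """Partition the merged samples into head, middle and tail."""
    start, end = max(sa[0][0], sb[0][0]), min(sa[-1][0], sb[-1][0])
    merged = sorted([(t, v, "A") for t, v in sa] + [(t, v, "B") for t, v in sb])
    head = [s for s in merged if s[0] < start]
    middle = [s for s in merged if start <= s[0] <= end]
    tail = [s for s in merged if s[0] > end]
    return head, middle, tail

def interp(model, t):
    """Modeled counter value at time t, by linear interpolation."""
    for (t0, v0), (t1, v1) in zip(model, model[1:]):
        if t0 <= t <= t1:
            return v0 + (v1 - v0) * (t - t0) / (t1 - t0)
    raise ValueError("t outside the sampled range")

def mean_gap(sa, sb):
    """Stand-in comparison: mean gap between A's model and B's middle samples."""
    ma, mb = unwrap(sa), unwrap(sb)
    _, middle, _ = split(ma, mb)
    gaps = []
    for t, v, who in middle:
        if who == "B":
            d = (interp(ma, t) - v) % WRAP   # models may differ by whole wraps
            gaps.append(min(d, WRAP - d))
    return sum(gaps) / len(gaps)

# Constructed samples: A and B read one counter (60 IDs/s, wrapping once),
# C reads an independent counter.
A = [(0, 65000), (10, 64), (20, 664), (30, 1264)]
B = [(5, 65300), (15, 364), (25, 964), (35, 1564)]
C = [(5, 21000), (15, 23000), (25, 25000), (35, 27000)]
```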

To express a single value indicating the relation of one IPID counter model to another, a property called distance (of modeled IPID velocities) is introduced.

Advantages. The main advantage is the very low count of probes needed (O(n)) when compared to the original IPID method (O(n^2)). As the probes do not need to be sent in a short time interval, the method is far less vulnerable to rate limiting and packet loss (there is, however, an upper limit for this interval). For IPID counters implemented as pseudo-random, this method does not conclude anything.

This is an advantage compared to the original IPID method, as Ally concludes with high probability that such interfaces are non-aliases. The method is not dependent on the number of vantage points or on previously obtained traceroutes. It only needs a set of IP addresses.

Disadvantages. This method is ineffective for resolving pairs of interfaces where one of the compared interfaces (or both) does not have an IPID counter that can be modeled as linear. This may be more than 10% of all interfaces (as shown in the previous chapter). It is also prone to errors in case of a sudden change of the IPID counter rate (such changes have been observed by the authors).

Also, if probe replies do not arrive continuously (e.g. because of delays, although the authors assume that the chance is minimal if the interval between probes is large enough), this triggers artificial counter wraps and thus leads to errors. As the two IPID counters have to be computationally modeled in the comparison process, the method involves some processing time, which is higher than in other fingerprinting methods.

Keys argues that although the Velocity Modeling method does not have such scaling difficulties as the IPID method, these difficulties may still be prohibitive. As more routers have to be sampled, the interval between probes to the same router will have to increase. This, however, increases the probability of a counter wrap or even multiple wraps. Thus the number of wraps inferred may be overestimated or underestimated, causing erroneous results in the analytical phase. This may be avoided with multiple vantage points; however, increasing the number of vantage points is a scalability issue (not to mention that such vantage points will need synchronized clocks).

Improvements. In a recent presentation, Keys suggests using TTL-limited probes instead of direct probing to improve the response rate.

Record Route method

Origin. Sherwood and Spring presented this method while developing the Passenger topology discovery tool and the Sidecar platform it relies on. The same method was described by Botta when developing the PingRR alias resolution module in their Hynetd topology discovery tool.

Method description. Sidecar is an engine for injecting probes into standard TCP streams. It deals with many challenges (connection tracking, probe identification, RTT estimation, rate limiting etc.) which will not be described in detail. Passenger implements the logic of issuing probes. It uses a traceroute-like approach while enabling the Record Route option of the IP protocol.

PingRR uses a similar approach. This leads to two addresses obtained from each router (if the router responds to these techniques):

• IP address which was in ICMP Time Exceeded message (incoming interface).

• IP address which was inserted because of Record Route option (outgoing interface).

Because the incoming and outgoing interfaces of a router will have different IP addresses, obtaining both means successful alias resolution.

Advantages. In tandem with Sidecar, Passenger has the valuable advantage of issuing probes in a way that cannot be distinguished from normal traffic. This means that the measurement can avoid triggering IDS alarms, “suspicious traffic” logs and the abuse reports that follow.

Furthermore, if there is enough confidence in the correctness of the IP address alignments (see disadvantages), the alias resolution is as accurate as the Source Address method. Passenger has other advantages (e.g. discovering routers hidden by MPLS or the ability to resolve load balancing in traceroutes). These are very interesting, but not closely related to alias resolution.

Disadvantages. The main disadvantage of this method is its complexity and the uncertainty of the result. The problem that Sherwood and Spring observed is the variety of implementations of the Record Route mechanism among routers. The same problem was observed by Botta. Some routers insert their IP addresses into the Record Route list only if the packet is to be transmitted forward. Some others do so also if the packet is to be discarded because of TTL being 0. Moreover, some routers do not decrement TTL (or only under some conditions), while some do, but do not always update the Record Route list.

Exceeded message with the address in Record Route list is a challenging task and, because the rules by which various routers act are unclear, this task has an uncertain result. Sherwood reports that because of this complicated aligning of traceroute data with Record Route data, 40% of data sampled by Passenger were unusable; moreover, 11% of aliases inferred from the rest were false positives.

Another disadvantage is that some routers discard packets with IP options. In a recent paper on the Velocity Modeling technique, Bender stated that the Record Route method discovered 11% of tested aliases, while the IPID method contributed the bulk.

This indicates that this method can hardly be used as a standalone alias resolution method.

Improvements. Sherwood recently released a paper describing the topology discovery tool DisCarte, which is based on aligning traceroute data with Record Route data and validating it against several rules. The tool uses disjunctive logic programming (DLP), a logical inference and constraint solving technique.

This method promises better accuracy and completeness; however, it is (as of now) too complex and expensive in terms of CPU time. The authors state that the solution for topology measurement data containing 379 sources and 376 408 destinations will cost 11 CPU years on a 341 processor Condor cluster. Therefore this method will not be inspected in detail in this thesis.
