First Presentation
A METHOD FOR
INCONSPICUOUS TRACEROUTE
Jonathan Haber
Internet Data Transfer
Data is broken into packets
A packet has a header containing
source/destination information as well as
the actual data being sent
Packets are forwarded across the internet
to their destination
The Problem?
These protocols provide no mechanism for
determining what route your data is
taking to the destination
Fine when things are working, but routing
problems are inevitably going to arise
What is a traceroute?
A tool used to ascertain the path taken by
information across the internet
No built-in mechanism to observe these
paths, so must devise methods of path
inference
The answer?
Time-to-Live (TTL)
Used to ensure that packets do not float
around the internet indefinitely
Each time a packet is forwarded, its TTL
is decremented
How is this used by traceroute?
Send out a packet with TTL of 1, which
should cause it to die at the first hop
Wait for message saying where the
packet died
Repeat this process, incrementing the TTL
each time
Traceroute Graphic
[Animated figure: probes leave the Source with increasing TTL. Hops shown: 20.8.4.1 (TTL = 1), 36.12.0.1 (TTL = 2), 62.14.9.3 (TTL = 3), 12.0.63.8 (TTL = 4), Destination (TTL = 5)]
So what’s the problem?
Traceroute information cannot be verified
A network might want to falsify this
information
Common traceroute implementations have
characteristics that make it easy to
identify traceroute packets
Example traceroute
A router might see:
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33489
TTL: 1 ID: 59480 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33490
TTL: 2 ID: 59481 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33491
TTL: 3 ID: 59482 Length: 38
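The fingerprint visible in these three packets can be checked mechanically. The following is an added example, not code from the presentation: it parses packet summaries in the slide's format and flags a flow whose TTL and destination port both step by one at constant length, assuming one probe per hop as shown on the slide. The function names, thresholds, and the two non-traceroute sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Packet summaries in the slide's format; the first three are the slide's
# own lines, the last two are constructed to represent ordinary traffic.
SAMPLE = """\
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33489 TTL: 1 ID: 59480 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33490 TTL: 2 ID: 59481 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33491 TTL: 3 ID: 59482 Length: 38
UDP Packet From: 10.0.0.7 To: 10.0.0.53:53 TTL: 64 ID: 4021 Length: 71
UDP Packet From: 10.0.0.7 To: 10.0.0.53:53 TTL: 64 ID: 9310 Length: 84
"""

LINE = re.compile(r"UDP Packet From: (\S+) To: (\S+):(\d+)\s+"
                  r"TTL: (\d+) ID: (\d+) Length: (\d+)")

def parse(text):
    """Group (port, ttl, id, length) tuples by (source, destination)."""
    flows = defaultdict(list)
    for m in LINE.finditer(text):
        src, dst, *nums = m.groups()
        flows[(src, dst)].append(tuple(int(n) for n in nums))
    return flows

def looks_like_traceroute(pkts, min_probes=3, max_start_ttl=2):
    """True when TTL and port both step by exactly 1 from a low first TTL
    and the length never changes (thresholds are assumptions)."""
    if len(pkts) < min_probes or pkts[0][1] > max_start_ttl:
        return False
    steps = [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pkts, pkts[1:])]
    same_len = len({p[3] for p in pkts}) == 1
    return same_len and all(s == (1, 1) for s in steps)

def sequential_ids(pkts):
    """IP ID incrementing by 1 (mod 2**16) across consecutive probes."""
    return all((b[2] - a[2]) % 65536 == 1 for a, b in zip(pkts, pkts[1:]))

def classify(text):
    """Map each flow to (traceroute-like stepping, sequential IP IDs)."""
    return {flow: (looks_like_traceroute(p), sequential_ids(p))
            for flow, p in parse(text).items()}

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE).items():
        print(flow, verdict)
```

Each property the check relies on (TTL step, port step, constant length, sequential ID) is a separate tell, which is why any one of them staying predictable is enough to single out a probe.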
What are falsified responses?
A router might:
Respond to a traceroute probe with an
incorrect IP address
Intercept traceroute traffic before its
destination and spoof responses
Intentionally treat traceroute traffic
differently than normal traffic
Example network
[Figure: network diagram with nodes X, Y, Z, E, A, B, C, D]
The Plan
Implement new traceroute method with
the goal of making traceroute packets
harder to identify
Add delay between sending probes
Randomize packet properties
(TTL, port, length, checksum, ID, etc.)
Collect and Compare Data
Run traceroutes to the same destinations
using old and new methods
Compare paths reported
Hopefully this new method will give a
more accurate picture of the paths being
taken by actual data packets
Papers Referenced
Traceroute Probe Method and Forward IP Path Inference
Matthew Luckie, Young Hyun, Bradley Huffaker
Avoiding traceroute anomalies with Paris traceroute
Brice Augustin, Xavier Cuvellier, Benjamin Orgogozo, Fabien Viger,
Timur Friedman, Matthieu Latapy, Clémence Magnien, Renata Teixeira
Traceroute Data Integrity and Route Concealment
Oliver Jensen