First Presentation

A METHOD FOR
INCONSPICUOUS TRACEROUTE
Jonathan Haber
Internet Data Transfer
• Data is broken into packets
• A packet has a header containing source/destination information as well as the actual data being sent
• Packets are forwarded across the internet to their destination

The Problem?
• These protocols provide no mechanism for determining what route your data is taking to the destination
• Fine when things are working, but routing problems are inevitably going to arise

What is a traceroute?
• A tool used to ascertain the path taken by information across the internet
• No built-in mechanism to observe these paths, so must devise methods of path inference

The answer?
• Time-to-Live (TTL)
• Used to ensure that packets do not float around the internet indefinitely
• Each time a packet is forwarded, its TTL is decremented

How is this used by traceroute?
• Send out a packet with TTL of 1, which should cause it to die at the first hop
• Wait for message saying where the packet died
• Repeat this process, incrementing the TTL each time

Traceroute Graphic
[Figure, shown as a sequence of animation frames: probes travel from Source toward Destination, and one more hop is labelled in each frame: 20.8.4.1 (TTL = 1), 36.12.0.1 (TTL = 2), 62.14.9.3 (TTL = 3), 12.0.63.8 (TTL = 4), with TTL = 5 shown in the final frame.]

So what’s the problem?
• Traceroute information cannot be verified
• A network might want to falsify this information
• Common traceroute implementations have characteristics that make it easy to identify traceroute packets

Example traceroute
A router might see:
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33489
TTL: 1 ID: 59480 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33490
TTL: 2 ID: 59481 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33491
TTL: 3 ID: 59482 Length: 38
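
The slide's three packets, checked for the characteristics that make a common traceroute easy to identify (an added example, not code from the presentation; the VARIED_CAPTURE lines and the LOW_TTL_MAX threshold are constructed assumptions):

```python
import re
from collections import defaultdict, namedtuple

# Packet lines copied from the "Example traceroute" slide (two lines per packet).
SLIDE_CAPTURE = """\
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33489
TTL: 1 ID: 59480 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33490
TTL: 2 ID: 59481 Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33491
TTL: 3 ID: 59482 Length: 38
"""
# Constructed sample: the same flow with port, ID, length and TTL order varied.
VARIED_CAPTURE = """\
UDP Packet From: 245.100.198.6 To: 237.52.1.142:41022
TTL: 2 ID: 1077 Length: 61
UDP Packet From: 245.100.198.6 To: 237.52.1.142:18344
TTL: 1 ID: 40213 Length: 44
UDP Packet From: 245.100.198.6 To: 237.52.1.142:52901
TTL: 3 ID: 23950 Length: 72
"""
LOW_TTL_MAX = 5  # assumed threshold: ordinary traffic rarely starts with a TTL this low
Probe = namedtuple("Probe", "src dst port ttl ip_id length")
LINE = re.compile(r"UDP Packet From: (\S+) To: (\S+):(\d+)\s+"
                  r"TTL: (\d+)\s+ID: (\d+)\s+Length: (\d+)")

def parse(capture):
    """Turn the slide's text format into Probe records, in arrival order."""
    return [Probe(m[1], m[2], *(int(m[i]) for i in range(3, 7)))
            for m in LINE.finditer(capture)]

def steps_by_one(values):
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))

def fingerprint(probes):
    """Names of the traceroute tells present in one source/destination flow."""
    tells = {
        "ttl_increments": steps_by_one([p.ttl for p in probes]),
        "port_increments": steps_by_one([p.port for p in probes]),
        "ip_id_increments": steps_by_one([p.ip_id for p in probes]),
        "constant_length": len(probes) > 1 and len({p.length for p in probes}) == 1,
        "low_ttl": bool(probes) and max(p.ttl for p in probes) <= LOW_TTL_MAX,
    }
    return sorted(name for name, hit in tells.items() if hit)

def fingerprint_flows(capture):
    """Group probes by (src, dst) and fingerprint each flow separately."""
    flows = defaultdict(list)
    for p in parse(capture):
        flows[(p.src, p.dst)].append(p)
    return {flow: fingerprint(ps) for flow, ps in flows.items()}
```

On the slide's capture every tell fires; on the varied sample only the low TTL remains, since a probe has to expire in transit to elicit a reply.
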
What are falsified responses?
A router might:
• Respond to a traceroute probe with an incorrect IP address
• Intercept traceroute traffic before its destination and spoof responses
• Intentionally treat traceroute traffic differently than normal traffic

Example network
[Figure, shown in two frames: a network diagram with nodes labelled X, Y, Z, E, A, B, C and D.]

The Plan
• Implement new traceroute method with the goal of making traceroute packets harder to identify
• Add delay between sending probes
• Randomize packet properties (TTL, port, length, checksum, ID, etc.)

Collect and Compare Data
• Run traceroutes to the same destinations using old and new methods
• Compare paths reported
• Hopefully this new method will give a more accurate picture of the paths being taken by actual data packets

Papers Referenced

Traceroute Probe Method and Forward IP Path Inference
Matthew Luckie, Young Hyun, Bradley Huffaker

Avoiding traceroute anomalies with Paris traceroute
Brice Augustin, Xavier Cuvellier, Benjamin Orgogozo, Fabien Viger,
Timur Friedman, Matthieu Latapy, Clémence Magnien, Renata Teixeira

Traceroute Data Integrity and Route Concealment
Oliver Jensen