Network Fingerprinting: TTL-based Router Signatures
Yves Vanaubel1, Jean-Jacques Pansiot2, Pascal Merindol2
and Benoit Donnet1
1ULg (Belgium), 2UDS (France)
October 9, 2013
Summary
- Motivations
- TTL-based router signatures
- Measurement campaign
- Signatures distribution and consistency
- Use cases
- Conclusions
Motivations
Network fingerprinting
Action of grouping network devices into (disjoint) classes. The router-side counterpart of nmap OS fingerprinting: routers are classified instead of host operating systems.
Signature
The set of information collected through fingerprinting.
- Understanding the characteristics of the Internet:
  - hardware distribution (Cisco, Juniper, etc.)
  - routing operating system distribution (IOS, IOS XR, Junos, JunosE, etc.)
  - abnormal behaviors
  - vulnerabilities
  - ...
- Topology discovery
- ...
Time To Live (TTL)
- Field in the IP header (avoids routing loops)
- Maximum number of hops an IP packet may travel: every router decrements it by one and discards the packet when it reaches 0
TTL - Initial Value
- Should be initialized to 64 (RFC 1700)
- However, in practice, the initial value of the TTL (iTTL) may depend on:
  - the hardware (Cisco, Juniper, ...)
  - the operating system
  - the protocol used for the message (ICMP, UDP, ...)
  - the type of the message (information packets versus errors)
Idea:
Solicit routers with several probes in order to receive n different types of (ICMP) replies, infer the initial TTL value of each reply and derive a signature of the form
<iTTL1, iTTL2, iTTL3, ..., iTTLn>
ICMP Messages
- We consider three types of ICMP messages:
  1. Time-exceeded messages (obtained with traceroute)
  2. Echo-reply messages (obtained with ping)
  3. Destination-unreachable messages (obtained with UDP probes sent to a very high destination port)
- Marginal gain with destination-unreachable messages
- Initial TTL values used by nodes: 32, 64, 128, 255
Initial TTL Value: Inference
Initial TTL inference:
Smallest value in {32, 64, 128, 255} that is not smaller than the TTL carried by the received reply. Equality must be allowed: a router one hop away answers with its iTTL intact, since a host does not decrement the TTL of packets it originates, so a received 255 maps to 255.
In the example:
- 63 in the TTL field of the ICMP response
- 64 is the corresponding inferred iTTL
Measurement Campaign
- Measurement campaign on the PlanetLab platform
- 1M destinations from CAIDA data
- 200 vantage points (VPs), i.e. 5000 destinations per VP
- Each IP on a trace pinged 6 times
- Scamper with Paris traceroute
- About 8h of probing per VP
- About 3 days of campaign due to PlanetLab instabilities
- 335,646 unique IPs collected with 13,437,896 traceroute replies
- Marginal probing cost overhead (14,803,614 ping replies)
Initial TTL Value: Distribution
[Figure: CDF of the inferred iTTL (32, 64, 128, 255, ∗) for echo-reply, time-exceeded and dst-unreachable messages]
Generic Router Signature Construction Algorithm
- For each destination:
  1. Send traceroute probes to detect the nodes on the path
  2. For each received ICMP time-exceeded message:
     - Check that the corresponding node was not already probed
     - Infer the first iTTL of the signature
     - Send the other types of probes (ping, UDP, ...)
     - Infer the other iTTLs from the responses
TTL-based Router Signatures
- Consists of an n-tuple of initial TTLs
- As a first try, n = 2 (marginal gain with UDP probes)
- Signature diversity: in theory up to 4 × 5^(n−1), n = number of probes (the time-exceeded iTTL is always observed, 4 values; each further probe yields one of 4 values or ∗)
- The symbol ∗ means an absence of iTTL (no answer to the corresponding probe): the signature is incomplete
- Examples: signatures such as <255, 255>, <255, 64>, <64, 64> or <128, ∗> (see the distribution below), ...
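The inference rule and the construction algorithm above, as an added example (not code from the paper or from the authors' measurement tooling). It reads the TTL out of a raw IPv4/ICMP reply, maps it to an iTTL with the "smallest known value not below the received TTL" rule, and runs the per-destination loop over constructed traces. `fake_reply`, `CONSTRUCTED_ROUTERS` and `constructed_reply` are stand-ins for real captures and real probing, assumed here for the sake of running offline; the slides describe none of them.

```python
"""TTL-based router signatures: iTTL inference and signature construction.

Added example, not the authors' code. Packets and routers below are
constructed stand-ins for captured ICMP replies and real probing.
"""
import struct
from typing import Dict, Optional, Tuple, Union

KNOWN_ITTLS = (32, 64, 128, 255)   # initial TTL values seen in practice
MISSING = "*"                       # probe unanswered -> incomplete signature
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 0, 3, 11
PROBE_KINDS = ("time-exceeded", "echo-reply", "dst-unreachable")
ICMP_TYPE_OF = dict(zip(PROBE_KINDS, (ICMP_TIME_EXCEEDED, ICMP_ECHO_REPLY, ICMP_DEST_UNREACH)))

ITTL = Union[int, str]


def infer_ittl(received_ttl: Optional[int]) -> ITTL:
    """Smallest known iTTL that is >= the TTL carried by the reply.

    '>=' rather than '>' matters: a router one hop away answers with its
    iTTL untouched (hosts do not decrement the TTL of packets they
    originate), so 255 must map to 255 and 64 to 64.
    """
    if received_ttl is None:
        return MISSING
    if not 0 <= received_ttl <= 255:
        raise ValueError(f"TTL out of range: {received_ttl}")
    return next(c for c in KNOWN_ITTLS if received_ttl <= c)


def ttl_from_ipv4(packet: bytes) -> Tuple[int, int]:
    """Return (ttl, icmp_type) from a raw IPv4 packet carrying ICMP.

    TTL is byte 8 of the IPv4 header, protocol is byte 9 (1 = ICMP) and
    the ICMP type is the first byte after the header (IHL * 4 bytes).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 1 or len(packet) < ihl + 1:
        raise ValueError("not an ICMP reply")
    return ttl, packet[ihl]


def build_signatures(traces, probe_reply, n=2):
    """Generic construction algorithm of the slides, for one vantage point.

    traces:      destination -> [(hop_ip, raw time-exceeded reply), ...]
    probe_reply: callable(ip, kind) -> raw reply bytes, or None if silent;
                 stands in for actually sending a ping / UDP probe.
    n:           number of iTTLs per signature (the slides use n = 2).
    """
    signatures: Dict[str, Tuple[ITTL, ...]] = {}
    for hops in traces.values():
        for ip, te_reply in hops:
            if ip in signatures:            # node already probed: skip it
                continue
            ttl, icmp_type = ttl_from_ipv4(te_reply)
            if icmp_type != ICMP_TIME_EXCEEDED:
                continue
            sig = [infer_ittl(ttl)]         # first iTTL from traceroute
            for kind in PROBE_KINDS[1:n]:   # then ping, then UDP if n = 3
                reply = probe_reply(ip, kind)
                sig.append(MISSING if reply is None else infer_ittl(ttl_from_ipv4(reply)[0]))
            signatures[ip] = tuple(sig)
    return signatures


def signature_space(n: int) -> int:
    """Theoretical number of distinct signatures: the time-exceeded iTTL is
    always present (4 values); each further probe adds 4 values or '*'."""
    return 4 * 5 ** (n - 1)


# ---- constructed test data (assumptions of this example) -----------------
def fake_reply(ttl: int, icmp_type: int) -> bytes:
    """Minimal 20-byte IPv4 header + ICMP type/code; not a real capture."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, ttl, 1, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return hdr + bytes([icmp_type, 0])


# iTTL each constructed router uses per reply type, and its distance in hops.
CONSTRUCTED_ROUTERS = {
    "10.0.0.1": {"hops": 1, "time-exceeded": 255, "echo-reply": 255},  # <255,255>
    "10.0.0.2": {"hops": 2, "time-exceeded": 255, "echo-reply": 64},   # <255,64>
    "10.0.0.3": {"hops": 3, "time-exceeded": 64, "echo-reply": None},  # ignores ping
    "10.0.0.4": {"hops": 4, "time-exceeded": 128, "echo-reply": 128},  # <128,128>
}


def constructed_reply(ip: str, kind: str) -> Optional[bytes]:
    """Stand-in for probing: TTL decays by one per intermediate router."""
    router = CONSTRUCTED_ROUTERS[ip]
    ittl = router.get(kind)
    if ittl is None:
        return None
    return fake_reply(ittl - (router["hops"] - 1), ICMP_TYPE_OF[kind])


CONSTRUCTED_TRACES = {
    "192.0.2.10": [(ip, constructed_reply(ip, "time-exceeded"))
                   for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")],
    "192.0.2.20": [(ip, constructed_reply(ip, "time-exceeded"))
                   for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.4")],
}

if __name__ == "__main__":
    for ip, sig in sorted(build_signatures(CONSTRUCTED_TRACES, constructed_reply).items()):
        print(ip, "<%s>" % ", ".join(map(str, sig)))
```

Router 10.0.0.1 appears on both traces but is probed once, as the algorithm requires; 10.0.0.3 answers traceroute but not ping and therefore gets the incomplete signature <64, ∗>. Passing n = 3 appends the destination-unreachable iTTL, which is ∗ here because the constructed routers never answer UDP.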
Signatures Consistency
Assumption:
The signature associated to a given IP address is unique
- Considering only IP addresses probed by at least two VPs...
- ... a signature may be (for a given IP address):
  - Coherent: signatures always the same (95.92%)
  - Weakly incoherent: signatures sometimes complete, sometimes incomplete (4.94%), e.g. a complete signature and the same signature with ∗ in one position
  - Incoherent: complete signatures but different (0.14%)
Signatures Consistency
- In the vast majority of cases, coherent signatures.
- Causes of the (rare) inconsistencies:
  - our initial TTL inference?
  - anycast?
  - middleboxes?
- Weakly incoherent signatures can be completed (e.g. by replacing the ∗ with the iTTL seen in the complete observation of the same IP)
⇒ Our assumption holds: the signature associated to a given IP address is unique
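The consistency check of the two slides above, as an added example (not the authors' code). It takes, for each IP, the signatures reported by every vantage point that saw it, sorts the IP into coherent, weakly incoherent or incoherent, and completes weakly incoherent signatures from the complete observation. Where the slides define "incoherent" only for differing complete signatures, this version also flags two partial signatures that disagree on an observed position; the observations are constructed.

```python
"""Signature consistency across vantage points.

Added example, not the authors' code. Implements the three classes of
the slides (coherent, weakly incoherent, incoherent) and completes
weakly incoherent signatures. Observations are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple, Union

MISSING = "*"
Signature = Tuple[Union[int, str], ...]


def compatible(a: Signature, b: Signature) -> bool:
    """Agree on every position where both carry an iTTL; '*' matches anything."""
    return len(a) == len(b) and all(x == y or MISSING in (x, y) for x, y in zip(a, b))


def merge(a: Signature, b: Signature) -> Signature:
    """Fill the '*' positions of a from b; only meaningful if compatible(a, b)."""
    return tuple(y if x == MISSING else x for x, y in zip(a, b))


def classify(observations: Iterable[Signature]) -> Tuple[str, Optional[Signature]]:
    """Classify the signatures one IP produced at >= 2 vantage points.

    Returns (class, signature): the common signature when coherent, the
    completed one when weakly incoherent, None when incoherent. Any
    disagreement on an observed position counts as incoherent, which
    extends the slides' "complete signatures but different" to partial ones.
    """
    sigs = list(observations)
    if len(sigs) < 2:
        raise ValueError("need observations from at least two vantage points")
    for i, a in enumerate(sigs):
        if any(not compatible(a, b) for b in sigs[i + 1:]):
            return "incoherent", None
    merged = sigs[0]
    for s in sigs[1:]:
        merged = merge(merged, s)
    if all(s == merged for s in sigs):
        return "coherent", merged          # identical everywhere (even if incomplete)
    return "weakly incoherent", merged     # some partial, all reconcilable


def consistency_report(per_ip: Dict[str, List[Signature]]):
    """Per-class counts and shares over IPs seen by >= 2 VPs, plus the
    signature retained for each IP (completed where needed)."""
    counts: Counter = Counter()
    retained: Dict[str, Signature] = {}
    for ip, sigs in per_ip.items():
        if len(sigs) < 2:                  # single-VP IPs cannot be assessed
            continue
        cls, sig = classify(sigs)
        counts[cls] += 1
        if sig is not None:
            retained[ip] = sig
    total = sum(counts.values())
    shares = {cls: n / total for cls, n in counts.items()} if total else {}
    return counts, shares, retained


# Constructed observations: ip -> one signature per vantage point that saw it.
CONSTRUCTED_OBSERVATIONS = {
    "10.0.0.1": [(255, 255), (255, 255), (255, 255)],     # coherent
    "10.0.0.2": [(255, 64), (255, MISSING), (255, 64)],   # weakly incoherent
    "10.0.0.3": [(64, 64), (128, 128)],                   # incoherent (anycast? middlebox?)
    "10.0.0.4": [(128, MISSING)],                         # one VP only: skipped
    "10.0.0.5": [(255, MISSING), (255, MISSING)],         # coherent, still incomplete
}

if __name__ == "__main__":
    counts, shares, retained = consistency_report(CONSTRUCTED_OBSERVATIONS)
    for cls in ("coherent", "weakly incoherent", "incoherent"):
        print(f"{cls:18s} {counts[cls]}  ({shares.get(cls, 0):.0%})")
    print(retained)
```

An IP that is coherent but incomplete everywhere (10.0.0.5) keeps its ∗: no vantage point ever saw the missing iTTL, so there is nothing to complete it with. Incoherent IPs are dropped from the retained set rather than resolved by majority vote, since anycast or a middlebox would make any single signature meaningless for that address.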
Signatures Distribution
[Figure: share of each 2-tuple signature over all collected IPs; x-axis: <255, 255>, <255, ∗>, <255, 64>, <64, 64>, <64, ∗>, <128, 128>, <128, ∗>, other; y-axis: proportion, 0.0 to 0.5]
Table: Some router manufacturer mapping examples: Cisco | Juniper (Junos) | Juniper (JunosE) | Brocade, Alcatel and Linux boxes (the signature column of the table is not recoverable from this copy)
MPLS Repartition: Global TTL-overview
[Figure: share of each 2-tuple signature, MPLS versus non-MPLS IPs; x-axis: <255, 255>, <255, ∗>, <255, 64>, <64, 64>, <64, ∗>, <128, 128>, <128, ∗>, other; y-axis: proportion, 0.0 to 0.5]
- Donnet et al.: "Revealing MPLS tunnels obscured from traceroute", ACM SIGCOMM CCR, 2012.
- The increase of Juniper routers among MPLS IPs seems significant
- Decrease of signature (label lost)
- Decrease of signature (label lost) while two other signatures increase their share
Use Cases
- (In)validation of measurement hypotheses (e.g. MPLS tunnel discovery)
- Helping alias resolution (clustering approach)
- ...
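The alias-resolution use case, as an added example (not the authors' code): since a given router answers with one signature, two interfaces whose complete signatures differ cannot be aliases, so candidate pairs produced by any other alias-resolution technique can be rejected before spending probes on them. Signatures and candidate pairs are constructed; `cluster_by_signature` and `filter_alias_candidates` are names chosen for this example.

```python
"""Signatures as a cheap filter for alias resolution.

Added example, not the authors' code. Two interfaces whose complete
signatures differ cannot sit on the same router, so candidate alias pairs
(from any other technique) can be discarded before costly probing.
Equal signatures are necessary, not sufficient: many routers share
<255, 255>. Signatures and candidates are constructed.
"""
from collections import defaultdict
from typing import Dict, Set, Tuple, Union

MISSING = "*"
Signature = Tuple[Union[int, str], ...]


def compatible(a: Signature, b: Signature) -> bool:
    """'*' is compatible with anything; observed iTTLs must match."""
    return len(a) == len(b) and all(x == y or MISSING in (x, y) for x, y in zip(a, b))


def cluster_by_signature(signatures: Dict[str, Signature]):
    """Group IPs by complete signature; incomplete ones stay undecided
    because they could still fit several clusters."""
    clusters: Dict[Signature, Set[str]] = defaultdict(set)
    undecided: Set[str] = set()
    for ip, sig in signatures.items():
        (undecided if MISSING in sig else clusters[sig]).add(ip)
    return dict(clusters), undecided


def filter_alias_candidates(signatures, candidates):
    """Split candidate pairs into (kept, rejected). Pairs involving an IP
    without a signature are kept: there is no evidence against them."""
    kept, rejected = [], []
    for a, b in candidates:
        sa, sb = signatures.get(a), signatures.get(b)
        if sa is None or sb is None or compatible(sa, sb):
            kept.append((a, b))
        else:
            rejected.append((a, b))
    return kept, rejected


CONSTRUCTED_SIGNATURES = {
    "10.0.0.1": (255, 255), "10.0.0.2": (255, 255),   # could be one Cisco box
    "10.0.0.3": (255, 64),                            # Junos-like: another router
    "10.0.0.4": (64, 64),
    "10.0.0.5": (255, MISSING),                       # incomplete: fits .1/.2 or .3
}
CONSTRUCTED_CANDIDATES = [
    ("10.0.0.1", "10.0.0.2"), ("10.0.0.1", "10.0.0.3"),
    ("10.0.0.3", "10.0.0.5"), ("10.0.0.4", "10.0.0.5"), ("10.0.0.4", "10.0.0.9"),
]

if __name__ == "__main__":
    kept, rejected = filter_alias_candidates(CONSTRUCTED_SIGNATURES, CONSTRUCTED_CANDIDATES)
    print("kept:", kept)
    print("rejected:", rejected)
```

The filter only ever removes pairs; what survives still needs a positive alias-resolution technique, because a shared signature such as <255, 255> covers a large fraction of the routers in the distribution above.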
Conclusion
- Each IP (router?) has a unique TTL-based fingerprint
- The distribution of signatures is already valuable with 2 iTTLs
- Work still in progress: refine the signature distribution
- Help alias resolution, and so IP network mapping
- Help improve active probing methods and analyses such as MPLS discovery and quantification
MPLS Tunnels: Taxonomy
[Figure: Monitor - R1 - R2 - R3 - R4 - R5 - Destination, with an LSP spanning the path between an ingress LER and an egress LER; diagram labels: IH, LH, Ingress LER, Egress LER, propagate IP → MPLS, propagate MPLS → IP]
Traceroute view for each tunnel class ("- MPLS" marks a hop whose reply carries MPLS label information):
- Implicit: 1. R1  2. R2  3. R3  4. R4  5. R5  6. Destination
- Explicit: 1. R1  2. R2 - MPLS  3. R3 - MPLS  4. R4 - MPLS  5. R5  6. Destination
- Opaque: 1. R1  2. R4 - MPLS  3. R5  4. Destination
- Invisible: 1. R1  2. R4  3. R5  4. Destination
MPLS Tunnels: Proportion
[Figure: proportion of MPLS tunnels per vantage point; x-axis: vantage point (0 to 200); y-axis: proportion (0.0 to 1.0)]
MPLS Tunnels: Signatures
[Figure: signature distribution of MPLS routers by tunnel class (explicit, implicit, opaque); x-axis: <255, 255>, <255, ∗>, <255, 64>, <64, 64>, <64, ∗>, <128, 128>, <128, ∗>, other; y-axis: proportion, 0.0 to 0.6]
Implicit MPLS Tunnels: Signatures
[Figure: signature distribution of implicit MPLS tunnels by detection heuristic (qTTL, u-turn); x-axis: <255, 255>, <255, ∗>, <255, 64>, <64, 64>, <64, ∗>, <128, 128>, <128, ∗>, other; y-axis: proportion, 0.0 to 0.5]