A closer look at IP-ID behavior in the Wild

Abstract :

Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detecting router aliases and, lately, to assisting detection of censorship in the Internet at large. These inferences have been possible since, in the past, the IP-ID was mostly implemented as a simple packet counter; however, this behavior has been discouraged for security reasons, and other policies, such as random values, have been suggested. In this study, we propose a framework to classify the different IP-ID behaviors using active probing from a single host. Despite being only minimally intrusive, our technique is significantly accurate (99% true positive classification), robust against packet losses (up to 20%) and lightweight (a few packets suffice to discriminate all IP-ID behaviors). We then apply our technique to an Internet-wide census, where we actively probe one alive target per routable /24 subnet: we find that the majority of hosts adopt constant IP-IDs (39%) or a local counter (34%), that the fraction of global counters (18%) significantly diminished, that a non-marginal number of hosts have an odd behavior (7%) and that random IP-IDs are still an exception (2%).

Document type :
Conference papers

https://hal-imt.archives-ouvertes.fr/hal-01712190
Contributor : Admin Télécom Paristech
Submitted on : Monday, February 19, 2018 - 11:30:18 AM
Last modification on : Thursday, October 17, 2019 - 12:37:02 PM

Identifiers

  • HAL Id : hal-01712190, version 1

Citation

Flavia Salutari, Danilo Cicalese, Dario Rossi. A closer look at IP-ID behavior in the Wild. International Conference on Passive and Active Network Measurement (PAM), Mar 2018, Berlin, Germany. ⟨hal-01712190⟩
