Analysis of Internet Backbone Traffic and Header Anomalies Observed
Wolfgang John and Sven Tafvelin
Dept. of Computer Science and Engineering
Chalmers University of Technology
Göteborg, Sweden
2007-11-24, IMC 2007
Overview
1. Introduction
2. Traffic properties
• IP properties
• TCP properties
3. Header anomalies
4. Conclusions
Introduction: Measurement location
[Figure: topology of the measurement location. Labels: Internet, Regional ISPs, Göteborg, Stockholm, Chalmers Univ., Göteborgs Univ., Student-Net, Other smaller Univ. and Institutes]
• 2x 10 Gbit/s (OC-192)
• 2x DAG6.2SE Cards
• capturing headers only
• IP addresses anonymized
Traffic Properties
• Data from 20 days in April 2006
• 2x74 traces, 7.5 TB
• 10.77 billion frames
• 99.97% IPv4 packets

Protocol    Packets   Data
TCP         92.0 %    97.2 %
UDP          7.6 %     2.6 %
ICMP         0.2 %     0.1 %
ESP, GRE     0.2 %     0.1 %
Traffic Properties (2)
• Packet size distribution
[Figure: packet size distribution. Annotations: (former) default: 576 bytes; 1300 bytes; 628 bytes]
Traffic Properties: IP
• IP properties
– No IP options (only 68 instances)
– 91.3% set DF bit
– TOS: 0.02% ECN enabled packets
Traffic Properties: IP (2)
• IP fragmentation rare (0.06%)
• 90% of fragmented packets incoming
– 97% UDP
• 10% outgoing
– 63% ESP, between 1 pair of hosts
– VPN header causes fragmentation
• 72% of the fragmented traffic during office hours (10AM, 2PM)
Traffic Properties: TCP
• TCP options in SYN segments

MSS       SACK perm.   WS        TS
99.2 %    89.9 %       17.9 %    14.5 %

• TCP options values
– MSS: from 0 to 65535
   94% 1400-1460 (Ethernet max.)
– WS: scale factors up to 14
   58% scale factor zero
   31% scale factor 2
Header Anomalies
• 10.7 billion IP packets
• 9.8 billion TCP segments

Anomaly                            Packet Count
TCP: RST+FIN flags                 51,842
IP: DF + MF flags                  27,474
TCP: other invalid flag combos     563
TCP: small MSS values              53,280
TCP: invalid header length         848
TCP: invalid option length         5,534
TCP: option kind undefined         2,370
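A minimal checker for the anomaly classes in the table above, added here as an illustration and not code from the talk or its authors. The `SMALL_MSS` cut-off, the extra invalid flag combinations (SYN with FIN or RST, no flags at all), the `KNOWN_KINDS` set and the `sample` packet builder are assumptions; it also assumes the complete TCP header was captured.

```python
import struct

# Assumed values, not from the slides: the "small MSS" cut-off, the extra
# invalid flag combinations, and the set of option kinds treated as defined.
SMALL_MSS = 100
KNOWN_KINDS = {0, 1, 2, 3, 4, 5, 8}
FIN, SYN, RST = 0x01, 0x02, 0x04

def check_headers(pkt: bytes) -> list:
    """Return the anomaly table labels that apply to one raw IPv4 packet."""
    found = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not parseable as IPv4"]
    ihl = (pkt[0] & 0x0F) * 4
    frag = struct.unpack_from("!H", pkt, 6)[0]
    if frag & 0x4000 and frag & 0x2000:  # DF and MF both set
        found.append("IP: DF + MF flags")
    if pkt[9] != 6 or ihl < 20 or len(pkt) < ihl + 20:
        return found  # not TCP, or fixed TCP header incomplete
    tcp = pkt[ihl:]
    hdr_len, flags = (tcp[12] >> 4) * 4, tcp[13]
    if flags & RST and flags & FIN:
        found.append("TCP: RST+FIN flags")
    elif (flags & SYN and flags & (FIN | RST)) or (flags & 0x3F) == 0:
        found.append("TCP: other invalid flag combos")
    if hdr_len < 20 or hdr_len > len(tcp):
        return found + ["TCP: invalid header length"]  # options untrusted
    i = 20
    while i < hdr_len and tcp[i] != 0:  # kind 0 ends the option list
        kind = tcp[i]
        if kind == 1:  # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            found.append("TCP: invalid option length")
            break
        if kind not in KNOWN_KINDS:
            found.append("TCP: option kind undefined")
        elif kind == 2 and tcp[i + 1] == 4:
            if struct.unpack_from("!H", tcp, i + 2)[0] < SMALL_MSS:
                found.append("TCP: small MSS values")
        i += tcp[i + 1]
    return found

def sample(flags, frag=0x4000, opts=b""):
    """Constructed packet: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 40 + len(opts), 0, frag, 64, 6, 0)
    off = (20 + len(opts)) // 4 << 4
    return ip + struct.pack("!HHIIBBHHH", 1, 80, 0, 0, off, flags, 8192, 0, 0) + opts
```

`opts` passed to `sample` must be a multiple of 4 bytes so the data offset field stays consistent with the header actually built.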
Summary and Conclusions
• Updated packet-level characteristics of Internet traffic
• Inconsistencies in headers will appear
– Network attacks and malicious traffic
– Active OS fingerprinting
– Buggy applications or protocol stacks
Thank you very much for your attention!
Questions?