Differences between In- and Outbound Internet Backbone Traffic
Wolfgang John and Sven Tafvelin
Dept. of Computer Science and Engineering, Chalmers University of Technology, Göteborg, Sweden

TNC 2007

Overview
1. Introduction
2. Highlights of directional differences on IP level, TCP level and UDP level
3. Summary of results
4. Conclusions

Introduction: Motivation
Why measure on Internet links?
- to understand the nature of Internet traffic
- to quantify the deployment of protocol features
Interesting for
- network engineers and protocol developers
- the network modeling and simulation community
- network security and intrusion detection

Introduction: Related work
Directional differences in backbone traffic
- already evident from simple packet header analysis
- correlating packets might reveal the reasons
Related work:
- mainly unidirectional flow data (NetFlow)
- either low or very high aggregation level
- marginal discussion of directional differences

Introduction: Our contribution
- complete view on different levels
- contemporary data
- packet level analysis
- bi-directional TCP connections
- specific measurement location
  - medium aggregation level
  - suitable for highlighting directional differences

Introduction: Measurement location
[Diagram: Internet, regional ISPs (Gbg, Sthlm), Göteborgs Univ., Chalmers Univ., Stud-Net]
- 2x 10 Gbit/s (OC-192) links
- 2x DAG6.2SE cards, tightly synchronized, capturing headers

Introduction: General traffic characteristics
- data from 20 days in April; the traces total 10.7 billion frames, 7.5 TB
- 99.99% IPv4 data
- 93% TCP packets, 97% TCP data
- data and packet counts are equal on the inbound and outbound links!

Highlights: IP level
[Table: distinct IP addresses seen, in millions, per link and protocol]
- surprisingly large numbers
- inbound destinations >> outbound sources
- the large number of outside hosts is primarily due to UDP

Highlights: TCP level
[Table: connection attempt breakdown, in millions, per direction]
- inbound connection attempts are mainly scans!

Highlights: TCP level (2)
[Table: TCP termination behavior, in millions, per direction]
- only 67% of connections close properly (FIN in both directions)
- inbound: 20% of connections are closed by both FIN and RST!
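The two tables above (connection attempts, termination behaviour) come from pairing the two halves of each TCP connection and looking only at header flags. The following is an added example of how such a classifier is written; it is not the authors' code. It keys connections on a direction-independent 5-tuple, takes the first pure SYN as the initiator, labels the connection inbound or outbound by an assumed campus prefix (192.0.2.0/24, a documentation range standing in for the measured network), and then sorts each connection into the classes the slides count: unanswered SYN (scan-like), refused (SYN met by RST), established; and for established ones 2xFIN, FIN+RST, RST-only or still open. The packet records are constructed for the example.

```python
"""Classify bidirectional TCP connections from packet-header records.

Added example, not from the original slides.  Packet records are
constructed below; CAMPUS is an assumed local prefix.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("192.0.2.0/24")   # assumed local prefix (documentation range)

# TCP flag bits; only those the classifier needs.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def conn_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection land together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def classify(packets):
    """packets: iterable of (ts, src, sport, dst, dport, flags).

    Returns {"inbound": Counter, "outbound": Counter}.  Direction is that of
    the first pure SYN: inbound when the initiator is outside CAMPUS.
    """
    conns = defaultdict(list)
    for pkt in sorted(packets):
        conns[conn_key(pkt[1], pkt[2], pkt[3], pkt[4])].append(pkt)

    result = {"inbound": Counter(), "outbound": Counter()}
    for pkts in conns.values():
        syns = [p for p in pkts if p[5] & SYN and not p[5] & ACK]
        if not syns:
            continue  # started before the trace; initiator unknown
        _, init, isport, resp, rsport, _ = syns[0]
        direction = "inbound" if ip_address(init) not in CAMPUS else "outbound"
        from_init = [p[5] for p in pkts if (p[1], p[2]) == (init, isport)]
        from_resp = [p[5] for p in pkts if (p[1], p[2]) == (resp, rsport)]

        # Establishment: responder sent SYN/ACK and initiator completed the handshake.
        if any(f & SYN and f & ACK for f in from_resp) and \
                any(f & ACK and not f & SYN for f in from_init):
            est = "established"
        elif any(f & RST for f in from_resp):
            est = "refused"      # SYN answered with RST (closed port)
        else:
            est = "unanswered"   # SYN(s) only: the typical scan signature
        result[direction][est] += 1
        if est != "established":
            continue

        # Termination of established connections.
        fin_i = any(f & FIN for f in from_init)
        fin_r = any(f & FIN for f in from_resp)
        rst = any(f & RST for f in from_init + from_resp)
        if fin_i and fin_r and not rst:
            term = "2xFIN"      # proper close
        elif (fin_i or fin_r) and rst:
            term = "FIN+RST"    # one side FINs, the other aborts
        elif rst:
            term = "RST"
        else:
            term = "open"       # no teardown seen in the trace
        result[direction][term] += 1
    return result


# Constructed sample: one clean outbound web session, two inbound probes
# (one unanswered, one refused) and one inbound session ending in FIN+RST.
SAMPLE = [
    (1.00, "192.0.2.10", 40000, "198.51.100.5", 80, SYN),
    (1.01, "198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK),
    (1.02, "192.0.2.10", 40000, "198.51.100.5", 80, ACK),
    (1.03, "192.0.2.10", 40000, "198.51.100.5", 80, ACK),
    (1.04, "198.51.100.5", 80, "192.0.2.10", 40000, ACK),
    (1.05, "198.51.100.5", 80, "192.0.2.10", 40000, FIN | ACK),
    (1.06, "192.0.2.10", 40000, "198.51.100.5", 80, FIN | ACK),
    (1.07, "198.51.100.5", 80, "192.0.2.10", 40000, ACK),
    (2.00, "203.0.113.7", 5555, "192.0.2.20", 445, SYN),
    (2.50, "203.0.113.7", 5555, "192.0.2.20", 445, SYN),       # retransmit
    (3.00, "203.0.113.7", 5556, "192.0.2.21", 445, SYN),
    (3.01, "192.0.2.21", 445, "203.0.113.7", 5556, RST | ACK),
    (4.00, "203.0.113.9", 50000, "192.0.2.30", 22, SYN),
    (4.01, "192.0.2.30", 22, "203.0.113.9", 50000, SYN | ACK),
    (4.02, "203.0.113.9", 50000, "192.0.2.30", 22, ACK),
    (4.10, "203.0.113.9", 50000, "192.0.2.30", 22, FIN | ACK),
    (4.11, "192.0.2.30", 22, "203.0.113.9", 50000, RST | ACK),
]


def summarize(packets=SAMPLE):
    return {d: dict(c) for d, c in classify(packets).items()}


if __name__ == "__main__":
    print(summarize())
```

On real traces the same loop runs over millions of connections; the point worth keeping is that "unanswered" is only meaningful when both link directions are captured, which is exactly why the authors stress bi-directional TCP connections.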

Highlights: TCP level (3)
Statistical properties of established TCP connections
- lifetime, data volume, packet count
Inbound connections are more likely to:
- show lifetimes between 1 and 5 seconds
- be long lasting (>10 minutes)
- carry more data and more packets
- show higher asymmetry (client-server pattern)

TCP level: P2P traffic
Quantification according to port numbers
- payload is not captured, so the port-based figures underestimate P2P by a factor of 2-3 [*,**]
- 13% of data in outbound connections
- 25% of data in inbound connections

* S. Sen et al., "Accurate, Scalable In-Network Identification of P2P Traffic Across Large Networks", IMW 2002
** T. Karagiannis et al., "Transport Layer Identification of P2P Traffic", ACM SIGCOMM 2004

Highlights: UDP level
- 68 million UDP flows, 51 million of which carry fewer than 3 packets!
- DNS: 5%; NTP: 1.7%
- incoming scanning: >8%
- P2P overlay traffic: >20%
Signaling traffic
- distributed hash tables (DHT) such as Kademlia
- update routing tables in a decentralized way
- periodic "ping" queries and replies
- P2P overlay networks span the entire globe
- high fluctuation in peering partners → lots of IPs
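The UDP figures above are header-only heuristics: flow size, well-known ports, and a scan pattern. The following is an added example (not the authors' code) that applies the same three heuristics to constructed packet records: it groups UDP packets into bidirectional flows, counts the tiny flows (fewer than 3 packets), attributes flows to DNS and NTP by port, and flags inbound scanning as one outside source sending single-packet flows to many campus hosts on the same destination port. The campus prefix 192.0.2.0/24 and the threshold of 5 distinct targets are assumptions for the example.

```python
"""UDP flow heuristics on packet-header records.

Added example, not from the original slides.  Packet data is constructed;
CAMPUS and SCAN_MIN_TARGETS are assumed values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("192.0.2.0/24")       # assumed local prefix (documentation range)
SERVICE_PORTS = {53: "dns", 123: "ntp"}   # well-known ports for the port heuristic
SCAN_MIN_TARGETS = 5                      # assumed: distinct campus hosts hit by one source/port


def flow_key(src, sport, dst, dport):
    """Direction-independent key so query and reply share one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def udp_flows(packets):
    """packets: iterable of (ts, src, sport, dst, dport). Returns {key: [packets]}."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p[1], p[2], p[3], p[4])].append(p)
    return flows


def analyse(packets):
    flows = udp_flows(packets)
    tiny = sum(1 for pk in flows.values() if len(pk) < 3)

    # Port heuristic: a flow counts for a service if either endpoint uses its port.
    service = {name: 0 for name in SERVICE_PORTS.values()}
    for a, b in flows:
        for _, port in (a, b):
            if port in SERVICE_PORTS:
                service[SERVICE_PORTS[port]] += 1
                break

    # Scan heuristic: outside source, single-packet flows, many campus targets, same dport.
    targets = defaultdict(set)
    for pk in flows.values():
        if len(pk) != 1:
            continue
        _, src, _, dst, dport = pk[0]
        if ip_address(src) not in CAMPUS and ip_address(dst) in CAMPUS:
            targets[(src, dport)].add(dst)
    scan = sum(len(t) for t in targets.values() if len(t) >= SCAN_MIN_TARGETS)

    return {"flows": len(flows), "tiny": tiny,
            "dns": service["dns"], "ntp": service["ntp"], "scan": scan}


# Constructed sample: three DNS lookups, one NTP exchange, one outside host
# probing six campus hosts on the same port, and one longer P2P-style flow.
SAMPLE = []
for i in range(3):
    SAMPLE.append((10 + i, "192.0.2.10", 30000 + i, "198.51.100.53", 53))
    SAMPLE.append((10.5 + i, "198.51.100.53", 53, "192.0.2.10", 30000 + i))
SAMPLE += [(20.0, "192.0.2.11", 123, "198.51.100.123", 123),
           (20.1, "198.51.100.123", 123, "192.0.2.11", 123)]
for i in range(1, 7):
    SAMPLE.append((30 + i * 0.01, "203.0.113.5", 6000, f"192.0.2.{i}", 1434))
for i in range(5):
    a, b = ("192.0.2.77", 6881), ("198.51.100.9", 6881)
    src, dst = (a, b) if i % 2 == 0 else (b, a)
    SAMPLE.append((40 + i, src[0], src[1], dst[0], dst[1]))


def example():
    return analyse(SAMPLE)


if __name__ == "__main__":
    print(example())
```

The scan heuristic is deliberately conservative (it requires the same destination port across targets); DHT signaling from a single remote peer also produces tiny flows, but to one campus host at a time, so it does not trip the threshold.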

Summary of results
Besides equal counts and volumes on both links, directional differences were found in:
- IP packet sizes
- IP fragmentation
- number of TCP connections
- TCP connection establishment & termination
- TCP option usage
- TCP connection properties
- UDP scanning traffic

Conclusion
High level analysis does not necessarily show differences → detailed analysis does!
Two main reasons for directional differences:
- malicious traffic: the Internet is "unfriendly"
- P2P: Göteborg is a P2P source
P2P is changing traffic characteristics, e.g. packet sizes, TCP termination, TCP option usage

Thank you very much for your attention! Questions?

Backup slides

Common P2P port numbers
[Table: common P2P port numbers]

TCP level (4)
[Table: TCP options, in %, per direction]

IP level (2)
[Figure: packet size distribution on the two links]

IP level (3)
[Figure: IP fragmentation on the two links]

Malicious traffic / P2P traffic
[Figure: connection properties, lifetime in seconds]