Differences between In- and Outbound Internet Backbone Traffic
Wolfgang John and Sven Tafvelin
Dept. of Computer Science and Engineering, Chalmers University of Technology, Göteborg, Sweden
TNC 2007

Overview
1. Introduction
2. Highlights of directional differences on IP level, TCP level and UDP level
3. Summary of results
4. Conclusions
Introduction: Motivation
Why measure on Internet links?
– to understand the nature of Internet traffic
– to quantify the deployment of protocol features
Interesting for
– network engineers and protocol developers
– the network modeling and simulation community
– network security and intrusion detection
Introduction: Related work
Directional differences in backbone traffic
– evident from simple packet header analysis
– correlating packets might reveal the reasons
Related work:
– mainly unidirectional flow data (NetFlow)
– either low or very high aggregation level
– marginal discussion of directional differences
Introduction: Our contribution
Complete view on different levels
Contemporary data
Packet level analysis
Bi-directional TCP connections
Specific measurement location
– medium aggregation level
– suitable for highlighting directional differences
Introduction: Measurement location
[Diagram: Internet – Regional ISPs (Gbg, Sthlm) – Göteborgs Univ., Chalmers Univ., Stud-Net]
2x 10 Gbit/s (OC-192)
2x DAG6.2SE cards, tightly synchronized, capturing headers
Introduction: General traffic characteristics
Data from 20 days in April: traces of 10.7 billion frames, 7.5 TB
99.99% IPv4 data
93% TCP packets, 97% TCP data
Data and packet counts equal on inbound and outbound links!
Highlights: IP level
Distinct IP addresses seen (in millions)
Surprisingly large numbers
Inbound destinations >> outbound sources
Outside hosts primarily due to UDP
Highlights: TCP level
Connection attempt breakdown (in millions)
Inbound connections mainly scans!
Highlights: TCP level (2)
TCP termination behavior (in millions)
Only 67% close properly (2xFIN)
Inbound: 20% of connections closed by FIN and RST!
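As an added example, not from the slides or the authors' measurement tooling, the following Python sketch classifies a small constructed capture the way the two TCP-level slides above break connections down: attempts that never receive a SYN-ACK versus established ones, and for the established ones whether they end with a FIN from both sides, a FIN plus a RST, a RST alone, or stay open. Addresses, ports and the simplified flag strings are assumptions.

```python
from collections import Counter

# Constructed sample capture as (src_ip, src_port, dst_ip, dst_port, tcp_flags); hypothetical addresses, 10.0.0.x = local network.
SAMPLE_PACKETS = [
    # A: inbound client, full handshake, proper close with a FIN from each end
    ("198.51.100.7", 40001, "10.0.0.1", 80, "S"),
    ("10.0.0.1", 80, "198.51.100.7", 40001, "SA"),
    ("198.51.100.7", 40001, "10.0.0.1", 80, "A"),
    ("198.51.100.7", 40001, "10.0.0.1", 80, "FA"),
    ("10.0.0.1", 80, "198.51.100.7", 40001, "FA"),
    # B: established, then FIN from the server and RST from the client
    ("198.51.100.8", 40002, "10.0.0.1", 80, "S"),
    ("10.0.0.1", 80, "198.51.100.8", 40002, "SA"),
    ("10.0.0.1", 80, "198.51.100.8", 40002, "FA"),
    ("198.51.100.8", 40002, "10.0.0.1", 80, "R"),
    # C: inbound SYN that is never answered (the pattern the slides attribute to scanning)
    ("203.0.113.9", 5000, "10.0.0.2", 445, "S"),
    # E: outbound connection aborted by RST alone
    ("10.0.0.5", 51000, "192.0.2.10", 6881, "S"),
    ("192.0.2.10", 6881, "10.0.0.5", 51000, "SA"),
    ("10.0.0.5", 51000, "192.0.2.10", 6881, "R"),
]
def classify(packets):
    """Group packets by their initiating SYN; return a Counter of outcomes."""
    conns = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":  # bare SYN opens a new connection record
            conns.setdefault(fwd, {"synack": False, "fin": set(), "rst": False})
            continue
        c = conns.get(fwd) or conns.get(rev)
        if c is None:
            continue  # SYN predates the trace; skip rather than guess
        c["synack"] |= flags == "SA"
        if "F" in flags:
            c["fin"].add((src, sport))  # remember which endpoint sent FIN
        c["rst"] |= "R" in flags
    out = Counter()
    for c in conns.values():
        if not c["synack"]:
            out["unanswered_syn"] += 1   # attempt never answered with SYN-ACK
        elif len(c["fin"]) == 2 and not c["rst"]:
            out["fin_fin"] += 1          # proper close (2xFIN)
        elif c["fin"] and c["rst"]:
            out["fin_rst"] += 1          # closed by FIN and RST
        elif c["rst"]:
            out["rst"] += 1              # aborted by RST only
        else:
            out["open"] += 1             # still open at end of trace
    return out
```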
Highlights: TCP level (3)
Statistical properties of established TCP connections
– lifetime, data volume, packet count
Inbound connections are more likely to:
– show lifetimes between 1 and 5 seconds
– be long lasting (> 10 minutes)
– carry more data and more packets
– show higher asymmetry (client-server pattern)
TCP level: P2P traffic
Quantification according to port numbers
Missing payload → underestimated by a factor of 2-3 [*, **]
– 13% of data in outbound connections
– 25% of data in inbound connections
* S. Sen et al., "Accurate, Scalable In-network Identification of P2P Traffic across Large Networks", IMW 2002
** T. Karagiannis et al., "Transport Layer Identification of P2P Traffic", ACM SIGCOMM 2004
Highlights: UDP level
68 million UDP flows; 51 million carry fewer than 3 packets!
DNS: 5%; NTP: 1.7%
Incoming scanning: > 8%
P2P overlay traffic: > 20%
Signaling traffic
– Distributed Hash Table (DHT), e.g. Kademlia
– updates routing tables in a decentralized way
– periodic "ping" queries and replies
– P2P overlay networks span the entire globe
– high fluctuation in peering partners → lots of IPs
Summary of results
Besides equal counts and volumes on both links, directional differences were found in:
– IP packet sizes
– IP fragmentation
– number of TCP connections
– TCP connection establishment & termination
– TCP option usage
– TCP connection properties
– UDP scanning traffic
Conclusion
High level analysis does not necessarily show differences → detailed analysis does!
Two main reasons for directional differences:
– malicious traffic: the Internet is "unfriendly"
– P2P: Göteborg is a P2P source
P2P is changing traffic characteristics, e.g. packet sizes, TCP termination, TCP option usage
Thank you very much for your attention! Questions?
Backup slides
Common P2P port numbers
TCP level (4)
TCP options (in %)
IP level (2)
Packet size distribution on the 2 links
IP level (3)
IP fragmentation on the 2 links
Malicious traffic / P2P traffic
Connection properties: lifetime in seconds