REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel° and Benoit Donnet°. *Université.


1 REVEALING MIDDLEBOXES INTERFERENCE WITH TRACEBOX Gregory Detal*, Benjamin Hesmans*, Olivier Bonaventure*, Yves Vanaubel° and Benoit Donnet°. *Université catholique de Louvain °Université de Liège http://www.tracebox.org

2 Outline
- Middleboxes interference
- Detect packet modification with ICMP
- Tracebox
- Measurements results

3 The end-to-end principle … [figure: two end hosts with the full stack (Application, Transport, Network, Data link, Physical); the intermediate nodes implement only Network, Data link and Physical]

4 … does not hold [figure: same path, but one intermediate node implements the full stack up to the Application layer, i.e. a middlebox]

5 In reality Sherry, Justine, et al. "Making middleboxes someone else's problem: Network processing as a cloud service." Proceedings of the ACM SIGCOMM 2012 conference. ACM, 2012.

6 TCP segment processed by a router [figure: IP header (Ver, IHL, ToS, Total length, Identification, Flags, Frag. Offset, TTL, Protocol, Checksum, Source/Destination IP address, Options) and TCP header (Source/Destination port, Sequence number, Acknowledgment number, THL, Reserved, Flags, Window, Checksum, Urgent pointer, Options, Payload), shown before and after the router]

7 How transparent is the Internet?
- 25th September 2010 to 30th April 2011
- 142 access networks, 24 countries
- Craft TCP segments using custom scripts
- Sent specific TCP segments from client to a server in Japan
Honda, Michio, et al. "Is it still possible to extend TCP?" Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference. ACM, 2011.

8 TCP segments on today's Internet [figure: the same IP and TCP header layout as slide 6, before and after traversing the Internet]

9 Potentially miss a lot of middleboxes

10 Outline
- Middleboxes interference
- Detect packet modification with ICMP
- Tracebox
- Measurements results

11 Traceroute with ICMP in a nutshell [figure: IP/TCP probes sent with TTL=1, then TTL=2]

12 Traceroute with ICMP in a nutshell [figure: IP/ICMP message (type = 11, code = 0, checksum, unused field) quoting the expired probe's IP header (TTL now 1) and the first bytes of its TCP header: Source port, Destination port, Sequence number] Use the IP source to identify routers.

13 Middlebox detection with ICMP [figure: the probe sent with TTL=2 (full IP and TCP headers) next to the copy quoted in the returned ICMP message (IP header with TTL=1, ports, sequence number)] Compare

14 ICMP-based modification detection
RFC792 requires ICMP to include only the first 8 bytes of the transport header.
In 1995 RFC1812 and in 2007 RFC4884 require that routers should quote the complete original packet.
This is the default on Linux, Cisco IOX, HP routers, Alcatel routers, PaloAlto Firewall, etc.
[figure: full IP and TCP headers, including Options and Payload, as quoted by an RFC1812-capable router]

15 80 % of Internet paths contain at least one RFC1812-capable router

16 ICMP detection limitations
Similar to traceroute:
- Filtering of ICMP
- Routers throttle or do not send ICMP
- To detect a middlebox in front of a server, the server itself must generate an ICMP message.

17 Outline
- Middleboxes interference
- Detect packet modification with ICMP
- Tracebox
- Measurements results

18 Tracebox
- Uses the previous mechanism to detect middleboxes.
- Implemented in C++ with Lua embedded.
- Libcrafter allows probes to be described efficiently, in the style of Scapy.
- Open source and available at http://www.tracebox.org
- Supports Linux and Mac OSX

19 Tracebox
Usage: tracebox [ OPTIONS ] host
Options are:
  -h           Display this help and exit
  -n           Do not resolve IP addresses
  -6           Use IPv6 for static probe generated
  -u           Use UDP for static probe generated
  -d port      Use the specified port for static probe generated. Default is 80.
  -i device    Specify a network interface to operate with
  -m hops_max  Set the max number of hops (max TTL to be reached). Default is 30
  -p probe     Specify the probe to send.
  -s script    Run a script.

20 Probe definition
SYN probe that contains the window scale option:
  ip{} / tcp{flags=0x2,dst=80} / WSCALE
  IP / TCP / wscale(9) / NOP
IPv6/UDP probe with payload:
  IPv6 / udp{dst=5678} / raw('this is a payload')
Multiple options:
  ip{} / RR(8) / tcp{dst=80} / mss(1400) / WSCALE / TS

21 Output example
# tracebox -n -p "IP/TCP/MSS/MPCAPABLE/WSCALE" bahn.de
tracebox to 81.200.198.6 (bahn.de): 64 hops max
 1: 130.104.228.126 IP::CheckSum
 2: 130.104.254.229 IP::TTL IP::CheckSum
 3: 193.191.3.85 IP::TTL IP::CheckSum
 4: 193.191.16.21 IP::TTL IP::CheckSum
 5: 195.69.144.123 IP::TTL IP::CheckSum
 6: 145.254.5.158 IP::TTL IP::CheckSum
 7: 88.79.13.62 IP::TTL IP::CheckSum
 8: 81.200.194.234 IP::TTL IP::CheckSum
 9: 81.200.197.9 IP::TTL IP::CheckSum
10: 81.200.198.6 TCP::CheckSum IP::TTL IP::CheckSum TCPOptionMaxSegSize::MaxSegSize -TCPOptionMPTCPCapable -TCPOptionWindowScale


24 Outline
- Middleboxes interference
- Detect packet modification with ICMP
- Tracebox
- Measurements results

25 Measurements
- Used PlanetLab to perform experiments. PlanetLab nodes are supposed to be directly connected to the Internet.
- Sources: 70 vantage points
- Destinations: Top 5000 Alexa

26 Some middleboxes randomize the TCP sequence number …

27 … but do not modify the SACK blocks: mismatch

28 Evaluation of the impact [figure: Click testbed with a TCP Seq Modification element in each direction and a Discard element dropping 1 %] Seq' = Seq + Δ, Ack' = Ack - Δ

29 Linux performance significantly drops
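The mismatch of slides 26 to 29, as an added example (not the presentation's Click configuration): a model middlebox applies Seq' = Seq + Δ on the client's segments and Ack' = Ack - Δ on the returning ones, but leaves SACK blocks in the translated space, so the client cannot match them against its own outstanding data. The scenario, the sequence numbers and Δ are constructed; the sanity check (a SACK block must lie inside (snd_una, snd_nxt]) is the kind of validation a sender applies before trusting a block.

```python
DELTA = 100000   # constructed offset added by the middlebox to the client's sequence numbers

def middlebox_translate(seg, delta, from_client):
    """Model of the middlebox on slides 26-27: shifts Seq (client -> server) or Ack
    (server -> client) by delta but leaves any SACK blocks untouched."""
    out = dict(seg)
    if from_client:
        out["seq"] = (seg["seq"] + delta) & 0xffffffff
    else:
        out["ack"] = (seg["ack"] - delta) & 0xffffffff
    return out                      # out["sack"] is still in the server's (shifted) space

def invalid_sack_blocks(seg, snd_una, snd_nxt):
    """Blocks the sender cannot match: each must cover data it actually sent and
    that is still unacknowledged, i.e. snd_una < left < right <= snd_nxt."""
    return [(l, r) for l, r in seg.get("sack", []) if not (snd_una < l < r <= snd_nxt)]

def scenario(translate_sack):
    """Constructed run: the client sent bytes 1000..5000 (server sees 101000..105000).
    The server acks 102000 and SACKs 103000..104000; return the blocks the client rejects."""
    server_ack = {"seq": 7000, "ack": 102000, "sack": [(103000, 104000)]}
    seen_by_client = middlebox_translate(server_ack, DELTA, from_client=False)
    if translate_sack:              # what a middlebox that also rewrote SACK blocks would deliver
        seen_by_client["sack"] = [(l - DELTA, r - DELTA) for l, r in seen_by_client["sack"]]
    snd_una = seen_by_client["ack"]  # 2000 after translation, consistent with the client's space
    return invalid_sack_blocks(seen_by_client, snd_una, snd_nxt=5000)
```

With `scenario(False)` the untranslated block (103000, 104000) is rejected, which is the situation behind the performance drop on slide 29; with `scenario(True)` nothing is rejected.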

30 Firewall at source modified the MSS

31 The core network also looks at the MSS option and modifies it

32 Lessons learned
- There exist middleboxes that affect performance, and network operators are not always aware of them.
- Tracebox can detect some middleboxes.
- Tracebox could help network operators debug their networks, even more so if more routers were RFC1812-capable.

33 Thank you. Questions? gregory.detal@uclouvain.be http://www.tracebox.org

