1. Statistical Analysis of Malformed Packets and Their Origins in the Modern Internet NETREAD UC Berkeley George Porter Oct 4, 2002

2. Main Idea Find malformed packets and determine the reasons What is the proportion? What are the causes? Ohio University

3. Experimental Setup Main University Link 100Mbits Rate limited to 36Mbits 98% TCP Dorm traffic 10 Mbits 60% TCP 40% Kazaa???

4. Errors detected

5. IP Addres outside of range (local link) 169.254.0.0/16 (Microsoft). DHCP INFORM messages. Finding the directory service for the enterprise root. Making dynamic updates on behalf of clients by the server. 172.128.x.x – 172.186.x.x (AOL). Used when DHCP fails. Moral: Treat as private and filter. Moral2: Don’t send INFORM on networks with dynamic address assignment.

6. DDOS attack, bootstrapping ICMP echo requests sent to limited broadcast address Routers should not have forwared them Source+Dest addresses out of range occurred Weekday mornings Bootstrapping issue

7. Interesting Observations Sent to network 0 Misconfigurations Origin of 255.255.255.255 Sent in response to UDP packets, probably a misconfiguration 0/6 port sequences No real ideas there Some SYN,FIN,URG,PSH packets used to determine O/S type Bad checksum in port range 18245- 21536, probably specific impl problem

8. Packet Distributions Mostly during the day They claim that bit- errors are more likely during the day (why?) They suggest the misconfigurations are likely not in system software (then what?)

9. Moral/Takeaway points Misconfiguration accounts for a lot of malformed packets DDOS attack was observed Internet/Local networks have different error characteristics