Correlating TTL data to network characteristics Final Talk BSc - - PowerPoint PPT Presentation

Chair for Network Architectures and Services Technical University of Munich (TUM)

Correlating TTL data to network characteristics

Final Talk BSc Informatics Till Wickenheiser

Advisors: Quirin Scheitle, Oliver Gasser, Paul Emmerich, Felix von Eye

April 27, 2016 Chair for Network Architectures and Services Department of Informatics Technical University of Munich (TUM)

Till Wickenheiser – Correlating TTL data to network characteristics 1

Chair for Network Architectures and Services Technical University of Munich (TUM)

Motivation Research questions Approach Implementation Discussion of the results Future Work

Till Wickenheiser – Correlating TTL data to network characteristics 2

Chair for Network Architectures and Services Technical University of Munich (TUM)

Motivation

◮ Time to Live(TTL) behavior strongly influenced by network

structure

Till Wickenheiser – Correlating TTL data to network characteristics 3

Chair for Network Architectures and Services Technical University of Munich (TUM)

Motivation

◮ Time to Live(TTL) behavior strongly influenced by network

structure

◮ Can knowledge about the network characteristics be used

to predict incoming TTL values?

Till Wickenheiser – Correlating TTL data to network characteristics 3

Chair for Network Architectures and Services Technical University of Munich (TUM)

Research questions

◮ Is there a correlation between BGP data and hop count of

incoming packets?

Till Wickenheiser – Correlating TTL data to network characteristics 4

Chair for Network Architectures and Services Technical University of Munich (TUM)

Research questions

◮ Is there a correlation between BGP data and hop count of

incoming packets?

◮ Is there a correlation between RTT of observed hosts and

hop counts?

Till Wickenheiser – Correlating TTL data to network characteristics 4

Chair for Network Architectures and Services Technical University of Munich (TUM)

Research questions

◮ Is there a correlation between BGP data and hop count of

incoming packets?

◮ Is there a correlation between RTT of observed hosts and

hop counts?

◮ Is there a correlation between Geo location data and

incoming hop count?

Till Wickenheiser – Correlating TTL data to network characteristics 4

Chair for Network Architectures and Services Technical University of Munich (TUM)

Approach Correlation of hop count and BGP data:

◮ Capture a sample of the Internet traffic using the already

implemented TTL capturing framework (by Christian Sturm)

Till Wickenheiser – Correlating TTL data to network characteristics 5

Chair for Network Architectures and Services Technical University of Munich (TUM)

Approach Correlation of hop count and BGP data:

◮ Capture a sample of the Internet traffic using the already

implemented TTL capturing framework (by Christian Sturm)

◮ Use the local BGP data as a model for the routing used for

the traffic sample

Till Wickenheiser – Correlating TTL data to network characteristics 5

Chair for Network Architectures and Services Technical University of Munich (TUM)

Approach Correlation of hop count and BGP data:

◮ Capture a sample of the Internet traffic using the already

implemented TTL capturing framework (by Christian Sturm)

◮ Use the local BGP data as a model for the routing used for

the traffic sample

◮ Compare the hop count of packets to the length of AS

paths using the corresponding BGP data

Till Wickenheiser – Correlating TTL data to network characteristics 5

Chair for Network Architectures and Services Technical University of Munich (TUM)

Implementation

◮ Create a longest prefix match lookup tree of entries of the

BGP data (libbgpdump, pytricia)

Till Wickenheiser – Correlating TTL data to network characteristics 6

Chair for Network Architectures and Services Technical University of Munich (TUM)

Implementation

◮ Create a longest prefix match lookup tree of entries of the

BGP data (libbgpdump, pytricia)

◮ Convert the TTL values to hop counts

Till Wickenheiser – Correlating TTL data to network characteristics 6

Chair for Network Architectures and Services Technical University of Munich (TUM)

Implementation

◮ Create a longest prefix match lookup tree of entries of the

BGP data (libbgpdump, pytricia)

◮ Convert the TTL values to hop counts ◮ Assign an AS path to each entry in the capture file

Till Wickenheiser – Correlating TTL data to network characteristics 6

Chair for Network Architectures and Services Technical University of Munich (TUM)

Implementation

◮ Create a longest prefix match lookup tree of entries of the

BGP data (libbgpdump, pytricia)

◮ Convert the TTL values to hop counts ◮ Assign an AS path to each entry in the capture file ◮ Compute the mean, variance, standard deviation of the

hop counts and saving these intermediate results

Till Wickenheiser – Correlating TTL data to network characteristics 6

Chair for Network Architectures and Services Technical University of Munich (TUM)

Implementation

◮ Create a longest prefix match lookup tree of entries of the

BGP data (libbgpdump, pytricia)

◮ Convert the TTL values to hop counts ◮ Assign an AS path to each entry in the capture file ◮ Compute the mean, variance, standard deviation of the

hop counts and saving these intermediate results

◮ Create graphs using the matplotlib and seaborn libraries in

an Ipython notebook

Till Wickenheiser – Correlating TTL data to network characteristics 6

Chair for Network Architectures and Services Technical University of Munich (TUM)

Runtime Data Number of entires File size Runtime IPv4 85 000 000 5 GB ∼8 h IPv6 2 000 000 200 MB ∼15 min Utilizing 16 CPUs running at 2.40GHz and 24GB of RAM.

Till Wickenheiser – Correlating TTL data to network characteristics 7

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values Linear regression parameters Coefficient IPv4 IPv6 Slope 1.1448 1.8173 Intercept 7.7438 2.1843 R-squared 0.0522 0.1544 P value 1.4 ∗ 10−9 Standard error 0.0099 0.2873

Till Wickenheiser – Correlating TTL data to network characteristics 8

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs

Till Wickenheiser – Correlating TTL data to network characteristics 9

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 10

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 11

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values Linear regression parameters Coefficient IPv4 IPv6 Slope 1.1448 1.8173 Intercept 7.7438 2.1843 R-squared 0.0522 0.1544 P value 1.4 ∗ 10−9 Standard error 0.0099 0.2873

Till Wickenheiser – Correlating TTL data to network characteristics 12

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 13

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 14

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 15

Chair for Network Architectures and Services Technical University of Munich (TUM)

Minima per AS path value

Till Wickenheiser – Correlating TTL data to network characteristics 16

Chair for Network Architectures and Services Technical University of Munich (TUM)

Minima per AS path value

Till Wickenheiser – Correlating TTL data to network characteristics 17

Chair for Network Architectures and Services Technical University of Munich (TUM)

Outliers There are 7000 occurrences (2.5%) of the minimum hop count being below the AS path length. These only occurred during the investigations regarding the IPv4 data.

Till Wickenheiser – Correlating TTL data to network characteristics 18

Chair for Network Architectures and Services Technical University of Munich (TUM)

Outliers There are 7000 occurrences (2.5%) of the minimum hop count being below the AS path length. These only occurred during the investigations regarding the IPv4 data. Reasons for these exceptions could be:

◮ Wrongfully chosen initial TTL value

Till Wickenheiser – Correlating TTL data to network characteristics 18

Chair for Network Architectures and Services Technical University of Munich (TUM)

Outliers There are 7000 occurrences (2.5%) of the minimum hop count being below the AS path length. These only occurred during the investigations regarding the IPv4 data. Reasons for these exceptions could be:

◮ Wrongfully chosen initial TTL value ◮ Used BGP data does not represent a good model for the

real routing path

Till Wickenheiser – Correlating TTL data to network characteristics 18

Chair for Network Architectures and Services Technical University of Munich (TUM)

Interpretation of the results

◮ In general a correlation between the BGP data and

incoming TTL values is present

Till Wickenheiser – Correlating TTL data to network characteristics 19

Chair for Network Architectures and Services Technical University of Munich (TUM)

Interpretation of the results

◮ In general a correlation between the BGP data and

incoming TTL values is present

◮ IPv4 BGP data can only be used in an unreliable way for

the prediction of incoming TTL values / hop counts

Till Wickenheiser – Correlating TTL data to network characteristics 19

Chair for Network Architectures and Services Technical University of Munich (TUM)

Interpretation of the results

◮ In general a correlation between the BGP data and

incoming TTL values is present

◮ IPv4 BGP data can only be used in an unreliable way for

the prediction of incoming TTL values / hop counts

◮ Using IPv6 BGP data could represent a viable method of

predicting incoming TTL values / hop counts

Till Wickenheiser – Correlating TTL data to network characteristics 19

Chair for Network Architectures and Services Technical University of Munich (TUM)

Future work

◮ Investigate the correlation of RTT and incoming TTL values

Till Wickenheiser – Correlating TTL data to network characteristics 20

Chair for Network Architectures and Services Technical University of Munich (TUM)

Future work

◮ Investigate the correlation of RTT and incoming TTL values ◮ Investigate the correlation of Geo location and hop count

Till Wickenheiser – Correlating TTL data to network characteristics 20

Chair for Network Architectures and Services Technical University of Munich (TUM)

Future work

◮ Investigate the correlation of RTT and incoming TTL values ◮ Investigate the correlation of Geo location and hop count ◮ Investigate if the predictability of incoming IPv6 TTL values

is present over multiple measurements

Till Wickenheiser – Correlating TTL data to network characteristics 20

Chair for Network Architectures and Services Technical University of Munich (TUM)

Thank you for your attention!

Till Wickenheiser – Correlating TTL data to network characteristics 21

Chair for Network Architectures and Services Technical University of Munich (TUM)

Bibliography I

[1] G. Armitage, C. Javier, S. Zander, et al. Client rtt and hop count distributions viewed from an australian ‘enemy territory’server. Technical report, CAIA Technical Report, 2006. [2] F. Begtasevic and P . Van Mieghem. Measurements of the hopcount in internet. In PAM2001, A workshop on Passive and Active Measurements, Amsterdam, the Netherlands, April 23-24, 2001, 2001. [3] B. Eriksson, P . Barford, and R. Nowak. Estimating hop distance between arbitrary host pairs. In INFOCOM 2009, IEEE, pages 801–809. IEEE, 2009. [4] B. Eriksson, P . Barford, J. Sommers, and R. Nowak. A learning-based approach for ip geolocation. In Passive and Active Measurement, pages 171–180. Springer, 2010. [5] A. Fei, G. Pei, R. Liu, and L. Zhang. Measurements on delay and hop-count of the internet. In IEEE GLOBECOM, volume 98, 1998. [6] C. Jin, H. Wang, and K. G. Shin. Hop-count filtering: an effective defense against spoofed ddos traffic. In Proceedings of the 10th ACM conference on Computer and communications security, pages 30–41. ACM, 2003. [7] S. Kasiviswanathan, G. Yan, and S. Eidenbenz. Geography-based structural analysis of the internet. Technical report, Los Alamos National Laboratory, 2010.

Till Wickenheiser – Correlating TTL data to network characteristics 22

Chair for Network Architectures and Services Technical University of Munich (TUM)

Bibliography II

[8] F. Li, C. An, J. Yang, J. Wu, and H. Zhang. A study of traffic from the perspective

• f a large pure ipv6 isp. Computer Communications, 37:40–52, 2014.

[9] H. Tangmunarunkit, R. Govindan, S. Shenker, and D. Estrin. The impact of routing policy on internet paths. In INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE, volume 2, pages 736–742. IEEE, 2001. [10] P . Van Mieghem, G. Hooghiemstra, and R. van der Hofstad. Modeling the as-hopcount in internet. Technical report, Delft University of Technology, 2002. [11] F. Yakubu, M. Shehu, A. Mustapha, and M. Hayatu. Correlation between latency and hop count.

Till Wickenheiser – Correlating TTL data to network characteristics 23

Chair for Network Architectures and Services Technical University of Munich (TUM)

Runtime

◮ The processing of a capture file of the size of about 5GB

for the IPv4 data and 200MB of IPv6 data, respectively containing 85 000 000 and 2 000 000 entries, took about 8 hours for the IPv4 and 15 minutes for the IPv6 traffic.

Till Wickenheiser – Correlating TTL data to network characteristics 24

Chair for Network Architectures and Services Technical University of Munich (TUM)

Runtime

◮ The processing of a capture file of the size of about 5GB

for the IPv4 data and 200MB of IPv6 data, respectively containing 85 000 000 and 2 000 000 entries, took about 8 hours for the IPv4 and 15 minutes for the IPv6 traffic.

◮ Eight producer and eight consumer processes were used

to scan the capture file on a machine utilizing 16 CPUs running at 2.40GHz and having 24GB of RAM.

Till Wickenheiser – Correlating TTL data to network characteristics 24

Chair for Network Architectures and Services Technical University of Munich (TUM)

Runtime

◮ The processing of a capture file of the size of about 5GB

for the IPv4 data and 200MB of IPv6 data, respectively containing 85 000 000 and 2 000 000 entries, took about 8 hours for the IPv4 and 15 minutes for the IPv6 traffic.

◮ Eight producer and eight consumer processes were used

to scan the capture file on a machine utilizing 16 CPUs running at 2.40GHz and having 24GB of RAM.

◮ The creation of the graphs took a negligible amount of time

and was performed on my personal laptop.

Till Wickenheiser – Correlating TTL data to network characteristics 24

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values Linear regression parameters Coefficient IPv4 IPv6 Slope 0.9183 1.9801 Intercept 5.6755 1.2865 R-squared 0.0488 0.1797 P value 4.7 ∗ 10−10 Standard error 0.0082 0.2858

Till Wickenheiser – Correlating TTL data to network characteristics 25

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 26

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 27

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 28

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 29

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 30

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 31

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 32

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for mean hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 33

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 34

Chair for Network Architectures and Services Technical University of Munich (TUM)

Resulting graphs for minimum hop count values

Till Wickenheiser – Correlating TTL data to network characteristics 35