
Inferring Internet Server IPv4 and IPv6 Address Relationships

Robert Beverly, Arthur Berger, Nicholas Weaver, Larry Campbell. Naval Postgraduate School, Akamai, ICSI/UCSD. rbeverly@nps.edu, awberger@mit.edu. February 7, 2013


  1. Inferring Internet Server IPv4 and IPv6 Address Relationships
     Robert Beverly, Arthur Berger∗, Nicholas Weaver†, Larry Campbell∗
     Naval Postgraduate School, ∗Akamai, †ICSI/UCSD
     rbeverly@nps.edu, awberger@mit.edu
     February 7, 2013
     CAIDA Active Internet Measurement 2013
     Beverly, et al. (NPS) CAIDA AIMS-5 1 / 18

  2. Sibling Resolution / Intro: Sibling Resolution
     New problem we term "Sibling Resolution": given a candidate (IPv4, IPv6) address pair, determine if these addresses are assigned to the same cluster, device, or interface.
     - Lots of prior work on passive sibling associations: e.g. web-bugs, javascript, flash, etc.
     - Prior work focuses on clients (adoption, performance)
     - This work:
       - Targeted, active test: on-demand for any given pair
       - Infrastructure: finding server siblings
       - Eventual goal: router siblings (not there yet)

  3. Sibling Resolution / Intro: Motivation
     Why?
     - Adoption (non-adoption):
       - IPv4 and IPv6 expected to co-exist (for a long while?) → dual-stacked devices
       - Track IPv6 evolution
     - Security:
       - IPv6 is largely unsecured!
       - Inter-dependence of IPv6 on IPv4 (and vice-versa), e.g. attack on IPv6 resource affecting IPv4 service
       - Correlating geolocation, reputation, etc with IPv4 host counterpart.
     - Performance:
       - Getting measurements of IPv4 vs. IPv6 performance correct: isolate path vs. host performance
     Operationally deployed today in Akamai, informing Edgescape geolocation.

  4. Methodology / Techniques
     3 Techniques:
     1. (Passive) Induce DNS resolvers to use both v4 and v6 during natural resolution of Akamai resources (deployed, large set of measurements).
     2. (Active) Force DNS to use a chain of v4 and v6 addresses to perform resolution. Allows us to validate (a subset) of the passively collected results.
     3. (Active) Probe potentially in-common TCP stack of a candidate v4, v6 sibling pair to obtain timestamp fingerprint.

  5. Methodology: Passive DNS
     - Encode IPv4 address of querying resolver into a AAAA record returned for the next-level NS
     - Subsequent query to the IPv6 authority nameserver permits linking v4 and v6 resolver addresses
     [Diagram: the Resolver sends "A? www.a.example.com" over IPv4 to the First-Level Auth DNS, which answers NS=2001:428::IPv4; the Resolver then sends "A? www.a.example.com" over IPv6 (src: IPv6, dst: 2001:428::IPv4) to the Second-Level Auth DNS, which yields (IPv4,IPv6) pairs.]

  6. Methodology: Active DNS
     - Custom DNS server as authority for special domain
     - Chain of alternating v6, v4 CNAME records, only available via v6 or v4, that maintain state within the dynamic name.
     [Diagram: the Prober asks the Resolver (w/ IPv6=A1,A3; IPv4=A2,A4) for c1.N.v6.domain; the Resolver then queries the domain Auth DNS:]
     - v6 Q? c1.N.v6.domain → CNAME=c2.N.A1.v4.domain
     - v4 Q? c2.N.A1.v4.domain → CNAME=c3.N.A1.A2.v6.domain
     - v6 Q? c3.N.A1.A2.v6.domain → CNAME=txt.N.A1.A2.A3.v4.domain
     - v4 Q? txt.N.A1.A2.A3.v4.domain → TXT="A1 A2 A3 A4"
     - The Resolver returns TXT="A1 A2 A3 A4" to the Prober.

  7. Methodology: DNS Results
     - Deployed on Akamai; gathered ≃ 675,000 v4,v6 pairs
     - Importance: directing users to content in a CDN relies on properties of DNS resolution. Improves IPv6 geolocation.
     - 77% of v4,v6 pairs are 1-1, the rest is messy.
     - Most complexity due to large cluster resolvers (e.g. nominum, google DNS, openDNS, comcast, etc).
     [Figure: number of v6 addresses in equiv. class vs. number of v4 addresses in equiv. class, both axes in powers of two.]

  8. Methodology: Targeted, Active Technique
     - Intuition: IPv4 and IPv6 share a common transport-layer (TCP) stack
     - Leverage prior work on physical device fingerprinting using TCP timestamp clockskew [Kohno 2005]
     - TCP timestamp option: "TCP Extensions for High Performance" [RFC1323, May 1992]. Universally supported, enabled by default.
     - Note: TS clock ≠ system clock
     - Note: TS clock frequently unaffected by system clock adjustments (e.g. NTP)
     - Basic Idea: Probe over time. Fingerprint is clock skew (and remote clock resolution).

  9. Methodology / Examples: Example
     Gather 4 timestamp series:
     - www.caida.org (v4 and v6)
     - www.ripe.net (v4 and v6)

  10. Methodology / Examples: Example
      - Observe different skew slopes (one negative)
      - Different timestamp granularity
      - y = 0.029938x equates to skew of ≈ 1.8ms / minute, or ≈ 15 minutes per year.
      [Figure: "False siblings! CAIDA IPv6 vs. RIPE IPv4". Observed offset (msec) vs. measurement time (sec). Legend: Host A (IPv6), Host B (IPv4); fitted lines α=0.029938, β=-3.519 and α=-0.058276, β=-1.139.]

  11. Methodology / Examples: Example
      [Figure, two panels, each plotting observed offset (msec) vs. measurement time (sec):
      - False Siblings: Host A (IPv6), Host B (IPv4); fitted lines α=0.029938, β=-3.519 and α=-0.058276, β=-1.139
      - True Siblings: Host A (IPv6), Host A (IPv4); fitted lines α=-0.058253, β=-1.178 and α=-0.058276, β=-1.139]
      - CAIDA IPv4 vs. CAIDA IPv6: identical slopes (θ = 0.0098)
      - CAIDA IPv6 vs. RIPE IPv4: different slopes (θ = 31.947)

  12. Methodology / Examples: Complications
      - Not always so distinct of a difference!
      - Slope angle difference: θ = 2.046
      [Figure: observed offset (msec) vs. measurement time (sec) for 193.110.128.199 and 2001:67c:2294:1000::f199. www.marca.com (#6 on alexa ipv6)]

  13. Methodology / Examples: Complications
      - Raw TCP timestamps
      - Deterministically random and monotonic for a single connection
      - Random across connections. Looks like noise to us.
      [Figure: TCP Timestamp vs. TCP Packet Sample for apache.org V4 and apache.org V6. www.apache.com]

  14. Methodology / Examples: Complications
      - What's going on here?
      [Figure: observed offset (msec) vs. measurement time (sec) for 203.5.76.12 and 2001:388:1:5062::cb05:4c0c.]

  15. Methodology / Examples: Complications
      - Also detects load balancing among servers
      - But how to deal with it?
      [Figure: observed offset (msec) vs. measurement time (sec) for 209.85.225.160 and 2001:4860:b007::a0.]

  16. Results / Machine Sibling Inference: Machine Sibling Inference
      Methodology:
      - Analyze Alexa top 100,000 websites
      - Pull A and AAAA records
      - 1398 (≈ 1.4%) have IPv6 DNS
      - Repeatedly fetch root HTML page via IPv4 and IPv6 via deterministic IP address
      - Record all packets

  17. Results / Machine Sibling Inference: Alexa 100K Targeted Machine-Sibling Inference

      | Case | Count |
      |---|---|
      | v4 and v6 non-monotonic (possible siblings) | 109 (7.8%) |
      | v4 or v6 non-monotonic (non-siblings) | 140 (10.0%) |
      | v4 and v6 no timestamps (possible siblings) | 94 (6.7%) |
      | v4 or v6 no timestamps (non-sibling) | 101 (7.2%) |

      - Our technique fails when timestamps are not monotonic across TCP flows (e.g. load-balancer or BSD OS)
      - Or, when timestamps are not supported (e.g. middlebox)
      - Note, can disambiguate non-siblings

  18. Results / Machine Sibling Inference: Alexa 100K Targeted Machine-Sibling Inference

      | Case | Count |
      |---|---|
      | v4 and v6 non-monotonic (possible siblings) | 109 (7.8%) |
      | v4 or v6 non-monotonic (non-siblings) | 140 (10.0%) |
      | v4 and v6 no timestamps (possible siblings) | 94 (6.7%) |
      | v4 or v6 no timestamps (non-sibling) | 101 (7.2%) |
      | Skew-based siblings | 839 (60.0%) |
      | Skew-based non-siblings | 115 (8.3%) |
      | Total | 1398 (100%) |

      - 25.5% (356) non-siblings
      - 57% of skew-based non-siblings are in same AS
      - 12.6% of skew-based siblings are in different ASes

  19. Results / Feedback: Thanks!
      - Viz: Awesome scatter plot!
      - Data-Sharing: None so far (Akamai data off-limits, web-probing can be released)
      - Feedback:
        - Do you believe our motivation story!?!?
        - Operational experience with large DNS resolvers?
        - Thoughts on router v4,v6 sibling resolution?
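
The timestamp-skew comparison of slides 8 to 11 and the failure cases of slide 17, as an added Python example that is not the authors' code. The ordinary least-squares fit, the candidate clock rates, the slope-difference threshold (a stand-in for the slides' θ, whose definition the slides do not give) and the constructed sample series are all assumptions.

```python
import random

COMMON_HZ = (10, 100, 250, 1000)   # assumed candidate TS clock rates (ticks/sec)

def fit_skew(samples):
    """samples: [(local_rx_time_sec, remote_TSval), ...] gathered across TCP flows.
    Returns 'no-ts', 'non-monotonic', or (alpha_msec_per_sec, beta_msec, hz)."""
    if len(samples) < 3:
        return "no-ts"
    if any(b[1] < a[1] for a, b in zip(samples, samples[1:])):
        return "non-monotonic"      # e.g. per-flow random timestamps, load balancer
    t0, ts0 = samples[0]
    raw_hz = (samples[-1][1] - ts0) / (samples[-1][0] - t0)
    hz = min(COMMON_HZ, key=lambda h: abs(h - raw_hz))   # remote clock resolution
    xs = [t - t0 for t, _ in samples]                    # local elapsed time, sec
    ys = [((ts - ts0) / hz - x) * 1000.0                 # observed offset, msec
          for (_, ts), x in zip(samples, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    alpha = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    return alpha, my - alpha * mx, hz

def classify(v4, v6, max_slope_diff=0.005):
    """max_slope_diff (msec/sec) is an assumed threshold, not a value from the slides."""
    f4, f6 = fit_skew(v4), fit_skew(v6)
    if isinstance(f4, str) or isinstance(f6, str):
        # Same failure on both sides cannot be ruled out; anything else differs.
        return "possible-sibling" if f4 == f6 else "non-sibling"
    if f4[2] != f6[2]:                                   # different TS granularity
        return "non-sibling"
    return "sibling" if abs(f4[0] - f6[0]) <= max_slope_diff else "non-sibling"

def synth(hz, skew_ppm, start, n=100, step=10.0, seed=0):
    """Constructed sample data: a remote TS clock at `hz` with the given skew."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = start + i * step                             # remote send time
        rx = t + rng.uniform(0.010, 0.012)               # plus path delay jitter
        out.append((rx, 123456 + int(hz * t * (1 + skew_ppm * 1e-6))))
    return out

if __name__ == "__main__":
    host_a_v4 = synth(1000, -58, 0.0, seed=1)            # same clock, two families
    host_a_v6 = synth(1000, -58, 5.0, seed=2)
    host_b_v4 = synth(1000, 30, 2.0, seed=3)             # a different machine
    print("A/v4 vs A/v6:", classify(host_a_v4, host_a_v6))
    print("B/v4 vs A/v6:", classify(host_b_v4, host_a_v6))
```
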
