Reserved: Dissecting Internet Traffic on Port 0 - Aniss Maghsoudlou - PowerPoint PPT Presentation

SLIDE 1

Reserved: Dissecting Internet Traffic on Port 0

Aniss Maghsoudlou, Oliver Gasser, Anja Feldmann
Max Planck Institute for Informatics

SLIDE 2

Why Port 0?

Using port number 0 is not allowed in:

  • TCP [RFC 1340]
  • UDP [RFC 8085]
  • UDP-Lite [RFC 3828]
  • SCTP [RFC 4960]

76 GB of traffic using port 0 in one week of IXP data!

SLIDE 3

Previous Work and Our Approach

  • Luchs and Doerr, and Bouharb et al., study port 0 traffic.
  • Both used darknets as data sources.
  • We use traffic from a large European IXP:
      • At the IXP we see real traffic instead of just scanning artifacts in darknets.
      • Bidirectional analysis is possible.
  • We add active measurement to identify servers.

SLIDE 4

Data Overview

Port 0 traffic:

flows from 2019-09-01 to 2019-09-07 where (srcport = 0 or dstport = 0) and (protocol = UDP or TCP or UDP-Lite or SCTP)

  • One week of IPFIX flow data
  • 31 TB of traffic, 45 billion packets in total

SLIDE 5

Data Overview

  • 76 GB (0.2%) of port 0 traffic, comprising 103 million packets
  • > 99% of the traffic…
      • has both source and destination port set to 0
      • uses UDP in IPv4 and TCP in IPv6
      • is one-directional
  • 16% of the source IP addresses in IPv4 were servers (in IPv6: 0%)

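The selection from the Data Overview slides, written out as an added example (not the authors' code): it applies the slide's filter to constructed flow tuples and counts the properties the slide above reports. The record layout, the per-flow counting, and the host-pair test for one-directional traffic are assumptions.

```python
from collections import Counter
from ipaddress import ip_address

# IANA protocol numbers for the four transports named on the slide.
PROTOS = {6: "TCP", 17: "UDP", 132: "SCTP", 136: "UDP-Lite"}

# Constructed flow records (not IXP data): src, dst, sport, dport, proto, bytes.
FLOWS = [
    ("192.0.2.10", "198.51.100.5", 0, 0, 17, 1400),
    ("192.0.2.11", "198.51.100.5", 0, 53, 17, 90),
    ("198.51.100.5", "192.0.2.11", 53, 0, 17, 120),
    ("2001:db8::1", "2001:db8::2", 0, 0, 6, 60),
    ("2001:db8::2", "2001:db8::1", 0, 0, 6, 40),
    ("192.0.2.20", "198.51.100.9", 51000, 443, 6, 5000),
    ("192.0.2.30", "198.51.100.9", 0, 0, 1, 64),   # ICMP: has no ports, excluded
]

def is_port0(flow):
    """Slide filter: source or destination port is 0 and the protocol has ports."""
    _, _, sport, dport, proto, _ = flow
    return (sport == 0 or dport == 0) and proto in PROTOS

def summarize(flows):
    port0 = [f for f in flows if is_port0(f)]
    # Directed (src, dst) pairs; a flow counts as one-directional when no
    # port 0 flow runs the other way between the same hosts (assumption).
    directed = {(f[0], f[1]) for f in port0}
    by_family = Counter()
    both_zero = one_way = 0
    for src, dst, sport, dport, proto, _ in port0:
        by_family[(ip_address(src).version, PROTOS[proto])] += 1
        both_zero += sport == 0 and dport == 0
        one_way += (dst, src) not in directed
    return {
        "port0_flows": len(port0),
        "byte_share": sum(f[5] for f in port0) / sum(f[5] for f in flows),
        "both_ports_zero": both_zero,
        "one_directional": one_way,
        "by_family": dict(by_family),
    }

if __name__ == "__main__":
    for key, value in summarize(FLOWS).items():
        print(key, value)
```
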
SLIDE 6

  • IPv4: 50% originates from 111 ASes, goes to 33 ASes
  • IPv6: 90% originates from 3 ASes, goes to 3 ASes

SLIDE 7

  • IPv4 port 0 traffic: 6.7% of the traffic is coming from only one AS and only one prefix, mostly going to only one AS
  • IPv6 port 0 traffic: 72.1% of the traffic is coming from only one AS and only one prefix

SLIDE 8

Small packets in IPv6:

  • All < 102 bytes

TCP control flags in IPv6 traffic:

  • 90.2% ACK
  • 9.6% RST (mostly response to ACK)
  • 0.16% no flags set

SLIDE 9

Conclusion

Key Observations

  • Too much port 0 traffic in the Internet.
  • Mostly one-directional, mostly UDP in IPv4 and TCP in IPv6.
  • IPv6 packets are relatively small.
  • Small number of ASes contribute to a large share.

Future Work:

  • Longer timespans of IXP data
  • Active measurement of port 0 traffic to see how networks filter port 0 traffic

SLIDE 10

Thank You!

Aniss Maghsoudlou (Presenter)

aniss@mpi-inf.mpg.de

https://www.mpi-inf.mpg.de/inet/people/aniss-maghsoudlou/

Oliver Gasser

Oliver.gasser@mpi-inf.mpg.de

https://www.mpi-inf.mpg.de/inet/people/oliver-gasser/

Anja Feldmann

anja@mpi-inf.mpg.de

https://www.mpi-inf.mpg.de/inet/people/anja-feldmann/