A METHOD FOR INCONSPICUOUS TRACEROUTE

Jonathan Haber

Internet Protocol

Data is broken into packets
Packets have a header and data
Packets are forwarded toward their destinations

The Problem?

Internet protocols provide no mechanism for determining what route your data is taking to the destination

Fine when things are working, but routing problems are inevitably going to arise

What is a traceroute?

A tool used to ascertain the path taken by information across the internet

There is no built-in mechanism to observe these paths, so one must devise methods of path inference

How does it work?

Time-to-Live (TTL): used to ensure that packets do not float around the Internet indefinitely

Each time a packet is forwarded, its TTL is decremented

How is this used by traceroute?

Send out a packet with a TTL of 1, which should cause it to die at the first hop

Wait for the message saying where the packet died (the router that discards the packet sends back an ICMP Time Exceeded message, and its source address identifies that hop)

Repeat this process, incrementing the TTL each time

Traceroute Graphic (animation): Source sends probes toward Destination with TTL = 1, 2, 3, 4, 5. The replies come from 20.8.4.1 (TTL 1), 36.12.0.1 (TTL 2), 62.14.9.3 (TTL 3) and 12.0.63.8 (TTL 4); the TTL = 5 probe reaches the Destination.

So what’s the problem?

Traceroute information cannot be verified

A network might want to falsify this information

Common traceroute implementations have characteristics that make it easy to identify traceroute packets

Example traceroute

A router might see:

UDP Packet From: 245.100.198.6 To: 237.52.1.142:33489  TTL: 1  ID: 59480  Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33490  TTL: 2  ID: 59481  Length: 38
UDP Packet From: 245.100.198.6 To: 237.52.1.142:33491  TTL: 3  ID: 59482  Length: 38

Every field that changes does so by exactly one per probe (TTL, destination port, IP ID), the packets are all the same small size, and they all come from one source to one destination: a router has little trouble recognising the train.
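The recognition step above, written out as a detector: this is an added example and not code from the original slides. The three UDP packets from the slide are embedded as constructed input together with some made-up ordinary traffic, and a small heuristic flags flows whose packets step TTL, destination port and IP ID upward in lockstep. A second, looser mode keys on the TTL staircase alone, which any TTL-based traceroute still exhibits; the addresses and the TCP SYN train used for contrast are assumptions.

```python
"""Flag probe trains that look like a classic UDP traceroute.

Added example, not part of the original slides: the first three packets
are the slide's example; the remaining rows are constructed for contrast.
"""
from collections import defaultdict

# Constructed sample of what a router might see.
PACKETS = [
    {"proto": "UDP", "src": "245.100.198.6", "dst": "237.52.1.142", "dport": 33489, "ttl": 1, "id": 59480, "len": 38},
    {"proto": "UDP", "src": "245.100.198.6", "dst": "237.52.1.142", "dport": 33490, "ttl": 2, "id": 59481, "len": 38},
    {"proto": "UDP", "src": "245.100.198.6", "dst": "237.52.1.142", "dport": 33491, "ttl": 3, "id": 59482, "len": 38},
    {"proto": "TCP", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 443, "ttl": 64, "id": 4123, "len": 60},
    {"proto": "TCP", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 443, "ttl": 64, "id": 4124, "len": 1500},
    {"proto": "UDP", "src": "10.1.1.5", "dst": "203.0.113.53", "dport": 53, "ttl": 64, "id": 4125, "len": 71},
]

# Constructed TCP SYN train (assumed shape): TTL still steps by one, but the
# destination port stays fixed and the IP IDs are not consecutive.
TCP_SYN_TRAIN = [
    {"proto": "TCP", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 80, "ttl": 1, "id": 9101, "len": 60},
    {"proto": "TCP", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 80, "ttl": 2, "id": 27744, "len": 60},
    {"proto": "TCP", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": 80, "ttl": 3, "id": 3316, "len": 60},
]


def _steps(prev, cur, strict):
    """True when `cur` looks like the next probe after `prev`."""
    ttl_step = cur["ttl"] == prev["ttl"] + 1
    if not strict:
        return ttl_step
    return (ttl_step
            and cur["dport"] == prev["dport"] + 1
            and cur["id"] == prev["id"] + 1
            and cur["len"] == prev["len"])


def find_probe_trains(packets, min_len=3, strict=True):
    """Return the (proto, src, dst) flows that contain a probe train.

    strict=True requires the full classic-UDP fingerprint (TTL, destination
    port and IP ID each +1 per packet, constant length). strict=False keys
    on the TTL staircase alone, which catches any TTL-stepping probe.
    """
    flows = defaultdict(list)
    for p in packets:
        flows[(p["proto"], p["src"], p["dst"])].append(p)

    flagged = []
    for key, pkts in flows.items():
        run = 1
        for prev, cur in zip(pkts, pkts[1:]):
            run = run + 1 if _steps(prev, cur, strict) else 1
            if run >= min_len:
                flagged.append(key)
                break
    return flagged
```

With the strict fingerprint only the slide's UDP train is flagged; the TCP SYN train passes. Dropping the port and ID tells is not enough on its own, because the TTL staircase is inherent to the technique, which is why the later slides also vary the timing and probe type rather than just the protocol.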

What are falsified responses?

A router might:

Respond to a traceroute probe with an incorrect IP address
Intercept traceroute traffic before its destination and spoof responses
Intentionally treat traceroute traffic differently than normal traffic

So far

Implemented a new traceroute method using TCP packets

Goal is to make traceroute traffic harder to identify

Why TCP and not UDP or ICMP?

Details

Implemented in Tcl using hping
Sends TCP probes (SYN) with increasing TTLs
Has a variable delay between sending probes
Looks for a response; if none is found, changes the packet type
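The TTL-stepping procedure from "How does it work?" and the probing strategy listed under "Details" (TCP SYN first, variable delay, switch packet type when a hop stays silent), as one added simulation. This is illustrative code and not the author's Tcl/hping implementation: a toy path models routers that decrement TTL and answer the probe that dies at them, the hop addresses are taken from the graphic, and the rule that the third hop answers only ICMP is an assumption made so that the fallback branch is exercised.

```python
"""Simulated TTL-stepping traceroute with probe-type fallback.

Added example, not the author's Tcl/hping code. Hop addresses come from
the slide graphic; the per-hop "which probe types get an answer" rule and
the destination address are constructed.
"""
import random

# Constructed path: (router address, probe types that hop answers for).
# The third hop is assumed to drop TCP and UDP probes silently.
PATH = [
    ("20.8.4.1",  {"tcp", "udp", "icmp"}),
    ("36.12.0.1", {"tcp", "udp", "icmp"}),
    ("62.14.9.3", {"icmp"}),
    ("12.0.63.8", {"tcp", "udp", "icmp"}),
]
DESTINATION = "74.125.95.93"


def forward(ttl, probe_type, path=PATH, dest=DESTINATION):
    """Model the network's handling of one probe.

    Each router decrements TTL; the router where it reaches zero discards
    the probe and, if it is willing to answer that probe type, reports
    back with its own address. Returns the responder's address, or None
    when the hop stays silent. A probe that survives every router reaches
    the destination, which always answers (SYN/ACK or RST, port
    unreachable, or echo reply, depending on the probe).
    """
    for addr, answers in path:
        ttl -= 1
        if ttl == 0:
            return addr if probe_type in answers else None
    return dest


def traceroute(dest=DESTINATION, path=PATH, max_hops=30,
               probe_types=("tcp", "udp", "icmp"), rng=None):
    """Walk TTL from 1 upward until the destination answers.

    For each TTL the probe types are tried in order and the hop is recorded
    as soon as one of them draws a response; a hop that never answers is
    recorded as '*'. The delay before each probe is drawn at random (only
    recorded here, not slept) so the probes are not evenly spaced.
    Returns (hops, delays).
    """
    if rng is None:
        rng = random.Random(0)
    hops, delays = [], []
    for ttl in range(1, max_hops + 1):
        responder = None
        for ptype in probe_types:
            delays.append(round(rng.uniform(0.2, 2.0), 2))
            responder = forward(ttl, ptype, path, dest)
            if responder is not None:
                break
        hops.append(responder or "*")
        if responder == dest:
            break
    return hops, delays


if __name__ == "__main__":
    hops, delays = traceroute()
    for n, (hop, delay) in enumerate(zip(hops, delays), start=1):
        print(f"{n:2d}  {hop}")
```

Running it yields the five hops of the graphic; the third TTL costs three probes (TCP and UDP go unanswered, ICMP gets the router's address), which is the "change packet type" branch in action.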

So far

Began collecting data
Still experimenting with the traceroute program to maximize responses
Beginning to look at the data for anomalies

Example traceroute to Youtube.com (New Method vs. Old Method)

New Method:

11 core1-0-0-8.lga.net.google.com (198.32.118.39)
12 209.85.248.178 (209.85.248.178)
13 216.239.46.215 (216.239.46.215)
14 72.14.232.141 (72.14.232.141)
15 209.85.241.35 (209.85.241.35)
16 iw-in-f93.1e100.net (74.125.95.93)

Old Method (TCP/UDP):

11 core1-0-0-8.lga.net.google.com (198.32.118.39)
12 209.85.248.178 (209.85.248.178)
13 * * *
14 209.85.241.22 (209.85.241.22)
15 209.85.241.37 (209.85.241.37)
16 iw-in-f93.1e100.net (74.125.95.93)

Old Method (ICMP):

11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 iw-in-f93.1e100.net (74.125.95.93)
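Comparing the listings above by eye is easy for six hops but not for a data set; the following added example (not part of the original slides) parses the hop lines as shown on the slides and classifies each hop as the same, silent in one trace, or answered by different routers. The hop lines are copied from the slides as constructed input; the parser, the classification and the summary helper are mine.

```python
"""Parse traceroute listings and report where two paths diverge.

Added example, not part of the original slides. The three listings are
the slide's own hop lines, embedded here as constructed input.
"""
import re

NEW_METHOD = """\
11 core1-0-0-8.lga.net.google.com (198.32.118.39)
12 209.85.248.178 (209.85.248.178)
13 216.239.46.215 (216.239.46.215)
14 72.14.232.141 (72.14.232.141)
15 209.85.241.35 (209.85.241.35)
16 iw-in-f93.1e100.net (74.125.95.93)
"""

OLD_UDP = """\
11 core1-0-0-8.lga.net.google.com (198.32.118.39)
12 209.85.248.178 (209.85.248.178)
13 * * *
14 209.85.241.22 (209.85.241.22)
15 209.85.241.37 (209.85.241.37)
16 iw-in-f93.1e100.net (74.125.95.93)
"""

OLD_ICMP = """\
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 iw-in-f93.1e100.net (74.125.95.93)
"""

# "<hop> <name> (<ip>)" or "<hop> * * *" (any number of stars).
HOP_RE = re.compile(
    r"^\s*(\d+)\s+(?:(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)|\*(?:\s+\*)*)\s*$")


def parse_hops(text):
    """Map hop number -> responder IP, or None for a hop that did not answer."""
    hops = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised traceroute line: {line!r}")
        hops[int(m.group(1))] = m.group(3)  # group 3 is None for '* * *'
    return hops


def compare_paths(a, b):
    """Classify every hop number that appears in either trace."""
    result = {}
    for n in sorted(set(a) | set(b)):
        x, y = a.get(n), b.get(n)
        if x is None and y is None:
            result[n] = "unanswered"   # neither trace got a reply
        elif x == y:
            result[n] = "same"
        elif x is None or y is None:
            result[n] = "silent"       # one trace got no reply at this hop
        else:
            result[n] = "different"    # both answered, with different routers
    return result


def summarize(result):
    """Count hops per classification, e.g. {'same': 3, 'different': 2}."""
    counts = {}
    for label in result.values():
        counts[label] = counts.get(label, 0) + 1
    return counts
```

For the UDP comparison hops 14 and 15 come out as "different", which is the kind of divergence the next slide tries to explain; for the ICMP comparison every hop is "silent" on one side, so that trace says nothing about which routers were on the path.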

Possible Explanations

Different packet types routed differently
Artifact of load balancing
Traceroute traffic intentionally routed differently
Responding falsely to detected traceroute traffic

To Do

Finish tweaking the traceroute program
Continue collecting data
Path differences have already begun to emerge
Try to characterize these differences, their causes, etc.

Papers Referenced

Matthew Luckie, Young Hyun, Bradley Huffaker. Traceroute Probe Method and Forward IP Path Inference.

Brice Augustin, Xavier Cuvellier, Benjamin Orgogozo, Fabien Viger, Timur Friedman, Matthieu Latapy, Clémence Magnien, Renata Teixeira. Avoiding traceroute anomalies with Paris traceroute.

Oliver Jensen. Traceroute Data Integrity and Route Concealment.