Abstract
Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detecting router aliases and, lately, to assisting detection of censorship in the Internet at large. These inferences have been possible because, in the past, the IP-ID was mostly implemented as a simple packet counter; however, this behavior has been discouraged for security reasons, and other policies, such as random values, have been suggested.
In this study, we propose a framework to classify the different IP-ID behaviors using active probing from a single host. Despite being only minimally intrusive, our technique is significantly accurate (99% true positive classification), robust against packet losses (up to 20%) and lightweight (a few packets suffice to discriminate all IP-ID behaviors). We then apply our technique to an Internet-wide census, where we actively probe one alive target in each routable /24 subnet: we find that the majority of hosts adopt constant IP-IDs (39%) or a local counter (34%), that the fraction of global counters (18%) has significantly diminished, that a non-marginal number of hosts have an odd behavior (7%) and that random IP-IDs are still an exception (2%).
Notes
1. In particular, [22] reports Windows and FreeBSD to use a global counter, Linux and MacOS to use local counters and OpenBSD to use pseudo-random IP-IDs.
2. Notice that packet losses and reordering may cause us to receive fewer than N packets, or to receive packets in a slightly different order from the one in which the target sent them. We come back to this issue later on.
3. Sequences from well-behaving hosts that have no software bug or malicious behavior, and that are affected by neither losses nor reordering.
4. Notice that even in the extreme case with as few as \(N'=2\) packets, random and constant classification are correctly labeled, whereas the remaining global vs local cannot be discriminated, yielding 0.70 accuracy in the \(\mathcal {G}\) set.
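A simplified heuristic for the IP-ID classes named in the abstract, added here as an illustration for checking a host you administer; it is not the paper's classifier. It assumes replies were collected while alternating probes from two source addresses (the labels `A` and `B`, the `max_step` threshold and the 0.2 cut-off are all assumptions), and it tolerates the losses and reordering mentioned in note 2 only within `max_step`.

```python
from collections import defaultdict

MOD = 1 << 16  # the IPv4 identification field is 16 bits wide

def signed_steps(ids):
    """Signed distance between consecutive IP-IDs, wrapped into [-32768, 32767]."""
    return [((b - a + MOD // 2) % MOD) - MOD // 2 for a, b in zip(ids, ids[1:])]

def counter_like(ids, max_step):
    """True if ids advance overall in small non-zero steps. Gaps (loss, other
    traffic) and small backward steps (reordering) are tolerated."""
    steps = signed_steps(ids)
    return bool(steps) and sum(steps) > 0 and all(0 < abs(s) <= max_step for s in steps)

def classify_ipid(samples, max_step=1000):
    """samples: (source_label, ipid) pairs in arrival order.
    Returns constant, global, local, global-or-local, random or odd."""
    ids = [ipid for _, ipid in samples]
    if len(ids) < 2:
        return "odd"  # nothing to compare
    if len(set(ids)) == 1:
        return "constant"
    per_src = defaultdict(list)
    for src, ipid in samples:
        per_src[src].append(ipid)
    if counter_like(ids, max_step):
        # One source alone cannot tell a shared counter from a per-destination one.
        return "global" if len(per_src) > 1 else "global-or-local"
    if all(counter_like(v, max_step) for v in per_src.values()):
        return "local"  # every source sees its own counter
    steps = [s for v in per_src.values() for s in signed_steps(v)]
    small = sum(1 for s in steps if abs(s) <= max_step)
    if steps and small / len(steps) <= 0.2:  # assumed cut-off
        return "random"
    return "odd"

# Constructed sample sequences (not measurements), probes alternating A and B.
SAMPLES = {
    "constant": [("A", 0), ("B", 0), ("A", 0), ("B", 0)],
    # wraps past 65535, has one reordered reply and a gap
    "global": [("A", 65533), ("B", 65535), ("A", 65534), ("B", 2), ("A", 5)],
    "local": [("A", 500), ("B", 9000), ("A", 501), ("B", 9001), ("A", 502), ("B", 9002)],
    "random": [("A", 41231), ("B", 907), ("A", 15872), ("B", 60044), ("A", 3310), ("B", 27519)],
    # one source sees a counter, the other a fixed value
    "odd": [("A", 10), ("B", 20000), ("A", 11), ("B", 20000), ("A", 12), ("B", 20000)],
}

if __name__ == "__main__":
    for expected, seq in SAMPLES.items():
        print(expected, "->", classify_ipid(seq))
```

A host that classifies as `global` exposes a counter shared across all destinations, which is the predictable behavior RFC 7739 in the reference list discusses.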
References
Bellovin, S.M.: A technique for counting NATted hosts. In: Proceedings of the IMW (2002)
Bender, A., Sherwood, R., Spring, N.: Fixing ally’s growing pains with velocity modeling. In: Proceedings of the ACM IMC (2008)
Beverly, R., Luckie, M., Mosley, L., Claffy, K.: Measuring and characterizing IPv6 router availability. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 123–135. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_10
Braden, R.: RFC 1122, Requirements for Internet Hosts - Communication Layers (1989)
Chen, W., Huang, Y., Ribeiro, B.F., Suh, K., Zhang, H., de Souza e Silva, E., Kurose, J., Towsley, D.: Exploiting the IPID field to infer network path and end-system characteristics. In: Dovrolis, C. (ed.) PAM 2005. LNCS, vol. 3431, pp. 108–120. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31966-5_9
Dainotti, A., Benson, K., King, A., Huffaker, B., Glatz, E., Dimitropoulos, X., Richter, P., Finamore, A., Snoeren, A.C.: Lost in space: improving inference of IPv4 address space utilization. In: IEEE JSAC (2016)
Pelletier, K.S.G.: RFC 5225, RObust Header Compression Version 2 (ROHCv2): Profiles for RTP, UDP, IP, ESP and UDP-Lite (2008)
Gilad, Y., Herzberg, A.: Fragmentation considered vulnerable. In: ACM TISSEC (2013)
Gont, F.: RFC 6274, Security assessment of the internet protocol version 4 (2011)
Gont, F.: RFC 7739, Security implications of predictable fragment identification values (2016)
Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., Bannister, J.: Census and survey of the visible internet. In: Proceedings of the ACM IMC (2008)
Herzberg, A., Shulman, H.: Fragmentation considered poisonous, or: one-domain-to-rule-them-all.org. In: IEEE CCNS (2013)
Idle scanning and related IPID games. https://nmap.org/book/idlescan.html
Jaiswal, S., Iannaccone, G., Diot, C., Kurose, J., Towsley, D.: Measurement and classification of out-of-sequence packets in a tier-1 IP backbone. In: IEEE/ACM TON (2007)
Keys, K., Hyun, Y., Luckie, M., Claffy, K.: Internet-scale IPv4 alias resolution with MIDAR. In: IEEE/ACM TON (2013)
Klein, A.: OpenBSD DNS cache poisoning and multiple O/S predictable IP ID vulnerability. Technical report (2007)
Loh, W.-Y.: Classification and regression trees. Wiley Interdiscipl. Rev.: Data Mining Knowl. Discov. 1, 14–23 (2011)
Luckie, M., Beverly, R., Brinkmeyer, W., et al.: Speedtrap: internet-scale IPv6 alias resolution. In: Proceedings of the ACM IMC (2013)
Mahajan, R., Spring, N., Wetherall, D., Anderson, T.: User-level internet path diagnosis. ACM SIGOPS Oper. Syst. Rev. 37(5), 106–119 (2003)
Mogul, J.C., Deering, S.E.: RFC 1191, Path MTU discovery (1990)
Mongkolluksamee, S., Fukuda, K., Pongpaibool, P.: Counting NATted hosts by observing TCP/IP field behaviors. In: Proceedings of the IEEE ICC (2012)
Pearce, P., Ensafi, R., Li, F., Feamster, N., Paxson, V.: Augur: Internet-wide detection of connectivity disruptions. In: IEEE SP (2017)
Postel, J.: RFC 791, Internet protocol (1981)
Salutari, F., Cicalese, D., Rossi, D.: A closer look at IP-ID behavior in the wild (extended tech. rep.). Technical report, Telecom ParisTech (2018)
Spring, N., Mahajan, R., Wetherall, D., Anderson, T.: Measuring ISP topologies with rocketfuel. In: IEEE/ACM TON (2004)
Touch, J.: RFC 6864, Updated Specification of the IPv4 ID Field (2013)
West, M.A., McCann, S.: RFC 4413, TCP/IP field behavior (2006)
Zander, S., Andrew, L.L., Armitage, G.: Capturing ghosts: predicting the used IPv4 space by inferring unobserved addresses. In: Proceedings of the ACM IMC (2014)
Acknowledgments
We thank our shepherd Robert Beverly and the anonymous reviewers whose useful comments helped us improve the quality of our paper. This work has been carried out at LINCS (http://www.lincs.fr) and benefited from support of NewNet@Paris, Cisco Chair “Networks for the Future” at Telecom ParisTech (http://newnet.telecom-paristech.fr).
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Salutari, F., Cicalese, D., Rossi, D.J. (2018). A Closer Look at IP-ID Behavior in the Wild. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds) Passive and Active Measurement. PAM 2018. Lecture Notes in Computer Science(), vol 10771. Springer, Cham. https://doi.org/10.1007/978-3-319-76481-8_18
DOI: https://doi.org/10.1007/978-3-319-76481-8_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76480-1
Online ISBN: 978-3-319-76481-8
eBook Packages: Computer Science, Computer Science (R0)