
A Closer Look at IP-ID Behavior in the Wild

  • Conference paper
Passive and Active Measurement (PAM 2018)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10771)


Abstract

Originally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detecting router aliases and, lately, to assisting detection of censorship in the Internet at large. These inferences were possible because, in the past, the IP-ID was mostly implemented as a simple packet counter; however, this behavior has been discouraged for security reasons, and other policies, such as random values, have been suggested.

In this study, we propose a framework to classify the different IP-ID behaviors using active probing from a single host. Despite being only minimally intrusive, our technique is significantly accurate (99% true positive classification), robust against packet losses (up to 20%) and lightweight (a few packets suffice to discriminate all IP-ID behaviors). We then apply our technique to an Internet-wide census, where we actively probe one alive target for each routable /24 subnet: we find that the majority of hosts adopt constant IP-IDs (39%) or a local counter (34%), that the fraction of global counters (18%) has significantly diminished, that a non-marginal number of hosts have an odd behavior (7%) and that random IP-IDs are still an exception (2%).
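How the constant, global-counter, local-counter and random behaviors differ in an observed reply sequence can be shown with a small heuristic, added here as an example; it is not the classifier proposed in the paper, and the paper's "odd" class is not modelled. It assumes probes alternate between two prober addresses (hypothetical labels "a" and "b"), that a local counter is kept per destination, that replies arrive in the order sent, and an assumed step bound `MAX_STEP`; the sample sequences are constructed.

```python
from collections import defaultdict

MAX_STEP = 2048      # assumed bound on a counter's increment between replies
MODULUS = 1 << 16    # the IPv4 Identification field is 16 bits wide


def _is_counter(ids, max_step=MAX_STEP):
    """True if every consecutive step, taken modulo 2^16, is in 1..max_step."""
    steps = [(b - a) % MODULUS for a, b in zip(ids, ids[1:])]
    return bool(steps) and all(1 <= s <= max_step for s in steps)


def classify_ipid(replies):
    """Classify replies given as (probe_source, ipid) pairs in arrival order.

    probe_source names which of the prober's addresses the reply was
    sent to; probes are assumed to alternate between two addresses.
    """
    per_source = defaultdict(list)
    for source, ipid in replies:
        per_source[source].append(ipid)
    all_ids = [ipid for _, ipid in replies]

    if len(per_source) < 2 or any(len(v) < 2 for v in per_source.values()):
        return "undetermined"   # too few replies to separate global from local
    if len(set(all_ids)) == 1:
        return "constant"
    if _is_counter(all_ids):
        return "global"         # one counter shared across all destinations
    if all(_is_counter(v) for v in per_source.values()):
        return "local"          # an independent counter per destination
    return "random"             # no counter structure found


# Constructed sample sequences (not measurement data).
SAMPLES = {
    "constant": [("a", 0), ("b", 0), ("a", 0), ("b", 0)],
    "global": [("a", 65533), ("b", 65534), ("a", 65535), ("b", 0), ("a", 2)],
    "local": [("a", 100), ("b", 5000), ("a", 101), ("b", 5001), ("a", 102)],
    "random": [("a", 12345), ("b", 60001), ("a", 233), ("b", 40000)],
}

if __name__ == "__main__":
    for expected, replies in SAMPLES.items():
        print(expected, "->", classify_ipid(replies))
```

The "global" sample wraps past 65535 and skips one value, which the modulo step test tolerates; a sequence with only one reply per prober address is reported as undetermined rather than guessed.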


Notes

  1. In particular, [22] reports Windows and FreeBSD to use a global counter, Linux and MacOS to use local counters and OpenBSD to use pseudo-random IP-IDs.

  2. Notice that packet losses and reordering may let us receive fewer than N packets, or receive packets in a slightly different order than that sent by the target. We come back to this issue later on.

  3. Sequences from well-behaving hosts that have no software bug or malicious behavior, and that are affected by neither losses nor reordering.

  4. Notice that even in the extreme case with as few as \(N'=2\) packets, random and constant classification are correctly labeled, whereas the remaining global vs local cannot be discriminated, yielding 0.70 accuracy in the \(\mathcal {G}\) set.

References

  1. https://perso.telecom-paristech.fr/drossi/dataset/IP-ID/

  2. Bellovin, S.M.: A technique for counting NATted hosts. In: Proceedings of the IMW (2002)

  3. Bender, A., Sherwood, R., Spring, N.: Fixing ally’s growing pains with velocity modeling. In: Proceedings of the ACM IMC (2008)

  4. Beverly, R., Luckie, M., Mosley, L., Claffy, K.: Measuring and characterizing IPv6 router availability. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 123–135. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15509-8_10

  5. Braden, R.: RFC 1122, Requirements for Internet Hosts - Communication Layers (1989)

  6. Chen, W., Huang, Y., Ribeiro, B.F., Suh, K., Zhang, H., de Souza e Silva, E., Kurose, J., Towsley, D.: Exploiting the IPID field to infer network path and end-system characteristics. In: Dovrolis, C. (ed.) PAM 2005. LNCS, vol. 3431, pp. 108–120. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31966-5_9

  7. Dainotti, A., Benson, K., King, A., Huffaker, B., Glatz, E., Dimitropoulos, X., Richter, P., Finamore, A., Snoeren, A.C.: Lost in space: improving inference of IPv4 address space utilization. In: IEEE JSAC (2016)

  8. Pelletier, K.S.G.: RFC 5225, RObust Header Compression Version 2 (ROHCv2): Profiles for RTP, UDP, IP, ESP and UDP-Lite (2008)

  9. Gilad, Y., Herzberg, A.: Fragmentation considered vulnerable. In: ACM TISSEC (2013)

  10. Gont, F.: RFC 6274, Security assessment of the internet protocol version 4 (2011)

  11. Gont, F.: RFC 7739, Security implications of predictable fragment identification values (2016)

  12. Heidemann, J., Pradkin, Y., Govindan, R., Papadopoulos, C., Bartlett, G., Bannister, J.: Census and survey of the visible internet. In: Proceedings of the ACM IMC (2008)

  13. Herzberg, A., Shulman, H.: Fragmentation considered poisonous, or: one-domain-to-rule-them-all.org. In: IEEE CCNS (2013)

  14. Idle scanning and related IPID games. https://nmap.org/book/idlescan.html

  15. Jaiswal, S., Iannaccone, G., Diot, C., Kurose, J., Towsley, D.: Measurement and classification of out-of-sequence packets in a tier-1 IP backbone. In: IEEE/ACM TON (2007)

  16. Keys, K., Hyun, Y., Luckie, M., Claffy, K.: Internet-scale IPv4 alias resolution with MIDAR. In: IEEE/ACM TON (2013)

  17. Klein, A.: OpenBSD DNS cache poisoning and multiple O/S predictable IP ID vulnerability. Technical report (2007)

  18. Loh, W.-Y.: Classification and regression trees. Wiley Interdiscipl. Rev.: Data Mining Knowl. Discov. 1, 14–23 (2011)

  19. Luckie, M., Beverly, R., Brinkmeyer, W., et al.: Speedtrap: internet-scale IPv6 alias resolution. In: Proceedings of the ACM IMC (2013)

  20. Mahajan, R., Spring, N., Wetherall, D., Anderson, T.: User-level internet path diagnosis. ACM SIGOPS Oper. Syst. Rev. 37(5), 106–119 (2003)

  21. Mogul, J.C., Deering, S.E.: RFC 1191, Path MTU discovery (1990)

  22. Mongkolluksamee, S., Fukuda, K., Pongpaibool, P.: Counting NATted hosts by observing TCP/IP field behaviors. In: Proceedings of the IEEE ICC (2012)

  23. Pearce, P., Ensafi, R., Li, F., Feamster, N., Paxson, V.: Augur: Internet-wide detection of connectivity disruptions. In: IEEE SP (2017)

  24. Postel, J.: RFC 791, Internet protocol (1981)

  25. Salutari, F., Cicalese, D., Rossi, D.: A closer look at IP-ID behavior in the wild (extended tech. rep.). Technical report, Telecom ParisTech (2018)

  26. Spring, N., Mahajan, R., Wetherall, D., Anderson, T.: Measuring ISP topologies with rocketfuel. In: IEEE/ACM TON (2004)

  27. Touch, J.: RFC 6864, Updated Specification of the IPv4 ID Field (2013)

  28. West, M.A., McCann, S.: RFC 4413, TCP/IP field behavior (2006)

  29. Zander, S., Andrew, L.L., Armitage, G.: Capturing ghosts: predicting the used IPv4 space by inferring unobserved addresses. In: Proceedings of the ACM IMC (2014)

Acknowledgments

We thank our shepherd Robert Beverly and the anonymous reviewers whose useful comments helped us improve the quality of our paper. This work has been carried out at LINCS (http://www.lincs.fr) and benefited from the support of NewNet@Paris, Cisco Chair “Networks for the Future” at Telecom ParisTech (http://newnet.telecom-paristech.fr).

Author information

Correspondence to Flavia Salutari.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Salutari, F., Cicalese, D., Rossi, D.J. (2018). A Closer Look at IP-ID Behavior in the Wild. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds) Passive and Active Measurement. PAM 2018. Lecture Notes in Computer Science, vol 10771. Springer, Cham. https://doi.org/10.1007/978-3-319-76481-8_18

  • DOI: https://doi.org/10.1007/978-3-319-76481-8_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76480-1

  • Online ISBN: 978-3-319-76481-8

  • eBook Packages: Computer Science (R0)
