Analysis of Internet Backbone Traffic and Header Anomalies Observed - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Analysis of Internet Backbone Traffic and Header Anomalies Observed


1
Analysis of Internet Backbone Traffic and Header
Anomalies Observed
  • Wolfgang John and Sven Tafvelin, Dept. of Computer
    Science and Engineering, Chalmers University of
    Technology, Göteborg, Sweden

2
Overview
  • Introduction
  • Traffic properties
  • IP properties
  • TCP properties
  • Header anomalies
  • Conclusions

3
Introduction: Measurement location
  • 2x 10 Gbit/s (OC-192)
  • 2x DAG6.2SE Cards
  • capturing headers only
  • IP addresses anonymized

[Figure: measurement location diagram; labels: Internet, Stockholm, Student-Net, Regional ISPs, Göteborg, Göteborgs Univ., Chalmers Univ., Other smaller Univ. and Institutes]

4
Traffic Properties
  • Data from 20 days in April 2006
  • 2x74 traces, 7.5 TB
  • 10.77 billion frames
  • 99.97% IPv4 packets

5
Traffic Properties (2)
  • Packet size distribution

[Figure: packet size distribution; annotations: (former) default 576 bytes, 1300 bytes, 628 bytes]

6
Traffic Properties: IP
  • IP properties
  • No IP options (only 68 instances)
  • 91.3% set DF bit
  • TOS: 0.02% ECN enabled packets

7
Traffic Properties: IP (2)
  • IP fragmentation rare (0.06%)
  • 90% of fragmented packets incoming
  • 97% UDP
  • 10% outgoing
  • 63% ESP, between 1 pair of hosts
  • VPN header causes fragmentation
  • 72% of the fragmented traffic during office hours
    (10AM, 2PM)

8
Traffic Properties: TCP
  • TCP options in SYN segments
  • TCP options values
  • MSS: from 0 to 65535; 94% 1400-1460 (Ethernet
    max.)
  • WS: scale factors up to 14; 58% scale factor
    zero; 31% scale factor 2
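
Added example, not part of the presentation and not the authors' tooling: one way to tag header-only IPv4 captures with the properties counted on slides 6 to 8 (IP options, DF bit, ECN bits, fragmentation, MSS and window scale in SYN segments) and to flag option lengths that contradict the header. All function names, tag names and the sample packet are assumptions made for this illustration.

```python
import struct
from collections import Counter

def syn_options(opts: bytes) -> set:
    """Walk the TCP option list of a SYN; report MSS, window scale, malformed lengths."""
    tags, i = set(), 0
    while i < len(opts) and opts[i] != 0:            # kind 0 = end of option list
        if opts[i] == 1:                             # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            tags.add("bad_tcp_option")               # length field inconsistent with header
            break
        kind, length = opts[i], opts[i + 1]
        if kind == 2 and length == 4:
            tags.add("mss=%d" % struct.unpack("!H", opts[i + 2:i + 4])[0])
        elif kind == 3 and length == 3:
            tags.add("ws=%d" % opts[i + 2])
        i += length
    return tags

def classify(pkt: bytes) -> set:
    """Tag one raw IPv4 packet (headers only) with the properties counted on the slides."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 and pkt[0] >> 4 == 4 else 0
    if not 20 <= ihl <= len(pkt):                    # not IPv4, truncated, or bad IHL
        return {"bad_ip_header"}
    tags = {"ip_options"} if ihl > 20 else set()
    if pkt[1] & 0x03:                                # ECN bits of the former TOS byte
        tags.add("ecn")
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if flags_frag & 0x4000:
        tags.add("df")
    if flags_frag & 0x3FFF:                          # MF flag or non-zero fragment offset
        tags.add("fragment")
    tcp = pkt[ihl:]
    if pkt[9] == 6 and not flags_frag & 0x1FFF and len(tcp) >= 20 and tcp[13] & 0x02:
        doff = (tcp[12] >> 4) * 4                    # TCP header length incl. options
        tags |= syn_options(tcp[20:doff]) if 20 <= doff <= len(tcp) else {"bad_tcp_doff"}
    return tags

def tally(packets) -> Counter:
    return Counter(tag for p in packets for tag in classify(p))

def sample_syn(mss=1460, ws=2, df=True) -> bytes:
    """Constructed input: IPv4 + TCP SYN with MSS, NOP, WS options; checksums left zero."""
    opts = struct.pack("!BBH", 2, 4, mss) + bytes([1, 3, 3, ws])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return ip + tcp
```

Feeding `tally()` the packets of a trace yields per-property counts; dividing by the packet total gives shares of the kind reported on the slides.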

9
Header Anomalies
  • 10.7 billion IP packets
  • 9.8 billion TCP segments

10
Summary and Conclusions
  • Updated packet-level characteristics of Internet
    traffic
  • Inconsistencies in headers will appear
  • Network attacks and malicious traffic
  • Active OS fingerprinting
  • Buggy applications or protocol stacks

11
Thank you very much for your attention!
  • Questions?