Differences between In- and Outbound Internet Backbone Traffic

1
Differences between In- and Outbound Internet
Backbone Traffic

• Wolfgang John and Sven TafvelinDept. of Computer
  Science and EngineeringChalmers University of
  TechnologyGöteborg, Sweden

2
Overview

• Introduction
• Highlights of directional differences on
• IP level
• TCP level
• UDP level
• Summary of results
• Conclusions

3
Introduction Motivation

• Why measuring on Internet links?
• to understand the nature of Internet traffic
• quantify deployment of protocol features
• Interesting for
• Network engineers and protocol developers
• Network modeling and simulation community
• Network security and intrusion detection

4
Introduction Related work

• Directional differences on backbone traffic
• Evident on simple packet header analysis
• Correlation of packets might reveal reasons
• Related work
• Mainly unidirectional flow data (NetFlow)
• Either low or very high aggregation level
• Marginal discussion on directional differences

5
Introduction Our contribution

• Complete view on different levels
• Contemporary data
• Packet level analysis
• Bi-directional TCP connections
• Specific measurement location
• Medium aggregation level
• Suitable for highlighting directional differences

6
Introduction Measurement location
Internet

• 2x 10 Gbit/s (OC-192)
• 2x DAG6.2SE Cards
• tightly synchronized
• capturing headers

Sthlm
Stud-Net
Regional ISPs
Gbg
Chalmers Univ.
Göteborgs Univ.
7
Introduction General traffic characteristics

• Data from 20 days in April 2006
• 146 traces, 10.7 billion frames, 7.5 TB
• 99.99 IPv4 data
• 93 TCP packets
• 97 TCP data
• Data and packet counts equal on inbound and
  outbound links!

8
Highlights IP level

• Distinct IP addresses seen (in Millions)

9
Highlights IP level

• Distinct IP addresses seen (in Millions)
• Surprisingly large numbers
• Inbound destinations gtgt outbound sources
• Outside hosts primarily due to UDP

10
Highlights TCP level

• Connection attempt breakdown (Millions)

11
Highlights TCP level

• Connection attempt breakdown (Millions)
• Inbound connections mainly scans!

12
Highlights TCP level (2)

• TCP termination behavior (Millions)

13
Highlights TCP level (2)

• TCP termination behavior (Millions)
• Only 67 close properly (2xFIN)
• Inbound 20 of conn. closed by FIN and RST!

14
Highlights TCP level (3)

• Statistical properties of established TCP
  connections
• Lifetime, data volume, packet count
• Inbound connections more likely to
• show lifetimes between 1 and 5 seconds
• be long lasting (gt10 minutes)
• carry more data and more packets
• show higher asymmetry (client-server pattern)

15
TCP level P2P traffic

• Quantification according to port-numbers
• Missing payload
• ? underestimated by factor 2-3 ,
• 13 of data in outbound connections
• 25 of data in inbound connections

S. Sen et al, Accurate, Scalable
in-network identification of P2P traffic across
large networks, IMW 2002 T. Karagiannis et
al, Transport layer identification of P2P
Traffic, ACM SIGCOMM 2004
16
Highlights UDP level

• 68 million UDP flows
• 51 million carry less than 3 packets!
• DNS 5 NTP 1.7
• Incoming scanning gt 8
• P2P overlay traffic gt 20
• Signaling Traffic
• Distributed Hash Table (DHT) like Kademlia
• Update routing tables in decentralized way
• Periodic ping queries and replies
• P2P overlay networks span entire globe
• High fluctuation in peering partners ? lots of
  IPs

17
Summary of results

• Besides equal counts and volumes on both links,
  directional differences were found in
• IP packet sizes
• IP fragmentation
• Number of TCP connections
• TCP connection establishment termination
• TCP option usage
• TCP connection properties
• UDP scanning traffic

18
Conclusion

• High level analysis does not necessarily show
  differences ? detailed analysis does!
• 2 main reasons for directional differences
• Malicious traffic
• the Internet is unfriendly
• P2P
• Göteborg is a P2P source
• P2P is changing traffic characteristicse.g.
  packet sizes, TCP termination, TCP option usage

19
Thank you very much for you attention!

• Questions?

20
BACKUP

• BACKUP SLIDES

21
Common P2P port numbers
22
TCP level (4)

• TCP options (in )

23
TCP level (4)

• TCP options (in )

24
IP level (2)

• Packet size distribution on the 2 links

25
IP level (2)

• Packet size distribution on the 2 links

26
IP level (3)

• IP fragmentation on the 2 links

27
Malicous traffic / P2P traffic

• Connection properties

lifetime in sec