Yarrping the Internet, Robert Beverly, Naval Postgraduate School

SLIDE 1

Yarrp’ing the Internet

Robert Beverly

Naval Postgraduate School February 12, 2016

Active Internet Measurements (AIMS) Workshop

  • R. Beverly (NPS)

Yarrp AIMS 2016 1 / 17

SLIDE 2

Motivation

Active Topology Probing

  • Years (and years) of prior work on Internet-scale topology probing, e.g., Scamper, DoubleTree, iPlane
  • It’s 2016: Why can’t we traceroute to every IPv4 destination quickly? e.g., O(minutes)?
  • (The ZMap [a] and Masscan [b] folks can do it – why can’t we?)

  • [a] Z. Durumeric et al., 2013
  • [b] R. Graham, 2013

SLIDE 4

Motivation State-of-the-art

Existing traceroute-style approaches:
  • Maintain state over outstanding probes (identifier, origination time)
  • Are sequential, probing all hops along the path.
  • At best, parallelism limited to a window of outstanding destinations being probed.

Implications:
  • Concentrates load: along paths, links, routers (potentially triggering rate-limiting or IDS alarms)
  • Production systems probe slowly

SLIDE 6

Methodology

Yarrp

“Yelling at Random Routers Progressively”

Takes inspiration from ZMap:
  • Uses a block cipher to randomly permute the <IP, TTL> space
  • Is stateless, recovering necessary information from replies
  • Permits fast Internet-scale active topology probing (even from a single VP)

SLIDE 7

Methodology Traditional Traceroute

Example Topology

[Figure: example topology with the prober and targets T1, T2 and T3]

SLIDE 8

Methodology Traditional Traceroute

[Figure: prober sending a probe with ttl=2 toward T1]

Traditional traceroute sends probes with incrementing TTL to destination T1

SLIDE 9

Methodology Traditional Traceroute

[Figure: prober sending a probe with ttl=4 toward T1]

... continuing until finished with T1 (reach destination or gap limit). Prober must maintain state, while traffic is concentrated on the prober-to-T1 path

SLIDE 10

Methodology Yarrp

[Figure: example topology (prober, T1, T2, T3) with a probe labelled ttl=4, dst=t2]

Yarrp iterates through randomly permuted < Target, TTL > pairs

SLIDE 11

Methodology Yarrp

[Figure: example topology (prober, T1, T2, T3) with probes labelled ttl=2, dst=t1 and ttl=3, dst=t3]

Yarrp iterates through randomly permuted < Target, TTL > pairs

SLIDE 12

Methodology Yarrp

Inferred Topology

[Figure: inferred topology over the prober and targets T1, T2 and T3]

Finally, stitch together topology. Requires state and computation, but off-line after probing completes.

SLIDE 13

Methodology Challenges

Encoding State

[Figure: IP and TCP header layout of a Yarrp probe. IP header: Protocol = TCP, Source IP = prober, Destination IP = target, IPID = send TTL. TCP header: Source Port = cksum(Target IP), d_port = 80, Sequence Number = send elapsed time (ms).]

  • IPID = Probe’s TTL
  • TCP Source Port = cksum(Target IP destination) [a]
  • TCP Seq No = Probe send time (elapsed ms)
  • Per-flow load balancing fields remain constant (à la Paris)
  • Assume routers echo only 28B of expired packet

  • [a] Malone, PAM 2007: ≈2% of quotations contained modified destination IP

SLIDE 14

Methodology Challenges

Recovering State

[Figure: ICMP TTL exceeded reply (type=11, code=0). Outer IP header: Protocol = ICMP, Source IP = router interface, Destination IP = prober. Quoted probe: TTL=0, Protocol = TCP, Source IP = prober, Destination IP = target, IPID = send TTL, Source Port = cksum(Target IP), d_port = 80, Sequence Number = send elapsed time (ms).]

ICMP TTL exceeded replies permit recovery of: target probed, originating TTL (hop), and responding router interface at that hop.
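
The encoding and recovery described on the last two slides, as an added Python example that is not from the slides or from Yarrp's code. It builds the 28 bytes a router would quote and parses a constructed ICMP reply; the Internet checksum as cksum(), the addresses and all function names are assumptions, and nothing is sent on the network.

```python
import socket
import struct

def cksum16(data: bytes) -> int:
    """16-bit ones'-complement Internet checksum (assumed choice of cksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encode_probe(prober: str, target: str, ttl: int, elapsed_ms: int) -> bytes:
    """Build the 28 bytes a router echoes: IPv4 header + first 8B of TCP."""
    src, dst = socket.inet_aton(prober), socket.inet_aton(target)
    # IPID = send TTL. Header checksum is left 0 in this constructed packet.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ttl, 0, ttl, 6, 0, src, dst)
    # Source port = cksum(target IP), d_port = 80, seq = elapsed ms.
    tcp = struct.pack("!HHI", cksum16(dst), 80, elapsed_ms & 0xFFFFFFFF)
    return ip + tcp

def constructed_reply(router: str, prober: str, quote: bytes) -> bytes:
    """Constructed ICMP TTL exceeded reply; checksums are left 0."""
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, 64, 1, 0,
                        socket.inet_aton(router), socket.inet_aton(prober))
    expired = quote[:8] + b"\x00" + quote[9:]  # quoted TTL has reached 0
    return outer + struct.pack("!BBHI", 11, 0, 0, 0) + expired

def recover_state(reply: bytes):
    """Recover router, target, hop and send time from the reply alone."""
    if len(reply) < 20:
        return None
    ihl = (reply[0] & 0x0F) * 4
    quote = reply[ihl + 8:]  # quoted header assumed to carry no IP options
    if reply[9] != 1 or reply[ihl:ihl + 2] != b"\x0b\x00" or len(quote) < 28:
        return None  # not ICMP type=11 code=0 with a full 28B quotation
    ipid, = struct.unpack("!H", quote[4:6])
    sport, dport, seq = struct.unpack("!HHI", quote[20:28])
    dst = quote[16:20]
    return {"router": socket.inet_ntoa(reply[12:16]),
            "target": socket.inet_ntoa(dst), "hop": ipid, "sent_ms": seq,
            # False when the quoted destination IP was modified in flight
            "target_intact": sport == cksum16(dst)}

probe = encode_probe("192.0.2.1", "198.51.100.7", ttl=5, elapsed_ms=1234)
print(recover_state(constructed_reply("203.0.113.9", "192.0.2.1", probe)))
```

The `target_intact` flag is the reason the target's checksum travels in the source port: it lets the receiver discard quotations whose destination IP no longer matches what was sent.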

SLIDE 15

Methodology Challenges

Distribution of unique interfaces discovered vs. TTL for all Ark monitors, one Ark topology probing cycle

[Figure: unique interfaces (log scale, 10^0 to 10^5) vs. trace TTL (1 to 32)]

Problem: knowing when to stop

Little discoverable topology past TTL=32 ⇒ limit <IP, TTL> search space to TTL ≤ 32

SLIDE 16

Results

Initial Testing

Speed:
  • C++ implementation w/o tuning
  • Linux KVM (1 core, Intel L5640 @ 2.27GHz)
  • Achieve 106K pps

Proof-of-concept:
  • Sent 10M probes in ≈ 100 sec
  • Discovered 178,453 unique router interfaces
  • CPU: 52%

SLIDE 17

Results

What’s Possible

Traceroute to an address in each /24, for TTLs 1-32

$t = \frac{2^{24} \cdot 2^{5}}{100\,\mathrm{Kpps}} \simeq 84\,\mathrm{min}$

Traceroute to every routed IPv4 destination

$t = \frac{2^{31} \cdot 2^{5}}{100\,\mathrm{Kpps}} \simeq 1\,\mathrm{week}$

SLIDE 18

Results

Optimizations

  • Base Yarrp requires no state (Must reconstruct traces, but that’s an offline local process)
  • If we’re willing to maintain some space, we can optimize:

Time Memory Trade Off
  • Probe only routed destinations (radix trie BGP RIB)
  • Avoiding repeated re-discovery of prober’s local neighborhood (state over small number of interfaces near prober)

Distribute: only requires communicating block cipher key and offset!
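
The keyed permutation of the <IP, TTL> space from the Methodology slides, and the key-plus-offset distribution noted above, as an added Python example that is not from the slides or from Yarrp's code. A toy Feistel network built on SHA-256 stands in for the block cipher; the stride parameter, the key, the target addresses and all function names are assumptions.

```python
import hashlib

MAX_TTL = 32  # the slides limit the search space to TTL <= 32

def round_fn(key: bytes, rnd: int, half: int, bits: int) -> int:
    """Keyed round function: truncated SHA-256 (toy stand-in for a cipher)."""
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big") & ((1 << bits) - 1)

def permute(key: bytes, index: int, domain: int) -> int:
    """Map index to a unique value in [0, domain) with a 4-round Feistel."""
    half = max(1, ((domain - 1).bit_length() + 1) // 2)  # bits per half
    mask = (1 << half) - 1
    x = index
    while True:
        left, right = x >> half, x & mask
        for rnd in range(4):
            left, right = right, left ^ round_fn(key, rnd, right, half)
        x = (left << half) | right
        if x < domain:  # cycle-walk: re-encrypt until back inside the domain
            return x

def probe_order(key: bytes, targets: list, offset: int = 0, stride: int = 1):
    """Yield (target, ttl) pairs; a worker needs only key, offset and stride."""
    domain = len(targets) * MAX_TTL
    for i in range(offset, domain, stride):
        p = permute(key, i, domain)
        yield targets[p // MAX_TTL], p % MAX_TTL + 1

# Constructed sample input: three documentation addresses as targets.
targets = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
for pair in list(probe_order(b"constructed-demo-key", targets))[:5]:
    print(pair)
```

No per-probe state is kept: the position counter and the key fully determine which <target, TTL> pair comes next, and workers given different offsets cover disjoint parts of the same permutation.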

SLIDE 19

Results

Next Steps

Yarrping the Internet
  • Push limits on how fast we can map the entire IPv4 Internet
  • Compare discovered topologies from e.g. Ark versus Yarrp

Applications?
  • What do two snapshots of the Internet topology separated by an hour reveal?
  • Others?

Thanks! – Questions?

https://www.cmand.org
