Skip to main content
SpringerLink
Log in
Book cover

International Conference on Passive and Active Network Measurement

PAM 2020: Passive and Active Measurement pp 231–248Cite as

Alias Resolution Based on ICMP Rate Limiting

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 12048))

Abstract

Alias resolution techniques (e.g., Midar) associate, mostly through active measurement, a set of IP addresses as belonging to a common router. These techniques rely on distinct router features that can serve as a signature. Their applicability is affected by router support of the features and the robustness of the signature. This paper presents a new alias resolution tool called Limited Ltd. that exploits ICMP rate limiting, a feature that is increasingly supported by modern routers that has not previously been used for alias resolution. It sends ICMP probes toward target interfaces in order to trigger rate limiting, extracting features from the probe reply loss traces. It uses a machine learning classifier to designate pairs of interfaces as aliases. We describe the details of the algorithm used by Limited Ltd. and illustrate its feasibility and accuracy. Limited Ltd. not only is the first tool that can perform alias resolution on IPv6 routers that do not generate monotonically increasing fragmentation IDs (e.g., Juniper routers) but it also complements the state-of-the-art techniques for IPv4 alias resolution. All of our code and the collected dataset are publicly available.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We have explicitly verified that the actual probing rate is not limited by the network card or other factors.

  2. 2.

    The largest reported alias set by Midar and Speedtrap has 43 interfaces. Therefore, the likelihood of observing 50 candidate interfaces that are all aliases is low.

  3. 3.

    Limited Ltd. maintains the flow ID necessary to reach \(\kappa _s\) in subsequent probing of s and \(\kappa _s\).

  4. 4.

    https://gitlab.planet-lab.eu/cartography.

References

  1. PlanetLab Europe. https://www.planet-lab.eu

  2. Private communication with CAIDA

    Google Scholar 

  3. RIPE Registry. https://www.ripe.net/publications/docs/ripe-508

  4. Alvarez, P., Oprea, F., Rule, J.: Rate-limiting of IPv6 traceroutes is widespread: measurements and mitigations. In: Proceedings of IETF, vol. 99 (2017)

    Google Scholar 

  5. Aminikhanghahi, S., Cook, D.J.: A survey of methods for time series change point detection. Knowl. Inf. Syst. 51(2), 339–367 (2017)

    Article  Google Scholar 

  6. Augustin, B., et al.: Avoiding traceroute anomalies with Paris Traceroute. In: Proceedings of IMC (2006)

    Google Scholar 

  7. Bender, A., Sherwood, R., Spring, N.: Fixing Ally’s growing pains with velocity modeling. In: Proceedings of IMC (2008)

    Google Scholar 

  8. Breiman, L., Friedman, J., Olshen, R., Stone, C.: Classification and Regression Trees. Wadsworth and Brooks, Monterey (1984)

    MATH  Google Scholar 

  9. Cisco: Cisco IOS quality of service solutions configuration guide, release 12.2SR. In: Policing and Shaping Overview. https://www.cisco.com/c/en/us/td/docs/ios/qos/configuration/guide/12_2sr/qos_12_2sr_book/polcing_shping_oview.html

  10. Cisco: Configure commonly used IP ACLs. https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html

  11. Cisco: Control plane policing implementation best practices. https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html#7

  12. Cisco: IPv6 ICMP rate limiting. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-icmp-rate-lmt-xe.pdf

  13. Conta, A., Gupta, M.: RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol version 6 (IPv6) specification. IETF (2006)

    Google Scholar 

  14. Deal, R.A.: Cisco router firewall security: DoS protection. http://www.ciscopress.com/articles/article.asp?p=345618&seqNum=5

  15. Ensafi, R., Knockel, J., Alexander, G., Crandall, J.R.: Detecting intentional packet drops on the Internet via TCP/IP side channels. In: Proceedings of PAM (2014)

    Google Scholar 

  16. Govindan, R., Tangmunarunkit, H.: Heuristics for Internet map discovery. In: Proceedings of INFOCOM (2000)

    Google Scholar 

  17. Gunes, M.H., Sarac, K.: Resolving IP aliases in building traceroute-based Internet maps. IEEE/ACM Trans. Netw. 17(6), 1738–1751 (2009)

    Article  Google Scholar 

  18. Gunes, M.H., Sarac, K.: Importance of IP alias resolution in sampling Internet topologies. In: Proceedings of GI (2007)

    Google Scholar 

  19. Guo, H., Heidemann, J.: Detecting ICMP rate limiting in the Internet. In: Proceedings of PAM (2018)

    Google Scholar 

  20. Juniper: Default ICMP rate limit on the system for host inbound connections. https://kb.juniper.net/InfoCenter/index?page=content&id=KB28184&cat=SRX_SERIES&actp=LIST

  21. Juniper: IPv6 multicast routing on E series broadband services routers, release 15.1. Access-list. https://www.juniper.net/documentation/en_US/junose15.1/topics/reference/command-summary/access-list.html

  22. Juniper: Policer implementation overview. https://www.juniper.net/documentation/en_US/junos/topics/concept/policer-mx-m120-m320-implementation-overview.html

  23. Juniper: System management and monitoring feature guide for switches. Internet-options (ICMPv4). https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/icmpv4-rate-limit-edit-system.html

  24. Juniper: System management and monitoring feature guide for switches. Internet-options (ICMPv6). https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/icmpv6-rate-limit-edit-system.html

  25. Keys, K.: Internet-scale IP alias resolution techniques. ACM SIGCOMM Comput. Commun. Rev. 40(1), 50–55 (2010)

    Article  Google Scholar 

  26. Keys, K., Hyun, Y., Luckie, M., Claffy, K.: Internet-scale IPv4 alias resolution with MIDAR. IEEE/ACM Trans. Netw. 21(2), 383–399 (2013)

    Article  Google Scholar 

  27. Killick, R., Eckley, I.A.: changepoint: an R package for changepoint analysis. J. Stat. Softw. 58(3), 1–19 (2014). http://www.jstatsoft.org/v58/i03/

    Article  Google Scholar 

  28. Kim, S., Harfoush, K.: Efficient estimation of more detailed Internet IP maps. In: Proceedings of ICC (2007)

    Google Scholar 

  29. Luckie, M., Beverly, R., Brinkmeyer, W., et al.: SpeedTrap: Internet-scale IPv6 alias resolution. In: Proceedings of IMC (2013)

    Google Scholar 

  30. Marchetta, P., Persico, V., Pescapè, A.: Pythia: yet another active probing technique for alias resolution. In: Proceedings of CoNEXT (2013)

    Google Scholar 

  31. Padmanabhan, R., Li, Z., Levin, D., Spring, N.: UAv6: alias resolution in IPv6 using unused addresses. In: Proceedings of PAM (2015)

    Google Scholar 

  32. Pansiot, J.J., Grad, D.: On routes and multicast trees in the Internet. ACM SIGCOMM Comput. Commun. Rev. 28(1), 41–50 (1998)

    Article  Google Scholar 

  33. Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)

    MathSciNet  MATH  Google Scholar 

  34. Postel, J.: RFC 792. Internet Control Message Protocol, IETF (1981)

    Google Scholar 

  35. Qian, S., Wang, Y., Xu, K.: Utilizing destination options header to resolve IPv6 alias resolution. In: Proceedings of GLOBECOM (2010)

    Google Scholar 

  36. Qian, S., Xu, M., Qiao, Z., Xu, K.: Route positional method for IPv6 alias resolution. In: Proceedings of ICCCN (2010)

    Google Scholar 

  37. Ravaioli, R., Urvoy-Keller, G., Barakat, C.: Characterizing ICMP rate limitation on routers. In: Proceedings of ICC (2015)

    Google Scholar 

  38. Sherry, J., Katz-Bassett, E., Pimenova, M., Madhyastha, H.V., Anderson, T., Krishnamurthy, A.: Resolving IP aliases with prespecified timestamps. In: Proceedings of IMC (2010)

    Google Scholar 

  39. Sherwood, R., Bender, A., Spring, N.: Discarte: a disjunctive Internet cartographer. ACM SIGCOMM Comput. Commun. Rev. 38(4), 303–314 (2008)

    Article  Google Scholar 

  40. Spring, N., Mahajan, R., Wetherall, D.: Measuring ISP topologies with rocketfuel. ACM SIGCOMM Comput. Commun. Rev. 32(4), 133–145 (2002)

    Article  Google Scholar 

  41. Vermeulen, K., Strowes, S.D., Fourmaux, O., Friedman, T.: Multilevel MDA-lite Paris Traceroute. In: Proceedings of IMC (2018)

    Google Scholar 

  42. Willinger, W., Alderson, D., Doyle, J.C.: Mathematics and the Internet: a source of enormous confusion and great potential. Not. Am. Math. Soc. 56(5), 586–599 (2009)

    MathSciNet  MATH  Google Scholar 

Download references

Acknowledgments

We thank Niels den Otter from SURFnet and Simon Leinen from Switch network for their time in conducting joint experiments of Limited Ltd. We thank people from Internet2 and Switch for providing the ground truth of their network. We thank the anonymous reviewers from both the PAM TPC and our shepherd, for their careful reading of this paper and suggestions for its improvement. Kevin Vermeulen, Olivier Fourmaux, and Timur Friedman are associated with Sorbonne Université, CNRS, Laboratoire d’informatique de Paris 6, LIP6, F-75005 Paris, France. Kevin Vermeulen and Timur Friedman are associated with the Laboratory of Information, Networking and Communication Sciences, LINCS, F-75013 Paris, France. A research grant from the French Ministry of Defense has made this work possible.

Author information

Authors and Affiliations

  1. Sorbonne Université, Paris, France

    Kevin Vermeulen, Burim Ljuma, Vamsi Addanki, Matthieu Gouel, Olivier Fourmaux & Timur Friedman

  2. University of Oregon, Eugene, USA

    Reza Rejaie

Authors
  1. Kevin Vermeulen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Burim Ljuma
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vamsi Addanki
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Matthieu Gouel
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Olivier Fourmaux
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Timur Friedman
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Reza Rejaie
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Kevin Vermeulen , Burim Ljuma , Vamsi Addanki , Matthieu Gouel , Olivier Fourmaux , Timur Friedman or Reza Rejaie .

Editor information

Editors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Anna Sperotto

  2. University of California, San Diego, CA, USA

    Alberto Dainotti

  3. University of Zürich, Zürich, Switzerland

    Burkhard Stiller

A Ethical Considerations

A Ethical Considerations

1.1 A.1 Precautions Taken

We take two precautions, that we understand to be community best practice: We sent all probing traffic from IP addresses that were clearly associated via WhoIs with their host locations, either at our institution or others hosting PlanetLab Europe nodes. We have also set up a web server on the probing machines with a contact email, so that any network operators could opt out from our experiment. We received no notice whatsoever from network operators expressing concern about our measurements. Though this is a positive sign, it could be that there are impacts that were not noticed, or that the concerns did not reach us. We therefore pushed our examination further, as detailed in the following sections.

Fig. 5.
figure 5

Maximum loss rates

Full size image

1.2 A.2 Impact on Other Measurements

Limited Ltd. ’s \(\mathtt {find\_rate}()\) aims to find an ICMP Echo Request probing rate that produces an Echo Reply trace with a loss rate in the [0.05, 0.10] range. While it is searching for this rate, it can induce a loss rate above 0.10. If it does so, it proceeds to a binary search to find a lower probing rate for which traces falls within the desired range. Figure 5 shows that loss rates can go as high as 0.60.

The impact on reachability for the IP addresses of that node is that there is a worst case 0.60 probability that a single ping packet to such an address will not receive a response if it arrives at the node during the five seconds of highest rate probing time. Most pings occur in series of packets, so the worst case probabilities are 0.36 for two ping packets being lost, 0.22 for three, 0.13 for four, 0.08 for five, and 0.05 for six. These are worst case probabilities for the five seconds at highest loss rate. Average reachability failure probabilities are 0.22 for one ping packet, 0.05 for two, 0.01 for three, and so on, while a node is being probed at its highest rate. To judge whether such a level of interference with other measurements is exceptional, we compare it to the impact of the state-of-the-art Midar tool. Midar has a phase during which it elicits three series of 30 responses each, using different methods for each series: TCP SYN packets, to elicit TCP RST or TCP SYN-ACK responses; UDP packets to a high port number, to elicit ICMP Destination Unreachable responses; and ICMP Echo Request packets, to elicit ICMP Echo Reply responses [26]. The probing rate is very low compared to Limited Ltd.: a mere 100 packets per second across multiple addresses. This is not a concern for the TCP and ICMP probing. However, the UDP probing taps into an ICMP rate limiting mechanism that tends to be much less robust than the typical ICMP Echo Reply mechanism on some routers. ICMP Destination Unreachable messages are often rate limited at 2 packets per second, which is \(1/500^\mathrm {th}\) the typical rate at which ICMP Echo Reply messages are rate limited. (For example, the default rate at which Cisco routers limit ICMP Destination Unreachable messages is 1 every 500 ms.)

Fig. 6.
figure 6

Example erroneous traceroute result

Full size image

We found that, when an IP address is a traceroute destination, Midar can completely block ICMP Destination Unreachable messages coming from that destination. Figure 6 illustrates the impact. The figure shows two traceroute results, the top one from before or after Midar being run, and the bottom one during Midar probing. During the Midar run, we see that traceroute receives no responses while it is probing hop 15, where the destination is in fact to be found. The normal functioning of traceroute is to continue probing at higher and higher hop counts. Only a few seconds later, when traceroute is sending probes to hop 20, does it start to receive ICMP Destination Unreachable messages from the destination. The result is an erroneous traceroute, indicating that the destination is five hops further away than it actually is. We observed this erroneous traceroute effect on 2,196 IP addresses out of a dataset of 10,000 IPv4 addresses collected from across the Internet. For both Limited Ltd. and Midar, transient interference with other measurements can be observed for the few seconds during which an IP address is being probed. Our conclusion is not that the diminution in ping reachability induced by Limited Ltd. is necessarily anodyne. Care should be taken to circumscribe this effect. But we observe that it does not stand out in terms of its impact on other measurements.

CPU Usage. We now examine the CPU overhead generated by Limited Ltd., and its potential impact on the forwarding plane and other features involving the CPU. We have run an experiment in a local network with our own Cisco (model 3825, IOS 12.3) and Juniper (model J4350, JunOS 8.0R2.8) routers. The experiment consists in measuring three metrics while \(\mathtt {find\_rate}()\) routine of Limited Ltd., which has the highest probing rate, is running. We measured: (1) The CPU usage of the router, (2) the throughput of a TCP connection between the two end hosts, and (3) the rate of BGP updates. ICMP rate limiting is configured on both our Juniper and Cisco routers with an access list [10, 21], limiting the ICMP input bandwidth destined to the router to 1,000 packets per second, which is the default configuration on Juniper routers.

TCP throughput was unaffected, at an average of 537 Mbps and BGP updates remained constant at 10 per second. CPU usage was at 5% for Cisco and 15% for Juniper when Limited Ltd. was not probing. During the probing, the maximum overhead was triggered for both at a maximum probing rate of 2,048 packets per second, with a peak at 10% for Cisco and 40% for Juniper during 5 s. Our conclusion is that there is an impact of high probing rates on CPU, but we do not witness a disruptive impact on either the data plane (TCP throughput) or the control plane (BGP update rate).

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Vermeulen, K. et al. (2020). Alias Resolution Based on ICMP Rate Limiting. In: Sperotto, A., Dainotti, A., Stiller, B. (eds) Passive and Active Measurement. PAM 2020. Lecture Notes in Computer Science(), vol 12048. Springer, Cham. https://doi.org/10.1007/978-3-030-44081-7_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-44081-7_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-44080-0

  • Online ISBN: 978-3-030-44081-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation