Non-Trivial Off-Path Network Measurements without Shared Side-Channel Resource Exhaustion

Most traditional network measurement scans and attacks are carried out through the use of direct, on-path network packet transmission. This requires that a machine be on-path (i.e, involved in the packet transmission process) and as a result have direct access to the data packets being transmitted. This limits network scans and attacks to situations where access can be gained to an on-path machine. If, for example, a researcher wanted to measure the round trip time between two machines they did not have access to, traditional scans would be of little help as they require access to an on-path machine to function. Instead the researcher would need to use an off-path measurement scan. Prior work using network side-channels to perform off-path measurements or attacks relied on techniques that either exhausted the shared, finite resource being used as a side-channel or only measured basic features such as connectivity. The work presented in this dissertation takes a different approach to using network side-channels. I describe research that carries out network side-channel measurements that are more complex than connectivity, such as packet round-trip-time or detecting active TCP connections, and do not require a shared, finite resource be fully exhausted to cause information to leak via a side-channel. My work is able to accomplish this by understanding the ways in which internal network stack state changes cause observable behavior changes from the machine. The goal of this dissertation is to show that: Information side-channels can be modulated to take advantage of dependent, network state behavior to enable non-trivial, off-path measurements without fully exhausting the shared, finite resources they use

A closer look at IP-ID behavior in the Wild

International audienceOriginally used to assist network-layer fragmentation and reassembly, the IP identification field (IP-ID) has been used and abused for a range of tasks, from counting hosts behind NAT, to detect router aliases and, lately, to assist detection of censorship in the Internet at large. These inferences have been possible since, in the past, the IP- ID was mostly implemented as a simple packet counter: however, this behavior has been discouraged for security reasons and other policies, such as random values, have been suggested. In this study, we propose a framework to classify the different IP-ID behaviors using active probing from a single host. Despite being only minimally intrusive, our technique is significantly accurate (99% true positive classification) robust against packet losses (up to 20%) and lightweight (few packets suffices to discriminate all IP-ID behaviors). We then apply our technique to an Internet-wide census, where we actively probe one alive target per each routable /24 subnet: we find that that the majority of hosts adopts a constant IP-IDs (39%) or local counter (34%), that the fraction of global counters (18%) significantly diminished, that a non marginal number of hosts have an odd behavior (7%) and that random IP-IDs are still an exception (2%)