Wednesday, July 1, 2009

Analysis of Internet Backbone Traffic and Header Anomalies observed

Wolfgang John and Sven Tafvelin
Chalmers University of Technology

Introduction

In order to support research and further development, the Internet community needs to understand the nature of Internet traffic. In this paper, the authors analyse IP and TCP traffic using packet headers captured from two OC-192 links.

Methodology

Collection of Traces.
- April 7 -- 26, 2006
- Optical splitters were used on two OC-192 links attached to Endace DAG6.2SE cards
- The first 120 bytes of each PoS (Packet over SONET) frame were captured by the DAG cards
- Four traces of 20 minutes each were collected per day (2 AM, 10 AM, 2 PM, 8 PM)

Processing and Analysis.
- Payload beyond the transport layer was removed.
- Traces were sanitized and checked for inconsistencies.
- Traces were desensitized, i.e. stripped of all sensitive information, to ensure privacy.

Results
- 148 traces
- 10.77 billion PoS frames
- 7.6 TB of data, 99.97% of the frames contain IPv4 packets

IP packet size distribution
- bimodal
- 44% is between 40 and 100 bytes
- 37% is between 1400 and 1500 bytes

Transport Protocols
- TCP: 90 - 95% of the data volume
- The largest fraction of TCP and the lowest fraction of UDP were seen in the 2 PM traces
- A potential UDP DoS attack was detected from unusually high UDP traffic during April 16-17 and was later confirmed

Analysis of IP properties
- IP options are virtually unused
- Only 68 packets carrying IP options were observed
- Only 0.06% of the traffic was IP-fragmented, contrary to previous reports of up to 0.67%

Analysis of TCP properties
- The MSS and SACK-permitted options are widely used on connection establishment (on average in 99.2% and 89.9% of cases, respectively)
- TCP option misbehaviour was also observed, including undefined option types and inconsistencies between the option header's length value and the actual option length
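A small parser for the two anomaly classes listed here (undefined option kinds and length fields that disagree with the option's real size), plus the MSS / SACK-permitted usage statistic quoted above, as an added example that is not the paper's or the authors' code; it assumes the raw TCP options bytes of a segment as input and uses constructed sample fields.

```python
# Added example (not the paper's code): parse one TCP options field and flag the
# anomaly classes named above: undefined option kinds and inconsistent length fields.
import struct

# Kinds with a fixed length per their RFCs: MSS, WScale, SACK-permitted, Timestamp.
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}
NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACKperm", 5: "SACK", 8: "TS"}

def parse_tcp_options(opts: bytes):
    """Return (parsed, anomalies): parsed is a list of (name, value) tuples,
    anomalies a list of strings describing each malformation found."""
    parsed, anomalies, i = [], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # End of option list
            parsed.append(("EOL", None)); break
        if kind == 1:                           # NOP carries no length byte
            parsed.append(("NOP", None)); i += 1; continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):  # missing, too small or overrunning
            anomalies.append(f"kind {kind}: bad length {length} with {len(opts) - i} bytes left")
            break                               # cannot resynchronise after this
        body = opts[i + 2:i + length]
        if kind not in NAMES:
            anomalies.append(f"kind {kind}: undefined option type")
        elif kind in FIXED_LEN and length != FIXED_LEN[kind]:
            anomalies.append(f"{NAMES[kind]}: length {length}, expected {FIXED_LEN[kind]}")
        value = None                            # decode only when the length is sane
        if kind == 2 and length == 4:
            value = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            value = body[0]
        elif kind == 8 and length == 10:
            value = struct.unpack("!II", body)
        parsed.append((NAMES.get(kind, f"kind{kind}"), value))
        i += length
    return parsed, anomalies

def syn_option_usage(option_fields):
    """Share of SYN option fields carrying MSS and SACK-permitted, the two
    statistics quoted above; takes a list of raw option byte strings."""
    seen = [{name for name, _ in parse_tcp_options(f)[0]} for f in option_fields]
    n = len(seen)
    return sum("MSS" in s for s in seen) / n, sum("SACKperm" in s for s in seen) / n

# Constructed samples: a well-formed SYN (MSS 1460, SACK-permitted, Timestamp, NOP,
# WScale 7) and a malformed one (MSS of length 6, kind 255, then an overrunning WScale).
GOOD_SYN = bytes.fromhex("020405b40402080a000000010000000001030307")
BAD_SYN = bytes.fromhex("020605b40000ff0204020303")
```

Run over the SYN segments of a trace, the anomaly strings give a per-kind tally of the misbehaviour classes, while the usage function reproduces the kind of MSS / SACK-permitted percentages the paper reports.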

Conclusions
- Knowledge of current trends in Internet backbone traffic is useful for protocol and application design.
- The anomalies detected were caused by buggy and misbehaving applications and protocol stacks, by active OS fingerprinting, and by network attacks exploiting vulnerabilities.

Critique
The results of this paper only apply to the particular Internet backbone links used in the collection of data. A much wider source of packet traces (say, hundreds of OC links on different continents) is needed to generalize the properties of Internet traffic.
