
Active Probing with ICMP Packets

Fabien Viger
fabien.viger@normalesup.org
Internship in the Department of Electrical and Electronic Engineering,
University of Melbourne
Supervisor : Darryl Veitch

Active Probing: A Brief Overview

[Diagram: Sender and Sender Monitor, Network, Receiver and Receiver Monitor]

Experimental Data :
departure and arrival times
other : order, loss

Constraints :
non-invasive (rate)
not too many probes

Timestamps in Active Probing : What for ?

[Diagram: timelines of packets #1 and #2 being sent and received, with timestamps marking the inter-departure time, the inter-arrival time and the end-to-end delay of packet #1]

Key Probe Parameters

Packet size
Inter-Departure Time :

Independent probes

Back-to-back probes

Inter-Arrivals of Independent Probes

[Figure: histogram. x-axis: Inter-Arrival Time, in ms; y-axis: nb probes]

Inter-Departure Time : 50ms
probes : 56 byte UDP packets

Inter-Arrivals of Back-to-Back Probes

[Figure: histogram showing the back-to-back signature. x-axis: Inter-Arrival Time, ms; y-axis: nb pairs]

Probes sent in pairs, back-to-back within pairs
probes : 56 byte UDP packets

Key Probe Parameters

Packet size
Inter-Departure Time
Packet type : UDP, TCP, ICMP
TTL : hop-limited probes (ex : traceroute)
[Diagram: Sender, Hop #4, Hop #5, Destination; Probe (TTL=4), Probe (TTL=5), ICMP-TE replies]
Source IP address : Spoofing
[Diagram: Sender, Hop A, Hop B, Receiver; hop-limited spoofed probe, ICMP-TE]

Why is ICMP interesting in Active Probing ?


An Alternative to UDP probes

ICMP Echo Reply

No interaction with routers

Can generate ICMP Time Exceeded

ICMP Time Exceeded

No interaction with routers

Never generate ICMP Time Exceeded


Why is ICMP Interesting in Active Probing ?


Allows Interaction with Specific Router
Router chosen by direct addressing

Routers reply to ICMP packets

Example : ping

[Diagram: Sender, Hop A, Hop B, Receiver; ICMP Echo Request, ICMP Echo Reply; address label 154.231.46.23]

Why is ICMP Interesting in Active Probing ?


Allows Interaction with Specific Router
Router chosen by direct addressing
Router chosen by TTL

Answer is an ICMP Time Exceeded


[Diagram: Sender, Hop A, Hop B, Receiver; hop-limited probe, ICMP-TE]

Why is ICMP Interesting in Active Probing ?


Add Spoofing

Spoofed ping
[Diagram: Sender, Hop A, Hop B, Receiver; Spoofed Echo Request, Echo Reply; address label 154.231.46.23]

Spoofed hop-limited probes
[Diagram: Sender, Hop A, Hop B, Receiver; hop-limited spoofed probe, ICMP-TE]

Something New with ICMP : Reordering


Experimental Methodology

[Diagram, two panels: Sender, Hop #1, Hop #2, Hop #3, Receiver; probes #1 and #2 and the resulting TE (ICMP Time Exceeded) messages]

Something New with ICMP : Reordering


Theoretical Results

[Figure: reordering ratio (from 0 to 100%) against the size of the 2nd probe, with the critical size marked]

bandwidth = critical size / ICMP generation time

Something New with ICMP : Reordering


Experimental Results

[Figure: Reordering Ratio, in %, against Size of the Second Probe, in bytes; curves for UDP and ICMP]

We need to know more about ICMP processing !


What is going on ?
To use all the possibilities that ICMP offers
To discover, perhaps, some new tricks for Active Probing


End-to-End Delay : Comparison between ICMP and UDP


Methodology

[Diagram: Sender, Hop A, Hop B, Receiver; UDP and Echo Reply probes]

End-to-End Delay : Comparison between ICMP and UDP


Methodology
[Diagram: sending and receiving timelines for UDP and ICMP probes, marking the delay of the UDP probe, the delay of the ICMP probe, the inter-departure time, the inter-arrival time and the delay variation]

End-to-End Delay : Comparison between ICMP and UDP


Data processing
Get N samples
Get average delay variation : choose the appropriate filter

Average : too sensitive to noise

Robust Average : better, but still disturbed by outlier asymmetry

Difference of the Medians : quite good

Median of the Differences : better
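The four filters listed above, compared on paired UDP/ICMP delay samples. This is an added example, not code from the original slides: the delays are constructed (in microseconds, with a true delay variation of 760 borrowed from the 56-byte row of the packet-size table), the "robust average" is assumed to be a 10% trimmed mean, and all function names are hypothetical.

```python
import random
import statistics

def trimmed_mean(values, trim=0.10):
    """Mean after discarding the lowest and highest `trim` fraction of the samples."""
    ordered = sorted(values)
    k = int(len(ordered) * trim)
    return statistics.fmean(ordered[k:len(ordered) - k])

def delay_variation_estimates(udp, icmp):
    """Four estimates of the ICMP - UDP delay variation from paired delay samples."""
    diffs = [i - u for u, i in zip(udp, icmp)]
    return {
        "average": statistics.fmean(icmp) - statistics.fmean(udp),
        # Assumption: "robust average" is implemented here as a 10% trimmed mean.
        "robust_average": trimmed_mean(icmp) - trimmed_mean(udp),
        "difference_of_medians": statistics.median(icmp) - statistics.median(udp),
        # Differencing first cancels the queueing delay shared by both probes of a pair.
        "median_of_differences": statistics.median(diffs),
    }

def constructed_samples(n=5001, true_variation=760.0, seed=7):
    """Constructed delays in microseconds (not measured data)."""
    rng = random.Random(seed)
    udp, icmp = [], []
    for _ in range(n):
        # Assumption: both probes of a pair see the same path delay and queueing.
        shared = 150_000 + rng.expovariate(1 / 2000)
        u = shared + rng.gauss(0, 20)
        i = shared + true_variation + rng.gauss(0, 20)
        if rng.random() < 0.15:  # asymmetric outliers: only ICMP, always late
            i += rng.uniform(1_000, 20_000)
        udp.append(u)
        icmp.append(i)
    return udp, icmp

def estimation_errors(true_variation=760.0):
    """Absolute error of each filter on the constructed samples."""
    udp, icmp = constructed_samples(true_variation=true_variation)
    estimates = delay_variation_estimates(udp, icmp)
    return {name: abs(value - true_variation) for name, value in estimates.items()}

if __name__ == "__main__":
    for name, err in estimation_errors().items():
        print(f"{name:24s} error = {err:8.1f} us")
```

On this constructed data the one-sided outliers pull the average far from the true value, while the median of the paired differences stays within a few microseconds of it.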

End-to-End Delay : Comparison between ICMP and UDP


Experiment on single Router

Route from France to Australia


[Figure: histogram. x-axis: Delay Variation between ICMP and UDP, in ms; y-axis: nb pairs]

[Figure: Evaluation of the Delay Variation, in µs, against Nb probes used for the evaluation]

End-to-End Delay : Comparison between ICMP and UDP

Packet Size Dependence

Size (bytes)    Delay variation (µs)
56              760
400             990
800             1225
1200            1460
1500            1620

[Figure: Delay Variation ICMP - UDP against Size of all probes]

End-to-End Delay : Comparison between ICMP and UDP


Larger Experiment : Methodology
Pick a random destination host
Run traceroute to get distance between us and host
Run experiment with hop-limited probes, TTL = distance - 1
[Diagram: Sender, Hop #1, Hop #d-2, Hop #d-1, Destination; hop-limited ICMP and hop-limited UDP probes, ICMP-TE replies]

delay variation = RTT_ICMP - RTT_UDP

End-to-End Delay : Comparison between ICMP and UDP


Larger Experiment : Results
15 hosts around the world
6/15 : no ICMP-TE generation for Echo Reply probes
11/15 : Delay variation < 30µs
Non-existent or insignificant ICMP difference
4/15 : ICMP slower than UDP
Delay variation 250µs on 2 of them
Delay variation 1ms on the 2 others

End-to-End Delay : Comparison between ICMP and UDP


Other Types of ICMP
Experiment was done only on a few routes
UDP and ICMP Time Exceeded
ICMP Echo Reply and ICMP Time Exceeded
ICMP Echo Reply and ICMP Echo Request

Same delay

End-to-End Delay : Comparison between ICMP and UDP


Back-to-Back Probes
[Figure, two panels (ICMP, UDP): histograms of nb pairs against Inter-Arrival Time in between pairs]

Inter-Arrival Time of probes sent back-to-back

Back-to-back ICMP pairs have Inter-Arrival Time bigger than UDP ones

ICMP queueing may be different in some routers

End-to-End Delay : Comparison between ICMP and UDP


Conclusions
Some routers forward ICMP slower than UDP

Delay variation = Cst +Size

Practically, 80% have delay variation < 2ms

But most treat them the same


However, ICMP-specific routers could become the norm


ICMP Generation Time


Is it significant ?
Is it always the same, for a given router ?
If not, how does it vary ? (Noise, Size dependence ...)

ICMP-TE Generation Time


State of the Art : Govindan & Paxson 1997

[Diagram: Sender, Hop A, Hop B, Receiver; direct probe, hop-limited spoofed probe, ICMP-TE]

ICMP-TE generation time = D_hop-limited - D_direct

ICMP Echo Reply probes
They used Spoofing
Estimations were made over 200 Internet routers

ICMP-TE Generation Time


State of the Art : Govindan & Paxson 1997
The Results

For most routers (80%), ICMP-TE generation time < 1ms

50% are even < 300µs

Sending back-to-back probes, they had 81% reordering

ICMP-TE Generation Time


Experimental Results
The Results :

Route          Router               Gen. Time (µs)
CUBIN CUBIN    CUBINlab Firewall    < 5
Paris CUBIN    ENS Gateway          1250
Paris CUBIN    Router #3            100
Paris CUBIN    Router #4            9200

Spoofing protection drastically reduces the testbed

Consistent with Govindan and Paxson's results
The router #4 singularity

ICMP-TE Generation Time


Experimental Results
The router #4 singularity : a route change ?

[Diagram: Sender, Hop A, Hop B, Hop C, Hop D, Receiver; hop-limited spoofed probe, direct probes, ICMP-TE]

Spoofing doesn't always work properly

But no such result in Govindan and Paxson's paper

ICMP Echo Reply Generation Time

[Diagram: Sender, Hop A, Hop B, Receiver; spoofed Echo Request, Echo Reply]

The Results :

Router         Gen. Time (µs)
ENS Gateway    < 20
Router #3      116
Router #4      20

[Figure, Router #3: Echo Reply Generation Time against Size of all probes]

ICMP can be Powerful without Spoofing


Experimental Methodology

[Diagram: Sender, Hop A; hop-limited probe, ICMP-TE, Echo Request, Echo Reply; ICMP-TE generation time and ping answering time marked]

ICMP-TE generation time = ping answer time

ICMP can be Powerful without Spoofing


Experimental Methodology

[Diagram: Sender, Hop A; hop-limited probe, ICMP-TE, Echo Request, Echo Reply; ICMP-TE generation time and ping answering time marked]

ICMP-TE generation time > ping answer time

ICMP can be Powerful without Spoofing


Advantages
doesn't need Spoofing
Sender = Receiver
Many adjustable Parameters :

Size of the hop-limited probe

Size of the ping probe

Initial Order


ICMP can be Powerful without Spoofing


Some Results
Tests on 3 routes
Route #1 : No reordering
Route #2 : 100% reordering, i.e. ping is much too fast
Route #3 : Some reordering, but ratio decreases with size
A promising foretaste : that could work!

ICMP is More Resistant to Natural Reordering


Natural Reordering exists : tests with UDP packets
Small passing one bigger
Many smalls passing one bigger
Never passing more than one
No (or very little) natural reordering with ICMP packets
Using ICMP reduces the reordering noise

Application : Failed Experiment

[Diagram, two panels: Sender, Hop #1, Hop #2, Hop #3, Receiver; probes #1 and #2 and the resulting TE (ICMP Time Exceeded) messages]

Application : Failed Experiment

[Figure: reordering ratio (from 0 to 100%) against the size of the 2nd probe, with the critical size marked]

bandwidth = critical size / ICMP generation time

Application : Failed Experiment . . . Finally Works!

[Figure: Reordering ratio, %, against Size of the 2nd probe, in bytes, shown with the sketch of reordering ratio against size of the 2nd probe (critical size marked)]

Application : Failed Experiment . . . Finally Works!


What changed ?
ICMP probes instead of UDP

removed ICMP delay difference

removed Natural Reordering

Direct 2nd probe is now Spoofed Echo Request


Conclusion
ICMP offers many possibilities :
Alternative to classical probes

Add degrees of freedom

Router-interaction probe

Add new concepts

Enlarges the possibilities of Active Probing
