Detection of Active Topology Probing Deception
Abstract
For all intents and purposes, being able to infer the topology of a network is crucial to operators and adversaries alike. Traceroute is a common active probing technique, but it may be subverted by deceptive responses. We identify possible inconsistencies in traceroute deception systems and endeavor to find potential deception in the historic IPv4 Routed /24 Topology Dataset from the Center for Applied Internet Data Analysis (CAIDA). Our results show three major patterns in 2013 and 2014 that exhibited instances of inconsistencies matching the techniques in our methodology. In addition to analyzing the historic dataset, we evaluate three cases of traceroute manipulation in the wild. These case studies include The Pirate Bay (TPB) server supposedly residing in North Korea, the Star Wars- and Christmas Carol-themed gags involving customized Domain Name System (DNS) names, and the experimental DeTracer at the Naval Postgraduate School (NPS). In the TPB case, we discovered extensive and long-running deception in the /24 subnet. We find intriguing patterns in the gag traceroutes and in the fake topologies from the DeTracer, which we may use to improve our filtering process. In all, the findings will aid future operations in verifying inferred network topologies from traceroutes.
Document Details
- Document Type: Technical Report
- Publication Date: Sep 01, 2015
- Accession Number: ADA632358
Entities
People
- Weiyou N. Phua
Organizations
- Naval Postgraduate School